Compliance Policies

The compliance engine is an automated tool by Workspace ONE UEM that ensures all devices abide by policies that you define. These policies can include basic security settings such as requiring a passcode and enforcing certain precautions including passcode strength, denylisting certain apps, and requiring device check-in intervals.

Once devices are noncompliant, the compliance engine warns users to prevent disciplinary action on the device by addressing compliance errors.

In addition, devices not in compliance cannot have device profiles assigned to it and cannot have apps installed on the device. If corrections are not made in the amount of time specified, the device loses access to certain content and functions that you define. The available compliance policies and actions vary by platform.

You can automate escalations when corrections are not made, for example, locking down the device and notifying the user to contact you to unlock the device. These escalation steps, disciplinary actions, grace periods, and messages are all customizable with the Unified Endpoint Management Console.

There are two methods by which compliance is measured.

• Real Time Compliance (RTC)

  Unscheduled samples received from the device are used to determine whether the device is compliant. The samples are requested on demand by the admin.

• Engine Compliance

  The compliance engine, a software algorithm that receives and measures scheduled samples, primarily determines the compliance of a device. The time intervals for the running of the scheduler are defined in the console by the admin.

Enforcing mobile security policies is represented by this general overview.

1. Select your platform.

   Determine on which platform you want to enforce compliance. After you select a platform, you are never shown an option that does not apply to that platform.

2. Build your policies.

   Customize your policy to cover everything from an application list, compromised status, encryption, manufacturer, model and OS version, passcode and roaming.

3. Define escalation.

   Configure time-based actions in hours or days and take a tiered approach to those actions.

4. Specify actions.

   Send SMS, email, or push notifications to the user device or send an email only to an administrator. Request device check-in, remove or block specific profiles, install compliance profiles, remove, or block apps and perform an enterprise wipe.

5. Configure assignments.

   Assign your compliance policy by organization group or smart group then confirm the assignment by device.