You can create compliance policies that detect when users have blacklisted applications and configure these policies to resolve non-compliance.

For information about application compliance policies, see Build an Application Compliance Policy.

For information about the relationship between application compliance policies and application groups, see Application Groups and Compliance Policies Work Together to Apply Standards Across Devices .

Example of Compliance Policy Actions

The compliance engine detects a user with an application blacklisted by an App Scan Integration Vendor. You can configure the compliance engine to take various measures.

  • Send a push notification to the user prompting them to remove the application.
  • Remove certain features such as Wi-Fi, VPN, or email profiles from the device.
  • Send an email notification to the user copying IT Security and HR.

Configure Compliance for App Scan

Build an application compliance policy to perform an action on devices with non-compliant applications:

  1. Ensure that you are in the correct organization group.

  2. Navigate to Devices > Compliance Policies > List View and select Add.
  3. Select the platform depending on the application reputation scanning service you use.
  4. Select Application List on the Rules tab and select Contains Vendor Blacklisted App(s) for integration.

    Add applications from your application reputation scanning system so that the compliance engine monitors for them on devices.

    If the engine detects applications listed in these unique blacklisted app groups on devices assigned to the compliance rule, the engine performs the actions configured in the rule.

  5. In the Actions tab, set escalating actions for the engine to perform.

    Setting Description
    Mark as Not Compliant

    Enable the check box to tag devices that violate this rule, but once the device is tagged non-compliant and depending on escalation actions, the system might block the device from accessing resources and might block admins from acting on the device.

    Disable this option when you do not want to quarantine the device immediately.

    Application Select to remove the managed application.
    Command Select to configure the system to command the device to check in to the console, to perform an enterprise wipe, or to change roaming settings.
    Email Select to block email on the non-compliant device.

    Select to notify the non-compliant device with an email, SMS, or push notification using your default template.

    You can also send a note to the admin concerning the rule violation.

    Profile Select to use Workspace ONE UEM profiles to restrict functionality on the device.
  6. In the Assignment tab, assign the compliance rule to smart groups.

    Setting Description
    Managed By View or edit the organization group that manages and enforces the rule.
    Assigned Groups Type to add smart groups to which the rule applies.
    Exclusions Select Yes to exclude groups from the rule.
    View Device Assignment Select to view the devices affected by the rule.
  7. Move to the Summary tab to name the rule and give it a brief description.
  8. Select Finish and Activate to enforce the newly created rule.