The compliance engine is an automated tool by Workspace ONE™ UEM that ensures all devices abide by your policies. These policies can include basic security settings such as requiring a passcode and having a minimum device lock period. For certain platforms, you can also decide to set and enforce certain precautions. These precautions include setting password strength, blacklisting certain apps, and requiring device check-in intervals to ensure that devices are safe and in contact with Workspace ONE UEM.
Once devices are determined to be out of compliance, the compliance engine warns users to address compliance errors to prevent disciplinary action on the device. For example, the compliance engine can trigger a message to notify the user that their device is out of compliance.
In addition, devices that are not in compliance cannot have device profiles assigned to them and cannot have apps installed on them. If corrections are not made in the amount of time specified, the device loses access to certain content and functions that you define. The available compliance policies and actions vary by platform.
You can automate escalations when corrections are not made, for example, locking down the device and notifying the user to contact you to unlock the device. These escalation steps, disciplinary actions, grace periods, and messages are all customizable with the Unified Endpoint Management Console.
There are two methods by which compliance is measured.
- Real Time Compliance (RTC) – Unscheduled samples received from the device are used to determine whether or not the device is compliant. The samples are requested on demand by the admin.
- Engine Compliance – The compliance engine, a software algorithm that receives and measures scheduled samples, primarily determines the compliance of a device. The time intervals for the running of the scheduler are defined in the console by the admin.
Enforcing mobile security policies involves a five-step procedure.
- Choosing your platform – Determine on which platform you want to enforce compliance. After you select a platform, you are never shown an option that does not apply to that platform.
- Building your policies – Customize your policy to cover everything from an application list, compromised status, encryption, manufacturer, model and OS version, passcode and roaming.
- Defining escalation – Configure time-based actions in hours or days and take a tiered approach to those actions.
- Specifying actions – Send SMS, email, or push notifications to the user device or send an email only to an Administrator. Request device check-in, remove or block specific profiles, install compliance profiles, remove or block apps, and perform an enterprise wipe.
- Configuring assignments – Assign your compliance policy by organization group or smart group, then confirm the assignment by device.
All Your Compliance Policies
View a listing of all active and inactive compliance policies and their configurations. For more information, see Compliance Policies List View.
Platform-Specific Policy Rules and Actions
View which policy rules and actions can be applied to the platforms of your choosing, since not all options apply to all platforms. For more information, see Compliance Policy Rules by Platform and Compliance Policies Actions by Platform.
Add a New Policy
Add a compliance policy quickly and easily by selecting the platform and defining the rules, the actions to be taken, and how the device is assigned. For more information, see Add a Compliance Policy.
Confirm the Health of Windows Devices
Windows devices enable you to configure and scan the health of the device at startup to ensure that your corporate resources are secure. For more information, see Compromised Device Detection with Health Attestation.