You can use application groups (app groups) and compliance policies to protect resources in your Workspace ONE UEM environment. Application groups identify permitted and restricted applications so that compliance policies can act on devices that do not follow protective standards.
You can configure app groups for several platforms but you cannot combine all of them with compliance polices. For those platforms that you cannot combine with compliance policies, apply an application control profile.
|App Group Platform||Works with Compliance Policies||Works with Application Control Profiles|
You are not required to configure application groups. However, application groups enhance the efficacy and reach of your compliance policies with minimal configurations.
Relationships Between Application Groups and Compliance Policies
|Application Group||Description||Compliance Policy||Action|
|Allowlist||Managed devices can install these applications from the AirWatch Catalog.
If an application is not on the list, it is not permitted on managed devices.
|Contains Non-allowlisted Apps||The compliance engine identifies applications not in the allowlisted app group installed on the device and applies the actions that are configured in the compliance rule.|
|Denylist||Managed devices do not install these applications from the AirWatch Catalog.
If an application is on this list, it is not allowed on managed devices.
|Contains denylisted Apps||The compliance engine identifies applications from the denylisted app group on the device and applies the actions that are configured in the compliance rule.|
|Required||Managed devices are required to install these applications from the AirWatch Catalog.
If an application is on this list, it is required device users install it on managed devices.
|Does Not Contain Required Apps||The compliance engine identifies applications from the required app group missing on the device and applies the actions that are configured in the compliance rule.|
Note: An application that is set for auto deployment mode in the UEM console does not automatically deploy under the following conditions:
In the Workspace ONE UEM console, if you configure the Privacy settings of the Personal Application as Do Not Collect the system does not collect the personal app information from the devices. That is, the end user’s personal application information is not transmitted from their devices.
The Privacy settings however have the following caveats that impact the Application List Compliance and Application Control profile settings:
If you want to take actions on your end-user’s personal applications list, keep a track of the personal app privacy configuration for the concerned device ownership type at all OGs, and verify the following:
Configure application groups, or app groups, so that you can use the groups in your compliance policies. Take set actions on devices that do not comply with the installing, updating, or removing applications.You assign application groups to organization groups. When you assign the application group to a parent organization group, the child organization groups inherit the application group configurations.
Complete options on the List tab.
|Type||Select the type of application group you want to create depending on the desired outcome: allow applications, block applications, or require application installations.
If your goal is to group custom MDM applications, select MDM Application. You must enable this option for it to display in the menu.
|Platform||Select the platform for the application group.|
|Name||Enter a display name for the application group in the Workspace ONE UEM console.|
|Add Application||Display text boxes that enable you to search for applications to add to the application group.|
|Application Name||Enter the name of an application to search for it in the respective app store.|
|Application ID||Review the string that automatically completes when you use the search function to search for the application from an app store.|
|Add Publisher - Windows Phone||Select for Windows Phone to add multiple publishers to application groups. Publishers are organizations that create applications.
Combine this option with Add Application entries to create exceptions for the publisher entries for detailed allowlists and denylists on Windows Phone.
Select Next to navigate to an application control profile. You must complete and apply an application control profile for Windows Phone. You can use an application control profile for Android devices.
Complete settings on the Assignment tab.
|Description||Enter the purpose of the application group or any other pertinent information.|
|Device Ownership||Select the type of devices to which the application group applies.|
|Model||Select device models to which the application group applies.|
|Operating System||Select operating systems to which the application group applies.|
|Managed By||View or edit the organization group that manages the application group.|
|Organization Group||Add more organization groups to which the application group applies.|
|User Group||Add user groups to which the application group applies.|
Select Finish to complete configurations.
You can edit your App Groups and Application Control Profile. When you edit app groups for Android and Windows phone, edit the app group first, then the application profile.
You can use app groups to push application notifications to app catalogs you require devices to install.
Custom MDM applications are a type of app group and they are custom-made to track device information, such as location and jailbreak status. Enable Workspace ONE UEM to recognize custom MDM applications so you can assign them to special app groups to gather information, troubleshoot, and track assets. Workspace ONE UEM supports custom MDM applications made for the Android and Apple iOS platforms. Upload them as internal applications.
Enable the Use Custom MDM Applications so that you can select the option in the application group menu in Workspace ONE UEM. Workspace ONE UEM does not remove custom MDM applications after the compliance engine detects them on devices. These applications are for auditing, tracking, and troubleshooting.
Compliance policies enable you to act upon devices that do not comply with set standards. For example, you can create compliance policies that detect when users install forbidden applications. Then configure the system to act automatically on devices with the non-compliance status.
You can create compliance policies for single applications using the Compliance List View, or for lists of applications using application groups. Although you are not required to use application groups, these groups enable you to take preventive actions on large numbers of non-compliant devices.
Example of Compliance Policy Actions: The compliance engine detects a user with a game-type application, which is one of the applications in a blacklisted app group list. You can configure the compliance engine to take several actions.
You can configure an application list compliance policy for several platforms that acts on non-compliant devices.
Supported Platforms for Compliance Policies and Applications:
Add compliance policies that work with app groups to add a layer of security to the mobile network. Policy configurations enable the Workspace ONE UEM compliance engine to take set actions on non-compliant devices.
Select the options that reflect your desired compliance goals.
|Contains||Add the application identifier to configure the compliance engine to monitor for its presence on devices.
If the engine detects the application is installed on devices assigned to the Compliance Rule, the engine performs the actions configured in the rule.
|Does Not Contain||Add the application identifier to configure the compliance engine to monitor for its presence on devices.
If the engine detects the application is not installed on devices assigned to the Compliance Rule, the engine performs the actions configured in the rule.
|Contains Denied Apps||If the engine detects applications listed in denylist app groups on devices assigned to the Compliance Rule, the engine performs the actions configured in the rule.|
|Contains Non-Allowed Apps||If the engine detects applications not listed in whitelisted app groups on devices assigned to the Compliance Rule, the engine performs the actions configured in the rule.|
|Does Not Contain Required Apps||If the engine detects that devices assigned to the Compliance Rule are missing applications in required app groups, the engine performs the actions configured in the rule.|
|Does Not Contain Version||Add the application identifier and the application version the compliance engine monitors device to ensure the correct version of the application is installed on devices.
If the engine detects the wrong version of the application is installed on devices assigned to the Compliance Rule, the engine performs the actions configured in the rule.
You can get the Application Identifier from an app store or from its record in the Workspace ONE UEM console. Navigate to Resources > Apps > List View > Internal or Public. Select View from the actions menu for the application and then look for the Application ID information.
Select the Actions tab to set escalating actions to perform if a user does not comply with an application-based rule. The first action is immediate but is not compulsory to configure. Use it or delete it. You can augment or replace the immediate action with further delayed actions with the Add Escalations feature.
|Mark as Not Compliant||Select the check box to tag devices that violate this rule, but once the device is tagged non-compliant and depending on escalation actions, the system might block the device from accessing resources and might block admins from acting on the device.
Deselect this option when you do not want to quarantine the device immediately.
|Application||Select to remove the managed application.|
|Command||Select to configure the system to command the device to check in to the console, to perform an enterprise wipe, or to change roaming settings.|
|Select to block email on the non-compliant device.|
|Notify||Select to notify the non-compliant device with an email, SMS, or push notification using your default template.
You can also send a note to the admin concerning the rule violation.
|Profile||Select to use Workspace ONE UEM profiles to restrict functionality on the device.|
Select the Assignment tab to assign the Compliance rule to smart groups.
|Managed By||View or edit the organization group that manages and enforces the rule.|
|Assigned Groups||Type to add smart groups to which the rule applies.|
|Exclusions||Select Yes to exclude groups from the rule.|
|View Device Assignment||Select to view the devices affected by the rule.|
Select the Summary tab to name the rule and give it a brief description.