SDK App Compliance profiles help monitor and enforce compliance on devices that have Workspace ONE SDK-built apps. Devices with these profiles do not require an MDM profile and can be offline and still comply with app security policies.

Note: The SDK App Compliance feature is not available with custom profiles.

Navigation

Find settings in Groups & Settings > All Settings > Apps > Settings and Policies > SDK App Compliance.

Block and Wipe Functions for SDK App Compliance Settings

SDK App Compliance identifies non-compliant devices that have SDK-built applications installed and acts with the block or wipe function. It identifies non-compliance when a device's status satisfies the configured rules.

Note: The App Version setting only applies the block action.
  • Wipe - The Wipe action, also called an enterprise wipe, clears privileged corporate data off devices that are not compliant with the applicable parameter. The system does not perform wipe actions on data unrelated to the enterprise. The following SDK App Compliance settings use this action.
    • OS Version
    • Security Patch Date
    Note: The wipe function for Application Inactivity is not an enterprise wipe. The system wipes only the data on the device that pertains to the SDK-built app.
  • Block - The Block action prevents user access to SDK-built applications that meet a configured parameter. The following SDK App Compliance settings use this action.
    • App Version
    • OS Version
    • Security Patch Date

Application Version

Restricts devices from accessing SDK-built applications unless the version is approved.

You cannot add more than one version of an SDK-built application.

Here is an example of how to configure this setting. You can enter and select Workspace ONE Boxer, select Less Than, and enter 4.9. This group of parameters sets the SDK to block access to any version of Workspace ONE Boxer that is earlier than v4.9. This text box evaluates version identifiers as numeric values separated by a period, for example, 2.3.5 or 7.5.4.1. If your version contains non-numeric values, like 2.a.5, the SDK uses only the leading numeric values and evaluates this value as 2. For a version number of 2.3.4.a, the SDK evaluates this value as 2.3.4.
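The following Python sketch models the version evaluation described above so you can check how a rule treats the version strings in your app inventory before you enable it. It is an added example, not Workspace ONE SDK code. The function names, the zero-padding of shorter versions (4.9 treated as 4.9.0), the handling of a version with no leading number, and the sample inventory are assumptions; the operator labels are the two that appear on this page.

```python
import operator
from itertools import zip_longest

# Operator labels as they appear on this page; other console options are not modelled.
OPERATORS = {
    "Less Than": operator.lt,
    "Greater Than or Equal To": operator.ge,
}

def leading_numeric(version):
    """Return the dot-separated components up to the first non-numeric one."""
    parts = []
    for component in version.strip().split("."):
        if not (component.isascii() and component.isdigit()):
            break  # 2.a.5 stops here and is evaluated as 2
        parts.append(int(component))
    return tuple(parts)

def pad(a, b):
    """Pad the shorter version with zeros (assumption: 4.9 equals 4.9.0)."""
    pairs = list(zip_longest(a, b, fillvalue=0))
    return tuple(x for x, _ in pairs), tuple(y for _, y in pairs)

def rule_matches(installed, op_label, threshold):
    """True when the installed version satisfies the rule, so the action applies."""
    left, right = pad(leading_numeric(installed), leading_numeric(threshold))
    return OPERATORS[op_label](left, right)

def audit(versions, op_label, threshold):
    """List (raw string, evaluated value, rule fires) for each version."""
    report = []
    for raw in versions:
        # Assumption: a string with no leading number is shown as "(none)"
        # and compared as zero.
        evaluated = ".".join(map(str, leading_numeric(raw))) or "(none)"
        report.append((raw, evaluated, rule_matches(raw, op_label, threshold)))
    return report

# Constructed sample inventory of app version strings.
SAMPLE = ["4.8.2", "4.9", "4.10.1", "4.a.12", "4.9.0.b"]

if __name__ == "__main__":
    for raw, evaluated, blocked in audit(SAMPLE, "Less Than", "4.9"):
        print(f"{raw:10} evaluated as {evaluated:8} blocked={blocked}")
```

In the sample, 4.a.12 is evaluated as 4 and is therefore blocked by a Less Than 4.9 rule, which is the case to look for when a build pipeline puts non-numeric text in the middle of a version string.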

Application Inactivity

Restricts devices from accessing SDK-built applications if the applications stay inactive for a specified number of days. When enabled, application data is wiped when an iOS or Android application (specified by an app ID) reaches the allowed days of inactivity (1-90 days).

This policy does not impact older versions of apps.

This feature works for apps built with the Workspace ONE SDK v20.2 or later.

OS Version

Restricts devices that are not on compliant OS versions from accessing your enterprise resources.

Here is an example of how to configure this setting. Select Greater Than or Equal To, and enter Android 4.4.2. This group of parameters sets the SDK to block access on, or wipe, an Android device that runs 4.4.2 or an OS version later than 4.4.2. This configuration approves Android OS version 4.4.1 and earlier.

Security Patch Date

Restricts Android devices that are on a security patch older than a specified date. In the Before text box, enter a date that identifies the minimum approved security patch that you require Android devices to run. If an Android device runs a patch published before this date, the SDK acts with the configured action.

Where to Get Data

You can find device events for SDK App Compliance using two methods: from the Device Details view or from the Events page. You can access the following reports.
  • App Compliance Reported Non Compliant has a severity of Warning.
  • App Compliance Reported Compliant has a severity of Information.
If the SDK-built application is reported as non-compliant with the SDK App Compliance settings, the applicable device events display in the event log or device events list.