The compliance engine is an automated tool by Workspace ONE UEM powered by AirWatch that ensures all devices abide by policies that you define. These policies can include basic security settings such as requiring a passcode and enforcing certain precautions including passcode strength, blacklisting certain apps, and requiring device check-in intervals.

Once devices are determined to be out of compliance, the compliance engine warns users to address compliance errors to prevent disciplinary action on the device. For example, the compliance engine can trigger a message to notify the user that their device is out of compliance.

In addition, devices that are not in compliance cannot have device profiles assigned to them and cannot have apps installed on them. If corrections are not made in the amount of time specified, the device loses access to certain content and functions that you define. The available compliance policies and actions vary by platform.

You can automate escalations when corrections are not made, for example, locking down the device and notifying the user to contact you to unlock the device. These escalation steps, disciplinary actions, grace periods, and messages are all customizable with the Unified Endpoint Management Console.

There are two methods by which compliance is measured.

  • Real Time Compliance (RTC)

    Unscheduled samples received from the device are used to determine whether or not the device is compliant. The samples are requested on demand by the admin.

  • Engine Compliance

    The compliance engine, a software algorithm that receives and measures scheduled samples, primarily determines the compliance of a device. The time intervals for the running of the scheduler are defined in the console by the admin.

The following steps give a general overview of enforcing mobile security policies.

  1. Choose your platform.

    Determine on which platform you want to enforce compliance. After you select a platform, you are never shown an option that does not apply to that platform.

  2. Build your policies.

    Customize your policy to cover criteria such as application list, compromised status, encryption, manufacturer, model and OS version, passcode, and roaming.

  3. Define escalation.

    Configure time-based actions in hours or days and take a tiered approach to those actions.

  4. Specify actions.

    Send SMS, email, or push notifications to the user device or send an email only to an Administrator. Request device check-in, remove or block specific profiles, install compliance profiles, remove or block apps, and perform an enterprise wipe.

  5. Configure assignments.

    Assign your compliance policy by organization group or smart group, then confirm the assignment by device.
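The tiered escalation described in the steps above, sketched as an added example (this is not Workspace ONE UEM code or its API): a simplified model of how successive device samples could drive time-based actions. The rule names, tier timings, and action labels are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

@dataclass(frozen=True)
class Tier:
    after: timedelta   # grace period measured from the first failed sample
    actions: tuple     # labels modelled on the "Specify actions" step

# Constructed policy: rule names and tier timings are illustrative only.
RULES = {
    "passcode_set": lambda s: s["passcode_set"],
    "encrypted": lambda s: s["encrypted"],
    "not_compromised": lambda s: not s["compromised"],
}
TIERS = (
    Tier(timedelta(0), ("push_notification",)),
    Tier(timedelta(hours=24), ("email_user", "block_profiles")),
    Tier(timedelta(days=3), ("email_admin", "enterprise_wipe")),
)

@dataclass
class DeviceState:
    first_failure: Optional[datetime] = None
    tiers_done: set = field(default_factory=set)

def evaluate(state, sample, now):
    """Process one device sample; return (failed_rules, actions_due_now)."""
    failed = [name for name, check in RULES.items() if not check(sample)]
    if not failed:
        # The device was corrected: clear the clock so that a later
        # violation starts again at the first tier.
        state.first_failure = None
        state.tiers_done.clear()
        return failed, []
    if state.first_failure is None:
        state.first_failure = now
    elapsed = now - state.first_failure
    due = []
    for i, tier in enumerate(TIERS):
        # A tier fires once, on the first sample after its grace period;
        # a device that skips samples can trigger several tiers at once.
        if elapsed >= tier.after and i not in state.tiers_done:
            state.tiers_done.add(i)
            due.extend(tier.actions)
    return failed, due
```

Because actions fire only when a sample arrives, a device that stops checking in never advances through the tiers in this model, which is one reason a policy would also enforce a check-in interval.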

Confirm the Health of Windows Devices

Windows devices enable you to configure and scan the health of the device at startup to ensure that your corporate resources are secure. For more information, see the topic Compromised Device Detection with Health Attestation found in the Windows Desktop Device Management documentation on docs.vmware.com.