You can enforce rules and take actions when devices do not comply with your policies. This list is platform agnostic. Navigate to Devices > Compliance Policies > List View, select the Add button, and then select the platform to see all the Rules and Actions you can take specific to that platform.

Rules

Setting Description
Application List Detect specific denylisted apps that are installed on a device, or detect all apps that are not allowlisted. You can prohibit certain apps (such as social media apps) and apps denylisted by vendors, or permit only the apps you specify.

Due to the way application status is reported on iOS devices, an app achieves 'Installed' status only after the installation process is fully completed. For this reason, if you are making a compliance rule that measures the application list of iOS devices, consider enforcing an action that avoids the destruction of data. For example, enterprise wipe or device wipe.
Antivirus Status Detect whether or not an antivirus app is running. The compliance policy engine monitors the Action Center on the device for an antivirus solution. Windows supports all third-party antivirus solutions.
Cell Data/Message/Voice Use Detect when end-user devices exceed a particular threshold of their assigned telecom plan.

Workspace ONE UEM can only provide notification of when usage exceeds a predetermined threshold, UEM cannot limit the actual usage.

In order for this policy rule to function correctly, you must enable Advanced telecom and assign that telecom plan to the device.
Compliance Attribute Compare attribute keys in the device against third-party endpoint security, which returns a Boolean value representing device compliance. Only available for Windows Desktop devices.
Compromised Status Detect if the device is compromised. Prohibit the use of jailbroken or rooted devices that are enrolled with Workspace ONE UEM.

Jailbroken and rooted devices strip away integral security settings and can introduce malware in your network and provide access to your enterprise resources. Monitoring for compromised device status is especially important in BYOD environments where employees have various versions of devices and operating systems.
Device Last Seen Detect if the device fails to check in within an allotted time window.
Device Manufacturer Detect the device manufacturer allowing you to identify certain Android devices. You can specifically prohibit certain manufacturers or permit only the manufacturers you specify.
Encryption Detect whether or not encryption is enabled on the device. Windows supports all third-party encryption solutions.
Firewall Status Detect whether or not a firewall app is running. The compliance policy engine checks the Action Center on the device for a firewall solution. Windows supports all third-party firewall solutions.
Free Disk Space Detect the available hard disk space on the device.
iBeacon Area Detect whether your iOS device is within the area of an iBeacon Group.
Interactive Certificate Profile Expiry Detect when an installed profile on the device expires within the specified length of time.
Last Compromised Scan Detect if the device has not reported its compromised status within the specified schedule.
MDM Terms of Use Acceptance Detect if the end user has not accepted the current MDM Terms of Use within a specified length of time.
Model Detect the device model. You can specifically prohibit certain models or permit only the models you specify.
OS Version Detect the device OS version. You can prohibit certain OS versions or permit only the operating systems and versions you specify.
Passcode Detect whether a passcode is present on the device.
Roaming Detect if the device is roaming. Only available for Telecom Advanced Users.
Roaming Cell Data Use Detect roaming cell data use against a static amount of data measured in MB or GB. Only available for Telecom Advanced Users.
Security Patch Version Detect the date of the Android device's most recent security patch from Google. Applicable only to Android version 6.0 and later.
SIM Card Change Detect if the SIM card has been replaced. Only available for Telecom Advanced Users.
System Integrity Protection Detect the status of macOS's proprietary protection of system-owned files and directories against modifications by processes without a specific "entitlement", even when run by the root user or a user with root privileges.
Windows Automatic Update Status Detect whether Windows Automatic Update has been activated. The compliance policy engine monitors the Action Center on the device for an Update solution. If your third-party solution does not display in the action center, it reports as not monitored.
Windows Copy Genuine Validation Detect whether the copy of Windows currently running on the device is genuine.

Actions

Application

  • Block/Remove Managed App
  • Block/Remove All Managed Apps

    When the Block/Remove App action is applied to a noncompliant device, the Workspace ONE UEM console removes the indicated app(s) and begins a 2 hour timer before the next possible device sync. Each time the device sync runs, it calculates which apps to add and remove, taking into account the active compliance policies. When the device sync runs after the 2 hour timer, and the same app is discovered, the app is removed.

    During this 2 hour time period, however, the end user can attempt to go around the compliance action and reinstall the blocked apps. For instance, if they sideload the APK file or install a public app from the Play Store, the compliance action may not be triggered. Consider making a device profile to prevent the end user from installing apps.

    There are two ways to do this when you make a device profile at Resources > Profiles & Baselines > Profiles.

    • Android only – Add an Application Control payload to disable access to denied apps. In order for this payload to work, you must create a Denylist app group in Resources > Apps > Settings > App Groups and assign it to the device in question.
    • Add a Restrictions payload, disabling the slider for Allow Installing Applications.

Command

  • Change Roaming Settings
  • Enterprise Wipe - This prevents the delivery of profiles until the device reports back a compliant status.
  • Enterprise Reset
  • OS Updates - Available to devices with iOS versions 9 through 10.2.1 if they are supervised and DEP-enrolled. Devices with iOS 10.3 and later need only be supervised.
  • Request Device Check-In
  • Revoke Azure Tokens - Requires 'Use Azure AD For Identity Services' enablement in Settings > System > Enterprise Integration > Directory Services > Advanced. Affects all devices for a given user, disabling any app that relies upon the Azure token.

Email

  • Block Email

Notify

  • Send Email to User - Includes option to CC the user's manager.
  • Send SMS to Device
  • Send Push Notification to Device
  • Send Email to Administrator

Profile

  • Install Compliance Profile.
  • Block/Remove Profile
  • Block/Remove Profile Type
  • Block/Remove All Profiles - This prevents the delivery of profiles until the device reports back a compliant status.

Parent topic: Compliance Policy Rules and Actions

check-circle-line exclamation-circle-line close-line
Scroll to top icon