Configure and Enforce Compliance

The final phase of the integration is to extend the smart groups in Workspace ONE UEM with one group for each of the MTD - Low Risk, MTD - Medium Risk, and MTD - High Risk tags, so that any device with an active threat is placed in the group for its risk level. Policies assigned to that group then apply enforcement actions that remain in effect until the device user remediates the threat. The tag is then removed, the device leaves the corresponding group, and it returns to normal function.

A Typical Risk Remediation Workflow

  1. A mobile device is impacted by an active threat.
  2. Workspace ONE Mobile Threat Defense identifies the threat and communicates the device’s status to the console.
  3. The Workspace ONE Mobile Threat Defense console categorizes the device according to the settings in the Protections module. For example, by default, a device with an active issue classified as “Trojan” is considered High Risk.
  4. The Workspace ONE Mobile Threat Defense console communicates this device status by applying the MTD - High Risk tag to the device in Workspace ONE UEM.
  5. Because it is tagged MTD - High Risk, Workspace ONE UEM dynamically adds the device to the MTD High Risk smart group. All policies that apply to the MTD High Risk smart group are now in effect for the device.
  6. The device user is notified of the threat. The device user remediates the threat by uninstalling the “Trojan” malware.
  7. The Lookout for Work app reports the all-clear and communicates the device’s new status to the Workspace ONE Mobile Threat Defense console.
  8. The Workspace ONE Mobile Threat Defense console no longer considers the device high risk, so it removes the MTD - High Risk tag from the device in Workspace ONE UEM.
  9. Because it is no longer tagged as MTD - High Risk, Workspace ONE UEM removes the device from the MTD High Risk smart group. The device user is no longer affected by the policies for that smart group.

Configure Threat Classification

Workspace ONE Mobile Threat Defense classifies mobile threats of various types, so that you can match different classifications to the risk levels they represent. All threat classifications initially reflect the default threat levels assigned by Workspace ONE Mobile Threat Defense. Administrators with full access to the Workspace ONE Mobile Threat Defense console can modify these settings from the Protections module.

This screenshot shows the Protections tab on the Workspace ONE Mobile Threat Defense Console.

Your MDM platform evaluates device compliance against these risk levels dynamically at runtime: the risk level assigned here determines which MTD tag is applied to a device in Workspace ONE UEM, and therefore which smart group and enforcement profiles apply to it. Because the threat classification policy in Workspace ONE Mobile Threat Defense directly drives the device compliance status in Workspace ONE UEM, lowering a classification's risk level also lowers the enforcement applied to every device affected by that threat type, so review changes to this policy with the same care as the profiles themselves.

Configure Risk Response Policies

To respond to at-risk devices with the level of enforcement appropriate to their risk, you must create three smart groups (one per risk level) and up to six device policies (one per risk level for Android and one per risk level for iOS) in Workspace ONE UEM.

Create Risk Response Smart Groups

  1. Log into the Workspace ONE UEM Console with your administrator account, then move to the organization group (OG) that manages all the devices you want to protect with Mobile Threat Defense.
    • Switch OGs by clicking the OG selector button in Workspace ONE UEM. Do not create the smart group from the Global OG.
  2. Navigate to Groups & Settings > Groups > Assignment Groups.
  3. Select the Add Smart Group button. The Create New Smart Group screen displays.
  4. In the Name text box, enter a name for the smart group, MTD Low Risk.
  5. In the Organization Group section, the name of the OG you moved to in step 1 displays and is enabled by default. Leave this check box enabled.
  6. In the Tags section, search for MTD - Low Risk and Add only that tag. If you have not created these tags, see the integration workflow.
  7. Select Save.

    This screenshot shows the modal for a smart group after it has been configured with the OG and tags from the integration example.

  8. Repeat steps 3-7 to create two more smart groups for the remaining tags: MTD Medium Risk for the MTD - Medium Risk tag and MTD High Risk for the MTD - High Risk tag. Each smart group must match only its own tag; for example, the smart group named MTD Medium Risk represents devices that carry the MTD - Medium Risk tag.

By the end of this process, you will have three smart groups, one for each risk level.

Create Risk Response Device Policies for Android

  1. While logged into Workspace ONE UEM as an administrator, select the Add button in the top banner, then select Profile.
  2. Select Android.
  3. In the Name Your Profile text box, enter MTD Low Risk Android.
  4. Add each applicable payload to the device profile that gets assigned to Android devices at risk from an external threat. For example, Application Control, which you can configure to disable access to corporate apps, or Restrictions, which you can configure to limit device functionality.
  5. When finished adding payloads, select Next.
  6. Under Smart Group, select the name of the smart group you created earlier, MTD Low Risk.
  7. Under the Deployment section, set the following options.
    • Assignment Type - Auto
    • Allow Removal - With Authorization or Never. If you select With Authorization, you must enter a password, and end users can remove the MTD Low Risk Android profile only with that password. Never prevents removal by the end user altogether and is the stronger choice for the High Risk profile.
    • Managed By - leave it set to the default organization group
    • Install Only - deactivated
    • Schedule Install Time - deactivated
  8. Select Save & Publish.

    This screenshot shows the modal for an Android device profile after it has been configured with the OG and smart group from the risk response example.

  9. Repeat steps 1-8 to make MTD Medium Risk Android and MTD High Risk Android versions of the profile, each with customized profile payloads that match the risk level.

By the end of this process, you will have three device policies for Android, one for each risk level.

Create Risk Response Device Policies for iOS

  1. While logged into Workspace ONE UEM as an administrator, select the Add button in the top banner, then select Profile.
  2. Select Apple iOS and then Device Profile.
  3. Under the General tab, enter as the Name, MTD Low Risk iOS.
  4. Under Smart Groups, select the name of the smart group you created earlier, MTD Low Risk.
  5. Configure the following options.
    • Deployment - Managed
    • Assignment Type - Auto
    • Allow Removal - With Authorization or Never. If you select With Authorization, you must enter a password, and end users can remove the MTD Low Risk iOS profile only with that password. Never prevents removal by the end user altogether and is the stronger choice for the High Risk profile.
    • Managed By - leave it set to the default organization group
    • Additional Assignment Criteria - accept all default settings
    • Removal Date - leave blank
  6. In the left panel, select and configure each applicable payload for the device profile that gets assigned to iOS devices at risk from an external threat. For example, Restrictions, which you can configure to limit device functionality, or Network Usage Rules, which you can configure to limit cellular, SIM, and data roaming usage.
  7. When finished adding payloads, select Save And Publish.

    This screenshot shows the modal for an iOS device profile after it has been configured with the OG and smart group from the risk response example.

  8. Repeat steps 1-7 to make MTD Medium Risk iOS and MTD High Risk iOS versions of the profile, each with customized profile payloads that match the risk level.

By the end of this process, you will have three device policies for iOS, one for each risk level.
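The tag, smart group, and profile chain described in the remediation workflow and built in the three procedures above only enforces anything if every link is present and configured as specified. The following Python script is an added example, not part of the Workspace ONE documentation and not VMware's or Lookout's code, that audits an exported configuration against those procedures: one smart group per MTD tag matching only that tag, an Android and an iOS profile assigned to each group, Assignment Type Auto, and Allow Removal set to Never or With Authorization (flagging With Authorization on the High Risk profiles as the weaker choice). It also shows how dynamic membership behaves for a device that carries more than one MTD tag. The sample data is constructed, and its field names (Name, Tags, Platform, SmartGroups, AssignmentType, AllowRemoval) are assumptions chosen to mirror what you would read out of the UEM console or its REST API; adapt them to the real export format before use.

```python
"""Audit the Workspace ONE UEM risk-response configuration for Mobile Threat Defense.

Added example; not VMware or Lookout code. Field names below are ASSUMPTIONS
standing in for an export from the UEM console or REST API.
"""

RISK_LEVELS = ("Low", "Medium", "High")
# UEM tag applied by the MTD console -> smart group that must match only that tag
MTD_TAGS = {f"MTD - {lvl} Risk": f"MTD {lvl} Risk" for lvl in RISK_LEVELS}
PLATFORMS = ("Android", "iOS")
ACCEPTABLE_REMOVAL = ("Never", "With Authorization")


def risk_groups_for_tags(device_tags):
    """Smart groups a device falls into given its current UEM tags.

    Membership is dynamic: when the MTD console adds or removes a tag, the
    device enters or leaves the group. A device carrying two MTD tags lands in
    two groups and receives both groups' profiles at once.
    """
    return sorted(MTD_TAGS[t] for t in device_tags if t in MTD_TAGS)


def audit(smart_groups, profiles):
    """Return a list of findings; an empty list means the chain is complete."""
    findings = []
    by_name = {g["Name"]: g for g in smart_groups}
    for tag, group_name in MTD_TAGS.items():
        group = by_name.get(group_name)
        if group is None:
            findings.append(f"missing smart group {group_name!r} for tag {tag!r}")
            continue
        tags = set(group.get("Tags", []))
        if tags != {tag}:
            findings.append(
                f"smart group {group_name!r} should match only tag {tag!r}, "
                f"matches {sorted(tags)}"
            )
        for platform in PLATFORMS:
            assigned = [
                p for p in profiles
                if p["Platform"] == platform and group_name in p["SmartGroups"]
            ]
            if not assigned:
                findings.append(f"no {platform} profile assigned to {group_name!r}")
                continue
            for p in assigned:
                if p["AssignmentType"] != "Auto":
                    findings.append(
                        f"profile {p['Name']!r} must use Assignment Type Auto, "
                        f"has {p['AssignmentType']!r}"
                    )
                if p["AllowRemoval"] not in ACCEPTABLE_REMOVAL:
                    findings.append(
                        f"profile {p['Name']!r} lets users remove it "
                        f"(Allow Removal = {p['AllowRemoval']!r})"
                    )
                elif group_name == "MTD High Risk" and p["AllowRemoval"] != "Never":
                    findings.append(
                        f"profile {p['Name']!r}: use Allow Removal = Never for high-risk devices"
                    )
    return findings


# Constructed sample export with two deliberate mistakes and one weak setting.
SAMPLE_SMART_GROUPS = [
    {"Name": "MTD Low Risk", "Tags": ["MTD - Low Risk"]},
    {"Name": "MTD Medium Risk", "Tags": ["MTD - Medium Risk", "MTD - High Risk"]},  # two tags
    {"Name": "MTD High Risk", "Tags": ["MTD - High Risk"]},
]


def _profile(name, platform, group, removal):
    return {"Name": name, "Platform": platform, "SmartGroups": [group],
            "AssignmentType": "Auto", "AllowRemoval": removal}


SAMPLE_PROFILES = [
    _profile("MTD Low Risk Android", "Android", "MTD Low Risk", "Never"),
    _profile("MTD Low Risk iOS", "iOS", "MTD Low Risk", "With Authorization"),
    # MTD Medium Risk Android deliberately absent
    _profile("MTD Medium Risk iOS", "iOS", "MTD Medium Risk", "Never"),
    _profile("MTD High Risk Android", "Android", "MTD High Risk", "Never"),
    _profile("MTD High Risk iOS", "iOS", "MTD High Risk", "With Authorization"),  # weak
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_SMART_GROUPS, SAMPLE_PROFILES):
        print("FINDING:", finding)
    print("device with High tag ->", risk_groups_for_tags(["MTD - High Risk", "Finance"]))
```

Run against the constructed sample, the audit reports three findings: the Medium smart group matches two tags, no Android profile is assigned to it, and the High Risk iOS profile allows password-authorized removal. The membership helper makes the overlap visible: a device tagged both MTD - Low Risk and MTD - High Risk is in both groups and receives both sets of payloads, which is why each smart group should match exactly one tag.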
