Compliance Rule Set Editor
- Kari Mattsson
- Anonymous
In the compliance rule set window, you can:
- Define the rules the devices must comply to
- Define to which device groups the rule set applies
- Define scheduled checking for the rules
The support for different compliance rules depends on the platform. On legacy platforms, you can only check if and when the device has last connected to the service.
Basic Settings
The basic settings are:
Name (mandatory)
Enter a display name for the rule set.
Automatic checking
Click the link to select on which weekdays to run automatic checking for the rule set.
Enter an Email address to which the results are sent if one or more devices fail the scheduled compliance check.
Select Send report also if all device match rules if necessary.
Applies to groups
Select the device groups to which the rule set applies by clicking Select device groups. In the view that opens, in the Groups list, click on groups (Ctrl click for multiple selection) and select them by clicking >>.
Device groups are configured in the Devices→Groups view, as described in Device Groups.
Rule List
The rule list lists the rules applicable for the particular platform.
The columns are as follows:
Rule
Name of the rule.
Enabled
Whether the rule is enabled or not.
Requirement
The exact requirement for the value if applicable. For different rules, you can select the requirement from a drop-down list, input a value, or open a requirement editor.
Auto-enforce
Some rules can be automatically enforced if a device does not comply with the rules. Automatic enforcing is done when the compliance is checked, either manually or during scheduled compliance check. As with manual enforcing, the EMM service executes commands in the failing devices to make them compliant.
Platform Support for Rules
The rules are made separately for each platform. Different platforms support different rules.
| Rule | Android | iOS | Windows 8-10 |
|---|---|---|---|
| Device is roaming | ✓ | ✓ | ✓ |
| Device is rooted | ✓ | ✓ | |
| EAS accounts are installed | ✓ | ||
| EAS accounts use SSL | ✓ | ✓ | ✓ |
| EAS is active | ✓ | ✓ | |
| EAS server | ✓ | ||
| Encrypt | ✓ | ||
| Encrypted | ✓ | ✓ | |
| Has been synced | ✓ | ✓ | ✓ |
| IMEI specified | ✓ | ✓ | |
| Installed app requirements | ✓ | ✓ | ✓ |
| Password is compliant | ✓ | ✓ | |
| Password minimum length | ✓ | ||
| Password requirement | ✓ | ||
| Phone number specified | ✓ | ||
| PNS token is valid | ✓ | ||
| Push notification system in use | ✓ | ||
| Settings update mode 'Active' | ✓ | ||
| Settings update mode 'Passive' | ✓ | ||
| Time since last DM session | ✓ | ✓ | ✓ |
| Time since last sync session | ✓ | ✓ | ✓ |
| WLAN: Only secure connections allowed | ✓ | ||
| WSDM client installed | ✓ | ||
| WSDM client version | ✓ | ✓ | |
| WSDM DM interval in hours, max | ✓ | ||
| WSDM DM interval in hours, min | ✓ |
Other platforms (mostly legacy) only support the connectivity rules: Has been synced and Time since last DM/sync session.
Rules
Device is roaming (Android, iOS, Windows 8-10)
Select Yes to require that the devices are roaming (this is rarely useful) or No that they may not be roaming (typically).
The roaming state of a device is shown in the Network page in device diagnostics.
Device is rooted (Android)
Select Yes to require that the devices are rooted or No to require that the devices are rooted.
The rooted state of a device is shown in the device page in device diagnostics.
EAS accounts are installed (Android)
Requires that EAS accounts are installed on the devices. The EAS accounts of a device are shown in the EAS accounts section in the device diagnostics, as described in Device Diagnostics.
EAS accounts use SSL (Android, iOS, Windows 8-10, etc)
Select Enabled to make use of SSL mandatory or Disabled to disallow the use of SSL.
The rule can be auto-enforced.
EAS is active (Android, Windows 8-10)
Requires that the device configuration has an active Exchange ActiveSync profile. The profile is configured in device configuration, in the Email & Exchange→Exchange ActiveSync section.
EAS server (Windows 8-10)
Requires that Exchange ActiveSync server must equal the one configured in the input field.
Encrypt (Windows 8-10)
Requires that device settings are correct for enabling device encryption. The rule does not require that encryption is actually used, but that the settings make it possible.
Encrypted (Android, Windows 8-10)
Requires that the devices must be encrypted. Encryption is configured in the Security→Device encryption section of the device configuration. The current status is shown in the Network section of device diagnostics, as described in Device Diagnostics.
Has been synced (all platforms)
Requires that the devices have been synchronised with the EMM service.
IMEI specified
Requires that the IMEI (or equivalent) code of the devices is known or indicated. The IMEI code of a device is shown in the device information section in the device diagnostics, as described in Device Diagnostics.
Installed app requirements
Click the requirement to open the Installed app requirements editor. The number of required, blacklisted, and whitelisted applications is shown in the requirement label.
The rule can be auto-enforced, in which case the required or offending applications are automatically installed or removed by the EMM service when the compliance is checked.
Password is compliant (Android and iOS)
Check fails if the current password is not compliant. Password compliance follows the password policy, as defined in the Security→Password policy section of the device configuration. You can see the current status of password compliance for a device in the device information section in device diagnostics, as described in Device Diagnostics.
Password minimum length (Windows 8-10)
Requires that the device passwords have at least the given length.
Password requirement (Windows 8-10)
Requires that passwords are used.
Phone number specified
Requires that the devices must have a phone number specified in the device configuration.
PNS token is valid (iOS)
Requires that the Push Notification Service token is valid.
Push notification system in use (Android)
Requires that a push notification system is used. You need to choose from the given options: Google Cloud Messaging, XMPP/WSDM, or SMS/WSDM. The push system is configured the Applications→WSDM Client section in device configuration. The current notification protocol of a device is shown in the Protocols section of device diagnostics, in the Management and notification support→NotificationProtocol field, as described in Device Diagnostics.
Settings update mode 'Active' (Windows 8-10)
Requirement for the 'Active' update mode. The update mode is configured in the Network→Connection settings (WP8) section of the device configuration.
Settings update mode 'Passive' (Windows 8-10)
Requirement for the 'Passive' update mode.
Time since last DM session (all platforms)
Requires that the devices have made a device management session within the given time. You need to enter the time and its unit (hours, days, weeks). The connection interval is configured in the Applications→WSDM Client section of the device configuration. The actual time since last DM session is shown in the General section in device diagnostics, in the Last processed field, as described in Device Diagnostics.
Time since last sync session (all platforms)
Requires that the devices have made a device management session within the given time. You need to enter the time and its unit (hours, days, weeks). The connection interval is configured in the Applications→Synchronisation settings section of the device configuration. The actual time since last DM session is shown in the General section in device diagnostics, in the Last data synchronisation field, as described in Device Diagnostics.
WLAN: Only secure connections allowed (iOS)
Requires that only connections with secure WPA/WPA2 are allowed. WEP or ambiguous options are not allowed.
WSDM client installed (Windows 8)
Requires that a WSDM client, such as Company Hub, is installed.
WSDM client version
Requires that the versions of the WSDM clients currently installed in the devices matches the specified version. The version must be given as a (Java) regular expression. Note that separator dots must be quoted with backslash. For example, "4\.0\.[0-7]" would match any 4.0.x version, where x is from 0 to 7. The string must match the entire version string. For example, to match any 4.0.x version, "4\.0" would not be sufficient, but you could specify "4\.0\.\d+".
WSDM DM interval in hours, max (Android)
Requires that the configured DM connection interval should not be longer than the length given in hours. The connection interval is configured in the Applications→WSDM Client section of device configuration.
WSDM DM interval in hours, min (Android)
Requires that the configured DM connection interval should be at least the length given in hours. The connection interval is configured in the Applications→WSDM Client section of device configuration.