VMware Cloud Expert

LAB 03 - Limit/Prevent non-compliant devices

Updated on

INTRODUCTION

The compliance engine is an automated tool by Workspace ONE UEM that ensures all devices abide by policies that you define. These policies can include basic security settings such as requiring a passcode and enforcing certain precautions including passcode strength, deny-listing certain apps, and requiring device check-in intervals.

Once devices are non-compliant, the compliance engine warns users to prevent disciplinary action on the device by addressing compliance errors.

In addition, devices not in compliance cannot have device profiles assigned to it and cannot have apps installed on the device. If corrections are not made in the amount of time specified, the device loses access to certain content and functions that you define. The available compliance policies and actions vary by platform.

TASKS

STATE/ORGANIZATION MANDATE

Your organization has instituted a mobile device security mandate to limit the organizations exposure to compromise and data leakage. Among the requirements in the mandate, they need to ensure that all devices connecting to their network and accessing corporate data must have encrypted storage. Any device found to be in violation of this mandate must 1st be notified, then corporate email access should be removed. If after 3 days the user has not addressed the violate the device should be removed from management and have no further access to the organization's resources.

Task 1 - Setup a compliance policy
  1. WS1 Console, Click Groups & Settings --> All Settings
  2. Expand Device & Users
  3. Expand General
  4. Click Message Templates
  5. Click Filter and under Category Select Compliance
  6. Select the "Compliance Violation User Notification" Message Template
  7. Click Copy
  1. Append your Initials at the end of the Template Name
  2. In the message template Message body section add the following sentence under {PolicyViolationRules}
    • Please encrypt the local any removable storage attached your device. For further instructions, please see the link below
      https://bit.ly/3pbp2l2
  1. Click SAVE to save the template
  2. Click the "X" to close the dialog
  3. In the WS1 Console, Click Devices --> Compliance Policies
  4. Click List View
  5. Click Add, to add a new Compliance Policy
  1. Select iOS
  2. Define the Policy Rule as follows:
  1. Click NEXT
  2. Uncheck "Default Template"
  3. Select your template from the dropdown list
  1. Click Add Escalation
  2. Chose Email
  3. Choose Block Email
  1. Click Add Escalation
  2. Set the Action delay to 2 days
  3. Choose Command
  4. Choose Enterprise Wipe
  5. Click NEXT
  1. Assign the policy to Employee Owned (xxxx / Employee Owned) Smart Group
  2. Click NEXT
  3. Click FINISH & ACTIVATE

Conclusion

0 Comments

Add your comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Message

Download Article PDF Print Article