VMware Cloud Expert

LAB 05 - Restrict Unwanted Apps


INTRODUCTION

You can use application groups (app groups) and compliance policies to protect resources in your Workspace ONE UEM environment. Application groups identify permitted and restricted applications so that compliance policies can act on devices that do not follow protective standards.

You can configure app groups for several platforms, but you cannot combine all of them with compliance policies. For those platforms that you cannot combine with compliance policies, apply an application control profile instead.

TASKS

STATE/ORGANIZATION MANDATE

To further enhance the protection of corporate data, your organization has mandated that only corporate-approved applications (applications in the App Catalog) should be allowed on corporate-owned devices. Users should not be allowed to access the App Store and install arbitrary apps from there.

In the case of employee-owned devices, the organization understands that it cannot prevent users from installing applications on their own devices. However, if a user has installed an app deemed "bad" (denylisted) on their device(s), corrective action must be taken by the user, or their device(s) must ultimately be prevented from accessing any and all corporate resources.

Task 1 - Remove App Store from Corporate Owned Device(s)

Public application installation on Corporate-Owned (Supervised) devices can be restricted by removing the App Store. In such a case, the organization will add and assign the approved public apps and then remove the store.

  1. Log into the Workspace ONE UEM Console if required
  2. Click Groups & Settings --> All Settings
  3. Expand Apps --> Workspace ONE
  4. Click App Restrictions
  5. Select Override
  6. Check the Restricted Mode for Public iOS Applications checkbox
  7. Click SAVE
  8. Click the 'X' to close the Settings dialog

While restricting use of the App Store is an easy fix, it is not a solution for everyone: it removes the whole App Store from supervised, corporate-owned devices rather than targeting specific apps. In that case it is also possible to deny specific applications from running, and to take them over as managed apps so that their removal can be forced.

To do this we need to, at a high level:

  • Create a restriction profile
  • Assign it to a smart group by tag
  • Add the denied app as a VPP (managed) app
  • Tag the device with Workspace ONE Intelligence

Task 2 - Restrict Employee-Owned device(s) with Unwanted Apps

Task 2.1 - Configure Privacy Policy

In the Workspace ONE UEM console, if you configure the Privacy settings of the Personal Application as Do Not Collect the system does not collect the personal app information from the devices. That is, the end user’s personal application information is not transmitted from their devices.

The Privacy settings however have the following caveats that impact the Application List Compliance and Application Control profile settings:

  • The compliance policy for the Application List checks whether a device has the appropriate applications (denylist, allowlist, or required). If the system does not query for the Application List, it cannot check for these applications. As a result, devices that contain applications from the denylist group are not marked as 'non-compliant'. Similarly, devices that do contain a 'required' application installed as a personal app may be marked as 'non-compliant', because the system cannot see that the app is present.
  • An Application Control profile with an action on 'denylist' apps is not applied to devices whose personal app privacy is set to Do Not Collect; it is applied only to devices for which personal app information is collected.

  1. Click Groups & Settings --> All Settings
  2. Expand Devices & Users --> General
  3. Click Privacy
  4. Select Override
  5. Scroll down to the Applications section
  6. For "Personal Applications", set the Employee Owned column to Collect Do Not Display
  7. Click SAVE
  8. When prompted, type in your security PIN - 1234
  9. Click the 'X' to close the Settings dialog

Task 2.2 - Create a Denylist App Group

Configure application groups, or app groups, so that you can use them in your compliance policies and take set actions on devices that do not comply, for example by installing, updating, or removing applications. You assign application groups to organization groups.

  1. In the Workspace ONE UEM Console, click Resources --> App Groups
  2. Click Add Group
  3. Configure the App Group as follows:
    • Type: Denylist
    • Platform: Apple iOS
    • Name: Restricted App - {Your Initials}
    • Application Name
      • Didi
      • TikTok
      • WeChat
    • Click the search icon next to each application and select the application to resolve its application (bundle) ID
  4. Click NEXT
  5. Click FINISH

Task 2.3 - Create a Compliance Policy

Compliance policies enable you to act upon devices that do not comply with set standards. For example, you can create compliance policies that detect when users install forbidden applications. Then configure the system to act automatically on devices with the non-compliance status.

You can create compliance policies for single applications using the Compliance List View, or for lists of applications using application groups. Although you are not required to use application groups, these groups enable you to take preventive actions on large numbers of non-compliant devices.

Example of compliance policy actions: the compliance engine detects a user with a game-type application that is one of the applications in a denylist app group. You can configure the compliance engine to take several actions, escalating over time:

  • Send a push notification to the user prompting them to remove the application.
  • Remove certain features such as Wi-Fi, VPN, or email profiles from the device.
  • Remove specific managed applications and profiles.
  • Send a final email notification to the user copying IT Security and HR.

  1. In the Workspace ONE UEM Console, click Devices --> Compliance Policies
  2. Click List View
  3. Click Add
  4. Click iOS
  5. Define the policy as follows:
    1. Rules - Match: All
      • Application List
      • Contains Denied App(s)
    2. Click NEXT
    3. Actions, in escalation order:
      • Check Mark as Not Compliant
      • After 1 hr - Notify: Send Push Notification
      • After 1 day - Command: Enterprise Wipe (an Enterprise Wipe unenrolls the device and removes corporate apps, profiles and data while leaving personal data in place, which is what makes it the appropriate final action for employee-owned devices)
    4. Click NEXT
    5. Assignment - set Smart Group to 'Employee Owned (xxx/Employee Owned)'
  6. Click NEXT
  7. Click FINISH & ACTIVATE
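The interaction between the personal-app privacy setting in Task 2.1 and the denylist compliance policy in Task 2.3 is easier to see in code than by clicking through the console. The following is an added example, not Workspace ONE UEM code: a small offline model of the compliance engine that evaluates an "Application List contains denied app(s)" rule against a device's reported inventory, honours the Do Not Collect caveat, and applies the escalating actions configured above. The device records, the com.example.* bundle IDs, and the visible_apps, actions_due and evaluate functions are all constructed for this illustration and are not the product's own.

```python
"""Offline model of the denylist compliance flow in this lab.

Added example, not Workspace ONE UEM product code. It models how the
personal-app privacy setting (Task 2.1), a denylist app group (Task 2.2)
and a compliance policy with escalating actions (Task 2.3) interact.
Device records, bundle IDs and helper names are constructed (assumptions).
"""
from dataclasses import dataclass

# Privacy setting values for "Personal Applications" (names from the lab)
DO_NOT_COLLECT = "Do Not Collect"
COLLECT_DO_NOT_DISPLAY = "Collect Do Not Display"

# Denylist app group. The console resolves app names to bundle IDs via the
# search icon; these com.example.* IDs are placeholders, not the real ones.
DENYLIST = frozenset({
    "com.example.didi",    # Didi
    "com.example.tiktok",  # TikTok
    "com.example.wechat",  # WeChat
})

# Compliance policy actions in escalation order: (minutes after detection, action)
ESCALATION = (
    (0, "Mark as Not Compliant"),
    (60, "Notify: Send Push Notification"),  # after 1 hr
    (24 * 60, "Command: Enterprise Wipe"),   # after 1 day
)


@dataclass(frozen=True)
class Device:
    name: str
    ownership: str              # "Corporate" or "Employee Owned"
    personal_app_privacy: str   # privacy setting for this ownership type
    managed_apps: frozenset     # apps installed through the console
    personal_apps: frozenset    # apps the user installed themselves


def visible_apps(device: Device) -> frozenset:
    """The Application List as the console sees it.

    Managed apps are always reported; personally installed apps are reported
    only when the privacy setting for personal apps is not Do Not Collect.
    """
    if device.personal_app_privacy == DO_NOT_COLLECT:
        return device.managed_apps
    return device.managed_apps | device.personal_apps


def actions_due(minutes_since_detection: int) -> list:
    """Every escalation step whose delay has elapsed, in policy order."""
    return [action for delay, action in ESCALATION
            if minutes_since_detection >= delay]


def evaluate(device: Device, denylist=DENYLIST, required=frozenset(),
             minutes_since_detection: int = 0) -> dict:
    """Apply 'Application List contains denied app(s)' plus any required apps."""
    seen = visible_apps(device)
    denied = sorted(seen & denylist)
    missing = sorted(required - seen)     # required app not reported => missing
    compliant = not denied and not missing
    return {
        "device": device.name,
        "denied": denied,
        "missing_required": missing,
        "compliant": compliant,
        "actions": [] if compliant else actions_due(minutes_since_detection),
    }


# Constructed sample devices: identical apps, different privacy setting.
BYOD_HIDDEN = Device("iphone-alice", "Employee Owned", DO_NOT_COLLECT,
                     frozenset({"com.example.mail"}),
                     frozenset({"com.example.tiktok", "com.example.authenticator"}))
BYOD_VISIBLE = Device("iphone-bob", "Employee Owned", COLLECT_DO_NOT_DISPLAY,
                      frozenset({"com.example.mail"}),
                      frozenset({"com.example.tiktok", "com.example.authenticator"}))

if __name__ == "__main__":
    for dev in (BYOD_HIDDEN, BYOD_VISIBLE):
        for minutes in (0, 90, 24 * 60 + 1):
            print(evaluate(dev, minutes_since_detection=minutes))
    # Second caveat: a required app that is a personal install is invisible
    # under Do Not Collect, so the device is flagged even though it has it.
    print(evaluate(BYOD_HIDDEN, required=frozenset({"com.example.authenticator"})))
```

Running the block shows the two caveats side by side: the same TikTok install is invisible, and the device therefore "compliant", under Do Not Collect, while under Collect Do Not Display the device is marked non-compliant immediately, gets the push notification once an hour has passed, and reaches the Enterprise Wipe after a day; and a required app that the user installed personally shows up as missing under Do Not Collect, producing a false non-compliance.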
