Security settings (WorkPlace Persona policy)

Use the Security settings to configure device and data security on MaaS360® enrolled devices.

You can configure the following security-specific policy settings.

  • Device Security Policies
  • Data Protection Policies
  • Other Settings

Table 1. Configure Device Security Policies

| Policy setting | Description | Supported devices |
|---|---|---|
| Restrict jailbroken/rooted devices | This option prevents users from accessing secure content if their device is jailbroken or rooted. | iOS, Android |
| Restrict devices with malware | This option prevents access to corporate content if malware is detected on the device. | iOS App 2.71+, Android 5.65+ |
| App exceptions | Enter the App ID of apps to allow, regardless of malware status. | Android App 5.70+ |
| Allow all system apps | This option allows all system apps, regardless of malware status. | Android App 5.95+ |
| Restrict access to insecure Wi-Fi | This option restricts users from accessing secure content if the device is connected to an unsecured Wi-Fi network. If this setting is enabled, configure the Wi-Fi settings, such as the remediation action and the trusted Wi-Fi SSIDs. Note: Enable the GPS location service on the device to use this setting. | Android App 6.00+ |
| Insecure Wi-Fi remediation action | Choose to notify a user or block Wi-Fi on the device when the device is connected to an unsecured Wi-Fi network. | Android App 6.00+ |
| Trusted Wi-Fi SSIDs | Provide a comma-separated list of trusted Wi-Fi SSIDs that are exempt from a compliance check. If this field is blank, then all SSIDs, including trusted SSIDs, are scanned regularly, which might lead to resource drain on the device. | Android App 6.00+ |
| Enable time bomb (days) | This option deletes corporate data from the container if the data is not accessed for a specific number of days. The allowed range is 7 - 365 days. This field must be blank to not set a time bomb value. | iOS, Android |

Table 2. Configure Data Protection Policies

| Policy setting | Description | Supported devices |
|---|---|---|
| Restrict export of managed content and email attachments | This option restricts the export of managed content and email attachments. This setting also restricts the forwarding of content from external or personal email clients, or from opening content in unmanaged apps. Configure the following list of allowed app names and attachments for iOS and Android. | iOS, Android |
| Allow iOS app name | This option exports content to defined third-party apps. Type a few characters to search for the app name. Input the app name that you want to allow. All other iOS apps are blocked from being used. | iOS |
| Allow Android app ID | This option exports content to the defined third-party apps. Input the Android app ID that you want to allow. All other Android apps are blocked. | Android |
| Allowed file types | This option allows a third-party app to open files of the defined type. Input comma-separated extension types (DOC, JPG, XLS) that you want to allow. All other file types are blocked. Note: You can open all other file types in the MaaS360 app, but you cannot export those files. | iOS, Android |
| Restrict file share | This option restricts the sharing of files. If you disable this setting, you can share files with allowed apps. | Android 5.65+ |
| Restrict clipboard export | This option restricts copying and pasting content externally to an app that does not have the IBM® MaaS360 SDK. Users can still copy and paste within the app and also copy content from outside into the app. Note: For Android devices, this setting does not apply to wrapped or SDK-based apps. | iOS, Android |
| Restrict screenshot | For iOS devices, this option limits screen recording or screen sharing of the IBM MaaS360 app. For Android devices, this option limits capturing screenshots within the IBM MaaS360 container along with screen recording and screen sharing. | Android, iOS Agent 3.7+ |
| Restrict print | This option restricts users from downloading content from the device to a printer. For Android devices, file exports must be allowed for the Print option to display on the IBM MaaS360 Viewer and IBM MaaS360 Editor. For iOS devices, enabling the Print option allows users to export content to other apps by using Printer Options even if File and Clipboard restrictions are enforced. | Android App 5.55+, iOS App 2.70+ |
| Restrict import of files | This option restricts users from importing documents from other apps to email, or from saving these files. If this setting is not enabled, choose whether to restrict or allow the following settings. | iOS App 2.30+, Android App 5.00+ |
| Restrict import from camera | This option restricts users from importing images with the camera. | Android App 5.21+ |
| Restrict import from gallery | This option restricts users from importing images from the photo gallery. | Android App 5.21+ |
| Restrict import from SD card | This option restricts users from importing files or content from the SD card. | Android App 5.21+ |
| Configure apps allowlist for import | This option enables users to import files only from allowlisted apps into Email/Docs using import buttons (identified by a plus sign). However, users still cannot import any file through open-with/share intent from allowlisted apps. | Android App 5.21+ |
| Allowed apps | This option specifies the App IDs for allowed apps. This field must be blank if no third-party apps are allowed for importing. | Android App 5.20+ |
| Lock widgets with container | This option locks the widgets with a container timeout. | Android App 5.35+ |
| Restrict notifications when app is locked | When an app is locked, notifications for new email messages, calendar invites, and reminders are restricted and a generic notification text is displayed. All notifications from WorkPlace apps are restricted. If the setting is enabled, configure the following notification restrictions. | Android App 5.00+ |
| Restrict notifications for new emails and calendar invites | This option restricts notifications for new email messages and calendar invites. | Android App 5.32+ |
| Restrict notifications for event and task reminders | This option restricts notifications for events and task reminders. | Android App 5.32+ |
| Restrict notifications for new docs distributed | This option restricts notifications for any new documents that are distributed. | Android App 5.55+ |
| Restrict Doc access based on Inactivity | This option restricts access to docs if the app is not accessed for a defined number of minutes (5 to 1440). This field must be blank to ignore. Supported only if WorkPlace PIN® is not enabled and for AD users. | iOS App 2.97+ |
| Enable AD rights management handling | Microsoft Cloud must have access to Corporate Rights Management AD to specify the app client ID. Contact IBM Support for more information. | iOS 3.18+, Android App 5.75+ |
| App client ID | The client ID generated by the app when you registered the app for the Azure AD tenant. The steps for displaying it follow this table. | iOS 3.18+, Android App 5.75+ |

To display an App client ID from Azure in the MaaS360 Portal, follow these steps:
  1. Log in to the Azure Management Portal.
  2. Select the Active Directory that you want to use.
  3. Click Applications, and then add an application.
  4. To register the application, provide the following information:
    1. Select Add an application my organization is developing.
    2. Provide a name for the application. For example, MaaS360 RMS.
    3. Select Type = Native client application.
    4. Specify the Redirect URI = maas360://msal/auth.
  5. Select the application, and then click Configure.
  6. From Permissions to other applications, set Windows Azure Active Directory, and then select Sign in and read user profile as the delegated permissions.
  7. From Permissions to other applications, set Microsoft Rights Management Services, and then select Create and access protected content for users as the delegated permissions.
  8. Copy the App client ID that is displayed in Azure and paste the ID in the IBM MaaS360 Portal.

Table 3. Configure Other Settings

| Policy setting | Description | Supported devices |
|---|---|---|
| Validate server certificate | Validates server certificates from MaaS360 servers during SSL connection. This setting provides extra protection against man-in-the-middle attacks. Configure the following SSL certificate settings. | iOS 3.1+, Android App 5.32+ |
| Use SSL inspection in corporate network | Enable this option if your corporate network uses SSL. | iOS 3.1+, Android App 5.32+ |
| Server certificates for SSL Inspection | Uploads root CA certificates only for SSL inspection. | iOS 3.1+, Android App 5.32+ |
| Allow collection of diagnostic logs | Collects diagnostic logs from your network. If you disable this setting, the logs are not collected. Note: Disabling this setting impacts the ability to troubleshoot issues. Do not disable this setting during the solution Trial phase. | iOS 2.98+, Android App 5.32+ |
| Restrict adding of SDK / wrapped apps on launcher | Restricts activated WorkPlace apps from displaying in the launcher. | iOS 2.99+ |
| Advanced configuration details | Configure the setting name and value for advanced mail configuration. Note: This setting must be configured if suggested by IBM Support. | iOS 3.0+, iOS Browser 2.04+, Android App 5.55+ |
| Enable Bluetooth based workstation login | If this setting is enabled, users can use Bluetooth-based authentication to lock or unlock their workstation. Note: This setting is only supported if Entrust is selected as the derived credential vendor. | iOS 10.0+ |
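
A pre-deployment lint for the constraints stated in the three tables (the time bomb and inactivity ranges, blank trusted SSIDs, the iOS print export path, and server certificate validation), given here as an added example that is not part of the MaaS360 documentation or product. The dictionary keys are hypothetical names for the settings, not a MaaS360 export format, and the sample policies are constructed.

```python
# Added example: lint a Security policy against the constraints in the tables above.
# Key names are hypothetical (chosen for this sketch), not a MaaS360 export format.

def lint_security_policy(policy):
    findings = []

    def check_range(key, low, high, label):
        value = policy.get(key)
        if value in (None, ""):  # the tables say a blank field means "not set"
            return
        if type(value) is not int or not low <= value <= high:
            findings.append(f"{label}: {value!r} is outside {low}-{high}")

    check_range("time_bomb_days", 7, 365, "Enable time bomb (days)")
    check_range("doc_inactivity_minutes", 5, 1440,
                "Restrict Doc access based on Inactivity")

    if policy.get("restrict_insecure_wifi"):
        ssids = [s.strip() for s in (policy.get("trusted_wifi_ssids") or "").split(",")]
        if not any(ssids):
            findings.append("Trusted Wi-Fi SSIDs is blank: every SSID is scanned "
                            "regularly, which can drain device resources")

    export_locked = (policy.get("restrict_export")
                     or policy.get("restrict_clipboard_export"))
    if export_locked and not policy.get("restrict_print"):
        findings.append("Restrict print is off: on iOS, Printer Options can export "
                        "content even if file and clipboard restrictions are enforced")

    if not policy.get("validate_server_certificate"):
        findings.append("Validate server certificate is off: no extra protection "
                        "against man-in-the-middle attacks")
    return findings

# Constructed sample policies (not exported from a real tenant).
WEAK_POLICY = {
    "time_bomb_days": 3, "doc_inactivity_minutes": "",
    "restrict_insecure_wifi": True, "trusted_wifi_ssids": " ",
    "restrict_export": True, "restrict_clipboard_export": True,
    "restrict_print": False, "validate_server_certificate": False,
}
HARDENED_POLICY = dict(WEAK_POLICY, time_bomb_days=30, restrict_print=True,
                       trusted_wifi_ssids="CorpNet,CorpGuest",
                       validate_server_certificate=True)

if __name__ == "__main__":
    for finding in lint_security_policy(WEAK_POLICY):
        print("FINDING:", finding)
```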