Security settings (WorkPlace Persona policy)
Use the Security settings to configure device and data security on MaaS360® enrolled devices.
You can configure the following security-specific policy settings.
- Device Security Policies
- Data Protection Policies
- Other Settings

Device Security Policies

| Policy setting | Description | Supported devices |
|---|---|---|
| Restrict jailbroken/rooted devices | This option prevents users from accessing secure content if their device is jailbroken or rooted. | iOS, Android |
| Restrict devices with malware | This option prevents access to corporate content if malware is detected on the device. | iOS App 2.71+, Android 5.65+ |
| App exceptions | Enter the App ID of apps to allow, regardless of malware status. | Android App 5.70+ |
| Allow all system apps | This option allows all system apps, regardless of malware status. | Android App 5.95+ |
| Restrict access to insecure Wi-Fi | This option restricts users from accessing secure content if the device is connected to an unsecured Wi-Fi network. If this setting is enabled, configure Wi-Fi settings such as remediation actions and trusted Wi-Fi SSIDs. Note: Enable the GPS location service on the device to use this setting. | Android App 6.00+ |
| Insecure Wi-Fi remediation action | Choose to notify a user or block Wi-Fi on the device when the device is connected to an unsecured Wi-Fi network. | Android App 6.00+ |
| Trusted Wi-Fi SSIDs | Provide a comma-separated list of trusted Wi-Fi SSIDs that are exempt from a compliance check. If this field is blank, then all SSIDs, including trusted SSIDs, are scanned regularly and might lead to potential resource drain on the device. | Android App 6.00+ |
| Enable time bomb (days) | This option deletes corporate data from the container if the data is not accessed for a specific number of days. The allowed range is 7 - 365 days. Leave this field blank if you do not want to set a time bomb value. | iOS, Android |

Data Protection Policies

| Policy setting | Description | Supported devices |
|---|---|---|
| Restrict export of managed content and email attachments | This option restricts the export of managed content and email attachments. This setting also restricts the forwarding of content from external or personal email clients, or from opening content in unmanaged apps. Configure the following list of allowed app names and attachments for iOS and Android. | iOS, Android |
| Allow iOS app name | This option exports content to defined third-party apps. Type a few characters to search for the app name. Input the app name that you want to allow. All other iOS apps are blocked from being used. | iOS |
| Allow Android app ID | This option exports content to the defined third-party apps. Input the Android app ID that you want to allow. All other Android apps are blocked. | Android |
| Allowed file types | This option allows a third-party app to open files of the defined type. Input comma-separated extension types (DOC, JPG, XLS) that you want to allow. All other file types are blocked. Note: You can open all other file types in the MaaS360 app, but you cannot export those files. | iOS, Android |
| Restrict file share | This option restricts the sharing of files. If you disable this setting, you can share files with allowed apps. | Android 5.65+ |
| Restrict clipboard export | This option restricts copying and pasting content externally to an app that does not have the IBM® MaaS360 SDK. Users can still copy and paste within the app and also copy content from outside into the app. Note: For Android devices, this setting does not apply to wrapped or SDK-based apps. | iOS, Android |
| Restrict screenshot | For iOS devices, this option limits screen recording or screen sharing of the IBM MaaS360 app. For Android devices, this option limits capturing screenshots within the IBM MaaS360 container along with screen recording and screen sharing. | Android, iOS Agent 3.7+ |
| Restrict print | This option restricts users from downloading content from the device to a printer. For Android devices, file exports must be allowed for the Print option to display on the IBM MaaS360 Viewer and IBM MaaS360 Editor. For iOS devices, enabling the Print option allows users to export content to other apps by using Printer Options even if File and Clipboard restrictions are enforced. | Android App 5.55+, iOS App 2.70+ |
| Restrict import of files | This option restricts users from importing documents from other apps to email, or from saving these files. If this setting is not enabled, choose whether to restrict or allow the following settings. | iOS App 2.30+, Android App 5.00+ |
| Restrict import from camera | This option restricts users from importing images with the camera. | Android App 5.21+ |
| Restrict import from gallery | This option restricts users from importing images from the photo gallery. | Android App 5.21+ |
| Restrict import from SD card | This option restricts users from importing files or content from the SD card. | Android App 5.21+ |
| Configure apps allowlist for import | This option enables users to import files only from allowlisted apps into Email/Docs using import buttons (identified by a plus sign). However, users still cannot import any file through open-with/share intent from allowlisted apps. | Android App 5.21+ |
| Allowed apps | This option specifies the App IDs for allowed apps. This field must be blank if no third-party apps are allowed for importing. | Android App 5.20+ |
| Lock widgets with container | This option locks the widgets with a container timeout. | Android App 5.35+ |
| Restrict notifications when app is locked | When an app is locked, notifications for new email messages, calendar invites, and reminders are restricted and a generic notification text is displayed. All notifications from WorkPlace apps are restricted. If the setting is enabled, configure the following notification restrictions. | Android App 5.00+ |
| Restrict notifications for new emails and calendar invites | This option restricts notifications for new email messages and calendar invites. | Android App 5.32+ |
| Restrict notifications for event and task reminders | This option restricts notifications for events and task reminders. | Android App 5.32+ |
| Restrict notifications for new docs distributed | This option restricts notifications for any new documents that are distributed. | Android App 5.55+ |
| Restrict Doc access based on Inactivity | This option restricts access to docs if the app is not accessed for a defined number of minutes (5 to 1440). Leave this field blank to ignore this setting. Supported only if WorkPlace PIN® is not enabled and for AD users. | iOS App 2.97+ |
| Enable AD rights management handling | Microsoft Cloud must have access to Corporate Rights Management AD to specify the app client ID. Contact IBM Support for more information. | iOS 3.18+, Android App 5.75+ |
| App client ID | The client ID generated by the app when you registered the app for the Azure AD tenant. To display an App client ID from Azure in the MaaS360 Portal, follow the steps. | iOS 3.18+, Android App 5.75+ |

Other Settings

| Policy setting | Description | Supported devices |
|---|---|---|
| Validate server certificate | Validates server certificates from MaaS360 servers during the SSL connection. This setting provides extra protection against man-in-the-middle attacks. Configure the following SSL certificate settings. | iOS 3.1+, Android App 5.32+ |
| Use SSL inspection in corporate network | Enable this option if your corporate network uses SSL inspection. | iOS 3.1+, Android App 5.32+ |
| Server certificates for SSL Inspection | Uploads root CA certificates only for SSL inspection. | iOS 3.1+, Android App 5.32+ |
| Allow collection of diagnostic logs | Collects diagnostic logs from your network. If you disable this setting, the logs are not collected. Note: Disabling this setting impacts the ability to troubleshoot issues. Do not disable this setting during the solution Trial phase. | iOS 2.98+, Android App 5.32+ |
| Restrict adding of SDK / wrapped apps on launcher | Restricts activated WorkPlace apps from displaying in the launcher. | iOS 2.99+ |
| Advanced configuration details | Configure the setting name and value for advanced mail configuration. Note: This setting must be configured if suggested by IBM Support. | iOS 3.0+, iOS Browser 2.04+, Android App 5.55+ |
| Enable Bluetooth based workstation login | If this setting is enabled, users can use Bluetooth-based authentication to lock or unlock their workstation. Note: This setting is only supported if Entrust is selected as the derived credential vendor. | iOS 10.0+ |