Configuring compliance rules for Windows devices

You can assign compliance rules to Windows devices at the device group level and during device enrollment.

Enabling this feature in the IBM MaaS360 Portal

  • From the MaaS360 Portal Home page, select Setup, and then enable Laptop and Desktop Management > Windows Desktop and Laptop Management.
    The new platform type Windows Desktop OS is now available in the Select Applicable Platforms section for any compliance rule.
    Note: For 10.61 and earlier releases, you must manually enable the Windows Desktop OS checkbox to apply compliance rules to Windows devices. For the 10.62 release, the Windows Desktop OS checkbox is enabled by default.

Enforcement rules for Windows device compliance

The 10.62 release supports the following enforcement rules for Windows device compliance.
  • OS versions
  • Jailbroken or rooted devices that are detected by Windows Health Attestation failures
The Enforcement Rules page provides information about the enforcement rules that are available for compliance.

Configuring enforcement rules for OS versions

  1. From the Enforcement Rules section, go to OS Versions, and then configure the following options.
    Option                        Description
    Specify Version Range         The range of Windows OS versions that is allowed for managed devices.
    Specify Allowed Versions      The Windows OS version that is allowed for managed devices.
    Specify Disallowed Versions   The Windows OS version that is not allowed for managed devices.
  2. From the Enforcement Rules section, define the Enforcement Action that is taken immediately after managed devices are out of compliance.
    The following enforcement actions are available on rooted Windows devices.
    • Selective wipe
    • Change policy
    • Wipe
    • Remove control
    • Hide device
    You can also choose to notify the user and the administrators when a managed device is out of compliance.

Configuring enforcement rules for jailbroken or rooted devices

  1. From the IBM® MaaS360® Portal, define the Health Attestation policy. Go to Security > Policies > Select a policy > Enterprise Settings > Health Attestation.
  2. Use the Change Policy action to apply the Health Attestation policy to the group.
    Note: If the Health Attestation policy is not visible in the IBM MaaS360 Portal, contact IBM Support to enable the policy.
  3. Select Devices > Groups > More > Change Rule Set to assign the rule set to the device group.
  4. From the Compliance Rule Set list, choose a jailbroken rule set, and then click Submit.
  5. From the Enforcement Rules section, define the Enforcement Action that is taken immediately after managed devices are out of compliance.
    The following enforcement actions are available on rooted Windows devices.
    • Selective wipe
    • Change policy
    • Wipe
    • Remove control
    • Hide device
    You can also choose to notify the user and the administrators when a managed device is out of compliance. When the defined health attestation state fails, the device is out of compliance and is marked as Jailbroken/Rooted in the Device Summary page.
  6. Go to the Device Summary page to view the Device Health Attestation State, Rules Compliance Status, Rule Set Name, and Out of Compliance Reasons.

Changing compliance rule sets during Windows device enrollments

  • During the enrollment request process, select the rule set from the Advanced Settings.