Configuring compliance rules for Windows devices

You can assign compliance rules to Windows devices at the device group level and during device enrollment.

Enabling this feature in the MaaS360 Portal

  • From the MaaS360 Portal Home page, select Setup, and then enable Laptop and Desktop Management > Windows Desktop and Laptop Management.
    The new platform type Windows Desktop OS is displayed in the Select Applicable Platforms section for any compliance rule.

    Note: For 10.61 and earlier releases, you must manually enable the Windows Desktop OS check box to apply compliance rules to Windows devices. For the 10.62 release, the Windows Desktop OS check box is enabled by default.

Enforcement rules for Windows device compliance

The 10.62 release supports the following enforcement rules for Windows device compliance:
  • OS versions
  • Jailbroken or rooted devices that are detected by Windows Health Attestation failures
The Enforcement Rules page provides information about the enforcement rules that are available for compliance.

Configuring enforcement rules for OS versions

  1. From the Enforcement Rules section, go to OS Versions, and then configure the following options:
    Option                       Description
    Specify Version Range        The range of Windows OS versions that is allowed for managed devices.
    Specify Allowed Versions     The Windows OS version that is allowed for managed devices.
    Specify Disallowed Versions  The Windows OS version that is not allowed for managed devices.
  2. From the Enforcement Rules section, define the Enforcement Action that is taken immediately after managed devices are out of compliance.
    The following enforcement actions are available on rooted Windows devices:
    • selective wipe
    • change policy
    • wipe
    • remove control
    • hide device
    You can also choose to notify the user and the administrators when a managed device is out of compliance.

Configuring enforcement rules for jailbroken or rooted devices

  1. From the MaaS360® Portal, define the Health Attestation policy. Go to Security > Policies > Select a policy > Enterprise Settings > Health Attestation.
  2. Use the Change Policy action to apply the Health Attestation policy to the group.
    Note: If the Health Attestation policy is not visible in the MaaS360 Portal, contact IBM® Support to enable the policy.
  3. Select Devices > Groups > More > Change Rule Set to assign the rule set to the device group.
  4. From the Compliance Rule Set list, choose a jailbroken rule set, and then click Submit.
  5. From the Enforcement Rules section, define the Enforcement Action that is taken immediately after managed devices are out of compliance.
    The following enforcement actions are available on rooted Windows devices:
    • selective wipe
    • change policy
    • wipe
    • remove control
    • hide device
    You can also choose to notify the user and the administrators when a managed device is out of compliance. When the defined health attestation state fails, the device is out of compliance and is marked as Jailbroken/Rooted in the Device Summary page.
  6. Go to the Device Summary page to view the Device Health Attestation State, Rules Compliance Status, Rule Set Name, and Out of Compliance Reasons.

Changing compliance rule sets during Windows device enrollments

  • During the enrollment request process, select the rule set from the Advanced Settings.