Creating a compliance rule for devices

Follow these steps to create a compliance rule for your devices in the IBM® MaaS360® Portal.

Procedure

  1. From the IBM MaaS360 Portal Home page, select Security > Compliance Rules.
    The Compliance Rules window is displayed.
  2. Click Add Rule Set.
    The Add Rule window is displayed.
  3. Specify the group that the rule applies to, the name of the rule set, and which existing rule to use as a basis.
  4. Click Continue.
    The Basic Settings tab is displayed.
  5. Configure the following settings and rules:
    • Basic Settings: Configure the platforms that the rule set applies to and then enter the email addresses that receive alerts for the rule set.
    • Enforcement Rules: Configure to enforce security compliance for mobile devices.

      Choose the following options:

      • Enrollment in MDM
      • Specific operating system versions
      • Support for block- and file-level encryption, or no encryption
      • Compliance with corporate app policies for allowed, blocked, and required apps
      • Support for remote wipe
      • Restrictions for jailbroken (iOS), rooted (Android), or Health Attestation Failed (Windows) devices
      • Managing access of blocked devices to corporate resources
      • Enforcing operating system patch update installation

      You can configure various enforcement actions for this rule. For more information, see Configuring enforcement actions for compliance rules.

      The Wipe action wipes all data from the mobile device and resets the device to the original factory settings. For Android 2.2, the Wipe action resets the phone memory only. However, for Android 2.3, the Wipe action resets both the phone memory and the SD card.

      Note: The Block and the Wipe enforcement actions are available only with the Cloud Extender® integration.
    • Geo-Fencing Rules: Configure to enforce location-related compliance for mobile devices, to change the policy on the device based on its location, or to specify actions that occur on the device when the device is removed from one of the approved locations.

      You can configure various enforcement actions for this rule. For more information, see Configuring enforcement actions for compliance rules.

    • Monitoring Rules: Configure to monitor various device state changes, changes to the SIM, when a user's device is roaming, and any operating system version changes.

      You can configure various enforcement actions for this rule. For more information, see Configuring enforcement actions for compliance rules.

    • Expense Monitoring Rules: Configure to take real-time action for expense management, apply changes to mobile data usage, to monitor both roaming and in-network data usage, and to manage usage thresholds.

      You can configure various enforcement actions for this rule. For more information, see Configuring enforcement actions for compliance rules.

      Note: You must purchase the Expense Management module separately. Contact IBM® Support for more information.
    • Group Based Rules: Configure to create rules for previously defined groups of devices or users.
    • Custom Attribute Rules: Configure to create rules for previously defined groups of devices or users.
  6. Apply your changes, and then click Save.

Configuring enforcement actions for compliance rules

About this task

You can configure various enforcement actions to automatically apply to devices at specified time intervals when the device goes out of compliance (OOC) or does not meet the defined compliance criteria. You can add multiple enforcement actions and configure the required schedule and sequence for these actions.

For example, you might want to ensure that your managed devices are up to date with the required OS versions. You can configure the OS Versions rule and specify the allowed OS versions for different platforms such as iOS, Android, macOS, etc. You can configure multiple enforcement actions to automatically apply when devices do not comply with the configured allowed OS versions as follows:

  • Send an alert immediately after the device enters the OOC state to inform the user.
  • If the device remains OOC one day after applying the first action, apply the Selective Wipe action to revoke the device’s access to corporate content such as email, Wi-Fi, and VPN.
  • If the device remains OOC one day after applying the second action, apply the Remove Control action to stop managing the device.

The enforcement actions include Alert, Selective Wipe, Change Policy, Wipe, Remove Control, Hide Device, etc. The list of enforcement actions varies for different rules. For more information on these actions, see Device details view.

You can also choose to notify the user by email or device notification and notify the admins with customized messages whenever an enforcement action is applied to the device.

Note: If a device is already in the OOC state when you change its configured enforcement actions (for example, by altering the sequence, adding new actions, or resetting the interval for actions), the device does not immediately adhere to the new configuration. Instead, the device still considers the time elapsed since it moved to the OOC state and continues to follow the enforcement action configuration that was in place when it entered the OOC state. The device does not consider the new configuration until the time interval for the previously configured action has passed. Only after this interval has passed does the device start considering the newly configured actions.
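
The following added example (a planning model written for this page, not IBM MaaS360 code or an IBM API) works through the OS Versions escalation above and the note on editing actions for a device that is already OOC. The function names, the sample timestamps, and the behavior when no earlier action is still pending are assumptions.

```python
from datetime import datetime, timedelta

# The page's OS Versions escalation: (action, wait after the previous step).
OS_VERSION_PLAN = [
    ("Alert", timedelta(0)),
    ("Selective Wipe", timedelta(days=1)),
    ("Remove Control", timedelta(days=1)),
]

def schedule(ooc_start, plan):
    """Absolute due time of each action; each wait counts from the previous action."""
    due, t = [], ooc_start
    for action, wait in plan:
        t = t + wait
        due.append((t, action))
    return due

def actions_applied(ooc_start, plan, now):
    """Actions whose due time has been reached while the device stayed OOC."""
    return [action for t, action in schedule(ooc_start, plan) if t <= now]

def new_config_considered_at(ooc_start, old_plan, edited_at):
    """Earliest time an edited plan is considered for a device already OOC.

    Per the note: not before the interval of the previously configured
    (still pending) action has passed. Assumption: if no old action is
    pending at edit time, the edit is considered from the edit time.
    """
    pending = [t for t, _ in schedule(ooc_start, old_plan) if t > edited_at]
    return min(pending) if pending else edited_at

# Constructed sample times: device goes OOC at 09:00, admin edits at 15:00.
OOC_START = datetime(2024, 1, 10, 9, 0)
EDITED_AT = datetime(2024, 1, 10, 15, 0)

if __name__ == "__main__":
    for t, action in schedule(OOC_START, OS_VERSION_PLAN):
        print(t.isoformat(), action)
    print("edit considered from",
          new_config_considered_at(OOC_START, OS_VERSION_PLAN, EDITED_AT).isoformat())
```

In this model, an edit made six hours after the device went OOC does not stop the Selective Wipe that is already pending for the next morning, so plan rule changes before devices enter the OOC state.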