Managing security risks with the Risk Rule Configurator
You can view all the rules that identify risk incidents for the User Risk Management feature. Each rule defines a condition for a risk incident. When the condition defined in a risk rule is met, a corresponding risk incident with a severity and a score is generated against the device and the user who is assigned to that device.
Accessing the Risk Rule Configurator from the MaaS360 Portal
From the MaaS360 Portal Home page, go to the Security Management section and select . By default, all rule sets in the Risk Rule Configurator are enabled. Administrators can disable or enable any rule set, and can also enable or disable individual rule descriptions under a rule name. You can set the severity of each rule description under a rule name to low, medium, or high.
Example of the Risk Rule Configurator screen
In the following example, a rule is defined in the Risk Rule Configurator with a High severity and the precondition "if app compliance state on device is out of compliance". If any device is out of compliance, the precondition for the app compliance state is true, and a risk incident with a High severity is created against the device and the user who is assigned that device.
Predefined risk rules in the Risk Rule Configurator
| Predefined risk rule | Description |
| --- | --- |
| Antivirus inactive | This rule checks the inactive status of antivirus software that is installed on a Windows device. A Windows device might have several antivirus programs installed. If all of the installed antivirus programs are inactive, the default severity is High. If at least one installed antivirus program is active, the risk score and risk incident associated with this rule are removed from the security dashboard. Note: This rule does not evaluate Windows devices that have no antivirus software installed. |
| Application compliance state | This rule checks the application compliance status on a device. The status becomes out of compliance when a restricted app is detected on the user's device or when a required app is missing from the user's device. To define the restricted apps and required apps, configure the Application Compliance settings in the following device MDM policies: |
| Blocked URL access (Secure Browser) | This rule checks the number of times blocked URLs are accessed on the device from Secure Browser. You can define blocked URLs in the URL filter settings for Secure Browser (WorkPlace Persona policy) at . |
| Critical security patch missing | This rule checks whether a critical security patch is missing on the Windows device. The more critical security patches that are missing, the higher the risk score and severity. The defined severity is based on 1 - 2, 3 - 5, or more than five security patches missing on the Windows device. |
| Device encryption | This rule checks the encryption status on all enrolled and activated devices, that is, whether the device is partially encrypted or unencrypted. If the encryption status is partially encrypted, the default severity is Medium. If the encryption status is unencrypted, the default severity is High. |
| Device inactivity | This rule checks when the device last reported to MaaS360. The time since the last reported check-in determines the risk level of the device: the more days since the device last checked in, the higher the risk level. |
| Old version of OS | This rule checks how far the operating system version on the device is behind the latest operating system version that is available for the device. The further behind the latest available version the device's operating system is, the higher the risk level. This rule applies to Android, iOS, macOS, and Windows 10 devices. The following operating system versions are used in the risk rule to compare against the operating system version on devices: |
| Device jailbroken or rooted | This rule checks whether the device is jailbroken (iOS) or rooted (Android). This status is determined for all enrolled and activated devices. |
| Device passcode not compliant | This rule checks whether the passcode on the device complies with the defined passcode requirements. |
| Devices not managed | This rule checks the managed status of the device. If the device is in an unenrolled state, the risk for that device increases. |
| Malware detected | This rule checks the status reported by the IBM Security Trusteer Malware product. If this status is true, a risk incident is generated against the device. To define the Trusteer Threat Management settings, enable Trusteer Threat Management in the following device MDM policies: |
| Mobile data usage limit exceeded | This rule checks whether the device exceeded the limit for network data usage or roaming. The limit is based on the mobile plan that is defined in the MaaS360 Portal at . Note: You must enable the Mobile Expense Management (MEM) module setting on the Services page for this rule check to work as intended. |
| Older version of MaaS360 app | This rule checks how old the MaaS360 app version on the device (Android and iOS) is compared to the latest available MaaS360 app version. It applies to all enrolled and activated devices with the MaaS360 app installed. The older the MaaS360 app version on the Android or iOS device, the higher the risk score and severity. The defined severity is based on a MaaS360 app that is one, two, or three minor releases old. |
| Out of compliance (OOC) events | This rule checks the number of times a device is out of compliance. It checks against the compliance rules that are defined at (for more information, see Applying compliance rules to devices). The more frequently out-of-compliance events occur, the higher the risk score and severity. The defined severity is based on 1 - 2 times, 3 - 5 times, or more than five times that the device is out of compliance. |
| SIM change detected on device | This rule checks whether a SIM card change occurred on the device. If a SIM change is detected, a Medium severity is applied by default. The SIM card change rule applies only to devices that are Corporate-Owned or Corporate Third Party. |
| Usage policy acceptance | This rule checks the status of the usage acceptance policy on the device. You can define the user acceptance policy in the Services settings (WorkPlace Persona policy). You can define the severity of the rule based on the status of the usage acceptance policy (expired, not accepted, or pending): Note: You must enable the EULA Management Service on the Services page at End user license agreement self-serviceability for this rule check to work as intended. |
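As an added example (not MaaS360 code), the following Python models how a subset of the rules above turn device state into risk incidents: the antivirus rule's not-evaluated-when-none-installed and cleared-when-one-is-active behavior, the 1 - 2 / 3 - 5 / more-than-five bands, the encryption severities, and the ownership restriction on the SIM change rule. The Device fields, the tier() helper, and the Low/Medium/High mapping of the count bands are assumptions; the page states the thresholds but not which severity each band receives.

```python
from dataclasses import dataclass, field

HIGH, MEDIUM, LOW = "High", "Medium", "Low"

@dataclass
class Device:  # constructed record; field names are assumptions, not MaaS360's
    device_id: str
    platform: str                                  # "Windows", "iOS", "Android"
    ownership: str = "Corporate-Owned"             # or "Personal", "Corporate Third Party"
    antivirus: dict = field(default_factory=dict)  # AV product name -> active?
    missing_critical_patches: int = 0
    encryption: str = "encrypted"                  # "encrypted", "partial", "unencrypted"
    ooc_events: int = 0
    sim_changed: bool = False

def tier(count):
    """Assumed severity for the page's 1-2 / 3-5 / more-than-five bands."""
    if count <= 0:
        return None
    if count <= 2:
        return LOW
    return MEDIUM if count <= 5 else HIGH

def evaluate(d):
    """Return {rule name: severity} for every rule whose condition holds."""
    incidents = {}
    if d.platform == "Windows":
        # Antivirus inactive: not evaluated when no AV is installed; High only
        # when every installed AV program is inactive (one active one clears it).
        if d.antivirus and not any(d.antivirus.values()):
            incidents["Antivirus inactive"] = HIGH
        if tier(d.missing_critical_patches):
            incidents["Critical security patch missing"] = tier(d.missing_critical_patches)
    if d.encryption == "partial":
        incidents["Device encryption"] = MEDIUM
    elif d.encryption == "unencrypted":
        incidents["Device encryption"] = HIGH
    if tier(d.ooc_events):
        incidents["Out of compliance (OOC) events"] = tier(d.ooc_events)
    # SIM change applies only to Corporate-Owned or Corporate Third Party devices.
    if d.sim_changed and d.ownership in ("Corporate-Owned", "Corporate Third Party"):
        incidents["SIM change detected on device"] = MEDIUM
    return incidents

# Constructed sample inventory: two Windows devices and one personal iOS device.
SAMPLE = [
    Device("win-01", "Windows", antivirus={"AV-A": False, "AV-B": False},
           missing_critical_patches=4, encryption="partial"),
    Device("win-02", "Windows"),  # no AV installed, fully encrypted, no events
    Device("ios-01", "iOS", ownership="Personal", sim_changed=True, ooc_events=7),
]
```

Running `evaluate()` over `SAMPLE` shows that win-02 produces no incidents at all (the antivirus rule is skipped rather than fired) and that the personal iOS device's SIM change is ignored while its seven OOC events still reach the top band.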