Creating a compliance rule for devices

Follow these steps to create a compliance rule for your devices in the IBM® MaaS360® Portal.

Procedure

  1. From the IBM MaaS360 Portal home page, select Security > Compliance Rules.
  2. On the Compliance Rules window, click Add Rule Set.
  3. On the Add Rule window, specify the group that the rule applies to, the name of the rule set, and which existing rule to use as a basis.
  4. Click Continue.
  5. On the Basic Settings tab, configure the following settings and rules.
    Basic Settings
    Configure the platforms that the rule set applies to and then enter the email addresses that receive alerts for the rule set.
    Enforcement Rules
    Configure to enforce security compliance for mobile devices. You can choose the following options.
    • Enrollment in MDM
    • Specific operating system versions
    • Support for block- and file-level encryption, or no encryption
    • Compliance with corporate app policies for allowed, blocked, and required apps
    • Support for remote wipe
    • Restrictions for jailbroken (iOS), rooted (Android), or Health Attestation Failed (Windows) devices
    • Managing access of blocked devices to corporate resources
    • Enforcing operating system patch update installation

    You can configure various enforcement actions for this rule. For more information, see Configuring enforcement actions for compliance rules.

    The Wipe action wipes all data from the mobile device and resets the device to the original factory settings. For Android 2.2, the Wipe action resets the phone memory only. However, for Android 2.3, the Wipe action resets both the phone memory and the SD card.

    Note: The Block and the Wipe enforcement actions are available only with the Cloud Extender® integration.
    Geo-Fencing Rules
    Configure to enforce location-related compliance for mobile devices: change the policy on the device based on its location, or specify actions that occur on the device when the device is removed from one of the approved locations.

    You can configure various enforcement actions for this rule. For more information, see Configuring enforcement actions for compliance rules.

    Monitoring Rules
    Configure to monitor various device state changes, changes to the SIM, when the device is roaming, and any operating system version changes.

    You can configure various enforcement actions for this rule. For more information, see Configuring enforcement actions for compliance rules.

    Expense Monitoring Rules
    Configure to take real-time action for expense management, apply changes to mobile data usage to monitor both roaming and in-network data usage, and to manage usage thresholds.

    You can configure various enforcement actions for this rule. For more information, see Configuring enforcement actions for compliance rules.

    Note: The Expense Management module must be purchased separately. Contact IBM Support for more information.
    Group Based Rules
    Configure to create rules for previously defined groups of devices or users.
    Custom Attribute Rules
    Configure to create rules for previously defined groups of devices or users.
  6. Apply your changes, and then click Save.
    Note: Windows supports the encryption compliance rule only for the System drive.

Configuring enforcement actions for compliance rules

About this task

You can configure various enforcement actions to automatically apply to devices at specified time intervals when the device goes out of compliance (OOC) or does not meet the defined compliance criteria. You can add multiple enforcement actions and configure the required schedule and sequence for these actions.

For example, you might want to ensure that your managed devices are up to date with the required OS versions. You can configure the OS Versions rule and specify the allowed OS versions for different platforms such as iOS, Android, and macOS. You can configure multiple enforcement actions to automatically apply when devices do not comply with the configured allowed OS versions as follows.

  • Send an alert immediately after the device enters the OOC state to inform the user.
  • If the device remains OOC one day after applying the first action, apply the Selective Wipe action to revoke the device’s access to corporate content such as email, Wi-Fi, and VPN.
  • If the device remains OOC one day after applying the second action, apply the Remove Control action to stop managing the device.

The enforcement actions include Alert, Selective Wipe, Change Policy, Wipe, Remove Control, Hide Device, and so on. The list of enforcement actions varies for different rules. For more information on these actions, see Device details view.

You can also choose to notify the user by email or device notification and notify the admins with customized messages whenever an enforcement action is applied to the device.

Note: When a device is already in the OOC state, modifying the existing enforcement actions (for example, changing their sequence, adding new ones, or resetting the interval) does not make the device follow the new configuration immediately. Instead, the device continues to follow the previous enforcement actions that were in effect when it entered the OOC state, considering the duration since then. The new configuration is only considered once the time interval for the previously set actions has elapsed. After this interval, the device starts to implement the newly configured actions.
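
The escalation example and the note above can be modelled as a small timeline calculation when planning a rule change. This is an added example, not IBM or MaaS360 code and not a MaaS360 API; the names `Step`, `schedule`, `actions_applied`, and `governing_chain` are hypothetical, and `governing_chain` encodes one reading of the note (the previous sequence governs until its last interval has elapsed).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Step:
    action: str        # enforcement action name as listed on this page
    delay: timedelta   # wait after the previous step (after OOC entry for the first)


# The three-step sequence from the OS Versions example above.
OS_VERSION_CHAIN = [
    Step("Alert", timedelta(0)),
    Step("Selective Wipe", timedelta(days=1)),
    Step("Remove Control", timedelta(days=1)),
]


def schedule(chain, ooc_entered):
    """Return [(due_time, action)], accumulating each delay from OOC entry."""
    due, out = ooc_entered, []
    for step in chain:
        due += step.delay
        out.append((due, step.action))
    return out


def actions_applied(chain, ooc_entered, now):
    """Actions due by `now` if the device never returns to compliance."""
    return [action for due, action in schedule(chain, ooc_entered) if due <= now]


def governing_chain(old_chain, new_chain, ooc_entered, edited_at, now):
    """Which sequence governs a device at `now` after an admin edit.

    Assumption (one reading of the note): a device that was already OOC
    when the rule was edited stays on the old sequence until the old
    sequence's final interval has elapsed, then moves to the new one.
    """
    if now < edited_at or not new_chain:
        return old_chain                      # edit not made yet
    if ooc_entered >= edited_at or not old_chain:
        return new_chain                      # went OOC after the edit
    old_end = schedule(old_chain, ooc_entered)[-1][0]
    return old_chain if now < old_end else new_chain
```

The practical consequence is that loosening a sequence (for example, lengthening the interval before Remove Control) does not protect devices that were already OOC when the edit was saved.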