Managing secure locations for a device

The Locations feature enables an administrator to determine whether a device is at a designated secure location and is receiving the necessary policies while onsite. Administrators can assign a particular policy to a location range to restrict users or to warn them about the applied policy.

Before you begin

  • The Location Services on the devices must be enabled.
  • The device must have active internet for the policies to be applied.
  • The user must set Location permission for MaaS360 to Always in device settings.

About this task

The Geo-fencing rule, included with the compliance rule set, places a device out of compliance if the device is removed from a designated secure location. The administrator can send actions against the device and also apply policies to the device when the device checks back in at a designated secure location.

If a device is removed from a designated secure location, the device can receive a policy in other ways based on the following sequence: groups, devices, users.

A location is either a physical location such as a physical address, or a network connection such as a wifi SSID. IBM® MaaS360® detects a geographical or wifi-based location and applies a policy to the device within 30 minutes depending on the network and the status of the app on the device.

For Android devices, IBM MaaS360 immediately detects a wifi-based location for a device.

For iOS devices, the location updates in IBM MaaS360 depend on administrator settings like Geo-fencing.

For an address-based location, IBM MaaS360 uses a policy to detect a device, which might take up to 5 minutes (the default setting is 15 minutes) depending on the network connection and the status of the MaaS360 app on the device. IBM MaaS360 detects the location of a device based on the frequency setting that is configured in the Android MDM policy. If this setting is configured to check the device often, you might drain the battery on the device.

The IBM MaaS360 agent can notify the IBM MaaS360 Portal of changes to a device's location only up to 100 times a day. When that limit is reached, the agent cannot communicate changes to the IBM MaaS360 Portal or change a policy until the next day.

IBM MaaS360 provides offline Geo-fencing functions for Android MDM policies. Offline policy features require applicable Android devices to come online to receive policy and map data. After this information is gathered, the device updates policies by using Geo-fencing guidelines while the device is offline. To enable offline Geo-fencing, contact your IBM MaaS360 Account Manager or Partner.
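The following model is an added example, not IBM MaaS360 code: it replays one day of location fixes against an address-based location (center plus Range in miles) and applies the 100-notifications-per-day limit described above, showing how the Portal's view of a device can go stale once the limit is reached. The circular haversine fence, the rule that each check-in or check-out consumes one notification, and all coordinates are assumptions made for illustration.

```python
import math

EARTH_RADIUS_MILES = 3958.8
DAILY_NOTIFY_LIMIT = 100  # daily cap on agent-to-Portal location notifications (from the page)

def distance_miles(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance between two points, in miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))

def simulate_day(fence, fixes, limit=DAILY_NOTIFY_LIMIT):
    """Replay one day's fixes against a circular fence (lat, lon, range_miles).

    Returns (reported, unreported, portal_inside, actual_inside), where the
    event lists hold (fix_index, "check-in" | "check-out") tuples.
    """
    lat0, lon0, range_miles = fence
    actual = portal = None
    reported, unreported = [], []
    for i, (lat, lon) in enumerate(fixes):
        inside = distance_miles(lat0, lon0, lat, lon) <= range_miles
        if inside == actual:
            continue  # no boundary crossing, nothing to notify
        actual = inside
        event = (i, "check-in" if inside else "check-out")
        if len(reported) < limit:
            reported.append(event)
            portal = inside  # Portal state follows the last delivered notification
        else:
            unreported.append(event)  # assumed: dropped until the next day
    return reported, unreported, portal, actual

# Constructed sample data: a 0.5-mile fence and two device positions.
FENCE = (40.0, -75.0, 0.5)
ONSITE, OFFSITE = (40.0, -75.0), (40.02, -75.0)  # OFFSITE is about 1.38 miles away

NORMAL_DAY = [ONSITE, ONSITE, OFFSITE, ONSITE]   # 3 boundary crossings
FLAPPING_DAY = [ONSITE, OFFSITE] * 50 + [ONSITE]  # 101 boundary crossings

if __name__ == "__main__":
    for name, day in (("normal", NORMAL_DAY), ("flapping", FLAPPING_DAY)):
        rep, unrep, portal, actual = simulate_day(FENCE, day)
        print(name, len(rep), "reported,", len(unrep), "unreported,",
              "portal_inside =", portal, "actual_inside =", actual)
```

On the flapping day the Portal still records the device as checked out while it is back inside the range, so a Range set too close to where devices routinely move is worth reviewing alongside the detection frequency.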

Notes:
  • To use location-based functions, the administrator must enroll the devices and install the IBM MaaS360 app on the device.
  • Location tracking is not supported on Android devices that are enrolled in Profile Owner (PO) and Work Profile on Corporate Owned (WPCO) modes.

Follow the steps to set up the location of devices based on a geographical area or a wifi network.

Procedure

  1. From the IBM MaaS360 Portal home page, select Security > Locations.
  2. Select one of the following options.
    • To add an address-based location, follow the steps.
      1. Click Add Address based Location. The Bing map displays the location of a device based on the IP address that is used to sign in to the IBM MaaS360 customer account.
      2. Type the location Address and Range (in miles), and click Search.
      3. Type the name of the location, and click Add this specific location with Range. The location is displayed on the Locations page.
    • To add a wifi-based location, follow the steps.
      1. Click Add Wi-Fi based Location.
      2. Enter the Location Name, Wi-Fi SSID, and MAC Address, and click Add. The location is displayed on the Locations page.
      Notes:
      • Location is determined by the device that is connected to the wifi SSID that you typed in the Wi-Fi SSID field.
      • The wifi-based location setting requires MES 1.85+ and IBM MaaS360 Core App for Windows 4.0+. The address-based location setting requires MES 2.16+ and IBM MaaS360 Core App for Windows 4.0+.
      • Contact IBM Support to enable this feature.
  3. Select a location on the Locations page, and click one of the following actions under the device location.
    Action            Description
    Edit              Edits the address-based location of a device.
    Assign Policies   Applies a policy to a device at the address-based location. The options are available for iOS and Android devices.
                      • Click Select Policy and select the policy.
                      • Click Select Device Group to assign the policy to a group of devices.
                      • Click Confirm.
    Delete            Removes an address-based location from a policy.
  4. The administrator can also set policies when a device checks out from a location range. To enable, go to Security > Compliance Rules.
  5. Click Add Rule Set.
  6. Enter the Rule Set Name and, to base the rule set on an existing one, select an option from the Copy From drop-down.
  7. Click Continue to create a new compliance rule set.
  8. Under the Rules, go to Geo-Fencing Rules and verify that Geo-Fencing is enabled.
  9. Set a rule when the device goes Out-Of-Compliance (OOC) under Enforcement Action > Immediately after OOC. The values that are available are as follows.
    • Alert
    • Block
    • Selective Wipe
    • Change Policy: enables the admin to modify any policy for iOS, Android, and Windows MDM.
    • Wipe
  10. To notify the users, select the checkbox for Email, Device Notification.
  11. To notify the admins, select the checkbox for Standard Email List, or enter manually in Other Emails. The admin can also enter a customized message under Message to notify the users.
  12. Click Save to apply the changes.

Results

When the device is within the set location range, the user is checked in and a particular policy is applied. When the device is outside that location range, the user is checked out from those policies, but other policies can still apply.