Audit log information
Several categories of information are available for you to view and audit. The category list, displayed on the left side of the Audit Logs page, includes:
- ActiveSync Device
- App Tunnel
- Compliance Action
- DEP (Device Enrollment)
- Custom Attributes
- Compliance Policy
- MTD (Mobile Threat Defense)
- Access Integration
- Derived Credential Provider
- Zebra FOTA
Before and after log information
Changes in the modification history for configurations, policies, labels, compliance groups, rules, and actions attributes are displayed in the Configuration Details page, which shows before and after content. You can view the logs from the Ivanti EPMM Logs > Audit Logs page. Logs with before and after values display an icon you can click to see the new information. The new log information is generated for the following actions:
- Create - The "Before" column will be empty.
- <![CDATA[ ]]>Edit or change - Both before and after values display.
- Delete - The "After" column will be empty.
In Ivanti EPMM version 18.104.22.168 and later versions, the before and after values can be readily identified from unchanged content because they are highlighted and in blue text in the Changes - Before & After panel.
Figure 1. Before & After Panel
To display the Changes - Before & After panel, click on any policy or configuration in the Policies & Configurations > Configurations tab to display the Configuration Details side panel to the right of the window. Click Modification History, and click the box corresponding to the change.
Best practices: label management
If Notes for Audit Logs is enabled, whenever a change is made to a label, a text box displays for the administrator to provide a reason for the change.
Example text to enter would be a change ticket order number. This information then displays in the Audit logs, in the Details column as "Reason."
This affects the following label-related activities:
- Add/Edit/Delete/Save Label (Both filter and manual)
- In Devices & Users > Devices > Advanced Search > Save to Label
- Add/Edit/Remove Label to devices
- Add/Edit/Remove Label to configurations
- Add/Edit/Remove Label to policies
- Add/Edit/Remove Label to apps
- Add/Edit/Remove Label to iBooks
The Notes for Audit Logs feature is also applicable to any administrator-made changes to iOS and macOS restrictions.
To enable this feature, see "Setup tasks" in Getting Started with Ivanti EPMM.
Device events record device-related actions taken by an administrator in the Admin Portal.
To monitor device actions, select one or more of the logged device actions in the Filters panel:
- Allow App Tunnel: Manually allow app tunnels from the selected device.
- Apply Label: Associate an item with a label.
- Apply Multiple Labels to One Device: Associate an item with multiple labels.
- Block App Tunnel: Manually disallow app tunnels from the selected device.
- Cancel Wipe: Cancels pending "Wipe" command if it was not yet delivered to the device. Applies to all modes.
- Change Language: Change the language associated with a device.
- Change Ownership: Toggle device ownership between Employee and Company.
- Check Available OS Update:
- Check Compliance: Check device against compliance criteria.
- Delete Retired Device: Remove entry for a device that is not longer managed.
- Device Location:
- Disable Activation Lock: Turn off the activation lock feature for the selected iOS device.
- Disable Data Roaming: Turn off the ability to use data when the device is roaming.
- Disable due to out of compliance:
- Disable Kiosk: Exit kiosk mode on the designated Android device.
- Disable KNOX Container: Turn off the Samsung Knox container feature for the selected device.
- Disable Personal Hotspot: Prevent the device user from using the personal hotspot feature.
- Disable Voice Roaming: Turn off the ability to make voice calls when the device is roaming.
- Download Available OS Update:
- Enable Activation Lock: Turn on the activation lock feature for the selected iOS device.
- Enable Data Roaming: Turn on the ability to use data while roaming for the selected iOS device.
- Enable Kiosk: Start kiosk mode on the designated Android device.
- Enable KNOX Container: Turn on the Samsung Knox container feature for the selected device.
- Enable MDM Lost Mode: Enable lost mode for the selected iOS device.
- Enable Personal Hotspot: Allow the device user to use the personal hotspot feature.
- Enable Voice Roaming: Turn on the ability to make voice calls when the device is roaming.
- Found: Designate the selected lost device as found.
- Install Downloaded OS Update:
- Install [email protected]: Install the [email protected] app.
- Locate: Retrieve the last known location for the selected device.
- Lock: Force the selected device to require a passcode for user access.
- Lost: Designate the selected device as lost.
- MobileIron Bridge: Create a configuration for the Bridge application for Windows 10 Management.
- Push Profile: Prompt a manual distribution of profiles to the selected device.
- Re-provision Device: Restart the provisioning process for the selected device.
- Reboot: Reboot the selected Windows device.
- Register Device: Start the registration process for the selected device.
- Remote Control: Establish a remote control session ([email protected]) on the selected Android device.
- Remote Display: Establish a remote view session ([email protected]) on the selected iOS device.
- Remove Device Attribute: Remove an attribute from a device.
- Remove Label: Remove the association between the specified label and the selected item.
- Remove Multiple labels from one device: Remove the association between the specified labels and the selected item.
- Request Derived Credential: Device user request in user portal for a derived credential.
- Request Unlock AppConnect Container (Android only): Initiate unlock AppConnect container.
- Request Unlock Device: Initiate unlock device.
- Request Unlock Passcode: Initiate unlock passcode.
- Resend Provision Message: No longer supported.
- Reset AppConnect Passcode: Device user request in user portal to reset the AppConnect passcode.
- Reset Password:
- Restart iOS Device: Restart iOS device.
- Reset PIN: Generate a new registration PIN for the selected Windows device.
- Retire: End management of the selected device.
- Send Activation Lock Bypass Code: Send the bypass code to the selected iOS device.
- Send Alert: Send compliance alert to the selected device.
- Send APNS message: Launch a client and authenticate against Ivanti EPMM.
- Send Message: Send SMS message to the selected device.
- Set Device Attribute: Set an attribute to a device.
- Shutdown iOS Device: Shutdown iOS device.
- Sign In: Launch a client and authenticate against Ivanti EPMM.
- Sign Out: End session between the client and Ivanti EPMM.
- Substitution Variable Change: Change a configuration due to a change in the value of a substitution variable.
- Unlock AppConnect Container (Android only): Begin unlock device and AppConnect container.
- Unlock Device and AppConnect Container: (Android only): Begin unlock device and AppConnect container.
- Unlock Device Only: Clear the passcode for the selected device.
- Update Device Comment: Change the Comment field in the record for the selected device.
- Update OS Software: Update iOS software.
- Wakeup: Force the device client to check in.
- Windows License: Alert administrators to upgrade the SKU of Windows 10 desktop devices. Options can be Windows 10 Pro to Enterprise or Windows 10 Education to Enterprise.
- Wipe: Return the device to factory default settings.
Events beginning with Request, such as Request Unlock Device, are logged when an administrator clicks the corresponding command in the Admin Portal. The corresponding event without the word Request, such as Unlock Device, is logged when Ivanti EPMM actually sends the request to the device. Ivanti EPMM sometimes delays sending requests to regulate Ivanti EPMM performance.
ActiveSync Device information
These events do not apply to Mac devices.
To monitor ActiveSync device actions, select one or more of the logged ActiveSync device actions in the Filters panel
- ActiveSync Device Comment: Add or change the comment associated with an ActiveSync device entry.
- Add Correlation:
- Allow Device: Allow a blocked ActiveSync device to access the ActiveSync server.
- Assign ActiveSync Policy: Apply an ActiveSync policy to the selected device.
- Block Device: Prevent the selected device from accessing the ActiveSync server.
- Link To MI Device: Associate an ActiveSync device with a device registered with Ivanti EPMM.
- Remove: End the association between the Ivanti EPMM device and the ActiveSync device record.
- Remove Correlation:
- Revert ActiveSync Policy: Restore the Default ActiveSync Policy to the selected device.
MDM events indicate when a device takes an action due to a Ivanti EPMM request. These events pertain only to iOS and Mac devices unless otherwise noted.
To monitor these actions, select one or more of the logged MDM actions in the Filters panel.
- Apply Redemption Code: Apply Redemption Code: Use a Apple License code.
- Clear Passcode: Clear Passcode: Reset device passcode.
- Device Lock: Set screen lock on device.
- Install Encrypted Sub-Profile:
- Install Managed Application: Install a managed app.
- Install MDM Profile: Install the MDM profile on the device.
- Install Provisioning Profile: Install the provisioning profile for a managed app.
- Lock Device (Android): Lock an Android device.
- Profile Change: Change the profile on an iOS or Android device.
- Remove Encrypted Sub-Profile:
- Remove Managed Application: Uninstall a managed app.
- Remove MDM Profile: Remove the MDM profile from the device.
- Remove Provisioning Profile: Remove the provisioning profile for a managed app.
- Settings: Modify device settings.
- Unlock Device (Android): Unlock an Android device and the AppConnect container on the device.
- Unlock Device Only (Android): Unlock an Android device.
- Wipe Device (called Erase Device in the MDM Activity tab): Restore the iOS device to factory defaults.
- Wipe Device (Android): Restore the Android device to factory defaults.
This MDM log information is also provided in the Logs > MDM Activity tab.
To monitor actions involving certificates, select one or more of the logged certificate actions in the Filters panel.
- Apply User Provided Certificate: Use a certificate already provided by the user and sent to Ivanti EPMM.
- Create Device Certificate: Issue a device certificate.
- Create User Certificate: Issue a user certificate.
- Delete User Provided Certificate: Destroy certificate provided by the user via the self-service portal.
- Device Certificate Expired: Warn on a device certificate that is no longer valid due to expiration.
- Device Certificate Renewal: Re-enrolls a device certificate.
- Reuse Device Certificate: Use an existing device certificate.
- Reuse User Certificate: Use an existing user certificate.
- Revoke Device Certificate: Reclaim a device certificate.
- Revoke User Certificate: Reclaim a user certificate.
- Upload User Provided Certificate: Send certificate provided by the user via the self-service portal.
- User Certificate Expired: Warn on a user certificate that is no longer valid due to expiration.
- User Certificate Renewal: Re-enroll a user certificate.
The contents of the Logs > Certificate Management shows information about certificates, such as their expiration dates. It allows you to take actions, such as re-enroll, remove, and revoke on the certificates.
App Tunnel events
To monitor actions involving app tunnels, select one or more of the logged app tunnel actions in the Filters panel.
- Allow App Tunnel: Permit the specified app tunnel.
- App Tunnel Comment: Add a comment on the selected app tunnel.
- Block App Tunnel: Do not allow the specified app tunnel.
- Remove App Tunnel: Delete the selected app tunnel configuration.