Working with default policies
Default policies are the policies applied to a device automatically when it is registered. Default policy values are also used as a starting point when you create a custom policy. Ivanti EPMM provides the values for each default policy specification. It is recommended that you create your own policies. You can use the settings in the default policies as a starting point. If you do edit a default policy’s values (not recommended), those new values become the starting point when you create a new custom policy.
Unlike configurations, a device can have only one policy of each type.
Ivanti EPMM provides defaults for the following policy types:
- Security (Refer to Getting Started with Ivanti EPMM for details.)
- Privacy (Refer to Getting Started with Ivanti EPMM for details.)
- Lockdown (Refer to Getting Started with Ivanti EPMM for details.)
- Sync (Refer to Getting Started with Ivanti EPMM for details.)
- ActiveSync (See “Working with ActiveSync policies” in the Ivanti Standalone Sentry Guide for EPMM.)
- AppConnect global policy (Refer to the AppConnect Guide for EPMM.)
You cannot delete default policies.
The default settings for each policy type are listed in the section for each type.
Setting an alert that a device's PIN change request was skipped
You can set an alert to have the device user change the password / PIN. You can also identify devices that have prompted the device user to change the password / PIN but the device user skipped the prompt.
Procedure
- In your security policy, enter the number of days a password is valid for in the Maximum Password Age field. See Getting Started with Ivanti EPMM for details.
- Create a compliance action with the desired number of days (1, 2, 3… up to 7) that the administrator wants to give as a grace period before taking a compliance action. For example, if the administrator wants the action to take immediate effect, the value would be 7 (days). If the administrator wants to give a grace period of 5 days, the value would be 2 (days). See Adding custom attributes to users and/or devices.
- Using Advanced searching, create a search for devices that are less than 7 days (for example) away from the device's password expiration date. Use the Android > Password/PIN Days Before Expiring field as part of your search criteria.
If the Maximum Password Age is 0, the PIN is set to never expire. In that case, the Screenlock PIN Change Prompt – Showing value always displays as false and Password/PIN Days Before Expiring displays as 0. Thus, the compliance policy cannot be the simple rule Password/PIN Days Before Expiring > Is less than or equal to > 7. It needs to be Password/PIN Days Before Expiring > Is less than or equal to > 7 and Password/PIN Days Before Expiring > Is greater than > 0 (see below).
- Select Save to Label.
- Apply the saved search to the appropriate labels (Actions > Apply to Labels).
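The effect of the extra "greater than 0" clause, and of the grace-period value, can be checked offline before the search is saved to a label. The following is an added example, not Ivanti code: the inventory rows are constructed, the column names are assumptions rather than an EPMM export format, and the grace-period formula is inferred from the two examples in the procedure.

```python
import csv
import io

# Constructed sample inventory. The column names are assumptions made for
# this example, not an Ivanti EPMM export format.
SAMPLE_INVENTORY = """device,max_password_age,days_before_expiring
pixel-01,90,45
pixel-02,90,7
pixel-03,90,2
galaxy-04,0,0
galaxy-05,30,1
"""

PROMPT_WINDOW = 7  # days; the largest rule value the procedure allows


def threshold_for_grace(grace_days):
    """Rule value for a grace period, inferred from the procedure's two
    examples (no grace -> 7, five days of grace -> 2)."""
    value = PROMPT_WINDOW - grace_days
    if not 1 <= value <= PROMPT_WINDOW:
        raise ValueError("rule value must be between 1 and 7 days")
    return value


def simple_rule(days_left, limit):
    # Password/PIN Days Before Expiring <= limit, with no lower bound.
    return days_left <= limit


def bounded_rule(days_left, limit):
    # Adds the "greater than 0" clause so never-expiring PINs are skipped.
    return 0 < days_left <= limit


def evaluate(inventory_text, grace_days=0):
    limit = threshold_for_grace(grace_days)
    result = {"limit": limit, "simple": [], "bounded": [], "false_matches": []}
    for row in csv.DictReader(io.StringIO(inventory_text)):
        days_left = int(row["days_before_expiring"])
        if simple_rule(days_left, limit):
            result["simple"].append(row["device"])
            # Maximum Password Age 0 means the PIN never expires.
            if int(row["max_password_age"]) == 0:
                result["false_matches"].append(row["device"])
        if bounded_rule(days_left, limit):
            result["bounded"].append(row["device"])
    return result


if __name__ == "__main__":
    for grace in (0, 5):
        print(grace, evaluate(SAMPLE_INVENTORY, grace))
```
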
To view the results, go to Device Details page and in the Details tab, view the values for the following fields:
- Screenlock PIN Change Prompt - Showing - Indicates if device user was prompted to change the device's screen lock password / PIN and the device user skipped the prompt. Values are:
- Unknown - If coming from an older client device, value is unknown.
- True - Indicates the PIN is to expire in 7 days or less.
- False - (default) Indicates the device user is not being prompted to change the password / PIN (it has not reached its 7-day expiration window).
The value listed stays until the device user successfully changes the password / PIN on the device.
- Password/PIN Days before expiring field - represents the number of days before the password / PIN will expire. This numerical value is controlled by the Security policy's Maximum Password Age field value.
- This field is dynamic: its value decreases by 1 every day until the password / PIN is renewed. At renewal, the value returns to the original number stated in the Maximum Password Age field and starts a new daily countdown.