Compliance actions for policy violations

You can assign compliance actions for security policy violations and for compliance policy violations. When you configure access control in either type of policy, you can select default compliance actions that are provided with Ivanti EPMM. You can also select custom compliance actions that you create.

Figure 1. Compliance actions policy violations

To create the custom compliance actions, see Custom compliance actions.

Figure 2. Compliance Action settings for iOS and Android devices

IMPORTANT: As you read this section, refer to the process diagram above. Note that references to "Core" mean Ivanti EPMM.

Default compliance actions

The following table describes the default compliance actions:

Table 40. Default compliance actions

Default compliance action

Description

Send Alert

Sends alert that you configured for the policy violation.

To configure the alert, see Policy violations event settings.

Block Email, AppConnect Apps And Send Alert

  • Sends alert that you configured for the policy violation.

  • Restricts access to email via ActiveSync if you are using a Standalone Sentry for email access.

If you manually block, allow, or wipe a device on the ActiveSync Associations page, blocking email access in a compliance action has no impact. The manual action overrides Ivanti EPMM's automatic decision-making about access to email via ActiveSync. See "Overriding and re-establishing Ivanti EPMM management of a device" in the Ivanti Standalone Sentry Guide for EPMM.

  • Immediately blocks access to the web sites configured to use the standard and Advanced AppTunnel feature. This blocks the tunnels that AppConnect apps and iOS managed apps use.
  • Unauthorizes AppConnect apps.

    On iOS, AppConnect apps become unauthorized when the next app checkin occurs. When launched, an AppConnect app displays a message and exits. Some iOS AppConnect apps that have portions involving only unsecured functionality can allow the user to use only those portions.

    On Android, AppConnect apps become unauthorized when the next device checkin occurs. When the device user tries to launch an AppConnect app, the Secure Apps Manager displays a small pop-up message with the reason the app is unauthorized. This applies to AppConnect apps as well as third-party AppConnect for Android apps.

Customized compliance actions

These actions can contain 4 tiers of actions. Tiers 2-4 are only used in compliance policies; they are not used by legacy security policies. Security policies only perform the action defined in tier 1.

Custom compliance actions

You customize the compliance actions you want to take on the Compliance Actions page under Policies & Configs. After you create custom compliance actions, they appear in a drop-down list in the Access Control section of your security policies and in the Compliance Actions drop-down of compliance policy rules.

Custom compliance actions enable you to specify combinations of the following actions:

  • Send alert
  • Block email access and AppConnect apps (includes blocking app tunnels)
  • Quarantine: block email access, block app tunnels, block AppConnect apps, and wipe AppConnect app data
  • Remove configurations (i.e., profiles)
  • Specify exceptions for Wi-Fi-only devices
  • iOS 12.0 or supported newer versions: remove managed apps, and block new downloads

Once you create a set of these actions, you can select that set from the drop-down lists in the Access Control section of security policies or in compliance policy rules.

Creating a compliance action

Custom compliance actions let you define the response to an access control violation. A tiered compliance action can include up to four tiers of action; compliance policies can escalate through all four tiers, whereas security policies perform only tier 1.

Access control for macOS devices does not control email.

Procedure 

  1. Log into the Admin Portal.
  2. Go to Policies & Configs > Compliance Actions.
  3. Select Add+ to open the Add Compliance Action dialog box.
  4. Complete the fields as described in the Add Compliance Action table below.

  5. To add a second tier of actions, select the plus (+) button and complete the fields for the second compliance action.
  6. Repeat to add a third and, if needed, a fourth tier.
  7. Select Save to add the new compliance action.
  8. You can select them by going to:
    • Policies & Configs > Policies > Security policy > Edit > Access Control section (1 tier only).
    • Policies & Configs > Compliance Policies > Add+ > Compliance Policy Rule > Compliance Actions drop-down (1-4 tiers).

      The Enforce Compliance Actions Locally on Devices option has no effect when a compliance action is used in a compliance policy; local enforcement is supported only from the security policy.

Add Compliance Action table

The following table describes the Add Compliance Actions options:

Table 1. Add Compliance Action fields

Item

Description

Name

Enter an identifier for this set of compliance actions. Consider specifying the resulting action so that the action will be apparent when you are editing a security policy.

Enforce Compliance Actions Locally on Devices

This feature is not supported on macOS devices.

Select this to enable the Ivanti Mobile@Work app to enforce compliance actions on the device for security violations without requiring action from Ivanti EPMM. Ivanti EPMM also continues to enforce compliance actions.

For iOS, this option is supported only in the security policy, under "Apply compliance action when a compromised iOS device is detected." For more information, see Security policies in Getting Started with Ivanti EPMM. For any other use in a security policy or compliance policy rule, this option has no effect on iOS devices.

ALERT: Send a compliance notification or alert to the user

This feature is not supported on macOS devices.

Select if you want to trigger a message indicating that the violation has occurred. The Ivanti Mobile@Work app sends the alert to the device user for the security policy violation, even without a connection to Ivanti EPMM. To use this feature, select this compliance action in the security policy; see Security policies in Getting Started with Ivanti EPMM.

If de-selected, Ivanti EPMM sends the alerts to device users, administrators, or both. To configure the alert, see Policy violations event settings.

BLOCK ACCESS: Block email access and AppConnect apps

This feature is not supported on macOS devices.

Selecting this option has the following impact on the device:

  • Restricts access to email via ActiveSync if you are using a Standalone Sentry for email access.

    If you manually block, allow, or wipe a device on the ActiveSync Associations page, blocking email access in a compliance action has no impact. The manual action overrides Ivanti EPMM's automatic decision-making about access to email via ActiveSync. See "Overriding and re-establishing Ivanti EPMM management of a device" in the Ivanti Standalone Sentry Guide for EPMM.

  • Immediately blocks access to the web sites configured to use the standard and Advanced AppTunnel feature.

    This action blocks tunnels that AppConnect apps and iOS managed apps use.

  • Unauthorizes AppConnect apps.

    On iOS, AppConnect apps become unauthorized when the next app checkin occurs. When launched, an AppConnect app displays a message and exits. Some iOS AppConnect apps that have portions involving only unsecured functionality can allow the user to use only those portions.

    On Android, AppConnect apps become unauthorized when the next device checkin occurs. When the device user tries to launch an AppConnect app, the Secure Apps Manager displays a small pop-up message with the reason the app is unauthorized. This applies to AppConnect apps as well as third-party AppConnect for Android apps.

  • If the "Enforce Compliance Actions Locally on Devices" check box is selected, this action makes AppConnect apps unauthorized even without a connection to Ivanti EPMM. To use this feature, select this compliance action in the security policy under the condition "Apply compliance action when a compromised iOS device is detected." For more information, see Security policies in Getting Started with Ivanti EPMM.

QUARANTINE: Quarantine the device

(Select this check box to display the other Quarantine options.)

This feature is not supported on macOS devices.

Selecting this option has the following impact on the device:

  • Immediately blocks access to the web sites configured to use the standard and Advanced AppTunnel feature.

    This action blocks tunnels that iOS managed apps use.

  • AppConnect apps are retired, which means they become unauthorized and their secure data is deleted (wiped).

    If the "Enforce Compliance Actions Locally on Devices" check box is selected, this action makes AppConnect apps unauthorized and wipes their secure data without connection to Ivanti EPMM. To use this feature, you need to select this Compliance Action in the Security Policy under the condition "Apply compliance action when a compromised iOS device is detected." For more information, see Security policies in Getting Started with Ivanti EPMM.

QUARANTINE: Remove All Configurations and SaaS Sign-on Policy

With the "Enforce Compliance Actions Locally on Devices" check box de-selected, select this option to remove the configurations (i.e., profiles) that provide access to corporate resources. AppConnect apps must be re-installed after the device is back in compliance.

This feature is not supported as an iOS local action, because removal of configurations can only be done from the Ivanti EPMM server side.

QUARANTINE: Do not remove Wi-Fi settings for Wi-Fi only devices

Select this option to retain the Wi-Fi configurations on devices that do not have cellular access, so that you can still contact these devices after their other configurations are removed.

How Ivanti EPMM decides whether a device is Wi-Fi only depends on the iOS version. For devices running versions earlier than iOS 4.2.6, the device model (for example, iPod) is used.

This feature is not supported as an iOS local action, because removal of configurations can only be done from the Ivanti EPMM server side.

QUARANTINE: Do not remove Wi-Fi settings for all devices (iOS and Android only)

This feature is not supported on macOS devices.

Select this option to retain the Wi-Fi configurations for any device, regardless of whether it has cellular access. You might select this option to preserve limited network access despite the policy violation.

This feature is not supported as an iOS local action, because removal of configurations can only be done from the Ivanti EPMM server side.

QUARANTINE: Remove iBooks content, managed apps, and block new app downloads

This feature is not supported on macOS devices.

Select this option to remove iBooks content and managed apps from the device, and to block access to Apps@Work, while the device is not compliant.

This feature is not supported as an iOS local action, because removal of configurations can only be done from the Ivanti EPMM server side.

Retire: Retire the Work profile or factory reset the managed device

This feature is not supported on iOS or macOS devices.

Wipe

This feature is not supported on iOS or macOS devices.

When the compliance action takes effect

When you first apply a security policy, several factors affect the amount of time required to communicate the changes to targeted devices:

  • Sync interval
  • Time the device last checked in
  • Battery level
  • Number of changes already queued
  • The app check in interval for AppConnect for iOS
  • Whether Enforce Compliance Actions Locally on Devices is selected

Once the change reaches the device, Ivanti EPMM checks the device for compliance. If the device is out of compliance, then the action is performed.

If the action for a security violation can be enforced locally on the device, and that option is selected in the Compliance Action dialog, then Ivanti Mobile@Work initiates the compliance action without requiring contact with Ivanti EPMM.
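The rules in the Add Compliance Action table and in the procedure above interact in ways that are easy to get wrong when designing a policy: a security policy fires only tier 1 of a tiered action, a manual block/allow/wipe on the ActiveSync Associations page silently overrides email blocking, local enforcement applies only to the compromised-iOS condition of a security policy and never to compliance policies, and Wi-Fi retention depends on whether the device is Wi-Fi only. The following Python model is added here as an example and is not Ivanti code; it encodes those rules so an administrator can check what a given tier will actually do to a device before applying the policy. The class names, field names and effect strings are assumptions made for the example, and only iOS and Android are modelled because the table marks the ALERT, BLOCK ACCESS and QUARANTINE options as unsupported on macOS.

```python
"""Added example (not Ivanti code): a model of how one tier of an EPMM
custom compliance action resolves to device effects, following the rules in
the Add Compliance Action table.  Class names, field names and effect
strings are assumptions made for this example."""
from dataclasses import dataclass


@dataclass
class ComplianceTier:
    """Check boxes of one tier in the Add Compliance Action dialog."""
    alert: bool = False                 # ALERT
    block_access: bool = False          # BLOCK ACCESS: email + AppConnect apps
    quarantine: bool = False            # QUARANTINE: Quarantine the device
    remove_configs: bool = False        # QUARANTINE: Remove All Configurations
    keep_wifi_wifi_only: bool = False   # QUARANTINE: keep Wi-Fi on Wi-Fi-only devices
    keep_wifi_all: bool = False         # QUARANTINE: keep Wi-Fi on all devices
    remove_managed_apps: bool = False   # QUARANTINE: remove iBooks/managed apps
    enforce_locally: bool = False       # Enforce Compliance Actions Locally on Devices


@dataclass
class Device:
    platform: str                              # "ios" or "android"
    wifi_only: bool = False
    manual_activesync_override: bool = False   # admin blocked/allowed/wiped it by hand
    compromised_ios_condition: bool = False    # violation came from "Apply compliance
                                               # action when a compromised iOS device is detected"


# Effects Mobile@Work can carry out on the device without contacting EPMM.
LOCALLY_ENFORCEABLE = frozenset(
    {"send_alert", "block_app_tunnels", "unauthorize_appconnect", "retire_appconnect"}
)


def resolve_effects(tiers, policy_type, tier_index, device):
    """Return (server_effects, local_effects) for the tier that fires.

    policy_type: "security" (legacy; only tier 1 is ever used) or
                 "compliance" (tiers 1-4, selected by tier_index, 0-based).
    """
    if device.platform not in ("ios", "android"):
        # The table marks ALERT, BLOCK ACCESS and QUARANTINE as unsupported on
        # macOS, so only iOS and Android are modelled.
        raise ValueError(f"platform {device.platform!r} not modelled")

    if policy_type == "security":
        tier = tiers[0]                                 # tiers 2-4 are ignored
    elif policy_type == "compliance":
        tier = tiers[min(tier_index, len(tiers) - 1)]
    else:
        raise ValueError(f"unknown policy type {policy_type!r}")

    server = set()

    if tier.alert:
        server.add("send_alert")

    if tier.block_access:
        # Email is blocked via Standalone Sentry, but a manual block/allow/wipe
        # on the ActiveSync Associations page overrides the automatic decision.
        if not device.manual_activesync_override:
            server.add("block_email")
        server.update({"block_app_tunnels", "unauthorize_appconnect"})

    if tier.quarantine:
        # Retiring AppConnect apps unauthorizes them and wipes their secure data.
        server.update({"block_app_tunnels", "retire_appconnect"})
        if tier.remove_managed_apps:
            server.update({"remove_managed_apps", "block_apps_at_work"})
        if tier.remove_configs:
            # Always performed from the EPMM server side, never locally.
            server.add("remove_configurations")
            if tier.keep_wifi_all or (tier.keep_wifi_wifi_only and device.wifi_only):
                server.add("retain_wifi")

    # Local enforcement: security policies only, and on iOS only for the
    # compromised-device condition.  EPMM still enforces the action itself.
    local_ok = (
        tier.enforce_locally
        and policy_type == "security"
        and (device.platform != "ios" or device.compromised_ios_condition)
    )
    local = server & LOCALLY_ENFORCEABLE if local_ok else set()
    return frozenset(server), frozenset(local)
```

A useful check when reviewing a policy is to run the same tiered action through both policy types: the security policy never reaches the quarantine tier, and a tier that looks fully enforced on Android produces no local effects at all on iOS unless the violation is the compromised-device condition.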