Working with default policies
The features described in this section are supported on macOS devices.
Default policies are the policies applied to a device automatically when it is registered. Default policy values are also used as a starting point when you create a custom policy. Ivanti EPMM provides the values for each default policy specification. It is recommended that you create your own policies. You can use the settings in the default policies as a starting point. If you do edit a default policy’s values (not recommended), those new values become the starting point when you create a new custom policy.
Unlike configurations, a device can have only one policy of each type.
Ivanti EPMM provides defaults for the following policy types:
- Security (Refer to Getting Started with Ivanti EPMM for details.)
- Privacy (Refer to Getting Started with Ivanti EPMM for details.)
- Lockdown (Refer to Getting Started with Ivanti EPMM for details.)
- Sync (Refer to Getting Started with Ivanti EPMM for details.)
- ActiveSync (See “Working with ActiveSync policies” in the Ivanti Standalone Sentry Guide for EPMM.)
- AppConnect global policy (Refer to the AppConnect Guide for EPMM.)
You cannot delete default policies.
The default settings for each policy type are listed in the section for each type.
Prompting users to change the password
You can configure the default security policy to force users to change their passwords when a device is discovered to be non-compliant.
Consider notifying users of the new specifications before making changes to the policy.
This procedure applies to macOS 10.13 or later.
In the Admin Portal, go to Policies & Configs > Policies > Add New > Security or modify the default security policy.
The New Security Policy dialog box opens.
- Enter the Name of the policy.
- In the Priority field:
- For mandatory password changes, select Lower Than and choose Security Policy Omega (1) from the drop-down.
- For optional password changes, select Lower Than and choose Security Policy Sigma (45) from the drop-down.
- In the Password field, chose Mandatory or Optional.
- Select Mandatory.
Select the Enforce Password Rule at Next Login check box.
- Select Optional
- Select the Enforce Password Rule at Next Login check box.
- Select User Channel if you want all device users to change their password.
- Select Device Channel if you want all users to change their password, including the administrator user.
For iOS devices, if a security policy is edited and the Password field is set to Optional, then the security policy will not be pushed to devices. This results in an inaccurate count in your WatchList on the Policies & Configurations > Policies page. Ivanti, Inc recommends you have the Password field set to Mandatory.
- Select Mandatory.
- Select Save.
- If Notes for Audit Logs is enabled, a text dialog box opens. Enter the reason for the change and then select Confirm. For more information, see Best practices: label management.
Upon the next time a macOS device user logs in, the user is prompted to change the password.
When creating a new security policy and you have either user channel or device channel chosen, you must apply a label to the policy in order for the security policy to be pushed to user devices.