Compliance actions policy violations

You can assign compliance actions for security policy violations and for compliance policy violations. When you configure access control in either type of policy, you can select default compliance actions that are provided with Ivanti EPMM. You can also select custom compliance actions that you create.

Figure 1. Compliance actions policy violations

To create the custom compliance actions, see Custom compliance actions.

Default compliance actions

The following table describes the default compliance actions:

Table 22.   Default compliance actions table

Default compliance action

Description

Send Alert

Sends alert that you configured for the policy violation.

To configure the alert, see Policy violations event settings.

Block Email, AppConnect Apps And Send Alert

This feature is not supported on Windows devices.

Customized compliance actions

These actions can contain 4 tiers of actions. Tiers 2-4 are only used in compliance policies; they are not used by legacy security policies. Security policies only perform the action defined in tier 1.

Custom compliance actions

You can customize the compliance actions that you want to take for the settings on the Compliance Actions page under Policies & Configs. After you create your customized compliance actions, the actions you created appear in a drop-down list in the Access Control section of your security policies.

Custom compliance actions enable you to specify combinations of the following actions:

  • Send alert
  • Block email access and AppConnect apps (includes blocking app tunnels)
  • Quarantine: block email access, block app tunnels, block AppConnect apps, and wipe AppConnect app data
  • Remove configurations (i.e., profiles)
  • Specify exceptions for Wi-Fi-only devices

Once you create a set of these actions, you can select that set from the drop downs in the Access Control section of security policies.

Creating a compliance action

With custom compliance actions, you can create actions to better manage access control. With tiered compliance actions, you can customize them to include up to 4 levels of action to better manage compliance actions.

Procedure 

  1. Log into the Admin Portal.
  2. Go to Policies & Configs > Compliance Actions.
  3. Select Add+ to open the Add Compliance Action dialog box.

  4. Select the appropriate fields as described in the Add Compliance Action table.

  5. If you want to add another set of actions, select the plus (+) button and select the fields, as necessary, to complete the second compliance action.
  6. If you want to add another set of actions, select the plus (+) button and select the fields, as necessary, to complete the third compliance action.
  7. Select Save to add the new compliance action for access control and compliance actions.
  8. You can select them by going to:
    • Policies & Configs > Policies > Security policy > Edit > Access Control section (1 tier only).

    • Policies & Configs > Compliance Policies > Add+ > Compliance Policy Rule > Compliance Actions drop-down (1-4 tiers).

      Using Compliance Actions with the "Enforce Compliance Actions Locally on Devices" option enabled does not have any effect if used in Compliance Policies. Those are only supported in the Security policy.

Add Compliance Action table

The following table describes the Add Compliance Actions options:

Table 1. Add Compliance Action fields

Item

Description

Name

Enter an identifier for this set of compliance actions. Consider specifying the resulting action so that the action will be apparent when you are editing a security policy.

Enforce Compliance Actions Locally on Devices

This feature is not supported on Windows devices.

ALERT: Send a compliance notification or alert to the user

Select if you want to trigger a message indicating that the violation has occurred. The Ivanti Mobile@Work app will send an alert to the device user based on the security policy violation, even without connection to Ivanti EPMM. To use this feature, you need to select this Compliance Action in Security Policies in Getting Started with Ivanti EPMM.

If de-selected, Ivanti EPMM will send alerts to device users, administrators, or both. To configure the alert, see

Policy violations event settings.

BLOCK ACCESS: Block email access and AppConnect apps

This feature is not supported on Windows devices.

QUARANTINE:
Quarantine the device

(Select this check box to display the other Quarantine options.)

This feature is not supported on Windows devices.

QUARANTINE:
Remove All Configurations and SaaS Sign-on Policy

This feature is not supported on Windows devices.

 

QUARANTINE:
Do not remove Wi-Fi settings for Wi-Fi only devices

This feature is not supported on Windows devices.

 

QUARANTINE:
Do not remove Wi-Fi settings for all devices (iOS and Android only)

This feature is not supported on Windows devices.

 

QUARANTINE:
Remove iBooks content, managed apps, and block new app downloads

This feature is not supported on Windows devices.

 

Retire:
Retire the Work profile or factory reset the managed device

This feature is not supported on Windows devices.

Wipe

This feature is not supported on Windows devices.

When the compliance action takes effect

When you first apply a security policy, several factors affect the amount of time required to communicate the changes to targeted devices:

  • Sync interval
  • Time the device last checked in
  • Battery level
  • Number of changes already queued

Once the change reaches the device, Ivanti EPMM checks the device for compliance. If the device is out of compliance, then the action is performed.

If the action for a security violation can be enforced locally on the device, and that option is selected in the Compliance Action dialog, then Apps@Work initiates the compliance action without requiring contact with Ivanti EPMM.