Tiered compliance

With tiered compliance, administrators can apply multiple compliance actions over time to devices that violate a policy. The following example describes a possible 3-tiered compliance action:

  1. Send device users a warning message that their device is out of compliance, and give them time to fix the violation.
  2. If the device is violating the same policy 24 hours later, Ivanti EPMM sends users a second message and blocks the device.
  3. If the device continues to violate the same policy another 24 hours later, Ivanti EPMM sends users a third message and quarantines the device.

The increasing penalties over time give a user who is unintentionally violating a policy the chance to return to compliance before punitive measures are taken, rather than, for example, immediately pulling email configurations off the device and interrupting normal workflow.

Tiers beyond the first one are only used by compliance policy rules, and are not used for security policies.

Tiered compliance behavior

  • Tiered compliance checks do not run based on delay times. For example, if the delay time is 4 hours, Ivanti EPMM does not automatically run a tiered compliance check after 4 hours. Instead, the next compliance check will occur in one of the following cases:
    • Device Check-in
    • Compliance check from the Devices page
    • Periodic compliance check (if the device has not checked in since the last periodic compliance check)
  • If a device check-in or compliance check occurs during the interval between two tiers, Ivanti EPMM will not take action based on the next tier. Ivanti EPMM will only take action for the next tier after the delay time between tiers has elapsed.
  • Delays between tiers are cumulative. For example, if the delay is 4 hours for tier 2 and 8 hours for tier 3, then Ivanti EPMM takes tier 3 action after 12 hours.
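
The timing rules above, modeled as an added Python example (not Ivanti's code or API): actions fire only at check events, and tier thresholds are cumulative from first detection. The function names, the device staying in violation throughout, and applying the highest tier whose threshold has elapsed when a check arrives late are assumptions of this model, not stated product behavior.

```python
from itertools import accumulate


def cumulative_thresholds(tier_delays_hours):
    """Hours after first detection at which each tier becomes eligible.

    tier_delays_hours lists the delay before each tier, tier 1 first.
    Tier 1 acts at detection, so its delay is 0; later delays add up.
    """
    return list(accumulate(tier_delays_hours))


def simulate(tier_delays_hours, check_times_hours):
    """Return (check_time, tier_applied_or_None, lag_hours_or_None) per check.

    check_times_hours are check-ins or compliance checks, in hours since the
    check that first detected the violation (that check is time 0).
    lag is how long after its threshold the tier was actually enforced.
    """
    thresholds = cumulative_thresholds(tier_delays_hours)
    applied = 0  # highest tier already enforced
    timeline = []
    for t in sorted(check_times_hours):
        # Assumption: a threshold counts as elapsed when t >= threshold.
        eligible = sum(1 for th in thresholds if th <= t)
        if eligible > applied:
            applied = eligible
            timeline.append((t, applied, t - thresholds[applied - 1]))
        else:
            # Check fell inside the interval between two tiers: no new action.
            timeline.append((t, None, None))
    return timeline


if __name__ == "__main__":
    # Constructed sample: tier 2 delay 4 h, tier 3 delay 8 h (as in the text),
    # with checks at 0, 2, 6, 11 and 15 hours after first detection.
    for t, tier, lag in simulate([0, 4, 8], [0, 2, 6, 11, 15]):
        action = f"tier {tier} action (lag {lag} h)" if tier else "no new action"
        print(f"t={t:>2} h: {action}")
```

The lag value shows how far enforcement can trail the configured delay, since it depends on when the next check-in or compliance check happens.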