Creating compliance policy rules and groups
Before you begin
Be sure you have completed Creating and applying server-initiated multi-tier compliance actions.
Threat types
Within MobileIron Threat Defense, there are three threat types. Within each type there are severity levels: Critical, Elevated, Normal, and Low. Altogether you have:
- Device – Critical, Elevated, Normal, and Low severity levels
- Network – Critical, Elevated, Normal, and Low severity levels
- App – Critical, Elevated, Normal, and Low severity levels
For each threat type, you create compliance policy rules based on the threat severity. As a best practice, you should have the following compliance policy rules:
- For Low and Normal threat types – use Send Alert
- For Elevated threat type – use Block Access and/or Quarantine
- For Critical threat type – use Quarantine or Tiered Compliance:
- Block – notify
- Notification
- Quarantine – remove. If Low, send notification and let user decide what action to take.
- Tiered Compliance 23 hours
- Tiered Compliance 4 hours
Example of threat type implementation: user connects to hotel Wi-Fi
- Tier 1 - Notification - MTD alerts the device user "You just connected to unsecure Wi-Fi"
- Tier 2 - After 4 hours, MTD blocks the user's access to email and AppConnect apps.
- Tier 3 - MTD Quarantines and blocks the Wi-Fi; removes user's access to the company network.
Creating compliance policy rules
You will need to create compliance policy rules based on threat severity level.
Procedure
1. From the MobileIron Core Admin portal, select Policies & Configs > Compliance Policies.
2. Click the Compliance Policy Rule tab and then click Add+.
3. Enter "Block" in the Rule Name field.
4. Set the Status to Enabled.
5. (Optional) Enter a description of the rule, for example, "MTD Block Rule."
6. In the Condition expression field, enter this expression:
   (("common.platform" = "Android" OR "common.platform" = "iOS") AND "common.retired" = false) AND "common.retired" = false
7. In the Compliance Actions field, select from the drop-down: Block Email, AppConnect apps, and Send Alert.
8. (Optional) In the Message field, enter text for alerts generated by violations of the policy rule.
9. Click Save. The Block rule displays in the Compliance Policy Rule tab.
10. Repeat steps 2-9 using the parameters below for creating additional compliance policy rules.
| Rule Name field | Condition expression field | Compliance Actions field |
| --- | --- | --- |
| Notification | (("common.platform" = "Android" OR "common.platform" = "iOS") AND "common.retired" = false) AND "common.retired" = false | Send Alert |
| Quarantine | (("common.platform" = "Android" OR "common.platform" = "iOS") AND "common.retired" = false) AND "common.retired" = false | Quarantine |
| Tiered Compliance23hours | (("common.platform" = "Android" OR "common.platform" = "iOS") AND "common.retired" = false) AND "common.retired" = false | Tiered Compliance 23 hours |
| Tiered Compliance4hours | (("common.platform" = "Android" OR "common.platform" = "iOS") AND "common.retired" = false) AND "common.retired" = false | Tiered Compliance 4 hours |
When you have finished, you should have five compliance policy rules displayed in the Compliance Policy Rule tab.
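As an added illustration (not MobileIron code), the sketch below evaluates the condition expression from the procedure against a constructed device inventory. It handles only the syntax visible in that expression; the evaluator, its left-to-right handling of AND/OR, and the sample devices are assumptions.

```python
import re

# Condition expression copied from the rule procedure (the same text is used for all five rules).
RULE_CONDITION = ('(("common.platform" = "Android" OR "common.platform" = "iOS") '
                  'AND "common.retired" = false) AND "common.retired" = false')
DEDUPLICATED = RULE_CONDITION.rsplit(" AND ", 1)[0]  # repeated trailing clause dropped
DEVICES = {  # constructed sample inventory, not product data
    "android-active": {"common.platform": "Android", "common.retired": False},
    "ios-active": {"common.platform": "iOS", "common.retired": False},
    "ios-retired": {"common.platform": "iOS", "common.retired": True},
    "windows-active": {"common.platform": "Windows", "common.retired": False},
}
TOKEN = re.compile(r'\s*(\(|\)|=|"[^"]*"|\w+)')

def evaluate(expr, device):
    """Return True when the device attributes satisfy the expression."""
    if TOKEN.sub("", expr).strip():
        raise ValueError("unrecognised text in expression")
    tokens, pos = TOKEN.findall(expr) + [""], 0  # "" marks the end of input
    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]
    def term():  # parenthesised group, or "field" = literal
        tok = take()
        if tok == "(":
            value = chain()
            if take() != ")":
                raise ValueError("expected ')'")
            return value
        if not tok.startswith('"') or take() != "=":
            raise ValueError(f"expected a quoted field and '=' at {tok!r}")
        literal = take()
        if literal not in ("true", "false") and not literal.startswith('"'):
            raise ValueError(f"unsupported literal {literal!r}")
        wanted = literal[1:-1] if literal.startswith('"') else literal == "true"
        return device.get(tok[1:-1]) == wanted  # a missing attribute never matches
    def chain():  # AND/OR applied left to right (assumption; the page's expression is parenthesised)
        value = term()
        while tokens[pos] in ("AND", "OR"):
            op, rhs = take(), term()
            value = (value and rhs) if op == "AND" else (value or rhs)
        return value
    result = chain()
    if tokens[pos] != "":
        raise ValueError(f"unexpected token {tokens[pos]!r}")
    return result

def matching(expr, devices=DEVICES):
    return sorted(name for name, attrs in devices.items() if evaluate(expr, attrs))
```

Because all five rules use this one condition, each matches every non-retired Android or iOS device and the rules differ only in their compliance action; the repeated trailing clause does not change which devices match.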
Creating compliance policy groups
Compliance policy groups are used to apply the group's rules to devices matching the label.
Procedure
1. Select Policies & Configs > Compliance Policies.
2. Click the Compliance Policy Group tab and then click Add+.
3. Enter "MTDBlock" into the Group Name field.
4. Keep the default Status of Enabled.
5. (Optional) Enter a description of the group name, for example, "MTDBlock."
6. In the Available Rules field, move the "Block" rule to the Selected Rules section. (Action is "Block Email, AppConnect apps, and Send Alert.")
7. Click Save. The MTDBlock group displays in the Compliance Policy Group tab.
8. Repeat steps 2-7 using the parameters below for creating additional compliance policy groups.
| Group Name field | Status | Rule Name | Action Name |
| --- | --- | --- | --- |
| MTDNotification | Enabled | Notification | Send Alert |
| MTDQuarantine | Enabled | Quarantine | Quarantine |
| MTDTiered23hours | Enabled | TieredCompliance23hours | Tiered Compliance 23 hours |
| MTDTiered4hours | Enabled | TieredCompliance4hours | Tiered Compliance 4 hours |
When you have finished, you should have five compliance policy groups displayed in the Compliance Policy Group tab.