Working with default policies

Default policies are the policies applied to a device automatically when it is registered. Default policy values are also used as a starting point when you create a custom policy. MobileIron provides the values for each default policy specification. It is recommended that you create your own policies. You can use the settings in the default policies as a starting point. If you do edit a default policy’s values (not recommended), those new values become the starting point when you create a new custom policy.

Unlike configurations, a device can have only one policy of each type.

MobileIron Core provides defaults for the following policy types:

  • Security (Refer to Getting Started with MobileIron Core for details.)
  • Privacy (Refer to Getting Started with MobileIron Core for details.)
  • Lockdown (Refer to Getting Started with MobileIron Core for details.)
  • Sync (Refer to Getting Started with MobileIron Core for details.)
  • ActiveSync (See “Working with ActiveSync policies” in the .)
  • AppConnect global policy (Refer to the MobileIron Core AppConnect and AppTunnel Guide for MobileIron Core.)
NOTE: You cannot delete default policies.

The default settings for each policy type are listed in the section for each type.

Setting an alert that a device's PIN change request was skipped

You can set an alert to have the device user change the password / PIN. You can also identify devices that have prompted the device user to change the password / PIN but the device user skipped the prompt.

Procedure 

  1. In your security policy, indicate the value in the Maximum Password Age field the number of days a password is valid for. See toGetting Started with MobileIron Corefor details.
  2. Create a compliance action with the desired number of days (1,2,3…up to 7) that the administrator wants to give as a grace period before taking a compliance action. For example, if the the administrator wants to have immediate effect, the value would be 7 (days.) If the administrator wants to give a grace period of 5 days, the value would be 2 (days.). See Adding custom attributes to users and/or devices.

  3. Using Advanced searching, create a search that searches for devices that are less than 7 days (for example) of the device's password expiration date. Utilize the Android > Password/PIN Days Before Expiring field as part of your search criteria.

    NOTE: If the Maximum Password Age is 0, that means the PIN is set to never expire. When this happens, it means the Screenlock PIN Change Prompt – Showing value will always display as false and the Password/PIN Days Before Expiring displays as 0. Thus, the compliance policy cannot be a simple rule of just Password/PIN Days Before Expiring > Is less than or equal to > 7. It needs to be Password/PIN Days Before Expiring > Is less than or equal to > 7 and Password/PIN Days Before Expiring > Is greater than > 0 (see below).

  4. Click Save to Label.

  5. Apply the saved search to the appropriate labels (Actions > Apply to Labels).

    To view the results, go to Device Details page and in the Details tab, view the values for the following fields:
  • Screenlock PIN Change Prompt - Showing - Indicates if device user was prompted to change the device's screen lock password / PIN and the device user skipped the prompt. Values are:

    • Unknown - If coming from an older client device, value is unknown.

    • True - Indicates the PIN is to expire in 7 days or less.

    • False - (default) Indicates the device user is not being prompted to change the password / PIN (it has not reached its 7-day expiration window.)

    The value listed stays until the device user successfully changes the password /PIN on the device.

  • Password/PIN Days before expiring field - represents the number of days before the password / PIN will expire. This numerical value is controlled by the Security policy's Maximum Password Age field value.

    This field is a dynamic field, its value decreases every day by 1 until the password / PIN is renewed. At renewal, the value returns to the original number stated in the Maximum Password Age field and starts a new daily count-down.