Compliance actions policy violations

You can assign compliance actions for security policy violations and for compliance policy violations. When you configure access control in either type of policy, you can select default compliance actions that are provided with Core. You can also select custom compliance actions that you create.

Figure 1. Compliance actions policy violations

To create the custom compliance actions, see Custom compliance actions.

Default compliance actions

The following table describes the default compliance actions:

Table 1. Default compliance actions table

Default compliance action

Description

Send Alert

Sends alert that you configured for the policy violation.

To configure the alert, see Policy violations event settings.

Block Email, AppConnect Apps And Send Alert

This feature is not supported on Windows devices.

Customized compliance actions

These actions can contain 4 tiers of actions. Tiers 2-4 are only used in compliance policies; they are not used by legacy security policies. Security policies only perform the action defined in tier 1.

Custom compliance actions

You can customize the compliance actions that you want to take for the settings on the Compliance Actions page under Policies & Configs. After you create your customized compliance actions, the actions you created appear in a drop-down list in the Access Control section of your security policies.

Custom compliance actions enable you to specify combinations of the following actions:

  • Send alert
  • Block email access and AppConnect apps (includes blocking app tunnels)
  • Quarantine: block email access, block app tunnels, block AppConnect apps, and wipe AppConnect app data
  • Remove configurations (i.e., profiles)
  • Specify exceptions for Wi-Fi-only devices

Once you create a set of these actions, you can select that set from the drop downs in the Access Control section of security policies.

Creating a compliance action

With custom compliance actions, you can create actions to better manage access control. With tiered compliance actions, you can customize them to include up to 4 levels of action to better manage compliance actions.

Procedure 

  1. Log into the Admin Portal.
  2. Go to Policies & Configs > Compliance Actions.
  3. Click Add+ to open the Add Compliance Action dialog box.
  4. Select the appropriate fields as described in the Add Compliance Action table.
  1. If you want to add another set of actions, click the plus (+) button and select the fields, as necessary, to complete the second compliance action.
  2. If you want to add another set of actions, click the plus (+) button and select the fields, as necessary, to complete the third compliance action.
  3. Click Save to add the new compliance action for access control and compliance actions.
  4. You can select them by going to:
    • Policies & Configs > Policies > policy > Edit > Access Control section (1 tier only).
    • Policies & Configs > Compliance Policies > Add+ > Compliance Policy Rule > Compliance Actions drop-down (1-4 tiers).

Add Compliance Action table

The following table describes the Add Compliance Actions options:

Table 2. Add Compliance Action fields

Item

Description

Name

Enter an identifier for this set of compliance actions. Consider specifying the resulting action so that the action will be apparent when you are editing a security policy.

Enforce Compliance Actions Locally on Devices

This feature is not supported on Windows devices.

 

ALERT: Send a compliance notification or alert to the user

Select if you want to trigger a message indicating that the violation has occurred. Core sends alerts to users, administrators, or both.

To configure the alert, see Policy violations event settings.

BLOCK ACCESS: Block email access and AppConnect apps

This feature is not supported on Windows devices.

QUARANTINE:
Quarantine the device

(Select this check box to display the other Quarantine options.)

This feature is not supported on Windows devices.

QUARANTINE:
Remove All Configurations and SaaS Sign-on Policy

This feature is not supported on Windows devices.

 

QUARANTINE:
Do not remove Wi-Fi settings for Wi-Fi only devices

This feature is not supported on Windows devices.

 

QUARANTINE:
Do not remove Wi-Fi settings for all devices (iOS and Android only)

This feature is not supported on Windows devices.

 

QUARANTINE:
Remove iBooks content, managed apps, and block new app downloads

This feature is not supported on Windows devices.

 

Retire:
Retire the Work profile or factory reset the managed device

This feature is not supported on Windows devices.

When the compliance action takes effect

When you first apply a security policy, several factors affect the amount of time required to communicate the changes to targeted devices:

  • sync interval
  • time the device last checked in
  • battery level
  • number of changes already queued
  • whether Enforce Compliance Actions Locally on Devices is selected.

Once the change reaches the device, Core checks the device for compliance. If the device is out of compliance, then the action is performed.

If the action for a security violation can be enforced locally on the device, and that option is selected in the Compliance Action dialog, then Apps@Work initiates the compliance action without requiring contact with Core.