Event settings
Each event type has specific settings that need to be configured when you create or edit the event. This section describes the settings for each type.
- International roaming event settings
- SIM changed event settings
- Memory size exceeded event settings
- System event settings
- System event field description
- Policy violations event settings
- Policy violations event field description
- Device status event settings
International roaming event settings
This event type is not supported for Windows devices.
SIM changed event settings
This event type is not supported for Windows devices.
Memory size exceeded event settings
This event type is not supported for Windows devices.
This section addresses how to create a memory size exceeded event.
Procedure
System event settings
A system event applies a compliance action when a component of a Core implementation is not working. System alerts are intended for relevant administrators.
Procedure
- In the Admin Portal, go to Logs > Event Settings.
- Click Add New.
- Select System Event from the drop-down menu.
- Use the guidelines in System event field description to complete the form.
- Click Save.
System event field description
Field |
Description |
Name |
Identifier for this event. |
Description |
Additional text to clarify the purpose of this notification. |
Sentry (standalone and integrated) is unreachable |
Applies a compliance action if Core is unable to contact the Sentry. |
MobileIron gateway is unreachable |
Select this option to send an alert if Core cannot connect to the Core gateway. |
LDAP server is unreachable |
Select this option to send an alert if Core cannot connect to any of the configured LDAP servers. |
DNS server is unreachable |
Select this option to send an alert if Core cannot connect to one of the configured DNS servers. |
Mail server is unreachable |
Select this option to send an alert if Core cannot connect to the configured SMTP server. |
NTP server is unreachable |
Select this option to send an alert if Core cannot connect to the configured NTP server. |
Certificate Expired or Certificate Error |
Select this option to send an alert for certificate expiration. An alert is sent 60 days before expiration and on the expiration date. Certificates supported include Admin Portal and device certificates. |
Provisioning Profile Expired |
This feature is not supported for Windows devices. |
SMTP Relay server is unreachable |
Applies a compliance action if the configured SMTP relay (used for SMS archive) does not respond to a ping or SMTP ping. |
SMTP Relay server error |
Applies a compliance action if the configured SMTP relay (used for SMS archive) returns an error. The alert includes available details to enable troubleshooting. |
Applies a compliance action if the system storage threshold has been reached.
|
|
Connector state events |
Applies a compliance action if the health of the Connector changes. Core defines a healthy connector as one that connects to the server at expected intervals and syncs successfully with the LDAP server. An alert is generated if a Connector changes from healthy to unhealthy, or from unhealthy to healthy. |
Connector requires upgrade |
Applies a compliance action if the automated upgrade of the Connector fails. This alert prompts you to manually upgrade the Connector. |
Connector can not connect to LDAP server |
Applies a compliance action if a configured LDAP server is no longer reachable. |
Connector is unreachable |
Applies a compliance action if the Core server does not receive the expected response to the scheduled probe of the Connector. This alert generally indicates network problems. |
Application update failed |
Alerts the administrator that the Apps@Work or Bridge update for Windows failed. For more information, administrators can check the server logs. |
Mobile Threat Definition Update |
Alerts administrators when a new version of the mobile threat definition is available. The notification includes any impacts to the existing MTD Local Action policies if threats were removed from the latest update. |
Generate Alert |
Turns on/off the alert defined for this event. |
Maximum Alerts |
Specifies whether there is a limit on the number of alerts generated for a given event. If you select Limited, then you can specify the number of alerts to allow. By default, compliance is checked every 24 hours. See Managing Compliance and Creating an event for more information. |
Alert Every |
Specifies the time, in days, after which the alert count is reset. |
Severity |
Specifies the severity defined for the alert. Select Critical, Warning, or Information. |
Specifies the template to populate the resulting alert. Click View to display the content of the current template. Select an alternate template from the drop-down or click Create to create a new template. See Customizing Event Center messages for information on creating a new template. |
|
Send SMS |
Specifies whether to send an alert in a text message, and whether to send it to the user, the administrator, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select “Admin only” or “User + Admin”, then the CC to Admins section appears. Use this section to specify administrative users who should receive the alert. |
Send Email |
Specifies whether to send an alert in an email, and whether to send it to the user, the administrator, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select “Admin only” or “User + Admin”, then the CC to Admins section appears. Use this section to specify administrative users who should receive the alert. |
Send through Push Notification |
Specifies whether to send a message, and whether to send it to the user, administrator, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select “Admin only” or “User + Admin”, then the CC to Admins section appears. Use this section to specify administrative users who should receive the alert. The length of the message is limited to 255 characters. |
Apply to Labels |
Send the alert to users in the selected labels. See the “Using labels to establish groups” section in Getting Started with Core for more information. In most cases, if you do select a label, it should not be a label with broad coverage. System event alerts are usually not appropriate for device users. |
Search Users |
Enter the user ID to find users to which you want to send the alert. |
Apply to Users |
Send the alert to the selected users. |
Policy violations event settings
For Windows devices, only out of contact and out of policy violations are supported. Alerts can be sent by email only.
Procedure
- In the Admin Portal, go to Logs > Event Settings.
- Click Add New.
- Select Policy Violation Event from the drop-down menu. The New Policy Violations Event dialog box opens.
- Follow the guidelines in Policy violations event field description to complete the form.
- Click Save.
Apply only one Policy Violations event to each device. If more than one policy violations event applies to a device, only the last one you edited and saved is triggered. Therefore, do not create a separate policy violations event for each type of security policy violation.
In that one Policy Violations event, select all of the security policy settings that you want to trigger the event. Use the template variable $DEFAULT_POLICY_VIOLATION_MESSAGE in your message template to specify the security policy violation that triggered the event.
Policy violations event field description
The following table describes fields for configuring a policy violation event.
Field |
Description |
Name |
Identifier for this event. |
Description |
Additional text to clarify the purpose of this notification. |
Connectivity |
|
Out-of-contact with Server for X number of days |
Select this option to send an alert when a device has been out of contact for the number of days specified in the Security policy assigned to it. |
Out-of-policy for X number of days |
Select this option to send an alert when a policy has been out of date for the number of days specified in the Security policy assigned to it. |
Device Settings |
|
Passcode is not compliant |
Applies a compliance action if a device is detected having a passcode that does not meet the requirements specified in the associated security policy. |
App Control |
|
Disallowed app found |
Applies a compliance action if an app that is specified as Disallowed is installed on a device. Apps are specified as Required, Allowed, or Disallowed under Apps > App Control. |
App found that is not in Allowed Apps list |
Applies a compliance action if an app that does not appear on the list of allowed apps has been detected on a device. Apps are specified as Required, Allowed, or Disallowed under Apps > App Control. |
Required app not found |
Applies a compliance action if an app that is specified as Required is not installed on a device. Apps are specified as Required, Allowed, or Disallowed under Apps > App Control. |
Data Protection/Encryption - iOS - Android |
|
Data Protection/Encryption is disabled |
. |
Security - Windows |
|
OS Build is less than the required OS build |
Select this option to apply a compliance action if the device build is less than the OS build defined in the Security policy. |
Last Hotfix is less than the required hotfix |
Select this option to apply a compliance action if the device OS build is less than the hotfix build defined in the Security policy. |
Last Hotfix installation date is out of date |
Select this option to apply a compliance action if the device OS has not been updated in the time interval defined in the Security policy. |
iOS |
|
Disallowed iOS model found |
Select this option to apply a compliance action when a restricted iOS model is registered. |
Disallowed iOS version found |
Select this option to apply a compliance action when a restricted iOS version is registered. |
Compromised iOS device |
Select this option to apply a compliance action when a compromised iOS device is registered or connects to the server. That is, an iOS device has been compromised by circumventing the operator and usage restrictions imposed by the operator and manufacturer. |
iOS Configuration not compliant |
Applies a compliance action if an iOS device does not have the expected security policy or app settings. This state may indicate that a setting was changed or was not applied successfully. |
Restored Device connected to server |
Applies a compliance action if a previously wiped device has been restored and attempts to connect through the Core deployment. |
Applies a compliance action if the device user disables multitasking for the iOS app. Disabling multitasking increases the likelihood that a compromised device will go undetected for a significant period of time. |
|
Device MDM deactivated (iOS 5 and later) |
Applies a compliance action when the MDM profile on a managed iOS 5 device is removed. |
macOS |
|
Disallowed macOS version found |
Applies a compliance action if Core finds a registered device running a prohibited version of macOS. |
Device MDM deactivated |
Applies a compliance action if Core detects that MDM (Mobile Device Management) has been deactivated on a registered macOS device. |
FileVault encryption disabled |
Applies a compliance action if Core detects a registered macOS device with disabled FileVault encryption. |
Android |
|
Disallowed Android OS version found |
Applies a compliance action if an Android device having a disallowed OS version is detected. You can specify disallowed versions in the security policy. |
Compromised Android device detected |
Applies a compliance action if a modified Android device is detected. That is, an Android device has been compromised by circumventing the operator and usage restrictions imposed by the operator and manufacturer. |
Device administrator not activated for DM client or agent |
Generate an alert when a managed Android device is found to have no device administrator privilege activated for Mobile@Work or the Samsung DM Agent. |
Actions |
|
Generate Alert |
Turns on/off the alert defined for this event. |
Maximum Alerts |
Specifies whether there is a limit on the number of alerts generated for a given event. If you select Limited, then you can specify the number of alerts to allow. |
Alert Every |
Specifies the time, in days, after which the alert count is reset. |
Severity |
Specifies the severity you define for this alert. Select Critical, Warning, or Information. |
Specifies the template to populate the resulting alert. Click View to display the content of the current template. Select an alternate template from the drop-down or click Create to create a new template. See Customizing Event Center messages for information on creating a new template. |
|
Send SMS |
Specifies whether to send an alert in a text message, and whether to send it to the user, the administrator, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select “Admin only” or “User + Admin”, then the CC to Admins section appears. Use this section to specify administrative users who should receive the alert. |
Send Email |
Specifies whether to send an alert in an email, and whether to send it to the user, the administrator, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select “Admin only” or “User + Admin”, then the CC to Admins section appears. Use this section to specify administrative users who should receive the alert. |
Send through Push Notification |
Specifies whether to send a message, and whether to send it to the user, the administrator, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select “Admin only” or “User + Admin”, then the CC to Admins section appears. Use this section to specify administrative users who should receive the alert. The length of the message is limited to 255 characters. |
Apply to Labels |
Send the alert to users in the selected labels. See the “Using labels to establish groups” section in Getting Started with Core for more information. |
Search Users |
Enter the user ID to find users to which you want to send the alert. |
Apply to Users |
Send the alert to the selected users. |
CC to Admins |
If you selected “Admin only” or “User + Admin”, then the CC to Admins section appears. Use this section to specify administrative users who should receive the alert. |
Device status event settings
The device status event applies only to Android and iOS devices. The following describes the steps to create a device status event in the Admin Portal.
Procedure
- Go to Logs > Event Settings.
- Click Add New.
- Select Device Status Event from the drop-down menu. The New Status Event dialog box opens.
- Use the following guidelines to complete the form:
Field
Description
Name
Identifier for this event.
Description
Additional text to clarify the purpose of this notification.
Triggers when
Specifies the conditions on the device that will trigger an alert:
• Device status is changed (Android and iOS)
• Android device reports policy/config errors
• Android device reports policy/config warnings
• Work schedule policy applied (Android and iOS)
Actions
Severity
Specifies the severity you define for this alert. Select Critical, Warning, or Information.
Specifies the template to populate the resulting alert. Click View to display the content of the current template. Select an alternate template from the drop-down or click Create to create a new template.
See Customizing Event Center messages for information on creating a new template.
Send SMS
Specifies whether to send an alert in a text message, and whether to send it to the user, the administrator, or both.
Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select “Admin only” or “User + Admin”, then the CC to Admins section appears. Use this section to specify administrative users who should receive the alert.
Send Email
Specifies whether to send an alert in an email, and whether to send it to the user, the administrator, or both.
Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select “Admin only” or “User + Admin”, then the CC to Admins section appears. Use this section to specify administrative users who should receive the alert.
Send through Push Notification
Specifies whether to send a message, and whether to send it to the user, the administrator, or both.
Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select “Admin only” or “User + Admin”, then the CC to Admins section appears. Use this section to specify administrative users who should receive the alert.
The length of the message is limited to 255 characters.
Apply to Labels
Send the alert to users in the selected labels. See the “Using labels to establish groups” section in Getting Started with Core for more information.
Search Users
Enter the user ID to find users to which you want to send the alert.
Apply to Users
Send the alert to the selected users.
CC to Admins
If you selected “Admin only” or “User + Admin”, then the CC to Admins section appears. Use this section to specify administrative users who should receive the alert.
- Click Save.
If more than one device status event applies to a device, only the last one you edited and saved is triggered.
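The last-saved-wins rule stated here for device status events, and earlier for policy violations events, means that triggers selected only in an older overlapping event never produce an alert. The following Python audit is an added example, not MobileIron code: it finds devices covered by more than one event of the same type and lists the triggers that are silently lost. The Event fields, the event and device names, and matching by label only (ignoring Apply to Users) are assumptions; the inventory is constructed, not exported from Core.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    name: str
    kind: str            # "policy_violation" or "device_status"
    saved: datetime      # last time the event was edited and saved
    labels: frozenset    # labels chosen under Apply to Labels
    triggers: frozenset  # trigger options selected in the event


def shadowed_triggers(events, device_labels):
    """For each device and event type with overlapping events, return the
    event that is triggered and the triggers that exist only in overridden
    events (these never alert for that device)."""
    findings = {}
    for device, labels in device_labels.items():
        for kind in {e.kind for e in events}:
            hits = [e for e in events if e.kind == kind and e.labels & labels]
            if len(hits) < 2:
                continue  # zero or one event applies: nothing is shadowed
            winner = max(hits, key=lambda e: e.saved)  # last edited and saved
            others = (e.triggers for e in hits if e is not winner)
            lost = set().union(*others) - winner.triggers
            findings[(device, kind)] = (winner.name, sorted(lost))
    return findings


# Constructed sample inventory (hypothetical names and dates).
EVENTS = [
    Event("Compromised devices", "policy_violation", datetime(2023, 3, 1),
          frozenset({"iOS", "Android"}),
          frozenset({"Compromised iOS device", "Passcode is not compliant"})),
    Event("App control", "policy_violation", datetime(2023, 5, 9),
          frozenset({"iOS"}), frozenset({"Disallowed app found"})),
    Event("Status changes", "device_status", datetime(2023, 4, 2),
          frozenset({"Android"}), frozenset({"Device status is changed"})),
]
DEVICES = {
    "ipad-017": frozenset({"iOS", "Sales"}),
    "pixel-204": frozenset({"Android"}),
}

if __name__ == "__main__":
    for (device, kind), (winner, lost) in shadowed_triggers(EVENTS, DEVICES).items():
        print(f"{device}: {kind} event '{winner}' is triggered; never alerts on: {lost}")
```

Any non-empty list of lost triggers marks settings that should be merged into the single event that applies to the device.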