Event settings

Each event type has specific settings that need to be configured when you create or edit the event. This section describes the settings for each type.

International roaming event settings

This event type is not supported for Windows devices.

SIM changed event settings

This event type is not supported for Windows devices.

Memory size exceeded event settings

This event type is not supported for Windows devices.

This section describes how to create a memory size exceeded event.

Procedure 

System event settings

A system event applies a compliance action when a component of a Core implementation is not working. System alerts are intended for relevant administrators.

Procedure 

  1. In the Admin Portal, go to Logs > Event Settings.
  2. Click Add New.
  3. Select System Event from the drop-down menu.
  4. Use the guidelines in System event field description to complete the form.
  5. Click Save.

System event field description

Table 1. System event field descriptions

Field

Description

Name

Identifier for this event.

Description

Additional text to clarify the purpose of this notification.

Sentry (standalone and integrated) is unreachable

Applies a compliance action if Core is unable to contact the Sentry.

MobileIron gateway is unreachable

Select this option to send an alert if Core cannot connect to the Core gateway.

LDAP server is unreachable

Select this option to send an alert if Core cannot connect to any of the configured LDAP servers.

DNS server is unreachable

Select this option to send an alert if Core cannot connect to one of the configured DNS servers.

Mail server is unreachable

Select this option to send an alert if Core cannot connect to the configured SMTP server.

NTP server is unreachable

Select this option to send an alert if Core cannot connect to the configured NTP server.

Certificate Expired or Certificate Error

Select this option to send an alert for certificate expiration.

An alert is sent 60 days before expiration and on the expiration date. Certificates supported include Admin Portal and device certificates.

Provisioning Profile Expired

This feature is not supported for Windows devices.

SMTP Relay server is unreachable

Applies a compliance action if the configured SMTP relay (used for SMS archive) does not respond to a ping or SMTP ping.

SMTP Relay server error

Applies a compliance action if the configured SMTP relay (used for SMS archive) returns an error. The alert includes available details to enable troubleshooting.

System storage threshold has been reached

Applies a compliance action if the system storage threshold has been reached.

Refer to Core System Manager Guide for information on setting this threshold or manually purging the data.

Connector state events

 

Applies a compliance action if the health of the Connector changes.

Core defines a healthy connector as one that connects to the server at expected intervals and syncs successfully with the LDAP server. An alert is generated if a Connector changes from healthy to unhealthy, or from unhealthy to healthy.

Connector requires upgrade

Applies a compliance action if the automated upgrade of the Connector fails. This alert prompts you to manually upgrade the Connector.

Connector can not connect to LDAP server

Applies a compliance action if a configured LDAP server is no longer reachable.

Connector is unreachable

Applies a compliance action if the Core server does not receive the expected response to the scheduled probe of the Connector.

This alert generally indicates network problems.

Application update failed

Alerts the administrator that the Apps@Work or Bridge update for Windows failed. For more information, administrators can check the server logs.

Mobile Threat Definition Update

Alerts administrators when a new version of the mobile threat definition is available. The notification includes any impacts to the existing MTD Local Action policies if threats were removed from the latest update.

Generate Alert

Turns on/off the alert defined for this event.

Maximum Alerts

Specifies whether there is a limit on the number of alerts generated for a given event. If you select Limited, then you can specify the number of alerts to allow. By default, compliance is checked every 24 hours. See Managing Compliance and Creating an event for more information.

Alert Every

Specifies the time, in days, after which the alert count is reset.

Severity

Specifies the severity defined for the alert. Select Critical, Warning, or Information.

Template

Specifies the template to populate the resulting alert. Click View to display the content of the current template.

Select an alternate template from the drop-down or click Create to create a new template. See Customizing Event Center messages for information on creating a new template.

Send SMS

Specifies whether to send an alert in a text message, and whether to send it to the user, the administrator, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select “Admin only” or “User + Admin”, then the CC to Admins section appears. Use this section to specify administrative users who should receive the alert.

Send Email

Specifies whether to send an alert in an email, and whether to send it to the user, the administrator, or both. Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select “Admin only” or “User + Admin”, then the CC to Admins section appears. Use this section to specify administrative users who should receive the alert.

Send through Push Notification

Specifies whether to send a message, and whether to send it to the user, administrator, or both.

Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select “Admin only” or “User + Admin”, then the CC to Admins section appears. Use this section to specify administrative users who should receive the alert.

The length of the message is limited to 255 characters.

Apply to Labels

Send the alert to users in the selected labels. See the “Using labels to establish groups” section in Getting Started with Core for more information.

In most cases, if you do select a label, it should not be a label with broad coverage. System event alerts are usually not appropriate for device users.

Search Users

Enter the user ID to find users to which you want to send the alert.

Apply to Users

Send the alert to the selected users.

Policy violations event settings

For Windows devices, only out of contact and out of policy violations are supported. Alerts can be sent by email only.

Procedure 

  1. In the Admin Portal, go to Logs > Event Settings.
  2. Click Add New.
  3. Select Policy Violation Event from the drop-down menu. The New Policy Violations Event dialog box opens.

  4. Follow the guidelines in Policy violations event field description to complete the form.
  5. Click Save.

Apply only one Policy Violations event to each device. If more than one policy violations event applies to a device, only the last one you edited and saved is triggered. Therefore, do not create a separate policy violations event for each type of security policy violation.

In that one Policy Violations event, select all of the security policy settings that you want to trigger the event. Use the template variable $DEFAULT_POLICY_VIOLATION_MESSAGE in your message template to specify the security policy violation that triggered the event.

Policy violations event field description

The following table describes fields for configuring a policy violation event.

Table 2. Policy violation event field description

Field

Description

Name

Identifier for this event.

Description

Additional text to clarify the purpose of this notification.

Connectivity

Out-of-contact with Server for X number of days

Select this option to send an alert when a device has been out of contact for the number of days specified in the Security policy assigned to it.

Out-of-policy for X number of days

Select this option to send an alert when a policy has been out of date for the number of days specified in the Security policy assigned to it.

Device Settings

Passcode is not compliant

Applies a compliance action if a device is detected having a passcode that does not meet the requirements specified in the associated security policy.

App Control

Disallowed app found

Applies a compliance action if an app that is specified as Disallowed is installed on a device.

Apps are specified as Required, Allowed, or Disallowed under Apps > App Control.

App found that is not in Allowed Apps list

Applies a compliance action if an app that does not appear on the list of allowed apps has been detected on a device.

Apps are specified as Required, Allowed, or Disallowed under Apps > App Control.

Required app not found

Applies a compliance action if an app that is specified as Required is not installed on a device.

Apps are specified as Required, Allowed, or Disallowed under Apps > App Control.

Data Protection/Encryption - iOS - Android

Data Protection/Encryption is disabled

.

Security - Windows

OS Build is less than the required OS build

Select this option to apply a compliance action if the device build is less than the OS build defined in the Security policy.

Last Hotfix is less than the required hotfix

Select this option to apply a compliance action if the device OS build is less than the hotfix build defined in the Security policy.

Last Hotfix installation date is out of date

Select this option to apply a compliance action if the device OS has not been updated in the time interval defined in the Security policy.

iOS

Disallowed iOS model found

Select this option to apply a compliance action when a restricted iOS model is registered.

Disallowed iOS version found

Select this option to apply a compliance action when a restricted iOS version is registered.

Compromised iOS device

Select this option to apply a compliance action when a compromised iOS device is registered or connects to the server. That is, an iOS device has been compromised by circumventing the operator and usage restrictions imposed by the operator and manufacturer.

iOS Configuration not compliant

Applies a compliance action if an iOS device does not have the expected security policy or app settings. This state may indicate that a setting was changed or was not applied successfully.

Restored Device connected to server

Applies a compliance action if a previously wiped device has been restored and attempts to connect through the Core deployment.

MobileIron iOS App Multitasking disabled by user

Applies a compliance action if the device user disables multitasking for the iOS app. Disabling multitasking increases the likelihood that a compromised device will go undetected for a significant period of time.

Device MDM deactivated (iOS 5 and later)

Applies a compliance action when the MDM profile on a managed iOS 5 device is removed.

macOS

Disallowed macOS version found

Applies a compliance action if Core finds a registered device running a prohibited version of macOS.

Device MDM deactivated

Applies a compliance action if Core detects that MDM (Mobile Device Management) has been deactivated on a registered macOS device.

FileVault encryption disabled

Applies a compliance action if Core detects a registered macOS device with disabled FileVault encryption.

Android

Disallowed Android OS version found

Applies a compliance action if an Android device having a disallowed OS version is detected. You can specify disallowed versions in the security policy.

Compromised Android device detected

Applies a compliance action if a modified Android device is detected. That is, an Android device has been compromised by circumventing the operator and usage restrictions imposed by the operator and manufacturer.

Device administrator not activated for DM client or agent

Generate an alert when a managed Android device is found to have no device administrator privilege activated for Mobile@Work or the Samsung DM Agent.

Actions

Generate Alert

Turns on/off the alert defined for this event.

Maximum Alerts

Specifies whether there is a limit on the number of alerts generated for a given event. If you select Limited, then you can specify the number of alerts to allow.

Alert Every

Specifies the time, in days, after which the alert count is reset.

Severity

Specifies the severity you define for this alert. Select Critical, Warning, or Information.

Template

Specifies the template to populate the resulting alert. Click View to display the content of the current template. Select an alternate template from the drop-down or click Create to create a new template.

See Customizing Event Center messages for information on creating a new template.

Send SMS

Specifies whether to send an alert in a text message, and whether to send it to the user, the administrator, or both.

Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select “Admin only” or “User + Admin”, then the CC to Admins section appears. Use this section to specify administrative users who should receive the alert.

Send Email

Specifies whether to send an alert in an email, and whether to send it to the user, the administrator, or both.

Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select “Admin only” or “User + Admin”, then the CC to Admins section appears. Use this section to specify administrative users who should receive the alert.

Send through Push Notification

Specifies whether to send a message, and whether to send it to the user, the administrator, or both.

Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select “Admin only” or “User + Admin”, then the CC to Admins section appears. Use this section to specify administrative users who should receive the alert.

The length of the message is limited to 255 characters.

Apply to Labels

Send the alert to users in the selected labels. See the “Using labels to establish groups” section in Getting Started with Core for more information.

Search Users

Enter the user ID to find users to which you want to send the alert.

Apply to Users

Send the alert to the selected users.

CC to Admins

If you selected “Admin only” or “User + Admin”, then the CC to Admins section appears. Use this section to specify administrative users who should receive the alert.

Device status event settings

The device status event applies only to Android and iOS devices. The following describes the steps to create a device status event in the Admin Portal.

Procedure 

  1. Go to Logs > Event Settings.
  2. Click Add New.
  3. Select Device Status Event from the drop-down menu. The New Status Event dialog box opens.

  4. Use the following guidelines to complete the form:

    Field

    Description

    Name

    Identifier for this event.

    Description

    Additional text to clarify the purpose of this notification.

    Triggers when

    Specifies the conditions on the device that will trigger an alert:

    Device status is changed (Android and iOS)

    Android device reports policy/config errors

    Android device reports policy/config warnings

    Work schedule policy applied (Android and iOS)

    Actions

    Severity

    Specifies the severity you define for this alert. Select Critical, Warning, or Information.

    Template

    Specifies the template to populate the resulting alert. Click View to display the content of the current template. Select an alternate template from the drop-down or click Create to create a new template.

    See Customizing Event Center messages for information on creating a new template.

    Send SMS

    Specifies whether to send an alert in a text message, and whether to send it to the user, the administrator, or both.

    Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select “Admin only” or “User + Admin”, then the CC to Admins section appears. Use this section to specify administrative users who should receive the alert.

    Send Email

    Specifies whether to send an alert in an email, and whether to send it to the user, the administrator, or both.

    Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select “Admin only” or “User + Admin”, then the CC to Admins section appears. Use this section to specify administrative users who should receive the alert.

    Send through Push Notification

    Specifies whether to send a message, and whether to send it to the user, the administrator, or both.

    Specify users in the Apply to Users section or by selecting a label in the Apply to Labels section. If you select “Admin only” or “User + Admin”, then the CC to Admins section appears. Use this section to specify administrative users who should receive the alert.

    The length of the message is limited to 255 characters.

    Apply to Labels

    Send the alert to users in the selected labels. See the “Using labels to establish groups” section in Getting Started with Core for more information.

    Search Users

    Enter the user ID to find users to which you want to send the alert.

    Apply to Users

    Send the alert to the selected users.

    CC to Admins

    If you selected “Admin only” or “User + Admin”, then the CC to Admins section appears. Use this section to specify administrative users who should receive the alert.

  5. Click Save.

If more than one device status event applies to a device, only the last one you edited and saved is triggered.
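
The "only the last one you edited and saved is triggered" rule, stated above for both policy violations events and device status events, means overlapping events silently drop triggers. The following is an added example, not part of the Core documentation or product: it audits an event inventory for devices covered by more than one event of the same type and lists the triggers that never fire. The inventory, its field names and the assumption that an event applies to a device through a shared label are constructed for illustration.

```python
from datetime import datetime

# Event types for which the page says only the last saved event is triggered.
SINGLE_WINNER = {"policy_violation", "device_status"}

# Constructed inventory. Field names are assumptions for this example,
# not an export format defined by Core.
EVENTS = [
    {"name": "pv-passcode", "type": "policy_violation", "saved": "2024-01-10T09:00:00",
     "labels": {"ios-corp"}, "triggers": {"Passcode is not compliant"}},
    {"name": "pv-apps", "type": "policy_violation", "saved": "2024-02-02T14:30:00",
     "labels": {"ios-corp", "android-corp"}, "triggers": {"Disallowed app found"}},
    {"name": "pv-compromised", "type": "policy_violation", "saved": "2024-01-20T11:00:00",
     "labels": {"android-corp"}, "triggers": {"Compromised Android device detected"}},
    {"name": "ds-errors", "type": "device_status", "saved": "2024-01-05T08:00:00",
     "labels": {"android-corp"}, "triggers": {"Android device reports policy/config errors"}},
]
# Constructed devices, each mapped to the labels it carries.
DEVICES = {"iphone-01": {"ios-corp"}, "pixel-07": {"android-corp"}, "kiosk-03": {"kiosk"}}


def audit(events, devices):
    """Return one finding per device and event type where events overlap."""
    findings = []
    for device, labels in sorted(devices.items()):
        for etype in sorted(SINGLE_WINNER):
            # Assumption: an event applies to a device when they share a label.
            hits = [e for e in events if e["type"] == etype and e["labels"] & labels]
            if len(hits) < 2:
                continue
            hits.sort(key=lambda e: datetime.fromisoformat(e["saved"]))
            winner, shadowed = hits[-1], hits[:-1]  # last saved event wins
            # Triggers selected only in shadowed events are never evaluated.
            lost = set().union(*(e["triggers"] for e in shadowed)) - winner["triggers"]
            findings.append({"device": device, "type": etype, "active": winner["name"],
                             "shadowed": [e["name"] for e in shadowed],
                             "lost_triggers": sorted(lost)})
    return findings


if __name__ == "__main__":
    for f in audit(EVENTS, DEVICES):
        print(f"{f['device']}: {f['type']} -> only '{f['active']}' fires; "
              f"shadowed {f['shadowed']}; unmonitored: {f['lost_triggers']}")
```

An empty result is the target state: one event per type per device, with every required trigger selected in that single event.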