Managing device compliance checks

Devices are checked for compliance with assigned policies each time they check in with Ivanti EPMM. In addition, Ivanti EPMM checks all devices for compliance at regular intervals to detect out-of-compliance devices that have not checked in with Ivanti EPMM.

Using Ivanti EPMM, you can:

  • Update device compliance status at any time
  • Set the timing for device compliance checks
  • Update the device last check-in and policy update time

Ivanti EPMM receives information regarding device compliance status and last check-in only after devices actually check in with Ivanti EPMM. While you can request a device check-in using the Admin Portal, many factors can affect whether a device actually checks in, such as network connectivity, or whether a device is switched on or off.

Setting the device compliance check interval

By default, all devices are checked for policy compliance every 24 hours. You can change the time between compliance checks. The Compliance Check Interval setting applies to compliance checks by the server only. Out of compliance conditions include:

  • Device is out of contact for the time limit you set.
  • Device’s root detection logic has found an issue.
  • Device Admin privileges have been lost.
  • Device has been decrypted.
  • Device OS version is below the expected version.

It is best to run LDAP Sync and the compliance check at different times to avoid any potential Ivanti EPMM performance problems.

Procedure 

  1. In the Admin Portal, go to Policies & Configs > Compliance Actions.
  2. Select Preferences.
  3. In Edit Compliance Preferences, select one of the timings for Compliance Check Interval (2, 4, 8, 12 or 24 hours).

    Checking the compliance status of all devices every two or four hours may impact Ivanti EPMM performance.

  4. Select Save.

Updating device compliance status

You can manually request a device check-in to update device compliance status for one device, several devices, or all the devices registered to Ivanti EPMM. Updating device compliance status enables:

  • Administrators to update the compliance status of any device without waiting for the scheduled compliance check to run.
  • Users to return to productive work when a compliance check is resolved, rather than wait for the next scheduled compliance check.
  • Administrators to update the following information about a device:
    • Last check-in, updated when the device checks in
    • Policy update time

Without the ability to update device status, the device in the following example could be locked for almost 24 hours after complying with the defined security policy:

  • A device's status is jailbroken when Monday's daily compliance check is done (the compliance check is set for 24 hours).
  • The device is blocked when this status is detected, due to the defined security policy.
  • The device is brought back into compliance two hours after Monday’s compliance check.
  • The user cannot use the device until the Tuesday daily compliance check is run 22 hours from the time the device is back in compliance.

Procedure 

  1. In the Admin Portal, go to Device & Users > Devices.
  2. Select one or more devices to update.
  3. Select Actions > Check Compliance.
  4. A message is displayed, letting you know that the compliance check has begun.

The compliance status of the chosen devices may not change for one to two minutes after selecting Check Compliance.

To update device compliance information for all devices:

  1. In the Admin Portal, go to Policies & Configs > Compliance Actions.
  2. Select Check Compliance to display a message asking if you want to update compliance status for all devices.
  3. Select Yes to check compliance status for all devices or select No to cancel the action.

The compliance status of the devices may not change for one to two minutes after selecting Check Compliance.

Compliance triggers and actions

Compliance actions configured by the administrator may be enforced locally on the device by Ivanti Mobile@Work when certain system events trigger a compliance verification check, but only when the Enforce Compliance Actions Locally on Devices check box is selected for that compliance action. Compliance verification checks also occur at the device check-in interval. Out of compliance conditions include:

  • Out of Contact: the device has had no communication with the Ivanti EPMM server for longer than the selected time period, which is specified in days.
  • Compromised: the device is suspected to be rooted, or an app intended for rooted devices has been installed.
  • Device Admin lost: the device administration privileges have been revoked.
  • Decrypted: it has been detected that the device is no longer encrypted.
  • OS Version: the version of the operating system on the device is below the expected version.
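To make the five conditions above and the stale-status scenario from "Updating device compliance status" concrete, here is an added Python model of the server-side evaluation. It is example code written for this page, not Ivanti code; the Policy and Device field names, the sample values and the dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Constructed records; field names are assumptions for this example, not Ivanti EPMM fields.
@dataclass
class Policy:
    out_of_contact_days: int   # Out of Contact threshold, specified in days
    min_os_version: str        # OS Version condition: lowest acceptable version

@dataclass
class Device:
    last_checkin: datetime
    compromised: bool          # root/jailbreak detection found an issue
    device_admin: bool         # False means Device Admin privileges were lost
    encrypted: bool
    os_version: str

def version_key(v: str) -> tuple:
    # Compare numerically so "10.10" ranks above "10.9"; a plain string compare gets this wrong.
    return tuple(int(p) for p in v.split("."))

def out_of_compliance(dev: Device, pol: Policy, now: datetime) -> list:
    """Return which of the five server compliance conditions apply to the device."""
    hits = []
    if now - dev.last_checkin > timedelta(days=pol.out_of_contact_days):
        hits.append("Out of Contact")
    if dev.compromised:
        hits.append("Compromised")
    if not dev.device_admin:
        hits.append("Device Admin lost")
    if not dev.encrypted:
        hits.append("Decrypted")
    if version_key(dev.os_version) < version_key(pol.min_os_version):
        hits.append("OS Version")
    return hits

def hours_until_scheduled_check(last_check: datetime, interval_hours: int, event: datetime) -> float:
    """Hours a stale status persists after an event until the next scheduled server check."""
    next_check = last_check + timedelta(hours=interval_hours)
    return max(0.0, (next_check - event) / timedelta(hours=1))

def demo_conditions() -> list:
    """Constructed device: silent for 4 days, flagged as rooted, on an old OS version."""
    now = datetime(2024, 1, 8, 9, 0)
    pol = Policy(out_of_contact_days=3, min_os_version="10.10")
    dev = Device(now - timedelta(days=4), True, True, True, "10.9")
    return out_of_compliance(dev, pol, now)  # ['Out of Contact', 'Compromised', 'OS Version']

def demo_page_scenario() -> float:
    """Page example: 24-hour interval, device compliant again 2 hours after Monday's check."""
    monday = datetime(2024, 1, 8, 9, 0)
    return hours_until_scheduled_check(monday, 24, monday + timedelta(hours=2))  # 22.0
```

The 22-hour result is the gap a manual Check Compliance closes; the version comparison shows why OS Version must be evaluated numerically rather than as text.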

Server compliance conditions and actions

Server compliance actions resulting from compliance conditions are listed in the table below.

Table 1. Server compliance conditions and actions

Each entry below is one compliance action together with the OS it applies to, followed by its behaviour for each condition (Out of Contact, Compromised, Device Admin lost, Decrypted, OS Version).

Wipe (Android only, when enabling Android custom ROM)

  • Out of Contact: Wipe the device when it has been out of contact.
  • Compromised: Wipe the device when the device has been compromised.
  • Device Admin lost: The device cannot be wiped when the administrator privileges have been removed.
  • Decrypted: Wipe the device when it has been detected that the device has been decrypted.
  • OS Version: Wipe the device when the OS version is less than expected.

Alert (Android, iOS)

  • Out of Contact: Send an alert when the device is out of contact.
  • Compromised: Send an alert when the device has been compromised.
  • Device Admin lost: Send an alert when administrator privileges have been removed.
  • Decrypted: Send an alert when it has been detected that the device has been decrypted.
  • OS Version: Send an alert when the OS version is less than expected.

For every condition, you can send alerts to device users, admins, or both users and admins, using SMS, push notifications, or email. The maximum number of characters allowed is 65,530.

Remove Apps (Android, iOS)

Removal of apps is only possible if the MDM profile is sent by Ivanti EPMM and is present on the device, OR if the app settings have the "Remove app when device is quarantined or signed-out" check box selected.

  • Out of Contact: Remove managed apps when the device is out of contact.
  • Compromised: Remove managed apps when the device has been compromised.
  • Device Admin lost: Managed apps cannot be removed when administrator privileges have been removed.
  • Decrypted: Remove managed apps when the device has been decrypted.
  • OS Version: Remove managed apps when the OS version is less than expected.

Quarantine All (Android, iOS)

All Android Enterprise apps and functionality are hidden, except Downloads, Google Play Store, and Ivanti Mobile@Work. (Applicable only if the "Quarantine app when device is quarantined" check box is selected.)

  • Out of Contact: Remove all configurations when the device is out of contact.
  • Compromised: Remove all configurations when the device has been compromised.
  • Device Admin lost: Remove all configurations when administrator privileges have been removed.
  • Decrypted: Remove all configurations when the device has been decrypted.
  • OS Version: Remove all configurations when the OS version is less than expected.

Quarantine All Except Wi-Fi (Android, iOS, macOS)

(For Android Enterprise apps, this is applicable only if the "Quarantine app when device is quarantined" check box is selected.)

  • Out of Contact: Remove all configurations except for Wi-Fi.
  • Compromised: Remove all configurations except for Wi-Fi when compromised.
  • Device Admin lost: Remove all configurations except for Wi-Fi when administrator privileges have been removed.
  • Decrypted: Remove all configurations except for Wi-Fi when the device has been decrypted.
  • OS Version: Remove all configurations except for Wi-Fi when the OS version is less than expected.

Quarantine All Except Wi-Fi on Wi-Fi Only (Android, iOS, macOS)

(Applicable only if the "Quarantine app when device is quarantined" check box is selected.)

  • Out of Contact: Remove all configurations except for Wi-Fi on Wi-Fi only devices.
  • Compromised: Remove all configurations except for Wi-Fi on Wi-Fi only devices when compromised.
  • Device Admin lost: Remove all configurations except for Wi-Fi on Wi-Fi only devices when administrator privileges have been removed.
  • Decrypted: Remove all configurations except for Wi-Fi on Wi-Fi only devices when the device has been decrypted.
  • OS Version: Remove all configurations except for Wi-Fi on Wi-Fi only devices when the OS version is less than expected.

Block or retire AppConnect apps (iOS)

"Block" means blocking access to AppConnect apps.

  • Out of Contact: not applicable
  • Compromised: Block (unauthorize) or retire (unauthorize and wipe) AppConnect apps.
  • Device Admin lost: not applicable
  • Decrypted: not applicable
  • OS Version: not applicable

Local compliance conditions and actions

Local compliance actions do not apply to Mobile Threat Defense functionality included with Ivanti Mobile@Work clients. There are also no local compliance actions for Ivanti Mobile@Work for macOS devices.

Local compliance enforcement actions resulting from compliance conditions are listed in the table below.

Table 2. Local compliance conditions and actions

Each entry below gives the situation, the action with the OS it applies to, and what the action does.

When the device can communicate with Ivanti EPMM to perform a Compliance Check

  • Alert (Android, iOS): Send an alert when the device is out of contact. Alerts are sent to device users, admins, or both users and admins, using SMS, push notifications, or email.
  • Block AppConnect apps (Android, iOS): Blocks access to AppConnect apps.
  • Quarantine (iOS): When the device is out of contact, all configurations, managed apps and iBooks content are removed. New app downloads are disallowed. (Applicable only if the "Quarantine app when device is quarantined" check box is selected.)
  • Quarantine (Android): When the device is out of contact, all configurations and managed apps are removed. New app downloads are disallowed. (Applicable only if the "Quarantine app when device is quarantined" check box is selected.)
  • Quarantine (Android Enterprise): All Android Enterprise apps and functionality are hidden, except Downloads, Google Play Store, and Ivanti Mobile@Work.

When the device can NOT communicate with Ivanti EPMM to perform a Compliance Check

  • Alert (Android, iOS): Send an alert when the device is out of contact. Alerts are sent to device users, admins, or both users and admins, using SMS, push notifications, or email.
  • Block AppConnect apps (Android, iOS): Blocks access to AppConnect apps.
  • Quarantine (iOS): When the device is out of contact, all configurations, managed apps and iBooks content are removed. New app downloads are disallowed. (Applicable only if the "Quarantine app when device is quarantined" check box is selected.) The Quarantine action requires all AppConnect apps to be re-installed after the device is back in compliance.
  • Quarantine (Android): When the device is out of contact, all configurations and managed apps are removed. New app downloads are disallowed. (Applicable only if the "Quarantine app when device is quarantined" check box is selected.)
  • Quarantine (Android Enterprise): All Android Enterprise apps and functionality are hidden, except Downloads, Google settings, Google Play Store, and Ivanti Mobile@Work.
  • Retire (Android Enterprise): The work profile is deleted or the managed device will be factory reset. This action is not reversible.