Audit Logs use cases
A wealth of information is available to you in the Audit Logs. Querying the events allows you to monitor your Ivanti EPMM system and resolve problems. You can run queries for one type of event, several types of events, or as many as you like. All you need to do is check the events you want to track, and then specify a time frame. The default time frame is the time between the last time the logs were purged and the current time.
For example:
- Use the certificate events to troubleshoot certificate issues. For example, query for certificates that have expired or have been revoked.
- Use the MDM events to troubleshoot MDM activity on devices. For example, query whether an MDM profile was removed, or whether a managed app was installed.
- Use the AppTunnel events to determine whether an administrator manually blocked or allowed AppTunnel on a device.
- Use the device events to determine activity taken on devices, such as unlocking the device, or deleting retired devices.
- Use the app events to determine whether an administrator has changed the app control rules in Ivanti EPMM. A change to app control rules can result in Ivanti EPMM taking, or not taking, compliance actions such as blocking email on devices.
This section presents several scenarios and how you can use the audit logs to resolve the problems they present.
Personal information is wiped from devices
Suppose several of your users report that the personal information on their phones was wiped. How can you figure out how this happened? Using the audit logs, you can check the wipe actions recorded in the logs, and discover:
- Who issued the Wipe commands
- When they occurred
- How many users are impacted
To resolve this problem:
- In the Admin Portal, select Logs.
- Select Audit Logs.
- Click Reset at the bottom of the Filters panel to ensure that the previous search values are cleared.
- In the Filters panel, specify a time interval that you suspect the device wipe(s) happened.
-
Open the Device events list.
-
Select Wipe.
- Click Search.
- View the results of the search to determine:
- When the devices were wiped
- How many devices were wiped
- Which administrator user issued the wipe commands
Users are prompted for email passwords when not necessary
Suppose you set up your Exchange policy to not require your users to provide a password when they log in to email, but your users are still prompted for a password each time they access email.
To check for any changes to the Exchange policy that could cause this problem:
- In the Admin Portal, select Logs.
- Select Audit Logs.
- Click Reset at the bottom of the Filters panel to ensure that the previous search values are cleared.
- In the Filters panel, specify a time interval that you suspect changes to the Exchange policy happened.
-
Open the Configuration events list.
- Select Modify Configuration.
- Click Search.
- View the results of the search to determine:
- What changes were made recently to the Exchange policy
- Which administrator user made the changes
Users are prompted to create passwords
Suppose your users are prompted to create device passwords when that is not how you set up your Ivanti EPMM. You can use the audit logs to discover if this requirement is set and when this change occurred.
To check for changes to mandatory passwords:
- In the Admin Portal, select Logs.
- Select Audit Logs.
- Click Reset at the bottom of the Filters panel to ensure that the previous search values are cleared.
- In the Filters panel, specify a time interval that you suspect changes to the security policy happened.
-
Open the Policy events list.
- Select Modify Policy.
- Click Search.
- View the results of the search to determine:
- What changes, if any, were made recently to the Security policy
- Which administrator user made the changes
Devices have lost their managed apps
If your users report missing managed apps, the cause is usually deleted labels.
For Android devices 11.0 or supported newer versions, the administrator does not have the ability to manage app installs on the personal side.
To determine whether labels were deleted from your Ivanti EPMM:
- In the Admin Portal, select Logs.
- Select Audit Logs.
- Click Reset at the bottom of the Filters panel to ensure that the previous search values are cleared.
- In the Filters panel, specify a time interval that you suspect the labels were deleted.
-
Open the Label events list.
- Select Delete Label.
- Click Search.
- View the results of the search to determine:
- What labels, if any, were deleted recently
- Which administrator user made the changes