Creating compliance policy rules and device groups

Within Ivanti Mobile Threat Defense Solution for MDM there are three threat types: Device, Network and App. Within each type there are four severity levels: Critical, Elevated, Normal and Low. Altogether you have:

  • Device - Critical, Elevated, Normal and Low severity levels
  • Network - Critical, Elevated, Normal and Low severity levels
  • App - Critical, Elevated, Normal and Low severity levels

For each threat type, you create compliance policy rules based on the threat severity. Each policy type has a predefined condition (custom policies excepted) that determines when a device is non-compliant. The administrator chooses from a list of compliance actions to take against violating devices.

As a best practice, you should have the following compliance policy rules:

  • For Low and Normal severity - use Send Alert
  • For Elevated severity - use Block Access and/or Quarantine
  • For Critical severity - use Quarantine or Tiered Compliance, choosing from:

    • Block, with notification
    • Notification
    • Quarantine and remove. For Low severity, send a notification and let the user decide what action to take.
    • Tiered Compliance, 23 hours
    • Tiered Compliance, 4 hours

Important! If a policy has previously been triggered on a device, adding the tiered policy resets that policy and any compliance actions that had previously been applied. The new custom policy is applied at the next device check-in.

Example

A managed Ivanti Go client user connects to hotel Wi-Fi:

  1. Tier 1 - Warn - Ivanti Mobile Threat Defense alerts the device user: "You just connected to unsecure Wi-Fi."
  2. Tier 2 - Block - After 2 hours, Ivanti Mobile Threat Defense blocks the user's access to email and AppConnect apps.
  3. Tier 3 - Quarantine - After 4 hours, Ivanti Mobile Threat Defense quarantines the device and blocks the Wi-Fi, removing the user's access to the company network.

Creating standard policies

You can choose from a wide array of Ivanti Neurons for MDM policy templates that you can use or modify to create robust compliance policies. As an example, let's set up a policy that restarts an iOS device when the jailbreak (Compromised Devices) policy is violated.

For reference and other information about these options, see Policy > Adding a custom policy in the Ivanti Neurons for MDM Administrator Guide.

Procedure 

  1. From the Ivanti Neurons for MDM administrator console, click Policies. The Policies page displays.

  2. Click +Add for policy options. The Choose Policy Type page displays.

  3. Click Compromised Devices. The Compromised Devices menu displays.

  4. Give the policy a useful name in the Name field and, optionally, a description.

  5. From the Choose Actions section, click Monitor to configure tiered compliance actions.

    Ivanti Sentry version 9.0.0 or later is required to use tiered compliance actions.

  6. In the first Actions field, select an option from the menu:

    Figure 1. Tiered compliance action menu

    • Do Nothing (the default) – Take no action.
    • Send Notification – Follow the prompts to create a warning email.
    • Wait – Select the waiting time in minutes, days, or hours.
    • Restart Device Once – When a device goes out of compliance, the device is restarted once. This brings some devices back into compliance.
    • Quarantine – Configure default and optional quarantine actions.
    • Block – Uses Ivanti Sentry to block managed devices from accessing email and AppConnect-enabled applications. Sentry version 9.0.0 or later is required to utilize the block action.
    • Retire – Retires the device. This action cannot be undone.

  7. For example, you might want your first action to be an email or text message to the user. Select Send Notification and configure your message.

  8. To add more compliance levels, click the plus (+) icon to the right of the action. To delete any level, click the red minus (–).

  9. For the second action, select Restart Device Once. No configuration for this option is needed.

    Figure 2. Restart Device Once option to limit notifications

  10. Click Yes, I understand... after you read how these policies will affect devices.

  11. Click Next. The Distribute page displays.

  12. Select a distribution option.

  13. Click Done. The policy is pushed to devices at the next check-in.

Creating custom policies

This section describes how to define and create compliance actions using custom policies based on the MTD custom attributes. The policy conditions are evaluated at each regularly scheduled client check-in; when a device is found to be non-compliant, Ivanti Neurons for MDM enforces the selected compliance actions on the client.

With custom compliance actions, you can create actions that give you finer-grained access control. Tiered compliance actions can include up to four levels of action, corresponding to the Critical, Elevated, Normal and Low severities.

Procedure 

  1. In Ivanti Neurons for MDM administrator console, go to Policies.
  2. Click + Add.
  3. Select Custom Policy.
  4. Enter mtdnotify as the policy name.
  5. Under Conditions, select Custom Device Attribute.
  6. Select mtdnotify from the drop-down box and set the condition to "is equal to" 1.
  7. Under Choose Actions, select Monitor and Send Email and Push Notification.
  8. Under Email Message fields, enter your preferred subject and body text.
  9. Under Push Notification, enter your preferred message text.
  10. Click Yes, Next, and Done.
  11. Repeat this procedure to add the following policies (and any other custom policies you create):

    Table 23.  Recommended policies

    Policy Name        Custom Device Attribute   Actions
    mtdblock           mtdblock                  Monitor; Send Email and Push Notification; Block
    mtdquarantine      mtdquarantine             Monitor; Send Email and Push Notification; Quarantine
    mtdtiered4hours    mtdtiered4hours           Monitor; Send Email and Push Notification; All compliance actions

Creating device groups

You can create and match device groups with custom policies you have created.

Procedure 

  1. In the Ivanti Neurons for MDM administrator console, go to Devices > Device Groups.
  2. Click + Add.
  3. Enter mtdNotify as the device group name.
  4. Under Dynamically Managed groups, select Custom Device Attribute.
  5. Select mtdnotify from the drop-down box and set the condition to "is equal to" 1.
  6. Click Save.
  7. Repeat this procedure to add the following device groups (and any other custom device groups you create):

    Table 24.  Recommended device groups

    Device Group Name   Custom Device Attribute
    mtdBlock            mtdblock
    mtdQuarantine       mtdquarantine
    mtdTiered4hours     mtdtiered4hours
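The following is an added example, not Ivanti's code and not the product's API: an offline Python model of how the recommended custom policies (Table 23), the dynamic device groups (Table 24) and the tiered hotel Wi-Fi schedule from the example earlier on this page fit together at a client check-in. Every name here (Device, Wait, check_in, reassign_tiered_policy, T0, HOUR) is an assumption for illustration; the 2-hour Wait delays in the tiered policy are taken from the Wi-Fi example and assumed to count from the first check-in that saw the attribute, and the reset behaviour models the "Important!" caveat above rather than documented product internals.

```python
"""Added example (not Ivanti code): model of custom-attribute policies, dynamic
device groups and tiered compliance actions evaluated at a device check-in.
All names, delays and the reset semantics are assumptions for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Union

T0 = datetime(2024, 1, 1, 9, 0)      # constructed check-in clock for the sample run
HOUR = timedelta(hours=1)


@dataclass(frozen=True)
class Wait:
    """A 'Wait' step in the console's tiered action list (see step 6 above)."""
    delay: timedelta


Step = Union[str, Wait]
NOTIFY = "Send Email and Push Notification"

# Recommended custom policies, keyed by the MTD custom attribute each tests for "== 1".
# The tiered policy uses the Wi-Fi example schedule: notify now, Block after 2 h,
# Quarantine after 4 h (assumed cumulative from the first check-in that saw the attribute).
POLICIES: Dict[str, List[Step]] = {
    "mtdnotify": ["Monitor", NOTIFY],
    "mtdblock": ["Monitor", NOTIFY, "Block"],
    "mtdquarantine": ["Monitor", NOTIFY, "Quarantine"],
    "mtdtiered4hours": ["Monitor", NOTIFY, Wait(2 * HOUR), "Block",
                        Wait(2 * HOUR), "Quarantine"],
}

# Recommended dynamic device groups: group name -> custom attribute that must equal 1.
DEVICE_GROUPS: Dict[str, str] = {
    "mtdNotify": "mtdnotify", "mtdBlock": "mtdblock",
    "mtdQuarantine": "mtdquarantine", "mtdTiered4hours": "mtdtiered4hours",
}


@dataclass
class Device:
    device_id: str
    attributes: Dict[str, int] = field(default_factory=dict)          # MTD custom attributes
    violation_since: Dict[str, datetime] = field(default_factory=dict)  # policy -> timer start


def device_groups_for(device: Device) -> List[str]:
    """Dynamic group membership: every group whose attribute condition (== 1) holds."""
    return sorted(g for g, attr in DEVICE_GROUPS.items() if device.attributes.get(attr) == 1)


def steps_reached(sequence: List[Step], elapsed: timedelta) -> List[str]:
    """Walk a tiered action list; each Wait consumes its delay. Returns the actions
    whose preceding Waits have all elapsed, in order (the last one is the current tier)."""
    reached: List[str] = []
    clock = timedelta(0)
    for step in sequence:
        if isinstance(step, Wait):
            clock += step.delay
            if clock > elapsed:
                break
        else:
            reached.append(step)
    return reached


def check_in(device: Device, now: datetime) -> Dict[str, List[str]]:
    """Evaluate every policy at a check-in. A policy's timer starts at the first
    check-in that sees its attribute == 1 and is forgotten once the attribute clears."""
    enforced: Dict[str, List[str]] = {}
    for policy, sequence in POLICIES.items():
        if device.attributes.get(policy) != 1:
            device.violation_since.pop(policy, None)   # back in compliance: drop the timer
            continue
        since = device.violation_since.setdefault(policy, now)
        enforced[policy] = steps_reached(sequence, now - since)
    return enforced


def reassign_tiered_policy(device: Device, policy: str) -> None:
    """Model of the caveat above: adding the tiered policy to a device that already
    triggered it resets the policy and its applied actions; the restarted schedule
    takes effect at the device's next check-in."""
    device.violation_since.pop(policy, None)


if __name__ == "__main__":
    dev = Device("ios-1", {"mtdtiered4hours": 1, "mtdnotify": 1})   # constructed device
    print(device_groups_for(dev))
    for hours in (0, 2, 4):
        print(hours, check_in(dev, T0 + hours * HOUR)["mtdtiered4hours"][-1])
```

The model makes two points the procedures alone do not: a Wait step only gates the actions after it, so a device that checks in at 3 hours is still at the Block tier, and reassigning the tiered policy wipes the timer, so the next check-in starts again at the notification tier rather than continuing to Quarantine.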