Working with Policies
This section contains the following topics:
Implement policies
Policies define requirements for devices, as well as what will happen if a device does not comply with requirements. Each policy consists of a rule and a compliance action (what happens if the rule is violated). Use the Policies page to select, set up, and distribute policies.
The following policy types are available:
Type |
What It Does |
||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Compromised Devices |
Flags devices that have been jailbroken (iOS) To view the violation reason why the system flagged an Android device as compromised due to rooting:
To view the violation reason why the system flagged an Android device as compromised due to rooting:
|
||||||||||||||||||||
Flags macOS devices that do not have a passcode or encryption enabled. |
|||||||||||||||||||||
Flags devices that might be incurring international roaming charges. Status is refreshed when the device checks in. For iOS, the service uses the roaming flag as set and reported by iOS. The compliance action is triggered by the first violation only. |
|||||||||||||||||||||
MDM/Device Administration Disabled |
If the device is MDM-disabled, then it will not be evaluated for any other policies or delta processing of configurations or apps further during check-ins. |
||||||||||||||||||||
Out of Contact |
Flags devices that have been out of contact with Ivanti Neurons for MDM for the specified time range. Choose the actions to take if the device has not checked in for a specified range of hours (2-3 to 23-24) or number of days. |
||||||||||||||||||||
MI Client Out of Contact (iOS only) |
Flags Ivanti Neurons for MDM clients that have been out of contact with Ivanti Neurons for MDM for the specified time range. Choose the actions to take if the client has not checked in for a specified range of hours (2-3 to 23-24) or number of days. This is also applicable for devices registered via iReg. The policy marks a device as non-compliant if there is no client or if the client has not checked-in for a defined period of time. |
||||||||||||||||||||
Flags devices that violate rules about which apps are allowed or required. |
|||||||||||||||||||||
Creates a custom policy based on conditions and related actions you specify. |
Compliance Actions
The following compliance actions are available:
Compliance Action |
What It Does |
---|---|
Monitor |
Flags the device in the Ivanti Neurons for MDM Devices page. By default, this action is turned on. |
Block |
Instructs Access and /or Sentry to block a device if the device tries to access a resource via Sentry or Access after the policy has been violated as of the last check-in details. |
Send message to user |
In addition to the existing policies, the "Use the Compliance Policy Email Template" toggle is now available for the following policies as well: |
Quarantine |
|
Additional Quarantine Actions (Optional): |
Quarantine Managed Applications - Removes Ivanti Neurons for MDM managed apps from the device and enables the Block New App Downloads option to block the apps from being re-installed on the device. Select one of the following options:
On certain devices, the Quarantine action will not remove the application from the device due to certain device limitations. By default, this option is selected (for all three: All Applications, Remove all apps except the following and Designated Applications) and cannot be de-selected. This blocks the apps from being re-installed on the device. Remove configurations - Removes Ivanti Neurons for MDM configurations from the device. Select one of the following options:
Push Designated Configurations - Distribute designated configurations as part of custom compliance. This list contains configurations meeting the following criteria:
Remove Content - Removes all content and media associated with the apps distributed by Ivanti Neurons for MDM from the device. Suspend Personal Apps - Suspend apps on the personal side of the quarantined device to indicate that device user needs to address the compliance issues on the device to make it functional. Supported on Android 11+ Devices provisioned as a Work Profile on Company Owned Device. |
Finding an existing policy
You can use filters and the search feature in the Policies page to find one or more existing policies.
Procedure
- Go to Policies.
- To filter a list of policies that match certain criteria, click Filters.
- Select one or more filter criteria.
- To search for an existing policy by its name, enter the policy name in the Search field.
Adding a policy
Procedure
-
Go to Policies.
-
Click +Add (upper right).
-
Select a policy type.
-
Complete the settings.
-
Select the device groups you want to receive this policy.
You can distribute to a maximum of 100 configuration files at once.
-
Click Done.
Editing a policy
Procedure
- Go to Policies.
- For the required policy, click the Edit (pencil) icon under the Actions column.
- Make your changes.
- Save the changes.
Deleting a policy
Procedure
- Go to Policies.
- For the required policy, click the Remove icon under the Actions column.
- Click Yes to confirm.
If you cannot see the Policies page, it might be that you do not have the required permissions. You need one of the following roles:
-
Device Management
-
Device Read Only
For more information, see Prioritize policies.