Privacy policies

Note the following:

  • Privacy policies are supported on Windows 10 devices.
  • Privacy policies are not supported on macOS devices.
  • Location and Apps privacy settings currently apply only to iOS devices.

Privacy policies specify which files to synchronize with Ivanti EPMM and whether activity or content should be synchronized for each type of data. Privacy policies also specify which information the Ivanti Mobile@Work app should include in its log.

To create a privacy policy, go to Policies & Configs > Policies. Click Add New > Privacy. Use the following guidelines to create or edit privacy policies:

The following table summarizes fields and descriptions in the Privacy Policy window.

Table 25.  Privacy policy fields
Item Description Default Policy Setting

Name

Required. Enter a descriptive name for this policy. This is the text that will be displayed to identify this policy throughout the Admin Portal. This name must be unique within this policy type.

Tip: Though using the same name for different policy types is allowed (e.g., Executive), consider keeping the names unique to ensure clearer log entries.

Default Privacy Policy

Status

Select Active to turn on this policy. Select Inactive to turn off this policy.

Active

Priority

Specifies the priority of this custom policy relative to the other custom policies of the same type. This priority determines which policy is applied if more than one policy is associated with a specific device. Select Higher than or Lower than, then select an existing policy from the drop-down list. For example, to give Policy A a higher priority than Policy B, you would select “Higher than” and “Policy B”.

Because this priority applies only to custom policies, this field is not enabled when you create the first custom policy of a given type.

 

Description

Enter an explanation of the purpose of this policy.

Default Privacy Policy

Apps

  • All Apps: Instructs the device to return the status of all the installed non-system apps on devices with this policy.

  • App Catalog apps: Instructs the device to return the installed status of only the apps in Apps@Work on devices with this policy. App Control rules are not applied.

Essentially, the client first checks if it's a system app. If it is, the client skips that app from the reporting list. If it's not a system app, then:

  • All apps allowed by the privacy policy will report all of the installed non-system apps.

  • Otherwise, the client reports only apps existing in the App Catalog.

App Catalog Apps

SMS Log

For Android devices only:

Specify synchronization for SMS:

Sync Content - Clear Text: Select to archive mobile data in Ivanti EPMM.

Sync Content - Encrypted: Select to archive the mobile data in encrypted format.

None: Select to collect no SMS data.

None

Call Log

For Android devices only:

Specify synchronization for Call:

Sync - Clear Text: Archive mobile data.

Sync - Encrypted: Archive the same data in encrypted format.

None: Do not collect Call statistics or store Call data.

None

iOS Location-Based Wakeups

For iOS devices only:

iOS 6 and earlier devices use Significant Location Change for background wakeups. These wakeups impact jailbreak detection and updates to certain policies.

The significant location change service provides a low-power way to get the current location of an iOS device and be notified when significant changes occur. This feature governs whether the OS can periodically bring Ivanti Mobile@Work into memory.

The following options are available:

Enabled on iOS 6 and earlier: Recommended if you want to support devices running iOS 6 and earler.

Enabled: Select this only if you want to continue using SLC.

Disabled: Select this only if you want to discontinue use of SLC, regardless of the device version. Selecting this option greatly reduces the likelihood that jailbreaks will be detected on devices that do not support silent APNS or are running Ivanti Mobile@Work 6.0 and earlier supported releases.

On iOS 8, 8.1, and 8.1.1, disabling Location Services in the OS or in Ivanti Mobile@Work may result in device users receiving a notification indicating that the current configuration requires enabling access to Location Services.

In Ivanti EPMM, a setting in the Default Privacy Policy allows toggling location based wakeups on or off. If this setting is enabled, and a user disables Location Services or disallows Location Services for Ivanti Mobile@Work, they will receive the notification. This notification does not mean that the device is out of compliance, rather, it indicates that Ivanti EPMM has enabled location-based wake ups, which the device will be unable to perform.

Disabled

Location

Specify which location data, if any, is stored on Ivanti EPMM.

The Sync Cell Tower option is only available to Android devices.

None: No location data is stored.

Sync Cell Tower: Cell tower data is stored.

Sync GPS if available: GPS data is stored.

None

Collect Roaming Status

When enabled, roaming information is collected from the device and roaming status displays in Device & Users > Devices on the Device Details panel.

When disabled, Ivanti Mobile@Work for Android does not report any roaming status to Ivanti EPMM. Available in Ivanti Mobile@Work for Android version 7.0 or later.

Disabled

Enable Configuration Profiles

Clear this setting if you do not want Ivanti EPMM to send non-AppConnect-related configurations and certificates to MAM-only iOS devices, including the Apps@Work web clip and certificate.

For more information, see “Configurations and certificates for MAM-only devices” in the Ivanti EPMM Apps@Work Guide.

Enabled

Prompt User to Enable Location Services if Wi-Fi/MTD configuration is pushed (Android enterprise)

Administrators have the ability to prompt device users to enable the device's location setting and to do it silently based on the nature of the device user. This setting is useful if the device user resides in a EU country that has GDPR requirements. If this check box is selected, the device user is prompted to enable the location setting during the registration process. If the device user does not grant permission, the configuration will fail. To resolve this, the device user will need to manually enable the device's location setting, thus triggering a device check-in to get the Wi-Fi / MTD configurations installed onto the device. Applicable only for Work managed device (DO) mode and Managed device with Work profile mode on Android 10+ devices.

Disabled

Disable Auto-Grant Location Permissions for Work Profile Devices

When this option is selected, a warning displays: Wi-Fi and MTD configurations can partially fail on older Android versions and device will fail to be located if user denies permission.

Note the following:

  • If the Privacy Policy > Disable Auto-Grant Location Permissions for Work Profile Devices field is de-selected, then the client will auto-grant Location Permissions, irrespective of configuration being pushed.
  • If the Privacy Policy > Disable Auto-Grant Location Permissions for Work Profile Devices field is selected, then the client will not auto-grant Location Permissions. The client will only seek Location Permissions if it detects configurations that require Location Permissions.
  • Depending upon server-wide settings, Location Permissions is auto-granted for Android 10 and 11 devices to use for Wi-Fi and MTD configuration. Additionally, the administrator may want to locate a device on-demand.

Not applicable to Android 12 devices.

Disabled

App Filters

For iOS apps only

 

iOS Installed App Inventory

All Apps: Instructs devices to report to Ivanti EPMM the apps installed to devices.

Select All Apps: if you are converting unmanaged apps to managed apps. See Ivanti EPMM Apps@Work Guide.

Managed Apps Only (iOS 7 and later): Instructs devices to report to Ivanti EPMM the managed apps installed to devices. For devices running iOS 7 through the most recently released version of iOS as supported by Ivanti EPMM.

Specified Apps Only (iOS 7 and later): Instructs devices to report to Ivanti EPMM the status of installed apps and managed apps whose bundle identifiers you specify here. For devices running iOS 7 through the most recently released version of iOS as supported by Ivanti EPMM.

See the Ivanti EPMM Apps@Work Guide for information about managed apps.

Managed Apps Only (iOS 7 and later)

Windows 10 Inventory

This feature is supported by Windows 10 devices only.

 

App Store Inventory

Displays all the App Store apps installed on the device. The options are Enable and Disable

Disable

Non Store Inventory

Displays all the Non Store apps installed on the device. The options are Enable and Disable

Disable

System Inventory

Displays all the System Inventory apps installed on the device. The options are Enable and Disable

Disable

Win 32 Inventory

Displays all the Win 32 Inventory apps installed on the device. The options are Enable and Disable

For Windows 10 devices with more than 100 apps, the App inventory is updated in the database.

Disable

Android Warning Banner on the Device Reboot

Enable Warning Banner

For Android devices only:

Administrators can add a warning banner that displays upon device reboot. This is helpful for companies that require all approved mobile operating systems, such as Android 9.0, to be managed according to a security baseline / guidance. Device users will see the warning banner upon device reboot and will have to acknowledge it before continuing use of the device.

This feature is applicable only to:

  • Samsung devices with Samsung Knox API 2.2

  • Samsung devices in Work Managed Device mode

  • Samsung devices in Work Profile on Company Owned Device mode

Procedure 

  1. Select the Enable Warning Banner check box. A text box displays.
  2. Enter the text that you want to appear on the device.
  3. Click Save. The default policy will be applied to all smart phones and labels to which no other policy has been applied.

Unchecked