Creating MTD compliance policies

The EPMM solution provides protection for three threat types - Device, Network, and Applications. Depending on the importance for your organization, each threat can be configured in Ivanti Mobile Endpoint Security (MES) Console with low, medium, or high severity level.

For each threat level, you can create compliance policies based on the threat severity. The administrator can choose from a list of compliance actions to be taken against violating devices. This allows the administrator to better manage access control.

MES determines the device threat level based on the threats detected on the device, and updates the device threat level via the device custom attribute IvantiMTDThreatLevel in MDM.

The compliance actions are evaluated during the regularly scheduled client check-in event, and the selected compliance actions are enforced on the client when the device is determined to be non-compliant with policy.

With tiered compliance actions, you can customize the policy to include up to three levels of action to better manage compliance actions: Low, Medium, and High.

As a best practice, you should have the following compliance policy rules:

  • For Low threat levels - monitor, send initial notification.

  • For Medium threat levels - monitor, send block action notification, block.

  • For High threat levels - monitor, send block notification, block, send quarantine notification, quarantine.

By default, two compliance actions are available: "Block Email, AppConnect Apps, and Send Alert" and "Send Alert." It is a best practice to create additional compliance actions that are used specifically for MTD, for example:

  • MTD Notify (based on the "Send Alert" compliance action)

  • MTD Block (based on the "Block Email, AppConnect Apps, and Send Alert" compliance action)

  • MTD Quarantine (see Quarantine compliance action)

  • MTD Tiered Compliance 4 hours (see Tiered compliance action - 4 hours)

Quarantine compliance action

  1. In the Ivanti EPMM Admin Portal, select Policies & Configs > Compliance Actions.
  2. Select the Add+ button. The Add Compliance Action dialog box opens.

    1. Name: Enter "MTD Quarantine."
    2. Enforce Compliance Actions Locally on Devices: Select the check box to enforce the compliance actions on the device.
  3. In the Tier 1 section, fill out the following fields:

    1. Alert: Select the check box to send a compliance notification or alert to the device user.
    2. Block Access: Select the check box to block email access and AppConnect apps on the device. This selection does not apply to macOS devices.
    3. Select Quarantine the device to quarantine the device.

    4. Select Remove All Configurations to remove all configuration settings from an Android or iOS device.

    5. Select Do not remove Wi-Fi settings for all devices (iOS, macOS, and Android only) to allow all iOS and Android devices to maintain their connection to Wi-Fi.

    6. Select Remove iBooks, content, managed apps, and block new app downloads to remove iBooks, content and managed apps from these devices as well as to block downloads of new apps.

  4. Select Save.

Tiered compliance action - 4 hours

  1. Select the Add+ button. The Add Compliance Action dialog box opens.
  2. Name: Enter "MTD Tiered Compliance 4 hours."
  3. Enforce Compliance Actions Locally on Devices: Select the check box to enforce the compliance actions on the device.
  4. In the Tier 1 section, fill out the following fields:

    1. Alert: Select the check box to send a compliance notification or alert to the device user.
  5. Select the expand (+) button at the bottom of the dialog box. Tier 2 selections display.

    1. Set the Wait time to 4 Hours.
    2. Alert: Select the check box to send a compliance notification or alert to the device user.
  6. Select the expand (+) button at the bottom of the dialog box. Tier 3 selections display.

    1. Set the Wait time to 4 Hours.
    2. Alert: Select the check box to send a compliance notification or alert to the device user.
    3. Block Access: Select the check box to block email access and AppConnect apps on the device. This selection does not apply to macOS devices.
  7. Select the expand (+) button at the bottom of the dialog box. Tier 4 selections display.

    1. Set the Wait time to 4 Hours.
    2. Select Quarantine the device to quarantine the device; the section expands.
    3. Select Remove All Configurations to remove all configuration settings from an Android or iOS device.
    4. Select Do not remove Wi-Fi settings for all devices (iOS, macOS, and Android only) to allow all iOS and Android devices to maintain their connection to Wi-Fi.
    5. Select Remove iBooks, content, managed apps, and block new app downloads to remove iBooks, content and managed apps from these devices as well as to block downloads of new apps.
  8. Select Save.

Creating compliance policy rules

  1. In Ivanti EPMM admin portal, go to Policies & Configs > Compliance Policies.
  2. Click the Compliance Policy Rule tab and then click Add+.
  3. Enter "Notify" in the Rule Name field.

  4. Set the Status to Enabled.

  5. (Optional) Enter a description of the rule, for example, "MTD Notify Rule."

  6. In the Condition expression field, enter this expression:

    "custom.device.ivantiMTDThreatLevel" = "low"

  7. In the Compliance Actions field, select from the drop-down: MTD Notify.

  8. (Optional) In the Message field, enter text for alerts generated by violations of the policy rule.

  9. Click Save. The Notify rule displays in the Compliance Policy Rule tab.

    Repeat steps 1-9 using the parameters below for creating additional compliance policy rules.

    Table 4. Recommended policies

    Rule Name field            Condition expression field                         Compliance Actions field
    Block                      "custom.device.ivantiMTDThreatLevel" = "medium"    MTD Block
    Quarantine                 "custom.device.ivantiMTDThreatLevel" = "high"      MTD Quarantine
    Tiered Compliance 4 hours  "custom.device.ivantiMTDThreatLevel" = "high"      MTD Tiered Compliance 4 hours
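    The following model, added here as an illustration and not Ivanti code, shows how the rules in Table 4 map the custom.device.ivantiMTDThreatLevel value to an action, and how the four tiers of "MTD Tiered Compliance 4 hours" escalate when compliance is only evaluated at client check-in. The escalation timing (a tier applies at the first check-in at least its wait time after the previous tier) and the 6-hour check-in schedule are assumptions, not page content.

```python
# Added illustration of the MTD compliance flow on this page; not Ivanti code.

# Recommended rules (Table 4 plus the Notify rule): value of the
# custom.device.ivantiMTDThreatLevel attribute -> compliance action name.
RULES = {
    "low": "MTD Notify",
    "medium": "MTD Block",
    "high": "MTD Tiered Compliance 4 hours",
}

# Tiers of "MTD Tiered Compliance 4 hours" from the procedure above:
# (wait in hours after the previous tier was applied, actions taken).
TIERS_4H = [
    (0, frozenset({"alert"})),
    (4, frozenset({"alert"})),
    (4, frozenset({"alert", "block"})),
    (4, frozenset({"quarantine"})),
]


def action_for(threat_level):
    """Compliance action for a device's threat-level attribute value.
    Returns None when no rule matches, i.e. the device stays compliant."""
    if threat_level is None:
        return None
    return RULES.get(threat_level.strip().lower())


def escalation_timeline(checkin_hours, tiers=TIERS_4H):
    """Return [(checkin_hour, tier_number, actions)] giving the check-in at
    which each tier is applied. Assumption (not stated on the page): because
    compliance is evaluated only at check-in, a tier is applied at the first
    check-in that is at least its wait time after the previous tier fired."""
    timeline, last_applied = [], None
    for tier_no, (wait, actions) in enumerate(tiers, start=1):
        earliest = 0 if last_applied is None else last_applied + wait
        fire = next((h for h in sorted(checkin_hours) if h >= earliest), None)
        if fire is None:
            break  # no further check-in observed; remaining tiers still pending
        timeline.append((fire, tier_no, actions))
        last_applied = fire
    return timeline


if __name__ == "__main__":
    # Constructed schedule: a "high" device that checks in every 6 hours.
    print("rule action:", action_for("high"))
    for hour, tier, acts in escalation_timeline(range(0, 25, 6)):
        print(f"hour {hour:2d}: tier {tier} -> {sorted(acts)}")
```

With a 4-hour tier wait but a 6-hour check-in interval, quarantine is reached at hour 18 rather than hour 12, which is why the check-in schedule matters when choosing wait times.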

Creating compliance policy groups

Compliance policy groups are used to apply the group's rules to devices matching the label.

  1. Select Policies & Configs > Compliance Policies.
  2. Click on the Compliance Policy Group tab and then click on Add+.
  3. Enter "MTDBlock" into the Group Name field.
  4. Keep the default Status of Enabled.
  5. (Optional) Enter a description of the group name, for example, "MTDBlock."
  6. In the Available Rules field, move the "Block" rule to the Selected Rules section. (Action is "Block Email, AppConnect apps, and Send Alert.")
  7. Click Save. The MTDBlock group displays in the Compliance Policy Group tab.
  8. Repeat steps 2-7 using the parameters below for creating additional compliance policy groups.

    Table 5. Compliance policy rule group examples

    Group Name field   Status   Rule Name                Action Name
    MTDNotify          Enabled  Notify                   Send Alert
    MTDQuarantine      Enabled  Quarantine               Quarantine
    MTDTiered23hours   Enabled  TieredCompliance23hours  Tiered Compliance 23 hours
    MTDTiered4hours    Enabled  TieredCompliance4hours   Tiered Compliance 4 hours

  9. Apply labels. Every rule group (MTDBlock, MTDNotify, etc.) needs to be assigned to the appropriate label to manage the device threat level.

When you have finished, you should have five compliance policy groups displayed in the Compliance Policy Group tab.