Working with Policies

Creating a Policy

When you create a policy, you define specific users and device types to which the policy applies:

Each policy applies to users listed as its User tags.

Each policy can have one of three Device User Mode settings:

BYO: The policy is applied to a user’s BYO devices only.

Corporate Owned: The policy is applied to a user’s corporate owned devices only.

Both (BYO and Corporate Owned): The policy is applied to all of a user’s devices.

This enables a user to have different policies for different device types.

This section details the steps to create a new policy:

1. Select the Workspaces menu.

2. Select the Policies tab.

3. Click Add to add a new policy.

The Add Policy dialog appears.

4. Specify the Policy Name.

Policy names are not unique. Policies are unique based on their search criteria.

5. Specify the User tags and LDAP Group for the policy.

6. Select the required Device Owner Mode. This property determines whether this policy is applied to a user’s devices that are BYO, corporate owned, or both.

7. Click Save.

The policy is created in the edited state.

8. You can now add applications and properties to the policy before applying the policy to mobile devices.

9. After you have completed editing the policy, click Publish.

The policy's state changes from edited to publishing, and then to published.

This applies the policy to all mobile devices that use the policy.

Understanding Policy Properties

This section describes all supported policy properties for a workspace.

Passcode

Different Passcode properties are used for iOS and Android.

Android for Work supports two levels of passcode challenge to protect the data in the device and the Workspace:

Workspace Managed Device Passcode - This applies passcode policies only to Workspace managed devices enrolled with a Work Profile. This passcode will need to be entered each time the device is unlocked and can be applied in addition to the Work Profile Passcode.

Work Profile Passcode - This applies passcode policies only to Workspace apps, so users do not have to enter complex passwords each time they unlock their device when enrolled with a Work Profile. The Work Profile passcode ensures that the end users can access their private apps while keeping corporate app data protected without the use of wrapping technologies. The Work Profile Passcode is supported on Android 7.0 and above.

The following properties are supported by both Android and iOS:

Expiration Days – The number of days for which the passcode can remain unchanged.

Lock Timeout – The time in seconds after which the Workspace is locked if no Workspace app has been in the foreground.

Max Tries (iOS Factory Reset) – The number of allowed failed attempts to enter the passcode at the device's lock screen.

Numeric Only – Boolean. If True, the user must set a PIN.

Passcode History – When the user changes the passcode, it must be unique within the most recent specified number of entries in the history.

Passcode Length – The minimum overall length of the passcode.

Require Special – The minimum count of special characters in a passcode.

For Android, this is used for Workspace Managed Device Passcodes only.

The following properties are supported by Android only:

(Work Profile) Expiration Days – The number of days for which the passcode can remain unchanged.

(Work Profile) Lock Timeout – The time in seconds after which the Workspace is locked if no Workspace app has been in the foreground.

(Work Profile) Max Tries – The number of allowed failed attempts to enter the passcode at the device's lock screen.

(Work Profile) Numeric Only – Boolean. If True, the user is forced to set a PIN.

(Work Profile) Passcode History – When the user changes the passcode, it must be unique within the most recent specified number of entries in the history.

(Work Profile) Passcode Length – The minimum overall length of the passcode.

(Work Profile) Require Letters – The minimum count of letters in a passcode.

(Work Profile) Require Lowercase – The minimum count of lowercase letters in a passcode.

(Work Profile) Require Non-Letters – The minimum count of numbers and symbols in a passcode.

(Work Profile) Require Number – The minimum count of numbers in a passcode.

(Work Profile) Require Special – The minimum count of special characters in a passcode.

(Work Profile) Require Uppercase – The minimum count of uppercase letters in a passcode.

(Work Profile) Screenlock Password Quality – The screen unlock mechanism. This can be set to none, biometric, password, pattern, pin, pin_complex, alpha, alphanumeric and complex.

If the device uses a different screen lock type to the one specified by the console, the device is flagged as non-compliant.

If the screen unlock type is password, then Passcode Length and Passcode History policies are enforced.

If the screen unlock type is pin or pin_complex, then Passcode History policies are enforced.

Require Letters – The minimum count of letters in a Workspace Managed Device passcode.

Require Lowercase – The minimum count of lowercase letters in a Workspace Managed Device passcode.

Require Non-Letters – The minimum count of numbers and symbols in a Workspace Managed Device passcode.

Require Number – The minimum count of numbers in a Workspace Managed Device passcode.

Require Uppercase – The minimum count of uppercase letters in a Workspace Managed Device passcode.

Screenlock Password Quality – The screen unlock mechanism. This can be set to none, biometric, password, pattern, pin, pin_complex, alpha, alphanumeric and complex.

If the device uses a different screen lock type to the one specified by the policy, the device is flagged as non-compliant.

If the screen unlock type is password, then Passcode Length and Passcode History policies are enforced.

If the screen unlock type is pin or pin_complex, then Passcode History policies are enforced.

The following properties are supported by iOS only:

iOS Allow Simple – Boolean. If True, a simple passcode is allowed. A simple passcode is defined as containing repeated characters, or increasing/decreasing characters. For example: 123 or CBA.

iOS Force Pin – Boolean. If True, the user is forced to set a PIN. Simply setting this value (and not others) forces the user to enter a passcode.

iOS Max Grace Period – The maximum grace period, in minutes, to unlock the phone without entering a passcode.

iOS Max Inactivity – The number of minutes for which the device can be idle (without being unlocked by the user) before it gets locked by the system.
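The following is an added example, not part of the Pulse Workspace documentation: it checks a candidate passcode against the Passcode properties listed above (the character-class minimums, Numeric Only, Passcode History and iOS Allow Simple). The two policy dicts are constructed samples keyed by the console labels, and the "simple passcode" test follows the definition given for iOS Allow Simple.

```python
import string

# Constructed sample: an Android Work Profile passcode policy, keyed by the
# console property labels (the "(Work Profile)" prefix is dropped).
WORK_PROFILE_POLICY = {
    "Numeric Only": False,
    "Passcode Length": 8,
    "Passcode History": 3,
    "Require Letters": 1,
    "Require Lowercase": 1,
    "Require Uppercase": 1,
    "Require Number": 1,
    "Require Non-Letters": 2,
    "Require Special": 1,
}

# Constructed sample: an iOS policy that forces a 6-digit, non-simple PIN.
IOS_POLICY = {
    "Numeric Only": True,
    "Passcode Length": 6,
    "Passcode History": 0,
    "iOS Allow Simple": False,
}


def is_simple(passcode):
    """iOS 'simple' passcode: every character repeated, or adjacent
    characters forming one increasing or decreasing run (123, CBA)."""
    if len(passcode) < 2:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(passcode, passcode[1:])}
    return steps in ({0}, {1}, {-1})


def check_passcode(passcode, policy, history=()):
    """Return the names of the properties the candidate violates.
    `history` holds previous passcodes, newest first; an empty result
    means the passcode satisfies the policy."""
    violations = []
    if len(passcode) < policy.get("Passcode Length", 0):
        violations.append("Passcode Length")
    if policy.get("Numeric Only") and not passcode.isdigit():
        violations.append("Numeric Only")
    # Character-class minimums. "Non-Letters" counts numbers and symbols,
    # i.e. anything that is not a letter.
    counts = {
        "Require Letters": sum(c.isalpha() for c in passcode),
        "Require Lowercase": sum(c.islower() for c in passcode),
        "Require Uppercase": sum(c.isupper() for c in passcode),
        "Require Number": sum(c.isdigit() for c in passcode),
        "Require Special": sum(c in string.punctuation for c in passcode),
        "Require Non-Letters": sum(not c.isalpha() for c in passcode),
    }
    for name, have in counts.items():
        if have < policy.get(name, 0):
            violations.append(name)
    # Passcode History: must differ from the N most recent passcodes.
    depth = policy.get("Passcode History", 0)
    if depth and passcode in history[:depth]:
        violations.append("Passcode History")
    # iOS Allow Simple = False rejects repeated or sequential passcodes.
    if policy.get("iOS Allow Simple") is False and is_simple(passcode):
        violations.append("iOS Allow Simple")
    return violations


if __name__ == "__main__":
    print(check_passcode("corp2024", WORK_PROFILE_POLICY))
    print(check_passcode("123456", IOS_POLICY))
```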

Single Sign On

These properties support single sign-on using Kerberos authentication from iOS devices at iOS v7 or above.

For full details of this functionality, see Configuring Kerberos-Based Authentication.

The following properties are supported by iOS only:

Account Name – The name for the account.

Authentication Realm – The Kerberos realm name. This value is case sensitive.

Enabled – Boolean. If True, Kerberos authentication is enabled.

Package names allowed to use Kerberos Auth – (Optional) A newline-separated list of application identifiers that are allowed to use this login. Each line of this property represents an application. For example:

com.microsoft.outlook
com.google.mail

If this field is not specified, all app identifiers match this login automatically.

Principal Name – The Kerberos principal name. It is best practice to set to the macro string value <USER_USERNAME>. This macro value is automatically replaced with the user’s name when connecting to a device.

URL Prefix Matches to use Kerberos Auth – A newline-separated list of URL prefixes that must be matched to use this account for Kerberos authentication over HTTP. Each line of this property represents a URL, and must begin with either http:// or https://. For example:

http://demo.pwskerb.example1
http://demo.pwskerb.example2

Kerberos authentication for the user will be performed manually once, on the first match of any of the listed URLs. For all subsequent uses of any URL, Kerberos authentication will be performed automatically.
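The following is an added example, not from the Pulse Workspace documentation: it models how the Single Sign On properties above select the Kerberos account for a request (package-name list, URL prefix match, the <USER_USERNAME> macro) and the manual-once, then automatic sign-in described in the last paragraph. The policy values are constructed samples; qualifying the principal with the realm, and the loose-prefix check, are this example's own additions.

```python
# Constructed sample values, as they would be typed into the console fields.
SSO_POLICY = {
    "Enabled": True,
    "Account Name": "Corp Kerberos",
    "Authentication Realm": "CORP.EXAMPLE.COM",
    "Principal Name": "<USER_USERNAME>",
    "Package names allowed to use Kerberos Auth":
        "com.microsoft.outlook\ncom.google.mail\n",
    "URL Prefix Matches to use Kerberos Auth":
        "https://mail.corp.example.com/\nhttp://intranet.corp.example.com/",
}


def parse_lines(value):
    """A newline-separated console field -> list of trimmed, non-empty entries."""
    return [line.strip() for line in value.splitlines() if line.strip()]


def invalid_url_prefixes(prefixes):
    """Entries that do not begin with http:// or https://, as the property requires."""
    return [p for p in prefixes
            if not (p.startswith("http://") or p.startswith("https://"))]


def loose_url_prefixes(prefixes):
    """Prefixes that end at a bare host name. Matching is by string prefix,
    so "https://mail.corp.example.com" also matches a longer host name such
    as "https://mail.corp.example.com.example.net"; a trailing "/" avoids it."""
    return [p for p in prefixes if not p.endswith("/") and p.count("/") == 2]


def resolve_principal(policy, username):
    """Expand <USER_USERNAME> for the enrolling user. Appending the
    (case-sensitive) realm is an assumption of this example."""
    name = policy["Principal Name"].replace("<USER_USERNAME>", username)
    return f"{name}@{policy['Authentication Realm']}"


def request_uses_kerberos(policy, app_id, url):
    """Does a request from `app_id` to `url` use the Kerberos account?"""
    if not policy.get("Enabled"):
        return False
    apps = parse_lines(policy.get("Package names allowed to use Kerberos Auth", ""))
    if apps and app_id not in apps:      # an empty list matches every app
        return False
    prefixes = parse_lines(policy["URL Prefix Matches to use Kerberos Auth"])
    return any(url.startswith(p) for p in prefixes)


class KerberosSession:
    """Tracks the one-time manual sign-in: the first matching URL prompts
    the user; later matches authenticate automatically."""

    def __init__(self, policy, app_id):
        self.policy, self.app_id, self.signed_in = policy, app_id, False

    def authenticate(self, url):
        """Return "none", "manual" or "automatic" for a request to `url`."""
        if not request_uses_kerberos(self.policy, self.app_id, url):
            return "none"
        if not self.signed_in:
            self.signed_in = True
            return "manual"
        return "automatic"
```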

ActiveSync

All ActiveSync properties are supported by both Android and iOS. See also iOS ActiveSync.

Activesync Accept All Certs – Boolean. If True, the Workspace email client will accept an untrusted server certificate.

Activesync Allow Authentication via Certificate – Boolean. If True, the use of the following workspace properties is enabled. See Enterprise PKI Integration for full details.

Use SCEP to request certificate for Android ActiveSync from external PKI server.

Use SCEP to request certificate for iOS ActiveSync from external PKI server.

Use Windows CA server CAWE to request ActiveSync certificates for both Android and iOS devices.

Activesync Domain – The domain set for the Workspace ActiveSync connection. The ActiveSync domain must be the Enterprise domain, which should be the same as the Exchange Server domain.

Activesync Server – If the proxy uses PCS, this property should be set to the ActiveSync Server Proxy address of the Pulse Connect Secure (PCS). Otherwise, this can be left blank.

Activesync Server Proxy – This must be set to Security Appliance if PCS is used. Otherwise, it should be set to None.

Activesync Ssl – If the Workspace client will connect to the ActiveSync server using an SSL connection, this should be set to True.

Activesync Userid Field – If the ActiveSync Server Proxy uses PCS, this must be set to username. Otherwise, it should be set to email.

UPN Domain Name – The domain set for constructed UPN method of login authentication.

Use Constructed UPN for Workspace Email – Boolean. If True, the constructed UPN is used for ActiveSync email, and Office365 users will be able to use UPN as the login username instead of using their email addresses.

Use Pulse One for authentication (Override Active Sync Server) – The following values are supported:

True – Pulse One will be used as authentication server for ActiveSync connections, and it will override the configured ActiveSync server settings.

False – existing ActiveSync server settings will be used for ActiveSync connections.

App Visibility

All App Visibility properties are supported by both Android and iOS:

Aggregate Duration Hours – The aggregation window (in hours) for collecting app visibility metrics on the mobile device. The default is 1, the maximum is 72. At the end of this window, a new set of metrics is started. Metric sets are retained by the mobile device and sent to the server on a schedule defined by Report Frequency Hours.

Aggregate Duration Hours should not be greater than Report Frequency Hours.

Enable App Visibility Supporting – Boolean. If True, app visibility reporting is performed by the mobile device, and reported to the server.

Network Access – This defines when metrics can be sent by the mobile device to the server. This allows the IT Admin to limit usage of mobile data. Supported settings are Wifi Only and Wifi And Cellular.

Report Frequency Hours – The frequency (in hours) at which the mobile device sends collected metrics to the server. The default is 1, the maximum is 72. IT Admin can increase this value to decrease how often metrics are sent to the server. Metrics are collected by the mobile device on a schedule defined by Aggregate Duration Hours.

Report Frequency Hours should not be less than Aggregate Duration Hours.

Space

All Space properties are supported by Android only:

Allow Art – Boolean. If True, Android devices that run ART can be provisioned.

Android Email Auto Config Enabled – Boolean. If True, the Workspace ActiveSync account will be configured on Android devices.

Android Email Manual Config Allowed – Boolean. If True, the user can change the ActiveSync account settings in the Workspace.

Crash Count – The number of times an app can crash in the Crash Period Sec time frame before the application is disabled.

Crash Grace Time Sec – The number of seconds the Workspace will wait before allowing the app to restart.

Crash Period Sec – The time frame for watching for repeated app crashes.

Debug – When set, policy update uses the Debug policy value in the console, for example "refresh_sec=10". The normal policy refresh property has a resolution of 1 hour; the Debug setting allows shorter periods of time.

Error Reporting Level – The detail of the logging information sent to the server when the user sends a debug log. This can be set to 1, 2 or 3.

Heartbeat Time Sec – The number of seconds between connection heartbeats.

Policy Expiration days – The number of days after which a Workspace is considered to be out of compliance. The Workspace is blocked for not contacting the server. The blocked user can contact the Workspace administrator to extend the policy expiration days.
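The following is an added example, not from the Pulse Workspace documentation: a model of how Crash Count, Crash Period Sec and Crash Grace Time Sec interact. It reads the text as "the app may crash Crash Count times within the period; a further crash disables it, and a restart is allowed only once the grace time has passed"; the class, its method names and the timestamps are constructed for illustration.

```python
from collections import deque


class CrashWatch:
    """Sliding-window crash counter for one managed app."""

    def __init__(self, crash_count, crash_period_sec, crash_grace_time_sec):
        self.count = crash_count            # Crash Count
        self.period = crash_period_sec      # Crash Period Sec
        self.grace = crash_grace_time_sec   # Crash Grace Time Sec
        self.crashes = deque()              # timestamps of recent crashes
        self.disabled_at = None             # when the app was disabled

    def record_crash(self, now):
        """Register a crash at time `now` (seconds). Returns True when the
        crash exceeds Crash Count within Crash Period Sec and the app is
        disabled."""
        self.crashes.append(now)
        # Drop crashes that have fallen out of the Crash Period Sec window.
        while self.crashes and now - self.crashes[0] > self.period:
            self.crashes.popleft()
        if len(self.crashes) > self.count:
            self.disabled_at = now
            self.crashes.clear()
            return True
        return False

    def may_restart(self, now):
        """The Workspace waits Crash Grace Time Sec before allowing a restart."""
        if self.disabled_at is None:
            return True
        return now - self.disabled_at >= self.grace

    def restart(self, now):
        """Re-enable the app if the grace time has elapsed; returns success."""
        if not self.may_restart(now):
            return False
        self.disabled_at = None
        return True


if __name__ == "__main__":
    watch = CrashWatch(crash_count=3, crash_period_sec=60, crash_grace_time_sec=30)
    for t in (0, 10, 20, 25):
        print(t, watch.record_crash(t))
    print(watch.may_restart(40), watch.may_restart(55))
```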

Android Restrictions

All Android Restrictions properties are supported by Android only:

Allow Screenshot – Boolean. If True, the use of the screenshot function is supported.

This property is used by corporate devices only.

Allow to use Camera – Boolean. If True, the use of the camera is supported.

This property is used by corporate devices only.

Block Unknown Sources – Boolean. If True, users cannot install apps from unknown sources such as third-party app stores, file-sharing utilities, web browsers, and email attachments.

Default Runtime Permission – Sets the chosen value as default for all permissions for all apps on a policy. The supported values are prompt, grant and deny.

If the administrator modifies the runtime permission from grant to deny and enforces the policy on an existing provisioned device, the user must clear the cache on all managed apps.

Disallow Cross Profile Copy Paste – Boolean. If True, users cannot copy the contents of this work profile and paste into other profiles. Users can still copy the contents of other profiles and paste into this work profile.

iOS Restrictions

All iOS Restrictions properties are supported by iOS only:

Blacklist Package Names – Users cannot use the apps listed in this policy on their iOS device.

This policy is applicable only to Supervised iOS devices with iOS version of 10.0 or later.

iOS Allow Air Drop – Boolean. If True, Air Drop is enabled.

This policy is applicable only to Supervised iOS devices with iOS version of 10.0 or later.

iOS Allow Camera – Boolean. If True, the camera is enabled.

This property is used by corporate devices only.

iOS Allow Cloud Backup – Boolean. If True, iCloud backup is enabled.

iOS Allow Cloud Keychain Sync – Boolean. If True, iCloud keychain sync is enabled.

iOS Allow Enterprise Book Backup – Boolean. If True, the backup of enterprise books is enabled.

iOS Allow Enterprise Book Metadata Sync – Boolean. If True, the synchronization of enterprise book metadata is enabled.

iOS Allow Handoff – Boolean. If True, the continuity feature is enabled.

iOS Allow Managed App Cloud Sync – Boolean. If True, the management app can use cloud sync.

iOS Allow Modifying Bluetooth Settings - Boolean. If True, Bluetooth settings can be changed.

This policy is applicable only to Supervised iOS devices with iOS version of 10.0 or later.

iOS Allow Open From Managed To Unmanaged – Boolean. If True, documents in managed apps and accounts also open in other managed apps and accounts.

iOS Allow Open From Unmanaged To Managed – Boolean. If True, documents in unmanaged apps and accounts will also open in other unmanaged apps and accounts.

iOS Allow Screen Shot – Boolean. If True, device Screen Shots are enabled.

This property is used by corporate devices only.

iOS Allow Siri – Boolean. If True, Siri is enabled.

iOS Allow Siri While Locked – Boolean. If True, Siri is enabled when the device is locked.

Device

All Device properties are supported by Android only:

Device Ownership – This property is unused at this release. Please do not use.

Enable Bug Report – Boolean. If True, the user can send bug reports.

VPN

Different VPN properties are used for iOS and Android.

The following properties are supported by both Android and iOS:

Enable Location Awareness – Boolean. If True, when the user is connected to the corporate WiFi, the VPN on-demand functionality will disconnect the VPN.

Vpn Certificate Auth – Boolean. If True, the VPN connection will perform certificate authentication using the Workspace client certificate.

Vpn Connection Name – A user-visible description of the VPN account.

Vpn Enabled – Boolean. If True, a VPN configuration will be sent down to the Workspace.

Vpn Group – The VPN group name. This extends IPsec architecture to support PCS that is shared by a group of security appliances.

Vpn Host – The VPN server host name (or IP address).

Vpn Numeric Password – Boolean. If True, the Workspace will present the user with a PIN pad rather than a keyboard to enter their password.

Vpn Realm – The Realm that the Workspace users will use.

Vpn Role – The Role that the Workspace users will use.

Vpn Save Password – Boolean. If True, the Workspace will cache the password used to connect to the VPN server.

Vpn Userid Field – The Username set in the VPN configuration. This is either:

username – the user’s user name is used.

work email – the user’s corporate email address is used.

The following policies are supported by Android only:

On-Demand VPN Timeout (minutes) – The amount of time (in minutes) during which no traffic is sent over the active tunnel by the application. After this time has elapsed, the tunnel is brought down, and the device starts monitoring for any further traffic.

Stealth Mode – Boolean. If True, a UI-less VPN profile uses the certificate in Keystore for authentication, and the Pulse client does not come into foreground during VPN setup. The sign-in URL configured on Pulse Connect Secure server must be configured for certificate authentication.

Vpn Connection Type – The type of VPN being used. Connection types supported are manual, onDemand and alwaysOn.

Vpn Verify Certificate – Boolean. If True, the VPN client will only accept trusted certificates. If False, the VPN client will accept untrusted certificates.

The following properties are supported by iOS only:

Use L3 VPN – Boolean. If True, L3 VPN UDP support is enabled.

Vpn Safari Domains – Specifies only those domains that trigger the VPN connection.

Wifi

All Wifi properties are supported by both Android and iOS:

Enterprise Wifi Inner Authentication – The protocol used to authenticate the username and password. Supported protocols are PAP, CHAP, MSCHAP or MSCHAPv2.

Enterprise Wifi Outer Identity – An alternate username that is used outside the encrypted tunnel (for example: “anonymous”) to conceal the user’s identity in unencrypted packets.

Wifi Enabled – Boolean. If True, the device will automatically join the network using WiFi.

Wifi Password – The password for the WiFi network, completed by admin. If this is not set, the user is prompted during connection.

Wifi Protocol – The protocol used to connect to the WiFi Network. The options are WEP, WPA2, WPA2-Enterprise-EAP-TLS, WPA2-Enterprise-EAP-TTLS, and WPA2-Enterprise-EAP-PEAP.

Wifi Ssid – The SSID of the WiFi network.

Wifi Username – The username for the WiFi network, completed by admin. If this is not set, the user is prompted during connection.
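The following is an added example, not from the Pulse Workspace documentation: a lint pass over the ActiveSync, App Visibility, VPN and Wifi properties described above, run against a constructed weak policy and its corrected counterpart. The dict keys are the console labels; the constraints come from what the text states about each property (PCS proxy requires username as the user id, Aggregate Duration Hours must not exceed Report Frequency Hours, the outer identity conceals the real username), and the severity labels are this example's own.

```python
VALID_WIFI_PROTOCOLS = {
    "WEP", "WPA2", "WPA2-Enterprise-EAP-TLS",
    "WPA2-Enterprise-EAP-TTLS", "WPA2-Enterprise-EAP-PEAP",
}
TUNNELLED_EAP = {"WPA2-Enterprise-EAP-TTLS", "WPA2-Enterprise-EAP-PEAP"}


def lint_policy(p):
    """Return a list of (severity, property, message); [] means clean."""
    f = []
    # App Visibility: both windows are 1..72 hours, and aggregation must not
    # be longer than the reporting interval.
    agg = p.get("Aggregate Duration Hours", 1)
    rep = p.get("Report Frequency Hours", 1)
    for name, val in (("Aggregate Duration Hours", agg), ("Report Frequency Hours", rep)):
        if not 1 <= val <= 72:
            f.append(("error", name, "must be between 1 and 72"))
    if agg > rep:
        f.append(("error", "Aggregate Duration Hours", "must not exceed Report Frequency Hours"))
    # ActiveSync: a PCS proxy needs its address and username as the user id.
    proxy = p.get("Activesync Server Proxy", "None")
    if proxy == "Security Appliance":
        if not p.get("Activesync Server"):
            f.append(("error", "Activesync Server", "PCS proxy address required when proxy is Security Appliance"))
        if p.get("Activesync Userid Field") != "username":
            f.append(("error", "Activesync Userid Field", "must be username when PCS is the proxy"))
    elif p.get("Activesync Userid Field", "email") != "email":
        f.append(("warn", "Activesync Userid Field", "should be email when no PCS proxy is used"))
    if p.get("Activesync Accept All Certs"):
        f.append(("warn", "Activesync Accept All Certs", "client will accept an untrusted server certificate"))
    if not p.get("Activesync Ssl", True):
        f.append(("warn", "Activesync Ssl", "ActiveSync connection is not protected by SSL"))
    # VPN
    if p.get("Vpn Enabled"):
        if not p.get("Vpn Host"):
            f.append(("error", "Vpn Host", "required when Vpn Enabled is True"))
        if p.get("Vpn Verify Certificate") is False:
            f.append(("warn", "Vpn Verify Certificate", "VPN client will accept untrusted certificates"))
        if p.get("Vpn Save Password"):
            f.append(("info", "Vpn Save Password", "VPN password is cached on the device"))
    # Wifi
    if p.get("Wifi Enabled"):
        proto = p.get("Wifi Protocol")
        if proto not in VALID_WIFI_PROTOCOLS:
            f.append(("error", "Wifi Protocol", f"unsupported value {proto!r}"))
        elif proto == "WEP":
            f.append(("warn", "Wifi Protocol", "WEP is broken; use a WPA2 option"))
        if proto in TUNNELLED_EAP and not p.get("Enterprise Wifi Outer Identity"):
            f.append(("warn", "Enterprise Wifi Outer Identity", "unset: the real username is sent in unencrypted packets"))
        if not p.get("Wifi Ssid"):
            f.append(("error", "Wifi Ssid", "required when Wifi Enabled is True"))
    return f


# Constructed sample: a policy with several weak or inconsistent settings.
WEAK_POLICY = {
    "Aggregate Duration Hours": 24, "Report Frequency Hours": 6,
    "Activesync Server Proxy": "Security Appliance", "Activesync Server": "",
    "Activesync Userid Field": "email", "Activesync Accept All Certs": True,
    "Activesync Ssl": False,
    "Vpn Enabled": True, "Vpn Host": "", "Vpn Verify Certificate": False,
    "Vpn Save Password": True,
    "Wifi Enabled": True, "Wifi Protocol": "WEP", "Wifi Ssid": "corp-guest",
}

# Constructed sample: the same policy with every finding resolved.
FIXED_POLICY = {
    "Aggregate Duration Hours": 6, "Report Frequency Hours": 24,
    "Activesync Server Proxy": "Security Appliance",
    "Activesync Server": "pcs.corp.example.com",
    "Activesync Userid Field": "username", "Activesync Accept All Certs": False,
    "Activesync Ssl": True,
    "Vpn Enabled": True, "Vpn Host": "vpn.corp.example.com",
    "Vpn Verify Certificate": True, "Vpn Save Password": False,
    "Wifi Enabled": True, "Wifi Protocol": "WPA2-Enterprise-EAP-TTLS",
    "Wifi Ssid": "corp", "Enterprise Wifi Outer Identity": "anonymous",
}

if __name__ == "__main__":
    for finding in lint_policy(WEAK_POLICY):
        print(*finding, sep=" | ")
```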

iOS ActiveSync

All iOS ActiveSync properties are supported by iOS only:

iOS Activesync Enabled – Boolean. If True, the Workspace ActiveSync account will be configured on iOS devices.

iOS Activesync Name – A user-visible name of the email account, shown in the Mail and Settings applications.

iOS Activesync Prevent Move – Boolean. If True, messages cannot be moved out of this email account into another account.

iOS Activesync Prevent Send By 3rd Party Apps – Boolean. If True, the Workspace email account is not available for sending mail in third-party applications.

iOS App Lock

All iOS App Lock properties are supported by iOS only:

iOS Lock to the App Identifier – Enables the iOS device to be put into kiosk mode, which limits the apps and usage of some system functions. This text field is an iOS App Lock payload, and is outside the scope of this document. Please refer to Apple’s own documentation.

iOS POP/IMAP

All iOS POP/IMAP properties are supported by iOS only:

iOS Email Description – A user-visible description of the email account, shown in the Mail and Settings applications.

iOS Email Disable Mail Recents Syncing – Boolean. If True, the Workspace email account is excluded from address Recents syncing.

iOS Email Enabled – Boolean. If True, an IMAP or POP email account will be configured on iOS devices.

iOS Email Incoming Auth – The authentication scheme for incoming mail. Supported schemes are None, Password, MD5 Challenge-Response, NTLM, and HTTP MD5 Digest.

iOS Email Incoming Host – The incoming mail server host name (or IP address).

iOS Email Incoming Port – The incoming mail server port number. If no port number is specified, the default port for a given protocol is used.

iOS Email Incoming Use Ssl – Boolean. If True, the incoming mail server uses SSL for authentication.

iOS Email Outgoing Auth – The authentication scheme for outgoing mail. Supported schemes are None, Password, MD5 Challenge-Response, NTLM, and HTTP MD5 Digest.

iOS Email Outgoing Host – The outgoing mail server host name (or IP address).

iOS Email Outgoing Port – The outgoing mail server port number.

iOS Email Outgoing Use Ssl – Boolean. If True, the outgoing mail server uses SSL for authentication.

iOS Email Prevent Move – Boolean. If True, messages may not be moved out of this email account into another account.

iOS Email Prevent Send By 3rd Party Apps – Boolean. If True, the Workspace email account is not available for sending mail in third-party applications.

iOS Email Type – The type of email account, either IMAP or POP.

iOS Email Username – The Username that is set in the Email configuration. This is either:

username – the user’s user name is used.

work email – the user’s corporate email address is used.

iOS Managed Domains

All iOS Managed Domains properties are supported by iOS only:

iOS Managed Email Domains – The domain set for the Workspace ActiveSync connection. The ActiveSync domain must be the enterprise domain, which should be the same as the Exchange Server domain.

iOS Managed Web Domains – The domains that are viewed as internal to the organization.

CA Certificate

All CA Certificate properties are supported by iOS only:

iOS Trusted CA Certificate Enabled – Boolean. If True, enables the SSL trust for the root CA certificate. For details about uploading CA Certificate from Pulse Workspace console, see Adding a CA Certificate.

Compliance

Different Compliance properties are used for iOS and Android.

The following Compliance properties are supported by Android only:

Android Pulse Client Denied To Use Location Service – This property determines whether refusing the use of this service on a device makes the device non-compliant. The supported compliance settings are:

Allow. If the user declines the location service, the device is flagged as non-compliant, but the user’s access is not restricted.

Restrict VPN. If the user declines the location service, the device is flagged as non-compliant and access to the VPN from the device is restricted.

Wipe. If the user declines the location service, the device is flagged as non-compliant and the workspace will be wiped from the device.

Block. If the user declines the location service, the device is flagged as non-compliant, and access to the device is prevented.

Lock. If the user declines the location service, the device is flagged as non-compliant, and access to the device is prevented.

Rooted Detection – The action the client should take when it detects a rooted device. The following actions are supported:

Allow – The Rooted device is flagged as non-compliant, but the user’s access is not restricted.

Restrict VPN – The Rooted device is flagged as non-compliant and VPN access is removed.

Lock – The Rooted device is flagged as non-compliant, and access to the device is prevented.

Wipe – The Rooted device is flagged as non-compliant and will be wiped.

USB Debugging – Determines the action the client should take when it detects that USB debugging has been enabled. The actions are:

Allow – The device is flagged as non-compliant, but the user’s access is not restricted.

Restrict VPN – The device is flagged as non-compliant, and VPN access is removed.

Block – The device is flagged as non-compliant and all network access is removed.

Lock – The device is flagged as non-compliant and is locked.

Wipe – The device is flagged as non-compliant and will be wiped.

The following Compliance properties are supported by iOS only:

iOS Pulse Client Denied To Use Location Service – This property determines whether refusing the use of this service on a device makes the device non-compliant. There are three supported compliance settings:

Allow. If the user declines the location service, the device is flagged as non-compliant, but the user’s access is not restricted.

Restrict VPN. If the user declines the location service, the device is flagged as non-compliant and access to the VPN from the device is restricted.

Wipe. If the user declines the location service, the device is flagged as non-compliant and the workspace will be wiped from the device.

Jail Break Detection – The action the client should take when it detects a jailbroken device. The following actions are supported:

Allow – The “jailbreak” device is flagged as non-compliant, but the user’s access is not restricted.

Restrict VPN – The “jailbreak” device is flagged as non-compliant, and VPN access is removed.

Wipe – The “jailbreak” device is flagged as non-compliant and will be wiped.

Minimum OS Version – Sets the minimum iOS version.

Minimum Pulse Client Version – Sets the minimum Pulse Client version.

Non-Compliant OS Version Action – If the user provisions a device that has an iOS version lower than the Minimum OS Version policy, the device becomes a non-compliant device. Actions for a non-compliant device can be one of the following:

Allow – The device is flagged as non-compliant, but the user’s access is not restricted.

Restrict VPN – The device is restricted from VPN access.

Wipe – The profile is wiped from the user's device.

Non-Compliant Pulse Client Version Action – If the user provisions a device that has Pulse Client version lower than the Minimum Pulse Client Version policy, the device becomes a non-compliant device. Actions for a non-compliant device can be one of the following:

Allow – The device is flagged as non-compliant, but the user’s access is not restricted.

Restrict VPN – The device is restricted from VPN access.

Wipe – The workspace is wiped from the user's device.

Nine

The Nine Work email app, provided by Google apps, synchronizes with Exchange Server using ActiveSync, and it is based on Android for Work.

All Nine properties are supported by Android only:

License Number – License to use Nine Work email app.

Mail+

All Mail+ properties are supported by iOS only:

Mailplus Allow Open In – Boolean. If True, the user can open documents in other apps.

Mailplus Allow Print – Boolean. If True, the user can print mails.

Mailplus Auto Config Enabled – Boolean. If True, the Mail+ app configures automatically.

Mailplus Disable Copy Paste – Boolean. If True, users cannot use copy and paste. This prevents the user from inadvertently sending sensitive information to third party apps.

Mailplus License Key – The Mail+ license key, which is provided by iKonic Apps.

Mailplus Passcode Allow Simple – Boolean. If True, passcode complexity can be simple.

Mailplus Passcode Alpha Numeric Required – Boolean. If True, passcodes require alphanumeric characters.

Mailplus Passcode Enabled – Boolean. If True, a Mail+ app passcode is supported. This value takes precedence over ActiveSync policies. This does not affect the device passcode.

Mailplus Passcode Length – The minimum overall length of the passcode.

Mailplus Passcode Require Special – The minimum count of special characters in a passcode.

Mailplus Passcode Time Out – The idle time in seconds after which the Mail+ app will be locked or will run in the background.

VPN On Demand

VPN on Demand (VOD) is currently supported by iOS devices running as managed clients, see Understanding Managed Devices and Managed Clients.

VPN OnDemand Enabled – Boolean. If True, VPN on Demand is enabled, see Configuring Managed Clients.