AirWatch security policies cover basic security settings, set and enforce platform-specific precautions, and automate escalations when corrections are not made.
The compliance engine, an automated AirWatch tool, ensures that all devices abide by company security policies. Basic security settings, such as a minimum device lock period and a required passcode, are implemented with basic security policies. The admin can also set and enforce precautions for specific platforms: blacklisting certain apps, requiring device check-in intervals, and setting password strength keep devices safe and in contact with AirWatch.
Once devices are determined to be out of compliance, the compliance engine warns or notifies users so they can address the issue before disciplinary action is taken on the device. For example, users whose devices are out of compliance receive a message triggered by the compliance engine. If corrections are not made within the specified time, the device loses authorization to certain functions and content. The available compliance policies and actions vary by platform. Escalations can be automated when corrections are not made; for instance, the device is locked and the user is notified to contact the admin. Grace periods, disciplinary actions, messages, and escalation steps are configured in the AirWatch Console. Compliance can be measured by the following two methods:
- Real-Time Compliance (RTC): determines whether the device is compliant from unscheduled samples received from the device. The admin can request samples on demand.
- Engine Compliance: the compliance engine primarily determines device compliance. This software algorithm receives and measures scheduled samples at the intervals the admin defines for the scheduler in the console.
How to create an AirWatch Security Policy
The process has four segments: actions, assignments, rules, and a summary. Not all features and options are available on every platform; the console bases the available options on the initial platform choice, so it never presents an option that the device cannot use.
Configure the compliance engine with automated escalations and profiles by completing the Compliance Policy tabs.
- Go to Devices, select Compliance Policies, click List View, and click Add.
- On the Add Compliance Policy page, select the platform on which to base the compliance policy.
- On the Rules tab, first choose whether Any or All of the rules must match to detect the condition, then configure the rules.
- Add Rule: toggle this option to add parameters and additional rules.
- Previous and Next: select these to go back to the previous step or advance to the next step.
- Complete the Actions tab to define the consequences of non-compliance within the enterprise policy. The available actions are platform-dependent.
- Actions and escalations can be specified for the case where the previous actions do not cause the user to take steps to make the device compliant. An escalation is an automatic action taken against non-compliant devices.
The following types of actions and options can be configured:
- Mark as Not Compliant checkbox: the admin can perform actions on a device without marking it as non-compliant. The compliance engine applies the following rules:
The Mark as Not Compliant checkbox is enabled (checked) by default for each newly added action.
If one action has Mark as Not Compliant enabled (checked), all following actions and escalations are also marked as not compliant (checked), and their checkboxes cannot be edited.
If an action has Mark as Not Compliant disabled (not checked), the subsequent action/escalation still has the option enabled (checked) by default.
If the device does not pass the compliance rules but the action/escalation it has reached has Mark as Not Compliant disabled, the device is still officially ‘compliant’.
A device’s status is shown as ‘not compliant’ only once it encounters an action/escalation with the Mark as Not Compliant checkbox enabled; otherwise its status is always shown as ‘compliant’.
- Application: a managed application can be blocked or removed. The admin can enforce application compliance by establishing a whitelist, blacklist, or required list of applications.
- Command: a device check-in can be requested, or an enterprise wipe command can be issued.
- Email: the user can be blocked from email. The ‘BlockEmail’ action applies when the email compliance engine works together with Mobile Email Management. Access this option under Email by navigating to Compliance Policies and selecting Email Policies. Device compliance policies, such as blacklisted apps, can be used with any email compliance policies the admin configures. With this action selected, email compliance is triggered if the device falls out of compliance.
- Notify: a push notification, email, or SMS can be sent to the administrator or the device. Multiple email addresses, separated by commas, may be entered in the accompanying CC text box. For email-related Notify actions, select an email template from the drop-down menu; selecting the available link opens the Message Template page in a new window, where the message template can be customized. Deselect the checkbox to the right of the CC text box to enable this drop-down menu.
- Profile: a specific compliance profile, device profile, or device profile type can be installed, removed, or blocked. Compliance profiles are created and saved like Auto and Optional device profiles: go to Devices, navigate to Profiles & Resources, select Profiles, select Add, and click Add Profile. Select a platform and, on the General profile tab, select ‘Compliance’ in the Assignment Type drop-down. Compliance profiles are applied from the Actions tab of the Add a Compliance Policy page when an end user violates a compliance policy: from the drop-down menu, select Install Compliance Profile and then click the previously saved compliance profile.
- Escalations only:
Add Escalation button: creates an escalation. When adding escalations, the admin should increase the severity of the action with each additional escalation.
After Time Interval: the escalation can be delayed by a number of minutes, hours, or days.
Perform the following actions: the action to take before the next scheduled action.
The following actions can be performed only on macOS.
To decrease the delay between a user making a device compliant and AirWatch detecting the change, query non-compliant iOS 7+ devices.
Go to Groups & Settings, navigate to Settings, select Devices & Users, click Apply, then select MDM Sample Schedule and set the Non-Compliant Device Sample.
- To decide which devices are subject to (and excluded from) the compliance policy, complete the Assignment and Summary tabs of the Add Compliance Policy page. The policy can then be named, finalized, and activated on the Summary tab.
- Managed By: select the organization group that manages this compliance policy.
- Assigned Groups: one or more groups can be assigned.
- Exclusions: select Yes to exclude groups, then select the groups to exclude from the available listing in the Excluded Groups text box.
- View Device Assignment button: view a listing of the devices affected by this compliance policy assignment.
Although platform is a criterion within a smart group, the platform configured in the device profile or compliance policy always takes precedence over the smart group’s platform. For instance, if a device profile is created for iOS, the profile is assigned only to iOS devices, even if the smart group includes Android devices.
- After determining the assignment of this policy, click Next; the Summary tab is displayed.
- Provide a name and a description for the compliance policy.
- Select one of the following:
Finish: save the compliance policy without activating it on the assigned devices.
Finish and Activate: save the policy and apply it to all selected enrolled devices.
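As an added worked model of the engine rules described in the Rules, Actions and Escalations steps above (illustrative code written for this page, not AirWatch's own implementation; the rule shape, action names, timings and the sample device are constructed assumptions), the following evaluates a policy the way the text describes: Any/All rule matching, the forced propagation of Mark as Not Compliant to later escalations, and the status the console would show at each escalation interval.

```python
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Tuple

# A rule returns True when the device sample VIOLATES it (constructed shape, not AirWatch's schema).
Rule = Callable[[Dict], bool]


@dataclass(frozen=True)
class Action:
    name: str
    mark_not_compliant: bool = True  # checkbox is checked by default on every newly added action
    after_minutes: int = 0           # 0 = immediate action; > 0 = escalation (After Time Interval)


def normalize_marks(actions: List[Action]) -> List[Action]:
    """Once one action has Mark as Not Compliant checked, every later action/escalation is forced checked."""
    forced, out = False, []
    for a in actions:
        forced = forced or a.mark_not_compliant
        out.append(replace(a, mark_not_compliant=forced))
    return out


def rules_violated(rules: List[Rule], sample: Dict, match: str = "all") -> bool:
    """Rules tab: the condition is detected when Any or All of the rules are violated."""
    hits = [rule(sample) for rule in rules]
    return any(hits) if match == "any" else all(hits)


def evaluate(rules: List[Rule], actions: List[Action], sample: Dict,
             match: str, minutes_since_violation: int) -> Tuple[str, List[str]]:
    """Return the status the console would show and the names of the actions/escalations fired so far."""
    if not rules_violated(rules, sample, match):
        return "compliant", []
    fired = [a for a in normalize_marks(actions) if a.after_minutes <= minutes_since_violation]
    # The device is shown as 'not compliant' only once a checked action/escalation has been reached.
    status = "not compliant" if any(a.mark_not_compliant for a in fired) else "compliant"
    return status, [a.name for a in fired]


# Constructed sample policy: a blacklisted-app rule and a passcode rule.
BLACKLIST = {"com.example.sideloaded"}
RULES: List[Rule] = [
    lambda s: bool(BLACKLIST & set(s["apps"])),  # Application List contains blacklisted app(s)
    lambda s: not s["passcode"],                  # passcode not set
]
# Constructed tiered escalation: notify, block email after an hour, enterprise wipe after a day.
ACTIONS = [
    Action("Notify: send email to user", mark_not_compliant=False),
    Action("Email: block email", mark_not_compliant=True, after_minutes=60),
    Action("Command: enterprise wipe", mark_not_compliant=False, after_minutes=24 * 60),  # forced checked
]
SAMPLE = {"apps": ["com.example.mail", "com.example.sideloaded"], "passcode": True}

if __name__ == "__main__":
    for minutes in (0, 60, 24 * 60):
        print(minutes, evaluate(RULES, ACTIONS, SAMPLE, "any", minutes))
```

With "all" matching the sample device stays compliant because its passcode is set; with "any" matching the blacklisted app alone trips the policy, yet the device still reads ‘compliant’ until the checked block-email escalation fires at 60 minutes.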
View Device Assignment
Select View Device Assignment on the Assignment tab while configuring a compliance policy to display this page, which confirms the affected (or unaffected) devices. The following entries are displayed under the Assignment Status column for the listed devices.
- Added: the compliance policy is added to the listed device.
- Removed: the compliance policy is removed from the listed device.
- Unchanged: the device is unaffected by the changes made to the compliance policy.
Select Publish to finalize the changes and republish the compliance policy if required.
Configuring an AirWatch Blacklist Compliance Policy for Apps
After configuring the AirWatch integration settings that add malicious apps to the AirWatch blacklist, create a compliance policy in the AirWatch administration web console.
- Sign in to the AirWatch web console. Go to Devices, select Compliance Policies, and click List View.
- Click Add, choose the platform (Android or Apple iOS), then select Application List and Contains Blacklisted App(s) from the drop-down menus.
- Select Next.
- Configure actions on the Actions tab:
a) Select Mark as Not Compliant.
b) Select Notify and Send Email to User from the drop-down menu.
c) Select Next.
- On the Assignment tab, configure the following settings:
- Assigned Groups
- Managed By
- Select Next.
- Configure the name and description on the Summary tab.
- Select Finish and Activate.
When Mobile Security detects malware on the mobile device, it puts the application into the AirWatch blacklist, and the mobile device is flagged as non-compliant.
Enforcing Mobile Security Policies
Enforcing mobile security policies is a five-step procedure:
- Choosing a platform: the admin decides on which platform the compliance policy is enforced.
- Building your policies: customizations can cover everything including application list, compromised status, encryption, device manufacturer, device model, OS version, passcode, and roaming.
- Defining escalation: take a tiered approach to actions, or configure time-based actions in minutes, hours, or days.
- Specifying actions: send an email only to an administrator, or send push notifications, email, or SMS; install compliance profiles, remove or block apps, request device check-in, remove or block specific profiles, and perform an enterprise wipe.
- Configuring assignments: assign the compliance policy by organization group or smart group, then confirm the assignment by device.