IBM Security MaaS360


How to Use MaaS360 Compliance Rules

By Eamonn O'Mahony posted Thu April 25, 2019 02:48 AM

  


In this blog post we are going to discuss Compliance Rules. These can be found under the Security menu in your MaaS360 portal (Security > Compliance Rules).

Just as you use policies to switch settings on or off and prevent users from doing certain things, you may also need to take corrective action. The question is, how do you supervise the console so that when a user does something unexpected, you can respond? The answer is that you don’t have to – the portal does it for you!

To set configurations and control what a user can do, you can use Security Policies. So if you want to force encryption, a screen-lock passcode, or location sharing, you can use the device policy to do this. But if you want unexpected user behaviour to be followed up, you can use a Compliance rule to take automatic corrective action.

Compliance rules can be used to ‘set and forget’ – take corrective action if a device changes state, or if a user takes an action that you wouldn’t have wanted. I hear you asking – why don’t we just switch things off, why do we have to let users do these things? The answer lies in whether you want to completely lock the user down or allow them to continue working.

Let’s look at device encryption, which can be important in order to protect organisational data such as email and documents. For example, connecting a mobile device to a device which does not have the encryption keys will prevent the connected device from being able to read the data. So extracted or exported emails or documents could not be read.

If you have set the Security policy to require encryption, the user may or may not have accepted and enforced it, depending on the device and enrollment type. After the Security policy is applied, and the user is asked to encrypt their device, they may have options to cancel. So you may wish to put in a Compliance rule which forces the encryption by taking corrective action if not applied after a certain amount of time. Here we will create a Compliance rule setting which will take corrective action for Encryption not enforced. 

Setting up a Compliance Rule

1. From within the MaaS360 portal, go to Security – Compliance rules and then click Add Rule Set.

MaaS360 Compliance Rules, image 1
2. Click on the second tab on the left – Enforcement Rules

3. Scroll down to the section on Encryption. In the section called “Trigger Action on Hardware Encryption level,” choose the type of encryption to be verified.

MaaS360 Compliance Rules, image 2

4. Now choose an Enforcement action. You can add a number of them, with intervals, so that for example the user gets a number of alerts, followed by a final corrective action. This gives them time to do what you are expecting them to.

MaaS360 Compliance Rules, image 3

5. In the screenshot above you can see we have chosen a number of alerts, and finally to Remove Control so that MaaS360 configuration will be removed. There are a number of other actions you can take. Finally, click Save, enter your password, and go to the device (individually) or device group, and from the Actions menu choose Set Compliance Rule.

MaaS360 Compliance Rules, image 4

6. Once the device refreshes into the portal it should pull down the rule and set the configuration. If you want to ‘force’ this you can do so via the Request Data Refresh menu option both on the portal and within the MaaS360 application.




Another Use for Compliance Rules


You may be looking for a Compliance Rule type and not be able to find it. For example, if you want users with low battery to be told that they need to charge their devices, how do you do this? What a nice thing for an admin to do, letting their users know before they leave the office!

Here’s my solution:

1. First we want to find out where the information is getting updated on the portal. In this case, Battery Charge is already a standard field which is updated when the device sends updates to the portal. This particular case has a field on the “Hardware & OS” tab of the device inventory. So go to Devices > Inventory, open a sample device, and check on which tab and field the information can be found. In this case the Battery Level field shows a percentage. Note that the inventory page is “Hardware & OS” so this should be the category we are using when searching for the field.

MaaS360 Compliance Rules, image 5

2. Now we’re going to create a device group on the basis of this field. We will say that if battery level goes below 20%, the device should come into the group.

3. Click on Devices > Advanced Search. Use the search criteria: Hardware Inventory > Battery Level > Less Than > 20. Now click Search.

MaaS360 Compliance Rules, image 6
4. The new window should show us the devices that currently match these search criteria. It may be that there are no devices currently matching – that’s OK – we just need to create the device group anyway. So click Create New Device Group.

MaaS360 Compliance Rules, image 7
5. In the Device Group Details window, you can now type in a new name, for example “Battery below 20%.” This should be self-explanatory and easy to locate. If you use management of devices where some admins can only see certain users or devices, click the “Administrative Access Control” box.

6. Now click Save. The device group is created and the portal will run a search in the background to evaluate group membership, on a regular basis.

7. Now you can create the new rule set, or add the rule to the existing rule set as described earlier. This is using the ‘Group Based Rules’ option within the rule set. The logic here is that once a device is detected as having a state change (battery charge level), it will be added to the device group. After this the portal will check for the rule that the device group should run, and run it once devices have been detected as matching the criteria. Open the existing rule set or create a new one as appropriate, following the steps earlier.

MaaS360 Compliance Rules, image 8
8. See that in the drop-down we have chosen the device group, and the blank text box on the left can be used to identify the corrective action > Prompt to charge. In addition you can set the Message which should come into the MaaS360 application and the user will see it in the form of a pop-up message or on the notification area at the top.

9. To test this, allow an enrolled device to go below the battery charge level set for the group (20% in this example). The device should have the MaaS360 app running and if you want to ‘force’ the update you can use Update Device Data both on the portal and in the MaaS360 app, or just wait for this to update automatically.
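
The group-based logic in steps 2 to 9, as a small Python model added here for illustration; it is not MaaS360 code and calls no MaaS360 API. The class and function names, the sample reports and the message text are constructed, and it assumes the action fires once when a device enters the group.

```python
from dataclasses import dataclass, field
from typing import Optional

THRESHOLD = 20  # "Battery Level > Less Than > 20" from the Advanced Search step


@dataclass
class Device:
    name: str
    battery_level: Optional[int] = None  # last value the device reported


@dataclass
class GroupRule:
    group_name: str
    action: str
    message: str
    members: set = field(default_factory=set)

    def matches(self, device):
        # A device that has never reported a level cannot match the search.
        return device.battery_level is not None and device.battery_level < THRESHOLD

    def evaluate(self, devices):
        """Re-run the search; return actions for devices that newly entered the group."""
        current = {d.name for d in devices if self.matches(d)}
        entered = current - self.members
        self.members = current  # devices that no longer match drop out
        return [(name, self.action, self.message) for name in sorted(entered)]


def simulate(reports):
    """reports: ordered list of {device name: battery level} refreshes (constructed data)."""
    rule = GroupRule("Battery below 20%", "Prompt to charge", "Please charge your device.")
    devices = {}
    fired = []
    for refresh in reports:
        for name, level in refresh.items():
            devices.setdefault(name, Device(name)).battery_level = level
        # The portal only sees the last reported value, so a device that has
        # not refreshed keeps its old membership until it reports again.
        fired.append(rule.evaluate(devices.values()))
    return fired


if __name__ == "__main__":
    sample = [{"phone-a": 55, "tablet-b": 18}, {"phone-a": 19}, {"tablet-b": 80}, {"tablet-b": 10}]
    for round_no, actions in enumerate(simulate(sample), 1):
        print(round_no, actions)
```

A device that does not send a refresh stays in (or out of) the group on its last reported value, which is why forcing a data refresh matters when testing.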



Things to Remember about Compliance Rules


Testing Compliance rules: As always for policies and compliance rules, you may want to test this on a smaller number of devices so that you can observe the full impact, prior to rolling out into production. If so it may be useful to create a test rule, and only assign to specific devices.

Adding and removing compliance actions: To add more actions just click the + sign to the right of the 1st action. If you’ve added too many, just click the – sign to remove.

Rule set: Please note that we refer to a ‘Rule Set’ which is a group of rule settings all in one place. So your Application Compliance, Device Compliance, and so on can all be configured in one place.

Assigning a Compliance rule to devices or users: You can assign a Compliance Rule Set to a device group or user group, and you can set it as default so that unless otherwise specified, all devices will receive it.  To do this on the device, go to Devices > Inventory, open the device, and from the actions on the right, drop-down and select Change Rule Set. Alternatively, to do this for a group of devices or users, go to Devices > Groups or Users > Groups, choose the group, and selecting the menu option “More”, choose Change Rule Set.

Set and forget: Because the compliance rules will work automatically, you don’t need to log into the MaaS360 console on your days off!

Updating device inventory information on portal: Depending on your device type it may send in updated information to the portal more or less frequently. Android allows you to configure this. For iOS devices please remember that the MaaS360 app should be running in the background so the users should start it up on starting up the device.

Block: The Block action is very specific and effectively means you block a user’s ability to synchronise their mail account on their device. This is where you have set up Cloud Extender integration with Microsoft Exchange, IBM Traveler or Microsoft Office365, to take actions under AutoQuarantine or similar approaches. This allows you to ‘force’ a block action on the mail server preventing the user from synching any further email. To learn more about this please have a look at our training video on the IBM Security Learning Academy.

 

Further Information on Compliance Rules


8-minute ‘How-to’ video: https://www.securitylearningacademy.com/course/view.php?id=3938

Full 30-minute IBM Security Learning Academy training course: https://www.securitylearningacademy.com/course/view.php?id=4044





