Authored by santosh.kushwah@ibm.com, co-authored by vinikum3@in.ibm.com
It is integral for an organization to have compliance guidelines for the users and the devices that access corporate resources.
MaaS360 provides the flexibility to create multiple compliance rule sets under an account. These rule sets are saved and assigned a precedence based on the order in which they were saved; you have the option to change that precedence. Users can perform various actions on a created rule set: Edit, Assign, Make as Default, Audit and Delete.
Precedence: MaaS360 allows the user to change the precedence of any rule set. The user can select a rule set and drag/drop it up or down to set its precedence, then save the new order. For more details follow the link below:
https://www.ibm.com/docs/en/maas360?topic=devices-using-compliance-rules-precedence
Disable All: Disables all rule sets applied to devices and moves them to the inactive state.
For a detailed description of the actions available for compliance rules, please follow the link below:
https://www.ibm.com/docs/en/maas360?topic=security-applying-compliance-rules-devices
Procedure to configure compliance rules:
- From the MaaS360 Portal Home page, select Security >> Compliance Rules.
The Compliance Rules window is displayed.
- Click Add Rule Set.
The Add Rule window is displayed.
- Specify the name of the rule set and, if any, which existing rule set to use as a basis.
- Click Continue.
This navigates you to the rules configuration page, with the Basic Settings tab displayed.
Basic Settings: Configure the platforms that the rule set applies to, then enter the email addresses that receive alerts for the rule set.
Configure the rules:
Six types of rules are provided that can be configured to restrict end users through the applied compliance, as listed below:
· Enforcement Rules
· Geo-Fencing Rules
· Monitoring Rules
· Expense Monitoring Rules
· Group Based Rules
· Custom Attribute Rules
Enforcement Rules: MaaS360 provides the following compliance enforcement rules that can be applied to mobile devices:
1. Enrolment in MDM
2. Specific operating system versions
3. Support for remote wipe
4. Support for block- and file-level encryption, or no encryption
5. Compliance with corporate app policies for allowed, blocked, and required apps
6. Restrictions for jailbroken (iOS), rooted (Android), or Health Attestation Failed (Windows) devices
7. Managing access of blocked devices to corporate resources
Enrolment: Ensure all devices (iOS, macOS, Android, no longer supported, Windows Desktop OS) are enrolled in MDM and that advanced management of the device has not been disabled or removed by the user.
OS Versions: Ensure that managed devices are up to date with the required OS versions. Please note that the version check may be invalid on rooted or jailbroken devices. This rule is enforced only on enrolled devices that have complete OS version information.
Remote Wipe Support: Ensure managed devices support remote wipe capabilities.
Encryption Support: Ensure managed devices support designated levels of encryption.
Application Compliance: Ensure devices are in compliance with the application compliance requirements (blocked, allowed and required apps defined in policies). Application compliance is based on the policy settings assigned to managed devices.
Jailbroken (iOS), Rooted (Android) or Health Attestation Failed (Windows) Devices: Ensure managed devices are not jailbroken or rooted. The MaaS360 iOS application is required on the device for jailbreak detection. A Health Attestation policy needs to be enabled for kernel-level malware or rootkit detection on Windows devices.
Corporate Resources for Blocked Devices : Ensure that devices blocked on your mail server cannot access corporate resources such as Wi-Fi or VPN.
Geo-Fencing Rules: Configure to enforce location-related compliance for mobile devices and specify the actions that occur on the device when it is moved out of, or checked out from, a specified geo-fenced location.
Monitoring Rules : Configure to monitor various device state changes, changes to the SIM, when a user's device is roaming, and any operating system version changes.
Expense Monitoring Rules : Configure to take real-time action for expense management, apply changes to mobile data usage, to monitor both roaming and in-network data usage, and to manage usage thresholds.
Group Based Rules: Configure to create rules for previously defined groups of devices or users (a group is a collection of devices selected by criteria on device attributes). Allows you to select the device/user groups on which this enforcement applies; the rule then acts on the devices that belong to those groups.
Custom Attribute Rules: MaaS360 allows enforcement actions to be performed based on custom attributes defined on devices. The criteria available depend on the attribute type: for example, a Boolean attribute is matched with "equals", while a Text attribute can be matched with "contains" or "not contains" against the attribute value. For more details follow the link:
https://www.ibm.com/docs/en/maas360?topic=devices-configuring-compliance-rules-based-custom-attributes
Enforcement Actions: The enforcement actions MaaS360 provides include Alert, Block, Selective Wipe, Change Policy, Wipe, Remove Control, Hide Device, etc. The list of available enforcement actions varies between rules.
Alert: Sends alerts to devices and admins when a device goes out of compliance (OOC), i.e. does not meet the defined compliance criteria.
Block: When a device goes out of compliance (OOC), sends alerts and blocks the device from performing any action.
Selective Wipe: Wipes corporate data configured by MaaS360 such as apps, docs, email, and network configurations. Deletes the Wi-Fi profile, Exchange ActiveSync profiles, and web shortcuts configured on the device through the security policies. However, the restrictions imposed by policies remain on the device. This option does not apply to Windows DTM devices.
Change Policy: When a device goes out of compliance (OOC), changes the security policy on the device.
Wipe: Wipes the device to a factory reset state. MaaS360 provides options to clear the Activation Lock on iOS devices and clear Factory Reset Protection on Android devices.
Remove Control: Removes the management and control capabilities of MaaS360 from the device. When this action is issued, MaaS360 removes configurations, policy restrictions, and apps marked for removal, and also hides the device record.
Hide Device: Marks the device as Inactive and hides its record. This action should be used to hide old devices that are no longer online.
Note:
1. The Block and Wipe enforcement actions are available only with the Cloud Extender® integration.
2. Enforcement actions are skipped if the device's Important Device (Skip Enforcement Action) flag is set to Yes, but the device still goes to OOC (Out Of Compliance). In that case no notification emails are sent to the device, the end user or the admins.
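The evaluation semantics described above (rule-set precedence, the OS version rule applying only when complete version information is present, and the Important Device flag leaving a device OOC without running actions or sending notifications) as an added illustrative model; this is example code written for this page, not MaaS360 code, and the Device/RuleSet fields, group names and version strings are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Device:
    platform: str
    os_version: str             # "" = MaaS360 has no complete OS version info yet
    enrolled: bool
    compromised: bool           # jailbroken (iOS) / rooted (Android) / attestation failed
    groups: frozenset           # device groups this device belongs to (constructed names)
    important: bool = False     # "Important Device (Skip Enforcement Action)" = Yes


@dataclass
class RuleSet:
    name: str
    precedence: int             # 1 = highest precedence
    platforms: frozenset        # platforms selected under Basic Settings
    groups: frozenset           # device groups the rule set is assigned to
    min_os: dict                # platform -> minimum allowed version string
    action: str                 # e.g. "Alert", "Block", "Selective Wipe"


def version_key(v):
    return tuple(int(p) for p in v.split("."))


def violations(dev, rs):
    found = []
    if not dev.enrolled:
        found.append("Enrolment")
    if dev.compromised:
        found.append("Jailbroken/Rooted")
    # The OS version rule applies only to enrolled devices with complete version info
    if dev.enrolled and dev.os_version and dev.platform in rs.min_os:
        if version_key(dev.os_version) < version_key(rs.min_os[dev.platform]):
            found.append("OS Version")
    return found


def evaluate(dev, rulesets):
    # The matching rule set with the best precedence decides the outcome.
    for rs in sorted(rulesets, key=lambda r: r.precedence):
        if dev.platform not in rs.platforms or not (rs.groups & dev.groups):
            continue
        found = violations(dev, rs)
        if not found:
            return {"ruleset": rs.name, "state": "In Compliance", "action": None, "notify": False}
        if dev.important:   # goes OOC, but no action runs and no email is sent
            return {"ruleset": rs.name, "state": "OOC", "action": None, "notify": False}
        return {"ruleset": rs.name, "state": "OOC", "action": rs.action, "notify": True}
    return {"ruleset": None, "state": "No rule set", "action": None, "notify": False}
```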
Configuring multiple enforcement actions:
MaaS360 provides the option to configure a set of actions to be performed on the device at the required time intervals. The time interval specified at any level is taken as the wait time after the previous action.
Email Notifications and Compliance Messages:
· Notify User
· Notify Admins
· Message
Notify User: MaaS360 provides the option to notify the user by selecting Email and Device Notifications.
If the Email option is checked, the admins configured in the rule are notified with the device compliance email.
If Device Notifications is checked, the device is notified with a generic message containing the rule set name for the compliance violation.
Notify Admins: Under this section MaaS360 provides a Standard Email List, which can be used to add additional people to notify by email of the device compliance status when a device goes OOC and when it comes back into compliance.
If you check Standard Email List, a text box appears to take the email addresses, comma separated if multiple people are to be notified.
Message: This is the custom message that can be configured to notify admins by email of the action to be performed on the device when it goes OOC and when it comes back into compliance.
Multiple messages can be added, one per action configured in the compliance rule set, by clicking Customize for each action.
Note:
Custom messages are sent by email only to the admins configured in the rule set with their email IDs. Notifications to the device are sent with the account-specific generic violation message and generic remediation message.
Use Cases:
1. Suppose an organization has a set of registered devices and wants to restrict certain OS versions on any of the platforms (Android, iOS, Windows, etc.). To do so, the admin creates a rule set with the OS Version Allowed compliance enforcement, creates a group of the organization's devices, and applies the rule set to that device group.
2. Consider a scenario where a customer wants to remove control from a couple of devices and re-enrol them with a different enrolment type. Removing control one device at a time is not practical, so the customer creates a device group containing all of those devices, creates a group-based rule with the action Remove Control, and applies the rule to that device group to remove control from the devices in it.
3. A user has configured device custom attributes and then created a rule based on those custom attributes. If the rule is applied to a device by direct assignment, or is applied to a device group and a device joins that group, the device goes Out Of Compliance immediately on rule violation.
Sample Notification Emails:
OOC email notification sent to the admins configured in the rule set.
In Compliance / Remediation email.
Sample Device Notification Messages:
Out Of Compliance violation message on the device.
In Compliance / Remediation message on the device.
Points to remember:
· A device's existing actions are overridden when a compliance rule set with an action (Alert, Block, Selective Wipe, Change Policy, Wipe, Remove Control, Hide Device) is applied to the device.
· When multiple compliance rule sets are assigned to various device/user groups containing many devices, the rules are applied according to rule precedence.
· If any rule set is applied to or removed from a device, the device actions are shown in the Device View history.
· The device remains in OOC as long as the rule set is not changed or removed from the device.
· No email notification is sent while the device remains in OOC if there is no change in the actions of the rule set after it is applied to the device.
· Alerts do not change for rule actions when the device is already in OOC and another rule set with the same configuration is applied to the device.