A common function that MaaS360 customers utilize is location tracking for their corporate owned devices. This may be used to track down a lost or stolen device or even monitor a delivery vehicle. Each platform, whether it is iOS, Android, Windows or MacOS behaves slightly differently, however all offer the ability to track location.
The major difference is whether the Administrator can force Location Services on for different devices. Android devices in “Device Owner” mode and corporate owned Windows computers can have Location Services turned on during enrollment and set up so that an end user cannot disable that function.
Apple, on the other hand, leans toward end-user privacy and even on corporate owned devices the user is allowed to disable Location Services. Since this functionality is set by Apple, MaaS360 cannot require that Location Services is enabled, however, using Groups and Compliance Rules, MaaS360 does allow Administrators to take action to ensure it is re-enabled.
The following process will work for any device that has “Location Services” disabled, whether it is an iOS or MacOS device or Android device in Profile Owner mode.
To initiate the process, you’ll create a group to identify devices that have "Location Services" disabled, which will automatically update anytime a user disables “Location Services.” Compliance rules will then be used to alert the device owner along with the Administrators and can be configured for additional steps, up to and including a device wipe command.
- Go into your MaaS360 Portal and hover over the "Devices" tab and then select "Advanced Search."
- Set up your search as follows, and click “Search” at the bottom:
- Search for - Active Devices
- With Device Type(s) - Check all
- Last Reported - Last 30 Days
- Search Criteria - All Conditions (AND)
- Condition 1 - Location Information > Use of Location Services > Equal to > Disabled
- This will pull up a list of all devices that currently have “Location Services” disabled. You can now create a group by clicking "Create New Device Group."
- Name your group something you will remember, such as "Location Services Disabled" and click “Save.” You now have a group that contains all devices with Location Services disabled. Keep in mind, any device that disables locations services in the future will automatically be added to this group.
- The next step is to create Compliance Rules that will be applied to this newly created group. Back in the Portal, hover over the "Security" tab and click on "Compliance Rules."
- Click "Add Rule Set" and give it a name you'll remember, such as "Location Services Rule,” leave “Copy From” blank and click "Continue."
- In the "Basic Settings" section, double check the email address(es) in "Event Notification Recipients" to ensure the correct Administrators will receive the notification. Also be aware that the device owner will also get a notification.
- On the left side, click "Group Based Rules," click “New Rule” and under Configure Group Based Rules, enter a Rule Name that you will remember, such as "Location Disabled," then choose the group you created above ("Location Services Disabled" if you took the suggestion in step #5.)
- Under the "Enforcement Action" section, you can determine what actions you will take. In the example below, we start with sending the user two alerts and then selectively wiping the device.
- Next to “#1. When detected in the group” choose “Alert.” Check all three boxes to email the user, notify the device and alert Administrators. Enter the message you would like to send to the user, which in this example we will say “Please re-enable Location Services on this device within 24 hours to maintain corporate access.”
- To add another notification, click the (+) next to “Alert.” In this example, we’ll set the rule to wait 12 hours, then send another alert. Next to #2, choose “12,” “Hours” and “Alert.” To change the text of the alert, click the blue text in the lower left that says, “Customize for each action” and enter “Please re-enable Location Services on this device within 12 hours to maintain corporate access.”
- The final step we will take in this example is to selectively wipe the device. Once again, click the (+) next to “Alert” in section #3 choose “12” “Hours” and “Selective Wipe.” It should be noticed that the amount of time you set is the time from when the previous enforcement was taken – So, in this case it is 12 hours from the last alert. In the bottom section, next to #3 type in “Re-enable Location Services on your device and the selective wipe will be automatically revoked.”
- Click "Save."
- Click the back arrow in the upper left section of the screen to go back to your Compliance Rules, find the new rule and click on the blue "Assign.”
- In the pop-up window, choose whether to apply the rule to all devices, or only specific groups of devices. In this example, we’ll choose “All Devices” to apply to all current devices and check “Auto assign to new devices,” to ensure newly enrolled devices will also be monitored. Then click “Submit.”
- The next window will display a summary of the actions and the number of devices that will be affected... click "Continue."
It can take up to 30 minutes to take effect, but then those devices with Location Services disabled will now start through the rule workflow you set up. Anyone that disables Location Services will consequently be added to the group as well.
Hopefully this has helped you create a Compliance Rule to monitor devices that have disabled Location Services, but also demonstrated the usefulness and flexibility of Compliance Rules. Additional information on Compliance Rules in MaaS360 can be found within our documentation, at https://www.ibm.com/docs/en/maas360?topic=security-applying-compliance-rules-devices.