Compliance control of iOS MDM devices with corporate security requirements

Compliance Control allows you to monitor iOS MDM devices for compliance with corporate security requirements and take actions if non-compliance is found. Compliance Control is based on a list of rules. Each rule includes the following components:

To create a rule:

  1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking.
  4. In the policy Properties window, select the Compliance Control section.
  5. In the Compliance Control rules section, click Add.

    The Compliance Control Rule Wizard starts.

  6. Select the Enable rule check box if you want to activate the rule. If the check box is cleared, the rule is disabled.
  7. In the Non-compliance criteria tab, click Add criterion and select a non-compliance criterion for the rule. You can add multiple criteria. They are combined by the AND logical operator.

    The following criteria are available:

    • List of apps on device

      Checks whether the list of apps on the device contains forbidden apps or does not contain required apps.

      For this criterion, you need to select a check type (Contains or Does not contain) and specify app IDs.

    • Operating system version

      Checks the version of the operating system on the device.

      For this criterion, you need to select a comparison operator (Equal, Not equal, Less than, or Greater than) and specify the iOS version.

      Note that the Equal and Not equal operators check for a full match of the operating system version with the specified value. For instance, if you specify 15 in the rule, but the device is running iOS 15.2, the Equal criterion is not met. If you need to specify a range of versions, you can create two criteria and use the Less than and Greater than operators.

    • Management mode

      Checks the device's management mode.

      For this criterion, you need to select a mode (Supervised device or Non-supervised device).

  8. In the Actions tab, specify actions to be performed on the device if all specified non-compliance criteria are detected. Add an action in one of the following ways:
    • Click the Add action button if the action should be taken on the device immediately after non-compliance is detected.
    • Click the Add postponed action button if you want to also set a time period in which the user can fix the non-compliance. If the non-compliance is not fixed within this period, the action is performed on the device.

    The following actions are available:

    • Send email message to user

      The device user is informed about the non-compliance by email.

      For this action, you need to specify the user's email address(es) and the email message.

    • Install profile

      The configuration profile is installed on the device. This action is performed by sending the Install profile command.

      For this action, you need to specify the ID of the configuration profile to be installed.

    • Delete profile

      The configuration profile is deleted from the device. This action is performed by sending the Remove profile command.

      For this action, you need to specify the ID of the configuration profile to be removed.

    • Delete all profiles

      All previously installed configuration profiles are deleted from the device.

    • Wipe corporate data

      All installed configuration profiles, provisioning profiles, the iOS MDM profile, and applications for which the Remove together with iOS MDM profile check box has been selected are removed from the device. This action is performed by sending the Wipe corporate data command.

  9. Click the Save button to save the rule and close the wizard.

    The new rule appears in the list in the Compliance Control rules section.

  10. Click the Apply button to save the changes you have made to the policy and exit the policy properties window.

Mobile device settings are configured after the next synchronization of the device with Kaspersky Security Center.
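
The criterion semantics from step 7 (AND combination, full-match Equal, ranges built from Less than and Greater than) can be checked offline before a rule is deployed. The following Python model is an added example, not Kaspersky code; the device records, app IDs, helper names, and the numeric component-wise ordering used for Less than and Greater than are assumptions.

```python
# Model of the non-compliance criteria in step 7 (assumed semantics, not product code).
from dataclasses import dataclass

def parse(version):
    """'15.2' -> (15, 2, 0). Assumption: ordering operators compare numerically."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

@dataclass
class Device:  # constructed inventory record
    os_version: str
    app_ids: frozenset
    supervised: bool

def os_version(op, value):
    def check(dev):
        if op == "Equal":        # full match: "15" does not match "15.2"
            return dev.os_version == value
        if op == "Not equal":
            return dev.os_version != value
        if op == "Less than":
            return parse(dev.os_version) < parse(value)
        if op == "Greater than":
            return parse(dev.os_version) > parse(value)
        raise ValueError(f"unknown operator: {op}")
    return check

def app_list(check_type, app_id):
    """check_type is 'Contains' or 'Does not contain' (one app ID per criterion here)."""
    return lambda dev: (app_id in dev.app_ids) == (check_type == "Contains")

def management_mode(mode):
    return lambda dev: dev.supervised == (mode == "Supervised device")

# Constructed sample devices.
DEVICES = {
    "a": Device("15.2", frozenset({"com.example.mail"}), True),
    "b": Device("15", frozenset({"com.example.mail", "com.example.game"}), False),
    "c": Device("16.1", frozenset(), True),
}

def matches(criteria):
    """Criteria are combined by AND: a device is flagged only if every one is met."""
    return sorted(n for n, d in DEVICES.items() if all(c(d) for c in criteria))

EXACT_15 = [os_version("Equal", "15")]                     # misses 15.2
IN_RANGE = [os_version("Greater than", "14.8"), os_version("Less than", "16")]
IMPOSSIBLE = [os_version("Less than", "15"), os_version("Greater than", "16")]
COMBINED = [app_list("Contains", "com.example.game"),
            management_mode("Non-supervised device")]
```

The `IMPOSSIBLE` rule shows that two criteria intended to flag versions outside a range can never both be met under AND, so such a rule never triggers its actions.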
