Compliance Control of iOS MDM devices

Compliance Control lets you monitor iOS MDM devices for compliance with corporate security requirements and take actions if non-compliance is found. Compliance Control is based on a list of rules. Each rule includes the following components:

Status (whether the rule is enabled or disabled).
Non-compliance criteria (for example, absence of the specified apps or the operating system version).
Responses performed on the device if the user does not correct the non-compliance issue within the set time period (for example, wipe corporate data or send an email message to the user).

To create a rule for checking devices for compliance with a policy:

In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
In the policy properties window, select Application settings.
Select iOS and go to the Security controls section.
On the Compliance Control card, click Settings.
The Compliance Control window opens.
Enable the settings using the Compliance Control toggle switch.
Click Add.
The Add rule wizard starts. This wizard will help you create a set of rules for checking the device compliance with the policy. Navigate through the wizard using the Next and Back buttons.

Step 1. Criterion for non-compliance

Click Add criterion to specify the non-compliance criterion to trigger the rule.

The following criteria are available:

List of installed apps
The list of apps on the device contains forbidden apps or does not contain required apps.

For this criterion, select a condition (Contains or Does not contain) and specify the Bundle ID of the app. How to get the bundle ID of an app
To get the bundle ID of a built-in iPhone or iPad app,

Follow the instructions in the Apple documentation.

To get the bundle ID of any iPhone or iPad app:
1. Open the App Store.
2. Find the required app and open its page.
  The app's URL ends with its numerical identifier (for example, https://apps.apple.com/us/app/google-chrome/id535886823).
3. Copy this identifier (without the letters "id").
4. Open the web page https://itunes.apple.com/lookup?id=<copied identifier>.
  This downloads a text file.
5. Open the downloaded file and find the "bundleId" fragment in it.
The text that directly follows this fragment is the bundle ID of the required app.

To get the bundle ID of an app that has been added to Kaspersky Security Center:
1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Apps.
2. Click iOS apps.
  In the list of apps that opens, app identifiers are displayed in the Bundle ID column.
Operating system version
The version of the operating system on the device is outside the allowed range.

For this criterion, select a condition (Equal to, Not equal to, Earlier than, Earlier than or equal to, Later than, or Later than or equal to) and specify the iOS version.

Note that the Equal to and Not equal to operators check for a full match of the operating system version with the specified value. For instance, if you specify iOS 15 in the rule, but the device is running iOS 15.2, the Equal to criterion is not met. If you need to specify a range of versions, you can create two criteria and use the Earlier than and Later than operators.
Supervision status
The supervision status of the device is not the one required.

For this criterion, select the device operating mode (Supervised or Basic control).
Device type
The device type is not the one required.

For this criterion, select a device type (iPhone or iPad).
Device model
The device model is not the one required.

For this criterion, select a condition (Equal to or Not equal to) and specify models that will be checked or excluded from the check, respectively.

To specify a model, in the Model identifier field select the required model from the list or enter a value manually. The list contains mobile device codes and their matching product names. For example, if you want to add all iPhone 14 models, type "iPhone 14". In this case, you can select any of the available models: "iPhone 14", "iPhone 14 Plus", "iPhone 14 Pro", "iPhone 14 Pro Max".

In some cases, the same product name may correspond to several mobile device codes (for example, the "iPhone 7" product name corresponds to two mobile device codes, "iPhone 9.1" and "iPhone 9.3"). Be sure that you select all of the mobile device codes that correspond to the required models.

If you enter a value that is not on the list, nothing will be found. However, you can click Add: "<value>" under the field to add the entered value to the criterion.

If you specify the criteria that contradict each other (for example, Device type is set to iPhone but the list of values of Device model, with the Equal to operator selected, contains an iPad model), an error message is displayed. You cannot save a rule with such criteria.
Roaming
The device roaming status is not the one required.

For this criterion, select a condition (Device is roaming or Device is not roaming).
Password on device
A password is not set or not compliant with the settings specified in the Screen unlock settings card.

For this criterion, select a condition (Not set, Set but not compliant, or Set and compliant).
Free storage on device
The amount of free space on the device is less than the specified threshold.

For this criterion, specify the threshold amount of free space (Less than or equal to), and then select the measurement unit (MB or GB).
Device is not encrypted
The device is not encrypted.

Data encryption is enabled by default on password-locked iOS devices (Settings > Touch ID / Face ID and Password > Enable Password). Also, the hardware encryption on a device must be set to At block and file level (you can check this setting in the device properties: go to Assets (Devices) → Mobile → Devices, and then select the required device).
Actions with SIM card
The device SIM card has been replaced or removed compared to the previous check state, or an additional SIM card has been inserted.

For this criterion, select a condition (The SIM card must not be replaced or removed or The SIM card must not be replaced or removed; additional SIM cards must not be inserted).

On eSIM compatible devices, the non-compliance detection cannot be removed by inserting the previously removed eSIM. This is because the device operating system recognizes each added eSIM as a new one. In this case, delete the compliance control rule from the policy.
Device has not been synchronized for a long time
The last synchronization of the device with iOS MDM Server is checked.

For this criterion, specify the maximum time after the last sync in the Period without synchronization field, and then select the measurement unit (Hours or Days).

We do not recommend that you specify a value less than the value of the Synchronization period (min) setting specified in the iOS MDM Server settings.

Step 2.Responses for non-compliance with security requirements

Add the responses to be performed on the device if the specified non-compliance criterion is detected.

Choose one of the following options:

Add instant response. The response is applied instantly after the non-compliance criterion is detected.
Add deferred response. The response is applied after a deferral period that you can specify in the Deferral period field.
Responses are performed during the compliance rule check, which happens every 40 minutes, and persist until the next synchronization with the iOS MDM Server. To prevent repeating responses from a single non-compliance instance, set the Synchronization period (min) value to 30 minutes in the iOS MDM Server settings.

If you specify responses that contradict each other, an error message is displayed. You cannot save such a rule.

When the non-compliance criteria selected for the rule are no longer detected on the device, you can revert the response by sending the respective command to the device.

The following responses are available:
- Send a message to the user
  The user is informed about the non-compliance by email.
  
  For this response, specify user email addresses in the Email and Alternate email address fields. If necessary, you can also edit the email subject and default text.
  
  Make sure the Email notifications are configured in the Administration Server properties. For detailed information on configuring notifications delivery, refer to the Kaspersky Security Center Help.
- Wipe corporate data
  All installed configuration profiles, provisioning profiles, the device management profile, and apps for which the Remove when device management profile is deleted check box has been selected are removed from the device. This response is performed by sending the Wipe corporate data command.
- Modify profile
  For this response, specify one of the actions:
  - Install profile. The configuration profile is installed on device. This action is performed by sending the Install configuration profile command. For this response, you also need to specify the ID of the profile to be installed.
    Before the profile is installed, it must be added to the list of configuration profiles in the Configuration profiles section of the iOS MDM Server settings.
  - Delete specified profile. The configuration profile is deleted from the device. This response is performed by sending the Delete configuration profile command. For this action, you also need to specify the ID of the profile to be deleted.
  - Delete all profiles. All previously installed configuration profiles are deleted from the device.
    When the non-compliance criteria selected for the rule are no longer detected on the device, you can install the deleted configuration profiles one by one, by sending the respective command to the device.
- Update operating system
  For this response, specify the OS version and one of the actions:
  - Download and install. The device operating system is downloaded and installed.
    If a non-existent operating system version is specified in the Operating system version criterion, the device will upgrade to the latest downloaded operating system.
  - Download only. The device operating system is downloaded.
  - Install only. The previously downloaded operating system is installed.
  This response is only applicable to supervised devices.
- Modify Bluetooth settings
  For this response, specify whether you want to enable or disable Bluetooth on the device.
  
  This response is only applicable to supervised devices.
- Reset to factory settings
  All data is deleted from the device and the settings are rolled back to their default values. After this response is performed, the device will no longer be managed. To connect the device to Kaspersky Security Center, you must reinstall the device management profile on it.
- Modify apps
  For this response, specify one of the actions:
  - Delete specified app. The specified app is removed from the device.
    You can delete only a managed app. An app is considered managed if it has been installed through Kaspersky Security Center by executing the Install app command.
    
    When the non-compliance criteria selected for the rule are no longer detected on the device, you can revert the response by sending the respective command to the device.
    
    For this action, specify the Bundle ID of the app to be deleted. How to get the bundle ID of an app
    To get the bundle ID of a built-in iPhone or iPad app,
    
    Follow the instructions in the Apple documentation.
    
    To get the bundle ID of any iPhone or iPad app:
    1. Open the App Store.
    2. Find the required app and open its page.
      The app's URL ends with its numerical identifier (for example, https://apps.apple.com/us/app/google-chrome/id535886823).
    3. Copy this identifier (without the letters "id").
    4. Open the web page https://itunes.apple.com/lookup?id=<copied identifier>.
      This downloads a text file.
    5. Open the downloaded file and find the "bundleId" fragment in it.
    The text that directly follows this fragment is the bundle ID of the required app.
    
    To get the bundle ID of an app that has been added to Kaspersky Security Center:
    1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Apps.
    2. Click iOS apps.
      In the list of apps that opens, app identifiers are displayed in the Bundle ID column.
  - Delete all apps. All managed apps are deleted from the device.
    You can delete only managed apps. An app is considered managed if it has been installed through Kaspersky Security Center by executing the Install app command.
    
    When the non-compliance criteria selected for the rule are no longer detected on the device, you can install the deleted apps one by one, by sending the respective command to the device.
    
    For this action, specify the Bundle ID of the apps to be deleted. How to get the bundle ID of an app
    To get the bundle ID of a built-in iPhone or iPad app,
    
    Follow the instructions in the Apple documentation.
    
    To get the bundle ID of any iPhone or iPad app:
    1. Open the App Store.
    2. Find the required app and open its page.
      The app's URL ends with its numerical identifier (for example, https://apps.apple.com/us/app/google-chrome/id535886823).
    3. Copy this identifier (without the letters "id").
    4. Open the web page https://itunes.apple.com/lookup?id=<copied identifier>.
      This downloads a text file.
    5. Open the downloaded file and find the "bundleId" fragment in it.
    The text that directly follows this fragment is the bundle ID of the required app.
    
    To get the bundle ID of an app that has been added to Kaspersky Security Center:
    1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Apps.
    2. Click iOS apps.
      In the list of apps that opens, app identifiers are displayed in the Bundle ID column.
- Delete profile of specified type
  For this response, specify the Profile type to be deleted from the device (for example, Web Clips or Calendar subscriptions).
  
  As soon as the non-compliance criteria selected for the rule are no longer detected on the device, the deleted profiles are automatically restored.
- Modify roaming settings
  For this response, specify whether you want to enable or disable data roaming on the device.

Click Add rule to finish the Add rule wizard. The new rule and its details appear in the list of Compliance Control rules. To temporarily disable a rule, use the toggle switch next to the selected rule.

To enable the automatic wiping of data from devices associated with disabled accounts of Active Directory users, select the Wipe data from devices with disabled Active Directory user accounts check box and choose one of the following actions:

Wipe corporate data
Reset to factory settings
These settings require integration with Microsoft Active Directory.

If you use policy profiles, be sure to enable the wipe data option for the entire policy. When a user account is disabled in Active Directory, it is first removed from the Active Directory user group. As a result, the policy profile is no longer applied to this user account, so the data is not wiped from the device.

Click Save to save the changes you have made.

Page top