How To: XenMobile MDM 8.5 Deployment Part 3: Policies

In this 3rd part of my 7 part series on XenMobile MDM 8.5 we will focus on policies. Policies within MDM allow you to control a multitude of features on your end users' mobile devices, including WiFi, Email, VPN, Location Services, most of the device's own functionality (camera, FaceTime, etc.), AppStore access, and more. Most of the configuration you do to control, limit, restrict, or configure your end users' devices is done from this tab. This tab is also where we can create automated actions, including notifying your users when they have fallen out of compliance.

If you would like to read the other parts in this article series please go to:

In this article I want to cover a "base" set of policy configurations that will give you a feel for how the policies work in general. By no means does this cover the breadth of what you can do with MDM, but it at least gives you a glimpse.

I want to accomplish the following in this article:

  1. Set a passcode policy on the device
  2. Block iCloud from syncing documents
  3. Preconfigure a WiFi network on my device (so that your users can come into the office with WiFi already configured without ever having been given the password)
  4. Blacklist Dropbox, Box, and SkyDrive applications
  5. Notify the user that their device is Out of Compliance (OoC) if those apps are installed
  6. Mark the device as OoC in the dashboard
Later in this series we will build upon the policies by adding applications to push to our users and ultimately roll it all together in a Deployment. For the purposes of this article (and the fact I'm a die hard Apple fan) the only devices I own are Apple, so this will all be iOS based. If you're on Android, first off I'm sorry, and second off it should still be similar 😉.

Configure a Passcode Policy

Step 1. Navigate to the web console (usually http(s)://mobile.yourdomain.com/zdm) and log in.
MDM3-0000
Step 2. Navigate to the "Policies" tab, then iOS->Configuration. You should have two policies that were installed by default with the console, one of them being a Passcode policy. Highlight it and click "Edit".
MDM3-0001
Step 3. Leave these settings as default, click on the “Policy” tab.
MDM3-0003
Step 4. Modify to suit your requirements. Here I am requiring a passcode, allowing simple passwords, minimum length of at least 4, and auto-locking the device after 2 minutes of inactivity. When you are done click “Update”.
MDM3-0004

Block iCloud

Step 1. Continuing in the Policies->iOS->Configuration selection, click "New Configuration" to get a drop down, and from that select "Profiles and Settings"->Restriction.

MDM3-0005

Step 2. Give your policy a descriptive Identifier, Display name, and Description.

MDM3-0007

Step 3. Uncheck “Allow device backup to iCloud”. Click “Create” when done.

MDM3-0008

Preconfigure WiFi

Step 1. Continuing in the Policies->iOS->Configuration selection, click "New Configuration" to get a drop down, and from that select "Profiles and Settings"->Wi-Fi.

MDM3-0009

Step 2. Give your policy a descriptive Identifier, Display name, and Description. Click the “Wi-Fi” tab.

MDM3-0010

Step 3. Input your SSID, check “Automatically connect to the target network” and enter in the password. Click “Create” when done.

MDM3-0011
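The three configurations above (passcode, iCloud restriction, Wi-Fi) are what iOS ultimately receives as a configuration profile, a plist with one payload per setting. As an added example, not the article's or XenMobile's own code, the following Python script builds a profile carrying the same settings the console steps set (passcode required, simple passcodes allowed, minimum length 4, auto-lock after 2 minutes; iCloud backup and document sync off; an auto-join Wi-Fi network with its password) and then audits the serialized profile to report what it contains. The organisation prefix, SSID, and PSK are placeholders I chose; the payload types and keys are Apple's documented profile keys.

```python
import plistlib
import uuid

# Placeholder reverse-DNS prefix for payload identifiers (assumption, not from the article).
ORG_PREFIX = "com.example.mdm"


def _payload(payload_type, identifier, display_name, description, **settings):
    """Common envelope that every payload in an Apple configuration profile carries."""
    payload = {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadDescription": description,
    }
    payload.update(settings)
    return payload


def passcode_payload(min_length=4, allow_simple=True, max_inactivity_minutes=2):
    """Mirrors 'Configure a Passcode Policy', step 4."""
    return _payload(
        "com.apple.mobiledevice.passwordpolicy",
        f"{ORG_PREFIX}.passcode", "Passcode", "Require a device passcode",
        forcePIN=True,
        allowSimple=allow_simple,
        minLength=min_length,
        maxInactivity=max_inactivity_minutes,
    )


def restrictions_payload():
    """Mirrors 'Block iCloud', step 3 (backup), plus the document-sync goal from the intro."""
    return _payload(
        "com.apple.applicationaccess",
        f"{ORG_PREFIX}.restrictions", "Restrictions", "Block iCloud backup and document sync",
        allowCloudBackup=False,
        allowCloudDocumentSync=False,
    )


def wifi_payload(ssid, password, encryption="WPA"):
    """Mirrors 'Preconfigure WiFi', step 3; note the PSK travels inside the profile."""
    return _payload(
        "com.apple.wifi.managed",
        f"{ORG_PREFIX}.wifi", "Corporate Wi-Fi", f"Auto-join {ssid}",
        SSID_STR=ssid,
        AutoJoin=True,
        HIDDEN_NETWORK=False,
        EncryptionType=encryption,
        Password=password,
    )


def build_profile(payloads):
    """Top-level profile envelope wrapping the individual payloads."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_PREFIX}.baseline",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Baseline iOS policy",
        "PayloadContent": list(payloads),
    }


def audit_profile(profile_bytes):
    """Parse a .mobileconfig plist and report the security-relevant settings it carries."""
    profile = plistlib.loads(profile_bytes)
    report = {}
    for payload in profile.get("PayloadContent", []):
        ptype = payload["PayloadType"]
        if ptype == "com.apple.mobiledevice.passwordpolicy":
            report["passcode_required"] = bool(payload.get("forcePIN", False))
            report["passcode_min_length"] = payload.get("minLength")
            report["simple_passcode_allowed"] = bool(payload.get("allowSimple", True))
            report["auto_lock_minutes"] = payload.get("maxInactivity")
        elif ptype == "com.apple.applicationaccess":
            report["icloud_backup_allowed"] = payload.get("allowCloudBackup", True)
            report["icloud_doc_sync_allowed"] = payload.get("allowCloudDocumentSync", True)
        elif ptype == "com.apple.wifi.managed":
            report["wifi_ssid"] = payload.get("SSID_STR")
            report["wifi_autojoin"] = bool(payload.get("AutoJoin", False))
            report["wifi_password_embedded"] = "Password" in payload
    return report


def demo():
    """Build the baseline profile, serialize it as a .mobileconfig would be, and audit it."""
    profile = build_profile([passcode_payload(), restrictions_payload(),
                             wifi_payload("CorpWiFi", "placeholder-psk")])  # constructed values
    data = plistlib.dumps(profile)  # XML plist, the content of a .mobileconfig file
    return audit_profile(data)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `wifi_password_embedded` line of the audit is the one to keep in mind: the whole point of the Wi-Fi step is that the user never learns the PSK, but the PSK still has to reach the device inside the profile, so the profile itself and any export of it deserve the same handling as the password.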

Blacklist Cloud Storage Apps

Step 1. Continuing on the Policies tab, select Any Policies->Global->Application Access Policy. Click “New Application Access Policy”.

MDM3-0012

Step 2. Enter an appropriate name and description. Since these are apps we do NOT want to allow, select the "Forbidden" radio button and "iOS" for the OS type. Click the "New App" button and enter the app name and App identifier (if known). TIP: To find an app identifier (usually in the format com.appdomain.appname), I have found that getting a device synced (which we'll do later in the series) and then looking at its properties and installed applications will give you that info if the app is installed.

Once all the apps are in, click "Create".

MDM3-0019

Notify User of Blacklisted Apps/Out of Compliance

Step 1. Staying on the Policies tab, go to Global->Automated Actions. Click "New".

MDM3-0014

Step 2. Enter a descriptive name; here we are using "Forbidden Apps". Enter a description. We will set the trigger type to "Event" and the event to "Device noncompliance of B/W app policy". This particular trigger does not take a condition, so that field will be grayed out. Select the Action "Notify" and the template "NonCompliant Blacklist / Whitelist". Set a delay of 5 minutes and a repeating alert every hour. Click "Create", then repeat per Step 3 below.

MDM3-0017

Step 3. Input a name, a description, and trigger type "Event" with the event being "Device noncompliance of B/W app policy". For the Action this time, set it to "Set as Out of Compliance" with a value of True to mark the device as OoC. I set no delay. Click "Create".

MDM3-0018
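To make the two automated actions concrete, here is an added Python model (my own illustration, not XenMobile's logic) of how a Forbidden application access policy scoped to iOS and the two actions above combine on a single device inventory report: list the forbidden apps found, flag the device Out of Compliance, and compute when the "Notify" action fires given a 5 minute delay and an hourly repeat. The bundle identifiers are constructed placeholders in the com.appdomain.appname format from the TIP above; read the real ones from a synced device. Clearing the OoC flag once the apps are gone is this model's choice and is not something the article states about the product.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed placeholder identifiers (not real bundle IDs); replace with values read
# from a synced device's installed-application inventory.
FORBIDDEN_IOS_APPS = {
    "com.example.dropbox": "Dropbox",
    "com.example.box": "Box",
    "com.example.skydrive": "SkyDrive",
}


@dataclass
class Device:
    """One managed device as reported by its last inventory sync (constructed sample)."""
    name: str
    platform: str
    installed: set = field(default_factory=set)
    out_of_compliance: bool = False


def violations(device, forbidden=FORBIDDEN_IOS_APPS, os_type="iOS"):
    """Apps on the device that the Forbidden list disallows; the list is scoped to one OS type."""
    if device.platform != os_type:
        return []
    return sorted(forbidden[bundle] for bundle in device.installed if bundle in forbidden)


def notification_times(detected_at, horizon, delay_minutes=5, repeat_minutes=60):
    """When the 'Notify' action fires: first after the delay, then on every repeat interval."""
    times = []
    fire_at = detected_at + timedelta(minutes=delay_minutes)
    while fire_at <= horizon:
        times.append(fire_at)
        fire_at += timedelta(minutes=repeat_minutes)
    return times


def evaluate(device, detected_at=None, horizon=None):
    """Apply both automated actions (Notify; Set as Out of Compliance) to one inventory report."""
    found = violations(device)
    # 'Set as Out of Compliance' = True on violation. Clearing it when no forbidden app
    # remains is this model's assumption, not documented product behaviour.
    device.out_of_compliance = bool(found)
    schedule = []
    if found and detected_at is not None and horizon is not None:
        schedule = notification_times(detected_at, horizon)
    return {
        "device": device.name,
        "forbidden_apps": found,
        "out_of_compliance": device.out_of_compliance,
        "notifications": schedule,
    }


if __name__ == "__main__":
    ipad = Device("ipad-01", "iOS", {"com.example.dropbox", "com.example.mail"})
    start = datetime(2013, 10, 1, 9, 0)
    print(evaluate(ipad, start, start + timedelta(hours=2, minutes=30)))
    ipad.installed.discard("com.example.dropbox")
    print(evaluate(ipad, start, start + timedelta(hours=2, minutes=30)))
```

Two things the model makes visible: a device whose OS type differs from the policy's (an Android device against an iOS-scoped Forbidden list) is simply not evaluated, so a mixed fleet needs one access policy per OS; and the notification cadence (5 minutes, then hourly) is what the user experiences, while the OoC flag flips immediately with no delay, matching Step 3.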

That's it. We have now accomplished what we set out to do at the beginning of this article. Of course, none of this matters until we actually deploy and are in control of a device, but that doesn't come until later. I should point out that without a NetScaler Connector in place in front of your email, all of this is really for naught: we can't penalize the client for being OoC on the above beyond doing a selective wipe and yanking all of the data we pushed to the device back off. I hope to cover NetScaler Connector in a different series, as it is definitely an integral part but beyond the scope of this series.

Think of Policies as the building blocks of your device management house. Every possible lockdown, whitelist, or configuration you will do needs to be lined out as a Policy. So depending on how wide your user base is and how varied their needs are, this could be very intensive or just a few key things you want to manage. The point is, every option you want to apply, line it out as a policy. Later in this series you will see how Policies and Applications roll up into Deployments, which is ultimately how we manage our devices. It will become clearer as we progress, I promise.

XenMobile MDM is a HUGE product and capable of so many things. I encourage you to read THIS on how Automated Actions work and THIS on the different trigger types and events. Stay tuned for our next topic, where we cover Applications, including pushing them and wrapping them (or the lack thereof with MDM Edition).

3 thoughts on "How To: XenMobile MDM 8.5 Deployment Part 3: Policies"

  1. Pingback: How To: #XenMobile #MDM 8.5 Deployment Part 3: Policies – #Citrix | The IT Melting Pot!

  2. "Set as Out of Compliance" with a value of True to mark the device as OoC. I want to know, if the device has been marked OoC, what condition will take it back to not OoC? Using a rule or ...? Please help with this, thanks.
