How to create a compliance policy for devices?
Configuring compliance policies before enrolling devices lays a strong security foundation. If a device fails to meet the configured compliance criteria during its Mobile Device Management (MDM) lifecycle, it becomes non-compliant. Admins can effectively identify and address compliance violations from the device details page.
Compliance policies in Hexnode UEM allow administrators to define a set of rules that devices must satisfy to meet organizational requirements. These policies can be configured for multiple platforms, such as iOS, iPadOS, Windows, macOS, Android, Apple TV, visionOS, Linux, and ChromeOS.
Hexnode offers both basic and advanced compliance configuration settings. Basic settings let administrators pick from a predefined set of compliance requirements, enabling quick detection of common device weaknesses. Advanced settings offer granular control, allowing administrators to define custom compliance rules from a wide range of device attributes. This enables compliance policies tailored to each device platform.
This document will guide you through the process of creating and assigning compliance policies in Hexnode UEM.
Creating a Compliance policy in Hexnode
To create a compliance policy in Hexnode UEM:
- Log in to your Hexnode UEM console.
- Navigate to Policies > Compliance Policies.
- Choose an existing policy or click New Policy to create a new one.
- Enter the basic details for the policy:
- Policy Name: A name to identify the policy being configured. This is a mandatory field.
- Description: A brief description of the policy. This is optional, with a maximum character limit of 500.
- You will then be presented with two types of settings:
- Basic Settings: Admins are provided with a set of predefined compliance settings to choose from.
- Advanced Settings: These provide a wider range of configurable factors to define compliance criteria, also curated based on the selected platform.
Basic Settings
Setting | Description |
---|---|
MDM app/profile is removed from device | Device will be marked as non-compliant if the Hexnode MDM app or the MDM profile is removed from the device. |
Policy is removed from device | Device will be marked as non-compliant if the policy is removed from the device. |
Device becomes inactive | Device will be marked as non-compliant if it has not been scanned for the number of days specified under Admin > General Settings > Inactivity Settings. |
Device is not encrypted | Device will be marked as non-compliant if the device is not encrypted. |
Device is not password compliant | Device will be marked as non-compliant if no password is set on the device or if the device does not meet the requirements of the password policy. |
Device is not application compliant | Device will be marked as non-compliant if any of the required apps are missing or if any blocklisted apps are installed on it. |
Device moves out of geofence | Device will be marked as non-compliant if the device moves out of the geofence specified under Admin > Geofencing. |
Device is jailbroken | Device will be marked as non-compliant if the device is identified as jailbroken. |
Advanced Settings
The Advanced settings give administrators granular control over device compliance evaluation based on various device attributes. The following table lists all the available device attributes along with their descriptions.
Attribute | Description |
---|---|
Activation Lock | Whether Activation Lock is enabled or disabled on iOS and macOS devices. |
Agent Type (Android only) | The management framework on the Android device, such as General Android or Samsung Knox. |
Agent Version | The version of the Hexnode agent app installed on the device. |
Available Internal Storage (GB) | The remaining storage capacity available for use on the device. |
Battery Level (percentage) | The current battery percentage remaining on the device. |
BitLocker (Windows only) | Whether the device's drive is encrypted using BitLocker. |
Blocklisted Apps Count | The number of blocklisted applications installed on the device. Applicable only when a Blocklist policy is associated with the device. |
Chrome Version (ChromeOS only) | The version of the Chrome operating system running on the device. |
Device Encryption | The encryption status of the device. |
Device Model | The model identifier of the device hardware. For example, the Samsung Galaxy M13 appears as "SM-M135FU". The model identifier of a specific device is shown on its device details page in the Hexnode UEM console. |
Device Name | The name assigned to the device. |
Device Status | The activity status of the device, i.e., whether the device is active or inactive. |
Enterprise Management Type | The Android device's management mode, such as Generic Android or Android Enterprise. |
FileVault (macOS only) | The FileVault encryption status of the macOS device. |
Firmware Version (ChromeOS only) | The firmware version installed on the ChromeOS device. |
Geofence | The geographical boundaries set for monitoring and managing device locations. |
Jailbreak (iOS only) | Whether the iOS device is jailbroken. |
Kiosk Mode | Whether the device is currently operating in kiosk mode, based on the applied kiosk policy. |
Location Tracking | Whether the device's location services are enabled and being used for tracking. |
Manufacturer | The name of the device's hardware manufacturer. |
MDM Profile | Whether a valid UEM/MDM profile is present and active on the device. |
Missing Apps Count | The number of required applications currently missing from the device. |
OS Name | The name of the operating system installed on the device. |
OS Version | The version of the operating system installed on the device, including any security updates. |
Ownership | Whether the device is company-owned or personally owned. |
Password Compliance | Whether the device meets the configured password policy requirements. |
Platform Version | The underlying platform version of the device (e.g., a Windows build such as Windows 10, version 21H1). |
Policy (macOS only) | Whether the macOS device remains associated with the applied UEM policy. |
Processor Name | The name or identifier of the device's processor. |
Supervision (iOS only) | Whether the iOS device is supervised, indicating a higher level of management control. |
TPM Firmware Version | The firmware version of the Trusted Platform Module (TPM) in the device. |
TPM Version | The specification version of the TPM used. |
Wi-Fi SSID | The name (SSID) of the Wi-Fi network to which the device is currently connected. |
By combining a criterion, a comparator and an appropriate value, admins can build precise rules. A rule describes the non-compliant state: a device is marked non-compliant when it matches the configured criteria.
Multiple criteria can be added to a policy using the Add Criteria option. When a policy contains more than one condition, the logical operators AND and OR define how the conditions are combined. The operator appears to the left of every condition after the first:
- AND: the device must meet all the specified conditions to be marked non-compliant.
- OR: the device is marked non-compliant if it meets any one of the specified conditions.
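The AND/OR combination is where compliance rules most often misfire, so the following is an added example (it is not Hexnode's code) that evaluates a rule list of the kind the advanced settings build against a constructed device attribute snapshot. The attribute names follow the tables on this page; the comparator names "is", "is not", "greater than" and "less than", the left-to-right folding of mixed AND/OR, the 7-day inactivity window and the sample devices are assumptions made for the example. It also shows why version-typed attributes (OS version, Agent version) have to be compared component by component rather than as plain strings or decimal numbers, and it goes slightly beyond the page by deriving Device status from the last scan time.

```python
"""Evaluator for Hexnode-style advanced compliance criteria (added example).

Illustrative code, not Hexnode's own. It assumes a per-device attribute
snapshot (a dict keyed by the attribute names in the tables on this page) and
a rule list whose entries use the comparator names "is", "is not",
"greater than" and "less than" (assumed names), joined by AND/OR. Mixed
AND/OR is folded left to right; that ordering is an assumption, since the
console's precedence is not documented on this page.
"""
from datetime import datetime, timedelta, timezone

# Attributes whose values are dotted version strings rather than plain text.
VERSION_ATTRS = {"OS version", "Agent version", "Chrome version", "Firmware version"}


def version_key(text):
    """'17.10' -> (17, 10): compare versions numerically, component by component.
    As a string '17.10' < '17.4' (character '1' < '4'); as a float 17.10 == 17.1 < 17.4.
    Either way a newer build would be flagged as out of date."""
    return tuple(int(p) for p in str(text).split(".") if p.isdigit())


COMPARATORS = {
    "is": lambda a, b: a == b,
    "is not": lambda a, b: a != b,
    "greater than": lambda a, b: a > b,
    "less than": lambda a, b: a < b,
}


def device_status(last_scan, inactivity_days, now):
    """'Inactive' when the device has not been scanned within the window
    configured under Admin > General Settings > Inactivity Settings."""
    return "Inactive" if now - last_scan > timedelta(days=inactivity_days) else "Active"


def evaluate(rules, device):
    """Return True when the device matches the policy, i.e. it is NON-compliant.

    Each rule is {"attr", "comparator", "value", "op"}; op is None on the first
    rule and "AND" or "OR" on every later one (the operator shown to the left of
    the condition in the console)."""
    verdict = None
    for rule in rules:
        attr = rule["attr"]
        if attr not in device:
            # Refuse to evaluate rather than silently treat an unreported
            # attribute as compliant.
            raise KeyError(f"device snapshot has no attribute {attr!r}")
        left, right = device[attr], rule["value"]
        if attr in VERSION_ATTRS:
            left, right = version_key(left), version_key(right)
        hit = COMPARATORS[rule["comparator"]](left, right)
        if verdict is None:
            verdict = hit
        elif rule["op"] == "AND":
            verdict = verdict and hit
        elif rule["op"] == "OR":
            verdict = verdict or hit
        else:
            raise ValueError(f"rule after the first needs op AND/OR: {rule}")
    return bool(verdict)


# Constructed fixtures for the example.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
INACTIVITY_DAYS = 7  # assumed value of the console's inactivity setting

# Policy (constructed): non-compliant if the OS is older than 17.4
# OR the device is not encrypted OR it has gone inactive.
POLICY = [
    {"attr": "OS version", "comparator": "less than", "value": "17.4", "op": None},
    {"attr": "Device encryption", "comparator": "is", "value": "Disabled", "op": "OR"},
    {"attr": "Device status", "comparator": "is", "value": "Inactive", "op": "OR"},
]


def make_snapshot(os_version, encryption, days_since_scan):
    """Build a constructed device snapshot; Device status is derived from the last scan."""
    last_scan = NOW - timedelta(days=days_since_scan)
    return {
        "OS version": os_version,
        "Device encryption": encryption,
        "Device status": device_status(last_scan, INACTIVITY_DAYS, NOW),
    }


SAMPLE_DEVICES = {  # constructed sample fleet; version numbers are illustrative
    "ipad-current": make_snapshot("17.10", "Enabled", 1),
    "ipad-old-os": make_snapshot("17.3.1", "Enabled", 1),
    "ipad-unencrypted": make_snapshot("17.5", "Disabled", 1),
    "ipad-dormant": make_snapshot("17.5", "Enabled", 30),
}


def run_policy(rules=POLICY, devices=SAMPLE_DEVICES):
    """Map device name -> True when the device is non-compliant under the rules."""
    return {name: evaluate(rules, snap) for name, snap in devices.items()}


if __name__ == "__main__":
    for name, bad in run_policy().items():
        print(f"{name}: {'NON-COMPLIANT' if bad else 'compliant'}")
```

`evaluate` returns True when the device matches the rule set, which under the semantics above means the device is non-compliant. Note that `ipad-current` stays compliant even though "17.10" would sort below "17.4" as a string or as a decimal; that is the comparison bug a hand-written check would most likely introduce.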
The following tables list the criteria supported on each platform and the values they accept; the comparator for each criterion is selected alongside it in the console. Where no predefined options are available, the value must be entered manually by the administrator.
Android
Criteria | Possible Values |
---|---|
Agent Type | |
Agent version | Agent version in decimals. |
Available internal storage (GB) | Internal storage value as an integer. |
Battery level (percentage) | Battery percentage value as an integer. |
Blocklisted apps count | Number of blocklisted apps as an integer. |
Device encryption | Disabled |
Device model | Identifier of the device model. |
Device status | Inactive |
Enterprise Management Type | |
Geofence | Disabled |
Kiosk mode | |
Location tracking | Disabled |
Manufacturer | Name of the device manufacturer. |
Missing apps count | Number of missing required apps at which the device is marked non-compliant. |
OS version | Desired OS version. |
Ownership | |
Password compliance | Disabled |
Wi-Fi SSID | SSID of the Wi-Fi network. |
iOS
Criteria | Possible Values |
---|---|
Activation lock | Disabled |
Agent version | Agent version in decimals. |
Available internal storage (GB) | Internal storage value as an integer. |
Battery level (percentage) | Battery percentage value as an integer. |
Blocklisted apps count | Number of blocklisted apps as an integer. |
Device encryption | Disabled |
Device model | Identifier of the device model. |
Device status | Inactive |
Geofence | Disabled |
Jailbreak | Enabled |
Kiosk mode | |
Location tracking | Disabled |
MDM profile | Removed |
Missing apps count | Number of missing required apps at which the device is marked non-compliant. |
OS version | Desired OS version. |
Ownership | |
Password compliance | Disabled |
Supervision | |
Windows
Criteria | Possible Values |
---|---|
Agent version | Agent version in decimals. |
Available internal storage (GB) | Internal storage value as an integer. |
Battery level (percentage) | Battery percentage value as an integer. |
BitLocker | Disabled |
Blocklisted apps count | Number of blocklisted apps as an integer. |
Device encryption | Disabled |
Device model | Identifier of the device model. |
Device status | Inactive |
Geofence | Disabled |
Kiosk mode | |
Location tracking | Disabled |
Manufacturer | Name of the device manufacturer. |
Missing apps count | Number of missing required apps at which the device is marked non-compliant. |
OS name | Name of the operating system. |
OS version | Desired OS version. |
Ownership | |
Processor name | Name of the processor. |
TPM version | Trusted Platform Module (TPM) specification version as a decimal number. |
Wi-Fi SSID | SSID of the Wi-Fi network. |
macOS
Criteria | Possible Values |
---|---|
Activation lock | Disabled |
Agent version | Agent version in decimals. |
Available internal storage (GB) | Internal storage value as an integer. |
Battery level (percentage) | Battery percentage value as an integer. |
Blocklisted apps count | Number of blocklisted apps as an integer. |
Device model | Identifier of the device model. |
Device status | Inactive |
FileVault | Disabled |
Geofence | Disabled |
Location tracking | Disabled |
MDM profile | Removed |
Missing apps count | Number of missing required apps at which the device is marked non-compliant. |
OS version | Desired OS version. |
Ownership | |
Password compliance | Disabled |
Policy | Removed |
Processor name | Name of the processor. |
Apple TV
Criteria | Possible Values |
---|---|
Device model | Identifier of the device model. |
Device status | Inactive |
Kiosk mode | |
MDM profile | Removed |
OS version | Desired OS version. |
Ownership | |
Linux
Criteria | Possible Values |
---|---|
Agent version | Agent version in decimals. |
Available internal storage (GB) | Internal storage value as an integer. |
Battery level (percentage) | Battery percentage value as an integer. |
Blocklisted apps count | Number of blocklisted apps as an integer. |
Device model | Identifier of the device model. |
Device status | Inactive |
Missing apps count | Number of missing required apps at which the device is marked non-compliant. |
OS name | Name of the operating system. |
Processor name | Name of the processor. |
Wi-Fi SSID | SSID of the Wi-Fi network. |
visionOS
Criteria | Possible Values |
---|---|
Device status | Inactive |
Geofence | Disabled |
MDM profile | Removed |
Missing apps count | Number of missing required apps at which the device is marked non-compliant. |
OS version | Desired OS version. |
Ownership | |
ChromeOS
Criteria | Possible Values |
---|---|
Battery level (percentage) | Battery percentage value as an integer. |
Blocklisted apps count | Number of blocklisted apps as an integer. |
Chrome version | Appropriate ChromeOS version. |
Device model | Identifier of the device model. |
Device status | Inactive |
Firmware version | Appropriate ChromeOS firmware version. |
Kiosk mode | |
Manufacturer | Name of the device manufacturer. |
Ownership | |
Platform version | Platform version of the ChromeOS device. |
TPM firmware version | Trusted Platform Module (TPM) firmware version as a decimal number. |
Wi-Fi SSID | SSID of the Wi-Fi network. |
Associating compliance policies with devices
To associate the compliance configurations with the targets:
- When the policy is not yet saved,
- Go to Policy Targets within the Policies tab.
- Click on Users > + Add Users, select the required users and click OK to associate the policy with the target users. When a device is subsequently enrolled to a targeted user, the compliance policy is applied to that user's devices automatically.
- You can also associate the policy with Devices, Device Groups, User Groups, or Domains from the left pane of the Policy Targets tab.
- When the policy has already been saved,
- From Policies > Compliance Policies, select the appropriate policy.
- Click on Manage > Associate Targets, choose the target users and click Associate to associate the policy with them. Enrolling a device to a targeted user applies the associated compliance policy automatically.
- You can also associate the policy with Devices, Device Groups, User Groups, or Domains.
Policy Summary
The Policy Summary includes the version of the policy, created date, modified date, target count, and configured settings. To view the Policy Summary:
- Navigate to Policies > Compliance Policies.
- Click on the policy summary icon on the right side of the policy.
- You can view the policy summary here.
- Click Manage at the top right corner to modify or clone the policy.