syarbrou
Enthusiast
Enthusiast

How Compliance Policies Work?

Jump to solution
I was curious the flow of compliance policies and connectivity required.  In this case, with iOS.  So say I have a compliance policy that says, if the device hasn't checked in for 2 days Enterprise Wipe it.  This will sound stupid, but does the device have to check-in for this activity to work?  Basically what I'm trying to understand, does compliance policies live on the device and if it becomes non-compliant the resulting action just happens?  It doesn't have to go back to WS1 to verify it's non-compliant and then WS1 has to trigger an action on the device?   Same question for any other compliance policy should they all work differently.

Side question, why does the compliance policies only have enterprise wipe and not device wipe?

Thanks.

Steve
Labels (1)
0 Kudos
1 Solution

Accepted Solutions
JohnMarler
Enthusiast
Enthusiast

That is not a stupid question at all. In my experience, all compliance policies require the device to be powered on, with and internet connection, enrolled, and communicating with the console for it to actually perform the compliance action. With that said, a command will be sent from the console as defined in the policy, even if the device is not meeting those requirements, then it should take place on the device the next time is powered on/internet connection, etc. Your example of device check in for 2 days, then sent enterprise wipe. Let's say a device is turned off for 7 days. The command from the console will still be sent after 2 days(as defined in the policy), but it wont actually take place on the device until it is powered on with internet connection (7 days later in this example). So, it does not live on the device. As for the other question, I am not 100% sure why device wipe is not an option, but I would assume this is a limitation by apple.


View solution in original post

0 Kudos
2 Replies
JohnMarler
Enthusiast
Enthusiast

That is not a stupid question at all. In my experience, all compliance policies require the device to be powered on, with and internet connection, enrolled, and communicating with the console for it to actually perform the compliance action. With that said, a command will be sent from the console as defined in the policy, even if the device is not meeting those requirements, then it should take place on the device the next time is powered on/internet connection, etc. Your example of device check in for 2 days, then sent enterprise wipe. Let's say a device is turned off for 7 days. The command from the console will still be sent after 2 days(as defined in the policy), but it wont actually take place on the device until it is powered on with internet connection (7 days later in this example). So, it does not live on the device. As for the other question, I am not 100% sure why device wipe is not an option, but I would assume this is a limitation by apple.


View solution in original post

0 Kudos
syarbrou
Enthusiast
Enthusiast
Thanks John.  That is really helpful but unfortunate.  Though the more I think about it, for my situation, if I can't show in the console the compliance action happened successfully, then it probably doesn't do me any good.  Kind of the, ' if it's not documented, it didn't happen'  thing. So if it wipes but I have no record in the console, how do I prove it wiped?  🙂

Thanks again.

Steve
0 Kudos