In WSO2 EMM, administrators can define policies, each of which includes a set of configurations. WSO2 EMM policies are enforced on the EMM users' devices when new users register with the EMM. The EMM policy settings vary based on the mobile OS type. For more information, see EMM policy settings.
Check out the following sections to manage policies.
Policy enforcement criteria
The following section describes how policies will be enforced on devices that register with EMM:
- Step 1: Filtering based on the Platform (device type)
The policies will be filtered based on the mobile platform so that they match the platform of the registered device.
- Step 2: Filtering based on the device ownership type
Next, the policies will be filtered based on the device ownership type (BYOD or COPE) so that they match the device ownership type of the registered device.
- Step 3: Filtering based on the user role or name
The policies will be filtered again to match the device owner's username or role.
- Step 4: Enforcing the policy
Finally, the policy having the highest priority out of the pool of filtered policies will be enforced on the registered device.
Use case: The organization MobX uses WSO2 EMM and allows its employees to bring their own mobile devices to work. The devices need to be registered with EMM, and MobX has a set of policies that need to be applied to the registered devices to stay in line with the organization's rules and requirements. Tom joins eMax as a Marketing officer, and his personal mobile device is an Android device.
When Tom registers with EMM, the policy that suits best will be enforced on his device as shown below:
- Initially, EMM will filter the policies down to those that are configured for the Android platform.
- Out of the filtered policies, EMM will then filter the policies that are configured for BYOD devices.
- Next, it will filter the policies that are configured for the marketing role.
- After filtering the policies, EMM identifies that there are 5 policies that can be applied to Tom's device. Therefore, EMM will check for the policy with the highest priority and then enforce that policy on Tom's device.
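The four filtering steps and Tom's use case can be modelled as follows. This is an added example, not WSO2 EMM code: the `Policy` and `Device` classes, the field names and the sample policies are constructed for illustration, and it assumes that priority 1 is the highest, that a policy matches when it lists either the owner's username or one of the owner's roles, and that only published (active) policies take part in filtering.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Policy:
    name: str
    platform: str                    # e.g. "android", "ios"
    ownership: str                   # "BYOD" or "COPE"
    priority: int                    # assumption: 1 is the highest priority
    active: bool = True              # published = active; saved/unpublished = not active
    roles: frozenset = frozenset()   # roles the policy is assigned to
    users: frozenset = frozenset()   # usernames the policy is assigned to

@dataclass(frozen=True)
class Device:
    platform: str
    ownership: str
    owner: str
    owner_roles: frozenset

def select_policy(policies, device) -> Optional[Policy]:
    """Return the policy to enforce on a newly registered device, or None."""
    pool = [p for p in policies if p.active]                        # non-active policies are ignored
    pool = [p for p in pool if p.platform == device.platform]       # Step 1: platform
    pool = [p for p in pool if p.ownership == device.ownership]     # Step 2: ownership type
    pool = [p for p in pool                                         # Step 3: username or role
            if device.owner in p.users or p.roles & device.owner_roles]
    # Step 4: highest priority wins; an empty pool means no policy is enforced.
    return min(pool, key=lambda p: p.priority, default=None)

# Constructed sample data (not taken from a real EMM deployment).
MARKETING = frozenset({"marketing"})
POLICIES = [
    Policy("android-byod-marketing", "android", "BYOD", 2, roles=MARKETING),
    Policy("android-byod-tom", "android", "BYOD", 3, users=frozenset({"tom"})),
    Policy("android-cope-marketing", "android", "COPE", 1, roles=MARKETING),
    Policy("ios-byod-marketing", "ios", "BYOD", 1, roles=MARKETING),
    Policy("android-byod-sales", "android", "BYOD", 1, roles=frozenset({"sales"})),
    # Saved but never published: strictest priority, yet never considered.
    Policy("android-byod-draft", "android", "BYOD", 1, active=False, roles=MARKETING),
]
TOM = Device("android", "BYOD", "tom", MARKETING)
UNMATCHED = Device("windows", "BYOD", "ann", MARKETING)

if __name__ == "__main__":
    print(select_policy(POLICIES, TOM))        # the priority-2 marketing policy
    print(select_policy(POLICIES, UNMATCHED))  # None: nothing is enforced
```

The `UNMATCHED` case is the one to check in a real deployment: a device that falls outside every published policy's platform, ownership and role filters registers with no policy enforced on it.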
Administrators are able to monitor the compliance status of all the devices connected to the EMM server. At the time of configuration, administrators specify the compliance monitoring period, which defines the time interval between two compliance monitoring instances. EMM will carry out the admin-defined actions (i.e., acknowledge, warning and enforce) when a device is non-compliant with the assigned policy. If the enforce action is selected for a given policy and a user bypasses the policy, EMM will re-enforce the policy on the user's device. (Example: The camera is disabled via the camera restriction policy and the enforce action was selected as the compliance type. If a user enables the camera on the device through some mechanism, the camera restriction policy will be re-enforced on the device so that the camera is disabled again.)
This section describes the terminology used in EMM when defining policies, so that you are familiar with the terms and can better understand the steps defined in each subsection under managing policies.
The functionalities supported by each device type.
A profile in the context of EMM refers to a collection of features that is supported by each device type. These features can be configured using the different configuration options.
- Publish policies
When a policy is published, it will be in the active state. Active policies will be applied to the devices that register with EMM based on the Policy enforcement criteria.
- Unpublish policies
When a policy is unpublished, it will be in the non-active state. Such policies will not be considered when applying policies to a device that registers with EMM.
If you save a policy, it will be in the non-active state. Therefore, it will not be taken into account when the EMM server filters policies to enforce a suitable policy on a device that registers with the EMM.
- Save and publish
If you save and publish a policy, it will be in the active state. Active policies will be applied to new devices that enroll with EMM based on the Policy enforcement criteria.
Policies in the active state will be applied to a new device that registers with EMM based on the policy enforcement criteria. When you make changes to existing policies (removing, activating, deactivating and updating) or add new policies, the existing devices will not receive these changes immediately. Once all the required changes are made, you can click Apply changes to push the policy changes to the existing devices.
The EMM does not notify the end users of the devices each time a change is made to a policy, because the notification servers would be flooded unnecessarily with policy change messages. Therefore, after all the required changes are made to the policies, you can click Apply changes to notify the users in one go.