Hi! In this post we will see how to solve a very common issue with compliance policies.
Explanation of the Issue
The compliance policy for Windows Desktops was configured to enterprise wipe devices when the firewall was disabled. However, users have reported that their Windows 10 endpoints were enterprise wiped even when the firewall was enabled.
After consulting the Workspace ONE administrator who participated in the initial Workspace ONE solution deployment, you collected the following information:
• The company wants to monitor the firewall status and the encryption status of the enrolled Windows 10 endpoints:
– If the firewall status of the Windows 10 endpoint is poor, the company wants to first inform the user and the administrator, then issue an enterprise wipe after 5 days.
– If the encryption status of the Windows 10 endpoint is not encrypted, the company then wants to push an encryption profile to enforce Windows disk encryption.
• When the compliance policy was first created, both compliance rules were configured in the same compliance policy.
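After examining the Windows 10 endpoint, the Devices Dashboard, and the compliance policy, you found the following cause of the compliance policy issue:
• Both compliance rules are configured in the same compliance policy.
VMware best practice recommends that each compliance rule is configured in a separate compliance policy. This ensures that you get the best compliance check results and simplifies troubleshooting. With both rules in one policy, they share that policy's actions and escalations, so a device that fails only the encryption rule can be escalated to the enterprise wipe intended for the firewall rule.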
Troubleshooting an Existing Compliance Policy
1. In the Workspace ONE UEM console, navigate to Devices > Compliance Policies > List View. You see the Monitor Firewall and Encryption compliance policy.
2. Click the Monitor Firewall and Encryption blue hyperlink to view details of the selected compliance policy. You notice that both compliance rules are listed in the selected compliance policy.
3. Click X next to the Encryption compliance rule to remove it.
4. Click Next. Examine the compliance actions and escalation.
5. Click Next.
6. Click Next.
7. On the Summary tab, modify the following general compliance policy information:
• Name: Monitor Windows 10 Firewall
• Description: Monitor the Firewall Status of Windows 10 Endpoints
8. Click Finish & Activate.
Creating New Compliance Policy and Escalations
1. In the Workspace ONE UEM console, navigate to Devices > Compliance Policies > List View.
2. Click Add.
3. Select Windows > Windows Desktop.
4. Click the Rules tab and under the Compliance Rule drop-down menu select Encryption.
5. Ensure that the compliance condition is set to is not encrypted.
6. Click Next.
7. On the Actions tab, click Add Escalation.
8. Modify the new compliance action based on the following parameters:
• After: 5 Days
• Action: Profile
• Action Details: Install Compliance Profile
• Profile: Windows 10 Encryption Compliance
9. Click Next.
10. Under the Assignment tab:
a. Click the empty field next to Smart Groups.
b. Select the All Corporate Devices (Company) smart group from the drop-down menu.
11. Click Next.
12. Under the Summary tab, modify the following general compliance policy information:
• Name: Monitor Windows 10 Encryption
• Description: Monitor the Encryption Status of Windows 10 Endpoints and push Windows 10 Encryption Profile
13. Click Finish & Activate.
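Why the split fixes the reported wipes, as an added example that is not part of the original post and not Workspace ONE UEM code. It assumes a policy counts as violated when any of its rules matches and that actions belong to the policy as a whole; the action names, the day-0 notification and the device record are constructed.

```python
from dataclasses import dataclass

# Rule predicates: return True when the device violates the rule.
RULES = {
    "firewall": lambda d: not d["firewall_enabled"],
    "encryption": lambda d: not d["encrypted"],
}

@dataclass(frozen=True)
class Policy:
    name: str
    rules: tuple    # rule names from RULES
    actions: tuple  # (after_days, action) pairs shared by the whole policy

def due_actions(policy, device, days_noncompliant):
    """Actions issued for this device after N days of non-compliance.

    Assumed model: the policy is violated when ANY rule matches, and every
    action belongs to the policy, not to the rule that matched.
    """
    if not any(RULES[r](device) for r in policy.rules):
        return []
    return [a for after, a in policy.actions if days_noncompliant >= after]

def audit(policies):
    """Flag policies that pair more than one rule with an enterprise wipe."""
    return [p.name for p in policies
            if len(p.rules) > 1
            and any(a == "enterprise_wipe" for _, a in p.actions)]

def outcome(policies, device, days):
    return {p.name: due_actions(p, device, days) for p in policies}

# Constructed policies mirroring the article (before and after the fix).
WIPE_CHAIN = ((0, "notify_user_and_admin"), (5, "enterprise_wipe"))
COMBINED = Policy("Monitor Firewall and Encryption",
                  ("firewall", "encryption"), WIPE_CHAIN)
FIREWALL = Policy("Monitor Windows 10 Firewall", ("firewall",), WIPE_CHAIN)
ENCRYPTION = Policy("Monitor Windows 10 Encryption", ("encryption",),
                    ((5, "install_profile:Windows 10 Encryption Compliance"),))

# Constructed device: firewall enabled, disk not encrypted (the reported case).
DEVICE = {"firewall_enabled": True, "encrypted": False}

if __name__ == "__main__":
    print("before:", outcome([COMBINED], DEVICE, 5))
    print("after: ", outcome([FIREWALL, ENCRYPTION], DEVICE, 5))
    print("flagged:", audit([COMBINED, FIREWALL, ENCRYPTION]))
```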
I hope it has been useful to you. See you next time!