Policy Management
In EMM, administrators can define policies, each of which contains a set of configurations. EMM policies are enforced on EMM users' devices, based on the policy hierarchy, when new users register with MDM and also when a policy is edited.
Policy management in EMM has two aspects: MDM and MAM. Administrators first create a policy via the MDM Console, where they define the iOS and Android specific policy settings related to MDM. They can also define the action to take when an Android-powered device is non-compliant with the policy; EMM always issues warnings to non-compliant iOS-powered devices. Administrators add the MAM aspect of a policy by editing an existing policy via the MAM Console. The MAM aspect of a policy comprises the blacklisted Android applications and the iOS/Android applications that need to be installed when the policy is enforced. When enforcing a new policy, EMM does not remove the mobile applications that were added by the previously enforced policy. Therefore, we do not recommend assigning multiple policies to a single user.
Policies can be set at various levels, namely user level (L1), platform level (L2) and role level (L3). L3 policies have the lowest priority. L2 policies override L3 policies, while L1 policies override both L2 and L3 policies. In EMM, policy merging is not allowed. If a user has multiple policies assigned, the policy to be enforced is selected based on the policy enforcement criteria.
Policy enforcement criteria
- If a user with multiple policies that belong to the same policy level enrolls with EMM, the last assigned policy is enforced on the user's device.
For example:
The administrator assigns John policy P1, which is a role level policy, and later assigns him policy P2, which is another role level policy. When John enrolls with EMM, policy P2 is enforced on his device as it was the last assigned policy.
- If a user with multiple policies that belong to different policy levels enrolls with EMM, the policy with the highest priority is enforced on the user's device.
For example:
The administrator assigns Jane policy P3, which is a user level policy and later assigns her policy P4, which is a role level policy. When Jane enrolls with EMM, policy P3 is enforced on her device as it has a higher priority over policy P4.
- If the administrator edits a policy that has been assigned to a user, and the newly edited policy and the currently assigned policy belong to the same level, then the newly edited policy is enforced on the user's device.
For example:
The administrator assigns Jack policy P5, which is a user level policy and later assigns him policy P6, which is another user level policy. When Jack enrolls with EMM, policy P6 is enforced on his device. When the administrator later edits policy P5, then policy P5 is enforced on Jack's device.
- If the administrator edits a policy that has been assigned to a user, and the newly edited policy has a lower priority than the currently assigned policy, then the newly edited policy will not be enforced on the user's device.
For example:
The administrator assigns Jake policy P7, which is a user level policy and later assigns him policy P8, which is a role level policy. When Jake enrolls with EMM, policy P7 is enforced on his device. The administrator later edits policy P8. However, the current policy (P7) that is enforced on Jake's device is not changed as policy P8 has a lower priority when compared to policy P7.
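The four scenarios above, replayed in a small Python model (an added example, not EMM's own code). The `User` class, its method names and the treatment of an edit as the newest event at that policy's level are assumptions made for illustration.

```python
# Added illustration of the enforcement criteria; a model, not EMM's own code.
PRIORITY = {"user": 1, "platform": 2, "role": 3}  # L1 overrides L2 overrides L3


class User:
    def __init__(self):
        self.assigned = {}    # policy name -> (level, order of last assign/edit)
        self.enforced = None  # None until the user enrolls
        self._clock = 0

    def assign(self, policy, level):
        if level not in PRIORITY:
            raise ValueError(f"unknown policy level: {level}")
        self._clock += 1
        self.assigned[policy] = (level, self._clock)

    def _select(self):
        # No merging: exactly one policy wins. Highest-priority level first,
        # then the most recently assigned or edited policy within that level.
        if not self.assigned:
            return None
        return min(self.assigned, key=lambda p: (PRIORITY[self.assigned[p][0]],
                                                 -self.assigned[p][1]))

    def enroll(self):
        self.enforced = self._select()
        return self.enforced

    def edit(self, policy):
        # Assumption: an edit counts as the newest event at that policy's level.
        self.assign(policy, self.assigned[policy][0])
        if self.enforced is not None:  # only enrolled users are re-evaluated
            self.enforced = self._select()
        return self.enforced


def page_examples():
    """Replay the John, Jane, Jack and Jake scenarios from the text."""
    results = {}
    for name, assignments, edited in [
        ("John", [("P1", "role"), ("P2", "role")], None),
        ("Jane", [("P3", "user"), ("P4", "role")], None),
        ("Jack", [("P5", "user"), ("P6", "user")], "P5"),
        ("Jake", [("P7", "user"), ("P8", "role")], "P8"),
    ]:
        user = User()
        for policy, level in assignments:
            user.assign(policy, level)
        at_enroll = user.enroll()
        results[name] = (at_enroll, user.edit(edited) if edited else at_enroll)
    return results
```

Each result is a pair: the policy enforced at enrollment and the policy enforced after the edit, if any. Jake's pair shows why editing a lower-priority policy is a silent no-op for users who also hold a higher-priority one.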
Compliance monitoring
Administrators can monitor the compliance status of all the devices connected to the EMM server. At the time of configuration, administrators specify the compliance monitoring period, which defines the time interval between two compliance monitoring instances. EMM will carry out the administrator-defined actions (i.e., acknowledge, warning and enforce) when a device is non-compliant with the MDM aspect of the assigned policy. In addition, EMM will also push pop-up warning messages to Android-powered devices when blacklisted applications are identified, as shown below: