Mobile Device Management policies

Modified on Tue, 12 Nov at 11:09 AM

Mobile Device Management policies

Policies allow TeamViewer's Mobile Device Management (MDM) solution to define requirements for devices, as well as what will happen if a device does not comply with the set requirements. Each policy consists of a set of rules and a compliance action (what happens if the rule is violated).

This article applies to all TeamViewer Mobile Device Management customers.

How to access MDM policies

Accessing the MDM policy portal is done within TeamViewer Remote or the Web app. To begin, navigate to the Remote Management tab and select Go to Settings, found under the Mobile Device Management section.

image.png

To manage or alter policies, select Manage Policies at the upper right corner of the settings window. This will redirect you to the Ivanti portal.

image.png

Note: If you cannot see the Policies page, it might be that you do not have the required permissions. Viewing of the portal requires the Device Managment and Device Read-only roles.

How to create MDM policies

Once in the Ivanti portal, admins can create a new policy by clicking the + Add button in the upper right corner.

image.png

When creating any policy, a checkbox is found at the bottom of the window that must be selected in order to proceed. This ensures the admin is aware that any previous policy settings will be reset once the new policy takes place.

image.png

Hint: When creating a new policy, it is recommended to set the policy only with the "Monitor" compliance action for an evaluation period. The policy can then be checked over a period of a few days to be sure it is not matching devices in a way that is not intended.

Tiered Actions

When the policy is created it will begin monitoring, showing the impact on devices. Adding additional actions allows policies to fall into compliance by defining security preferences in the form of rules. You can add actions now, or after you have evaluated any violations.

Hint: Adding the action Wait in between other actions provides a way to allow device users to remediate their device and get it back in compliance before additional actions are taken. As an example, you may want to send a warning message and wait 24 hours before applying a quarantine action.

How to edit/delete MDM policies

The Actions column provides both options for editing or deleting an MDM policy.

image.png
  • To edit a policy, click the blue pencil icon
  • To delete a policy, click the red minus symbol

Types of MDM policies

Hint: Regardless of policy type, all policies provide the ability to be notified when the device comes back into compliance!

image.png

TeamViewer MDM policies provide complete control in many situations. Within the policy, you can also set multiple parameters. We currently provide the following MDM policy parameters:

Compromised Devices

The Compromised Devices policy allows TeamViewer to take action if a compromised device (jailbroken iPhone or rooted Android device) is detected. When detected, TeamViewer can take the following actions:

1. Do Nothing

TeamViewer will take no actions. Compromised devices will appear in the Dashboard.

2. Send Notification

TeamViewer will send an email or push notification to the affected device/user; can also send both. The policy provides a subject and body text field where you can enter the default message to be sent during an occurrence.

3. Wait

TeamViewer will take no action for a set period of time. Once the time has expired, the next action set in the policy will occur.

Hint: To add multiple actions to a policy, click the blue + icon to the right of the currently applied action.

image.png

4. Restart Device Once

The affected device will be forced to restart once. If any actions have been added after this occurs, the next action will occur once the device is back online.

5. Quarantine

The affected device will be quarantined based on the provided parameters, including the ability to remove applications and configurations, as well as stop specific device actions.

image.png

6. Block

The device will be blocked from access.

7. Retire

The device will be retired per the TeamViewer MDM system.

Note: This action cannot be undone.

Data Protection/Encryption Disabled

The Data Protection/Encryption Disabled policy allows TeamViewer to detect if there is no passcode or the encryption settings have been disabled. When this is detected, TeamViewer MDM can take any/all of the following actions:

  • Monitor (Default action, auto-selected
  • Block
  • Send message to user (Email/Push/Both)
  • Quarantine

International Roaming

The International Roaming policy applies to any device that is detected outside of its home country. This policy is useful in preventing devices from incurring unintentional international roaming charges. When this is detected, TeamViewer MDM can take any/all of the following actions:

  • Monitor (Default action, auto-selected)
  • Block
  • Send message to user (Email/Push/Both)
  • Quarantine

MDM/Device Administration Disabled

The MDM/Device Administration Disabled policy applies to any device that has the relationship between itself and the TeamViewer MDM system severed. When this is detected, TeamViewer MDM can take any/all of the following actions:

  • Monitor (Default action, auto-selected
  • Block
  • Send message to user (Email/Push/Both)
  • Quarantine

Note: If a device is MDM-disabled, it will not be evaluated for any other policies/processing of configurations/apps during check-ins.

Out of Contact/MI Client Out of Contact

The Out of Contact/MI Client Out of Contact policies are two separate policies that work in a similar way. They both apply to any device that has not checked in for a specified amount of time. The time parameters are set within the policies themselves and can be set to either Days or Hours. When no check-in occurs for the designated timeframe, TeamViewer MDM can take any/all of the following actions:

  • Monitor (Default action, auto-selected
  • Block
  • Send message to user (Email/Push/Both)
  • Quarantine

Custom Policy

The Custom Policy allows even more control of the devices within the MDM network and includes a multitude of parameters and conditions. This offers the ability for similar alerts and actions to be taken as seen in the above policies, but with the ability to track many other features.

Learn more about Custom Policy parameters

Allowed Apps

The Allow Apps policy controls which apps are allowed on managed devices. This policy will set up an allowlist and a blocklist, and specific apps can be authorized from the App Store/Play Store or entered manually. When an app is flagged to be against the policy, TeamViewer MDM can take any/all of the following actions:

  • Monitor (Default action, auto-selected
  • Block
  • Send message to user (Email/Push/Both)
  • Quarantine

Note: For this policy to work, devices must have Privacy Configurations that enable the collection of all installed apps on the device. Without this, false positives will be reported since there is no way of enforcing which apps should be allowed, disallowed, or required.

Learn more about Allowed Apps

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article