Lesson 4 - Configuring your mobile security policies



  • Enforcing a passcode and encryption
  • Enforcing device restrictions
  • Enforcing compliance policies


 In this lesson, you will learn how AirWatch enables IT administrators to enforce passcode and encryption policies, device restrictions, and compliance policies automatically.

Enforcing a passcode  


AirWatch utilizes configuration profiles to enforce passcode policies on devices. Configuration profiles can be assigned to devices based on organization group, device model, operating system, ownership and other attributes.


To create a passcode policy:


 1. Click on Passcode and Encryption from the Getting Started Wizard or navigate to Devices > Profiles > List View and click Add.
 2. Select your device platform. In this example we will use Apple iOS.


3. Complete the fields in the General tab. A description of each field is found below.



The name of the profile to be displayed in the Web Console. Make this relevant to the payload so you can identify the profile later


A description of what the profile does, used for future reference


Managed will remove the profile when the device is unenrolled. Manual will leave the profile installed when the device is unenrolled

Assignment Type

Auto pushes out profile to all devices automatically. Optional lets the administrator manually push the profile to selected devices

Allow Removal

"Always" allows users to remove the profile. "With Authorization" allows users to remove the profile with a code created by the administrator. "Never" does not allow users to remove the profile unless the device is unenrolled.

Managed By

The Organization Group that administrators must be associated with in order to edit/delete this profile. 

Assigned Smart Groups

The Smart Group(s) that will receive this profile. Any devices that enroll into these groups will receive the profile.

Additional Assignment Criteria

Assign the profile based on user groups, device location, and time of day.

4. Select the Passcode payload from the left column.

5. Click the Configure button and select the values for the passcode requirement. A few of the options are explained in the table below.

  • Allow Simple Value: Permits the use of ascending, descending, or repeating values
  • Require alphanumeric value: Require the passcode to contain at least one letter
  • Auto-Lock: Device automatically locks when this time period expires (minutes)
  • Passcode history: The number of unique passcodes required before reuse
  • Grace period for device lock: Amount of time device can be locked without requiring a passcode on unlock (minutes)
  • Maximum number of failed attempts: The number of failed passcode entries allowed before the device erases all data

6. Click the Save & Publish button to make the profile effective and push down to any assigned enrolled devices. 
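To check what a published passcode profile actually enforces, the following added example (not AirWatch code) parses an iOS configuration profile and flags passcode settings weaker than a baseline. It assumes the console options in the table correspond to the Apple passcode payload keys named in the comments; the sample profile and the baseline thresholds are constructed for illustration.

```python
import plistlib

PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"  # Apple passcode payload type

# Constructed sample profile; the values are illustrative, not from the article.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
    <key>allowSimple</key><true/>
    <key>requireAlphanumeric</key><false/>
    <key>maxInactivity</key><integer>15</integer>
    <key>pinHistory</key><integer>1</integer>
    <key>maxGracePeriod</key><integer>60</integer>
    <key>maxFailedAttempts</key><integer>10</integer>
  </dict></array>
</dict></plist>"""

# Payload key -> (console option from the table, check the value must pass).
# The label-to-key mapping and every threshold are assumptions for this example.
BASELINE = {
    "allowSimple": ("Allow Simple Value", lambda v: v is False),
    "requireAlphanumeric": ("Require alphanumeric value", lambda v: v is True),
    "maxInactivity": ("Auto-Lock", lambda v: 1 <= v <= 5),
    "pinHistory": ("Passcode history", lambda v: v >= 5),
    "maxGracePeriod": ("Grace period for device lock", lambda v: v <= 5),
    "maxFailedAttempts": ("Maximum number of failed attempts", lambda v: 1 <= v <= 10),
}


def audit_passcode_payloads(profile_bytes):
    """Return (key, console_label, value) for each setting weaker than BASELINE."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_TYPE]
    if not payloads:
        # A profile with no passcode payload enforces nothing at all.
        return [("<no passcode payload>", "Passcode", None)]
    findings = []
    for payload in payloads:
        for key, (label, passes) in BASELINE.items():
            value = payload.get(key)
            # An absent key means the setting is not enforced by this profile.
            if value is None or not passes(value):
                findings.append((key, label, value))
    return findings


if __name__ == "__main__":
    for key, label, value in audit_passcode_payloads(SAMPLE_PROFILE):
        print(f"WEAK {label} ({key}) = {value!r}")
```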


Enforcing device restrictions  


AirWatch allows you to limit how employees use their devices by locking down native functionality through restriction profiles. Using a restriction profile, you can remove access to the camera, iTunes and Google Play stores, iCloud, YouTube, and many other items.


To create a restriction policy:

1. Click on Restrictions from the Getting Started Wizard or navigate to Devices > Profiles > List View and click Add.

2. Select your device platform. In this example we will use Android.

3. Complete the General tab as described above, select the Restrictions payload, and click Configure.

4. In this example we have restricted the use of the camera.

5. Once you have selected the desired restrictions, click Save and Publish to push the profile to any enrolled devices.


Note: Some restrictions require a specific OS version or Android OEM. These requirements are shown next to the restriction on the right side of the screen. For example, restricting the camera on Android devices requires the device to be Android 4.0 and above, Lenovo v1+, Samsung SAFE v2+, and Intel 1.0+.




Enforcing Compliance Policies  


The AirWatch Compliance Engine is an automated tool that helps you ensure all devices adhere to your policies. Administrators configure policies and actions to be taken automatically as devices are detected as non-compliant.


To create a compliance policy:

1. Click on Compliance Policies from the Getting Started Wizard or navigate to Device > Compliance Policies > List View and click Add.  Select the desired compliance platform.



 2. Configure the rule you would like to enforce. In the example below, the rule checks whether a passcode is present on the device. Click Next.




3. Select the Actions you want to take if a device has violated the rules you configured.  In this example, the user will immediately be notified that they are non-compliant and AirWatch will request the device to check in and send a status update.  If the device is still listed as non-compliant after 4 hours, AirWatch will remove the user's email profile to restrict access to company email.  Click Next.



4. Select the devices this policy will apply to.  In this example, all Apple devices in the World Wide Enterprises Smart Group will be subject to this policy. Click Next.



5. Give your compliance policy a name and description. Click Finish and Activate to begin evaluating the compliance status of any enrolled devices.