When building compliance policies, it is best to keep each rule and policy as simple as possible. For example, if you want to check whether a device is compromised, contains any of 10 harmful applications, and is above a certain OS version, it is best to separate these checks into 3 different compliance policies. If a device fails the compliance check for any of these policies, its status changes from Compliant to Non-Compliant, and any other actions specified in the violated policy are performed. Separating the payloads of each policy gives you much more granularity in defining your rules and the resulting actions. It also makes it much simpler to report on the compliance status of your entire device fleet, including exactly why any individual device is currently non-compliant.
Additionally, when configuring an application check for devices, it is recommended to use an App Group, rather than individually listing every application directly in the compliance policy. This approach is much more efficient, and makes it much simpler to update this list over time, without having to edit and re-deploy the compliance policy after every change.
For example, if you were looking to blacklist 10 specific applications from enrolled devices, follow the steps below:
- In the AirWatch Console, navigate to Apps & Books > Applications > Application Settings > App Groups. Select "Add Group".
- Configure the Application Group. Select the Platform and the type of group, and then enter the necessary applications. In this example, set the type to "Blacklist".
- Once you save the App Group, navigate in the AirWatch Console to Devices > Compliance Policies > List View. Then add a policy.
- On the Rules tab, set a single rule for Application List Contains Blacklisted Apps.
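The following added example is a small Python model of the two recommendations above (single-rule policies and an App Group referenced by the policy); it is not AirWatch code and does not use the AirWatch API. The policy names, app identifiers, device records and the 9.0 minimum OS version are all constructed for illustration.

```python
# Illustrative model only: not AirWatch code or its API. All names are hypothetical.
from collections import Counter

# The App Group lives outside the policy, so the list can change
# without editing or re-deploying the policy that references it.
APP_GROUPS = {"blacklist-android": {"com.example.badapp1", "com.example.badapp2"}}  # constructed

def parse_version(text):
    """Turn '10.2.1' into (10, 2, 1) so 10.x compares above 9.x (string compare would not)."""
    return tuple(int(part) for part in text.split("."))

# Three single-rule policies instead of one combined policy.
# Each callable returns True when the device VIOLATES that policy.
POLICIES = {
    "Compromised Status": lambda d: d["compromised"],
    "Blacklisted Apps": lambda d: bool(set(d["apps"]) & APP_GROUPS["blacklist-android"]),
    "Minimum OS Version": lambda d: parse_version(d["os"]) < parse_version("9.0"),  # assumed minimum
}

def violated_policies(device):
    """Names of every policy the device currently violates."""
    return [name for name, is_violated in POLICIES.items() if is_violated(device)]

def fleet_report(devices):
    """Return (status per device, reasons per device, violation count per policy)."""
    reasons = {d["name"]: violated_policies(d) for d in devices}
    status = {n: "Non-Compliant" if v else "Compliant" for n, v in reasons.items()}
    counts = Counter(name for v in reasons.values() for name in v)
    return status, reasons, dict(counts)

FLEET = [  # constructed sample inventory
    {"name": "tablet-01", "compromised": False, "os": "10.2", "apps": ["com.example.mail"]},
    {"name": "phone-02", "compromised": True, "os": "8.1", "apps": ["com.example.badapp1"]},
    {"name": "phone-03", "compromised": False, "os": "9.0", "apps": ["com.example.game"]},
]

if __name__ == "__main__":
    status, reasons, counts = fleet_report(FLEET)
    for name in status:
        print(name, status[name], reasons[name])
    print("Violations per policy:", counts)
```

Because each policy holds one rule, the report names the exact policy a device violated, and adding an entry to the group changes the result of the application check while the policy definition stays untouched.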