Create a Compliance Rule

We will now create another Compliance rule that causes our device to become non-compliant. This lets us validate the authentication flow in the scenario where the device is non-compliant.

1. Add a Compliance Policy

Back in the Workspace ONE UEM console in Chrome:

  1. Click Devices.
  2. Click Compliance Policies.
  3. Click List View.
  4. Click Add.

1.1. Select Compliance Platform Type

Click on the Windows icon.

NOTE - Do NOT select Windows Rugged icon.

1.2. Select Compliance Device Type

Click on the Windows Desktop icon.

1.3. Select Encryption

  1. Click the Rules dropdown and select Encryption.
  2. Select is not encrypted.
  3. Click Next.

1.4. Configure Additional Compliance Action

  1. Select Profile from the Actions dropdown.
  2. Ensure Block/Remove All Profiles is selected.
  3. Click Next.

This Action will remove all profiles from the device immediately upon becoming non-compliant.  However, it will leave the device enrolled so that all of the Profiles will be re-installed when the device comes back into compliance.

1.5. Create Compliance Assignment

  1. Select All Devices ([email protected]) for the Assigned Groups.
  2. Click Next.

1.6. Activate the Compliance Rule

Click Finish & Activate.

2. Confirm Device is Non-Compliant

With the new Compliance Policy in place, we will now confirm that our device is showing as non-compliant.  Because our enrolled Windows 10 device is not encrypted, and our Compliance Policy requires devices to be encrypted, it will be marked as non-compliant once the policy applies.

2.1. Open the Device List View

  1. Click Devices.
  2. Click List View.

2.2. Confirm the Device Shows as Non-Compliant

  1. You may need to scroll right to see the Compliance Status column for your Windows 10 device.
  2. Confirm that the enrolled Windows 10 device shows Non-Compliant. This may take a few minutes because the compliance check runs every 5 minutes.
  3. If the device does not yet show Non-Compliant, click the Refresh icon to reload the page.

NOTE - You may need to wait several minutes for the Compliance Check to complete since it runs every 5 minutes.  Please continue to refresh every few minutes until you see the device marked as Non-Compliant before proceeding.

2.3. Open the Microsoft Management Console

  1. Click the Windows button.
  2. Type user certificates; the Search bar will populate as you type.
  3. Click the Manage user certificates option.

2.4. Allow the Microsoft Management Console to make changes

Click Yes when asked if you want to allow this app to make changes to your device.

2.5. Confirm the aduser Certificate is Removed

  1. Click the Personal folder to expand it.
  2. Click the Certificates folder.
  3. Check if the aduser certificate still exists.
  4. If the aduser certificate exists, wait a few minutes and click the Refresh button to check again.  Continue to refresh until you see that the aduser certificate is no longer shown.

Do not continue to the next step until you have confirmed that the aduser certificate has been removed.

NOTE - Due to lab scalability and limitations, the aduser certificate may take a few minutes to be removed.
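The two facts behind this section can also be checked from the Windows 10 VM itself instead of by clicking through the console and certmgr: whether the OS volume is actually unencrypted (the condition the Encryption rule evaluates) and whether the certificate delivered by the profile is gone from the current user's Personal store (the effect of the Block/Remove All Profiles action). The script below is an added example written for this guide, not part of the lab or of Workspace ONE; it uses only the built-in BitLocker and certificate provider cmdlets. It assumes an elevated PowerShell session running as the enrolled user, and that the issued certificate's Subject contains the string aduser (an assumption; adjust SubjectMatch to whatever subject your certificate profile issues).

```powershell
# Added example (not part of the lab guide). Confirms on the Windows 10 VM:
#   1. the BitLocker state of the OS volume (what the Encryption compliance rule acts on), and
#   2. that the certificate from the removed profile is no longer in Cert:\CurrentUser\My.
# Run in an elevated PowerShell session as the enrolled user. Save as Check-Compliance.ps1.
param(
    [string]$SubjectMatch = 'aduser',   # substring expected in the cert Subject (assumption)
    [int]$TimeoutMinutes  = 15,         # give up after this long
    [int]$PollSeconds     = 30          # compliance check runs every 5 minutes, so poll slowly
)

# 1. Why the device is non-compliant: the OS volume is not BitLocker-encrypted.
try {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    Write-Host ("{0} VolumeStatus={1} ProtectionStatus={2}" -f $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus)
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        Write-Warning 'OS volume is not fully decrypted; the "is not encrypted" rule may not fire and the profile will stay.'
    }
} catch {
    # Get-BitLockerVolume is unavailable on editions without the BitLocker module.
    Write-Warning "Could not query BitLocker state: $($_.Exception.Message)"
}

# 2. Effect of the action: poll the user's Personal store until the certificate is gone.
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    $certs = Get-ChildItem -Path Cert:\CurrentUser\My |
             Where-Object { $_.Subject -like "*$SubjectMatch*" }
    if (-not $certs) {
        Write-Host "No certificate matching '$SubjectMatch' in Cert:\CurrentUser\My; profile removal has taken effect."
        break
    }
    foreach ($c in $certs) {
        Write-Host ("Still present: {0} Thumbprint={1} NotAfter={2}" -f $c.Subject, $c.Thumbprint, $c.NotAfter)
    }
    Write-Host ("Waiting {0}s (giving up at {1:HH:mm:ss})..." -f $PollSeconds, $deadline)
    Start-Sleep -Seconds $PollSeconds
} while ((Get-Date) -lt $deadline)

if ($certs) {
    Write-Warning "Certificate still present after $TimeoutMinutes minutes; check the device's Compliance Status in the UEM console."
}
```

The script only reports what the local machine sees. A certificate that has disappeared from the user store has been deleted by the profile removal; that says nothing about its status at the issuing CA, which this lab does not cover.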

3. Launch the Workspace ONE App

Now that our Windows 10 device is showing as non-compliant, let us return to the Workspace ONE app on the Windows 10 VM and see how the authentication flow has changed for our non-compliant device.

3.1. Launch the Workspace ONE App

  1. Click the Windows button.
  2. Click the Workspace ONE app icon from the start menu.

3.2. Enter the Workspace ONE Server Address (IF NEEDED)

Your Workspace ONE app may have already validated the workspace server URL.  If you are prompted to enter a username rather than a workspace server URL, you can skip this step.

  1. The server address should already be set when the Workspace ONE app launches; if the Server Address field is empty, enter the value.
  2. Click Continue.

3.3. Enter Your Username for Workspace ONE

  1. Enter aduser for the username.
  2. Click Next.

3.4. Confirm Authentication Failure

  1. Confirm that authentication into the Workspace ONE app now fails.

    The authentication fails because our encryption Compliance Policy was set up to remove all Profiles should the device become non-compliant. Since the Windows 10 device we are testing from is not encrypted, the device became non-compliant once the Compliance Check completed, and the Profile containing the certificate used to log in to the Workspace ONE portal was removed along with the certificate it delivered to the user's certificate store. Without the certificate, the user can no longer log in to the Workspace ONE app. Note that this removes the certificate from the device; whether the issuing CA also revokes it depends on the certificate authority integration, which this lab does not cover.
  2. Click the Close button to exit the Workspace ONE app.
