
Out of Compliance and automated actions.. reasons to mark out of compliance??


James Selix


Question for my fellow XM10 masterminds..   B)

 

I've been the admin of our system since before Citrix owned XenMobile (i.e. the Zenprise days..); however, I'm a little at a loss on how to figure out why a few random devices are getting marked as out of compliance, so here goes....

 
We have migrated our 400+ devices from XenMobile 9 to XenMobile 10.3.5. We have configured three out of compliance automated actions; these three actions will mark a device as being out of compliance if: 1. Device is jailbroken or rooted, 2. non-compliant passcode (4 digit pin minimal) or 3. AD user account is disabled.
I have one user who has an iPhone on 9.3.1 and whose device this weekend was marked as out of compliance; however, his user account was not disabled in AD, his device shows a compliant passcode and policy, and the device is not jailbroken or rooted. I see no way to see what flagged his device as out of compliance. ALSO, we had never set up an automated action to move out of compliance devices back to compliant: THIS NEEDS TO BE ADDED TO THE GUIDES ON YOUR WEBSITE!! I only found that information once I searched for more info on how out of compliancy works.
 
We noticed this issue of devices being marked as not compliant mainly on iOS devices, and I have been resolving it by just changing the device property in the console on XM10.3.5.
 
Thoughts?

 


I know this is an old post, but I'm gonna reply anyway, in case others stumble into similar issues and are looking for an answer.

 

You should be able to see which automated action was triggered by editing the device in question, going to Delivery Groups, then under details look through the actions. You will see an "Automated action issued: SPECIFIC DETAILS HERE" if an automated action was triggered.

 

If the device is set as out of compliance using the Network Access Control settings, then it will not show in the Delivery Groups overview. Typical scenarios here are:

 

Anonymous Devices (will happen if user is disabled in AD).

Inactive Devices (been inactive the configured number of days; Settings, Server Properties, device.inactivity.days.threshold).

The rest is more or less self-explanatory.

 

The most likely reason is that a false positive has occurred on the jailbreak detection, which will set the device out of compliance and leave it there even though the device afterwards is correctly detected as not jailbroken. My experience is that this most often happens after an iOS upgrade or sometimes even a Secure Hub upgrade.

 

As to your note about automatically setting a device "in compliance" again, you have to be really careful doing this. You'll have to make sure the condition that sets a device in compliance takes into account ALL the possible scenarios that would set a device out of compliance, so that you don't have a) conflicting actions and b) don't set a device in compliance which should be out of compliance.

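An added illustration of the caution in the answer above (not part of the original posts and not Citrix code): a "set back to compliant" rule that checks only one condition conflicts with the other triggers named in this thread. The field names, sample devices and threshold value are constructed assumptions; the sketch models the logic only and does not call XenMobile.

```python
from dataclasses import dataclass

# Assumed value of the device.inactivity.days.threshold server property.
INACTIVITY_THRESHOLD_DAYS = 30

@dataclass
class Device:
    # Hypothetical inventory fields, not a XenMobile export format.
    name: str
    flagged: bool             # currently marked out of compliance
    jailbroken: bool          # latest jailbreak/root detection result
    passcode_ok: bool
    ad_user_disabled: bool    # also makes the device anonymous under NAC
    days_inactive: int

def active_triggers(d, threshold=INACTIVITY_THRESHOLD_DAYS):
    """Every condition that would mark this device out of compliance right now."""
    checks = [
        ("jailbroken_or_rooted", d.jailbroken),
        ("non_compliant_passcode", not d.passcode_ok),
        ("ad_user_disabled", d.ad_user_disabled),
        ("inactive", d.days_inactive >= threshold),
    ]
    return [name for name, hit in checks if hit]

def naive_reset(d):
    """Incomplete rule: only looks at the jailbreak result."""
    return d.flagged and not d.jailbroken

def safe_reset(d):
    """Reset only when no out-of-compliance trigger still holds."""
    return d.flagged and not active_triggers(d)

def wrongly_reset(devices):
    """Devices the naive rule would mark compliant while a trigger is active."""
    return {d.name: active_triggers(d) for d in devices
            if naive_reset(d) and not safe_reset(d)}

# Constructed sample devices.
DEVICES = [
    Device("iphone-a", True, False, True, False, 2),    # stale flag, e.g. false positive
    Device("galaxy-b", True, False, True, True, 1),     # AD user disabled
    Device("ipad-c", True, False, True, False, 45),     # inactive past threshold
    Device("phone-d", True, True, True, False, 0),      # still detected as jailbroken
    Device("phone-e", False, False, True, False, 3),    # compliant, not flagged
]

if __name__ == "__main__":
    print("safe to reset:", [d.name for d in DEVICES if safe_reset(d)])
    print("naive rule would wrongly reset:", wrongly_reset(DEVICES))
```
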
On 10/18/2017 at 6:41 AM, Brian Schmidt Pedersen1709153674 said:

I know this is an old post, but I'm gonna reply anyway, in case others stumble into similar issues and are looking for an answer.

 

You should be able to see which automated action was triggered by editing the device in question, going to Delivery Groups, then under details look through the actions. You will see an "Automated action issued: SPECIFIC DETAILS HERE" if an automated action was triggered.

 

If the device is set as out of compliance using the Network Access Control settings, then it will not show in the Delivery Groups overview. Typical scenarios here are:

 

Anonymous Devices (will happen if user is disabled in AD).

Inactive Devices (been inactive the configured number of days; Settings, Server Properties, device.inactivity.days.threshold).

The rest is more or less self-explanatory.

 

The most likely reason is that a false positive has occurred on the jailbreak detection, which will set the device out of compliance and leave it there even though the device afterwards is correctly detected as not jailbroken. My experience is that this most often happens after an iOS upgrade or sometimes even a Secure Hub upgrade.

 

As to your note about automatically setting a device "in compliance" again, you have to be really careful doing this. You'll have to make sure the condition that sets a device in compliance takes into account ALL the possible scenarios that would set a device out of compliance, so that you don't have a) conflicting actions and b) don't set a device in compliance which should be out of compliance.

 

 

I have a similar scenario where we have 2 users whose devices are showing the following error. One with an iPhone and one with Android (Samsung Galaxy).

"Compliance Error" Your device is out of compliance. Please contact your administrator. No device PIN/Passcode.

I checked the Device Details and in Actions it shows "SelectiveWipeWhenADUsersAccountIsDisabled" and the Last deployed time stamp shows 8/5/2020 9:08 am, same with another user and SelectiveWipeWhenADUsersAccountIsDisabled was deployed on a different date. She was the first one who had this issue.

How can I fix this?

 

 

 

 

Edited by jfranci418
corrected some info