3 Mobile Security Policies Page Help

Organizations use mobile security policies to empower users by provisioning apps to mobile devices and enabling mobile access to corporate file shares. Policies also protect sensitive data by restricting users' actions and access based on role assignments. System Administrators assign policies to roles, not directly to individual users. For each individual user, Mobile Security Manager merges the policies assigned to the user's roles (the applicable policies) and arrives at the Effective Policy, which is the merge of all policy elements across the applicable policies. The Effective Policy is the policy that is enforced on the device or Workspace. To view a user's Effective Policy, use the Mobile Devices page to search for and view details about the devices or Workspaces registered to the user. For details, see "Devices Page Help."

The following topics are covered:

  • Policy Search

  • Policy Management Page (Create Policy Page)

3.1 Policy Search

Use the Policy Search page to:

  • Search for a policy.

  • View a policy.

  • Open the Policy Management View that you use to create or edit a policy.

The Policy Search View page is arranged in the following sections:

Command Bar and Search

Use the Search controls to create a query based on filter conditions. The controls are described in the following table.

Element Description

Search

Type a search term and press the search button. You can search by role name, policy name, or policy description. Role name search is case sensitive. If you are searching by role name, enter the whole name using the exact sequence of upper and lowercase characters.

You cannot use wildcards, but partial matches return results; for example, cal returns results for "Calculator."

Add

Click to open the Create Policy dialog from which you can create a new policy. (Systems Administrators only.)

Table of Policies (Search Results Section)

This section of the Mobile Security Policies page lists policies that meet the search criteria.

Element Description

Name

The name of the mobile security policy. Click the policy record to expand it and display additional details; click again to hide the policy details. Use the expanded policy management record to edit the policy.

Description

A short description to help you or another administrator identify this policy in the future.

Roles

Lists the mobile roles to which the mobile security policy has been added.

Actions

Systems Administrators can choose from the following:
  • Duplicate - Opens the policy in Policy Management View so that you can create a copy of the policy with a new name.

  • Remove - Deletes the policy after asking you to confirm the action.


"How to Perform Common Mobile Security Policy Tasks" in Administering Oracle Mobile Security Suite

3.2 Policy Management Page (Create Policy Page)

Use the Policy Management page and Create Policy page to:

  • View policy details.

  • Create, duplicate, or edit a policy.

  • Delete a policy.

  • Add a role to a policy; remove a role from a policy.

Only Systems Administrators can create, duplicate, edit, or delete a policy, associate a role with a policy, or remove a role from a policy.

Note:

When policies are in conflict the system typically enforces the most restrictive policy. For details, see "Understanding How the System Enforces Policy Conflicts" in Administering Oracle Mobile Security Suite.
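The role-based merge described at the top of this page and in the note above, as an added example that is not part of the original help page: policies are assigned to roles, a user inherits policies assigned to parent roles unless one of the user's roles is listed as an excluded child role, and conflicting settings resolve to the most restrictive value. The role hierarchy, the sample policies and the per-setting rules in MOST_RESTRICTIVE are constructed assumptions about what "most restrictive" means, not values from the product.

```python
from dataclasses import dataclass, field

# Constructed sample role hierarchy: child role -> parent role. A policy
# assigned to a parent role also reaches holders of its child roles, which is
# why the Roles tab offers "Excluded Child Roles" to exempt one of them.
ROLE_PARENT = {
    "Vice Presidents": "Employees",
    "Contractors": "Employees",
    "Employees": None,
}

# Assumed merge rule per setting. The page says conflicting policies
# "typically" resolve to the most restrictive value; these functions encode
# what "most restrictive" means for a few settings named on this page.
MOST_RESTRICTIVE = {
    "max_devices_per_user": min,       # fewer devices is stricter
    "inactivity_duration_days": min,   # flag inactive devices sooner
    "idle_timeout_minutes": min,       # lock the Workspace sooner
    "password_min_length": max,        # longer minimum is stricter
    "password_history": max,           # remember more old passwords
    "camera_disabled": any,            # a restriction beats no restriction
    "copy_paste_restricted": any,
}


@dataclass
class Policy:
    name: str
    roles: set
    excluded_child_roles: set = field(default_factory=set)
    settings: dict = field(default_factory=dict)


def role_closure(direct_roles):
    """Every role a user holds, including all ancestors via ROLE_PARENT."""
    held, pending = set(), list(direct_roles)
    while pending:
        role = pending.pop()
        if role in held:
            continue
        held.add(role)
        if ROLE_PARENT.get(role):
            pending.append(ROLE_PARENT[role])
    return held


def applicable_policies(direct_roles, policies):
    """Policies assigned to one of the user's roles (or an ancestor of one),
    skipping any policy that lists one of the user's roles as an excluded
    child role."""
    held = role_closure(direct_roles)
    return [p for p in policies
            if held & p.roles and not (held & p.excluded_child_roles)]


def effective_policy(direct_roles, policies):
    """Merge the applicable policies setting by setting into the Effective
    Policy that would be enforced on the device or Workspace."""
    merged = {}
    for policy in applicable_policies(direct_roles, policies):
        for key, value in policy.settings.items():
            if key in merged:
                merged[key] = MOST_RESTRICTIVE[key]([merged[key], value])
            else:
                merged[key] = value
    return merged


# Constructed sample policies, not from the original page.
POLICIES = [
    Policy("Baseline", {"Employees"}, settings={
        "max_devices_per_user": 3, "password_min_length": 6,
        "idle_timeout_minutes": 30, "camera_disabled": False}),
    Policy("Contractor Lockdown", {"Contractors"}, settings={
        "max_devices_per_user": 1, "camera_disabled": True,
        "copy_paste_restricted": True}),
    Policy("Exec Devices", {"Vice Presidents"}, settings={
        "password_min_length": 8, "idle_timeout_minutes": 5}),
    # Applies to all Employees except the Vice Presidents child role.
    Policy("Strict Passcode", {"Employees"},
           excluded_child_roles={"Vice Presidents"},
           settings={"password_min_length": 10, "password_history": 5}),
]

if __name__ == "__main__":
    for user_roles in ({"Contractors"}, {"Vice Presidents"}):
        print(sorted(user_roles), "->", effective_policy(user_roles, POLICIES))
```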

The Policy Management (Create Policy) page is arranged in the following sections:

Tip:

When editing a policy, click Apply to save your changes, or click Revert to reset the page to the last saved version.

In the Create Policy wizard, click Next to proceed to the next configuration page; click Finish to save the policy and close the wizard; click Cancel to close the wizard without saving.

General Information

Enter or view the policy name and description.

Element Description

Policy Name

The name of the mobile security policy.

Description

A short description to help you or another administrator identify this policy in the future.

Roles

Use the Roles tab to:

  • View the roles currently assigned to the policy.

  • Add one or more roles to the policy.

  • Remove one or more roles from the policy.

  • Exclude a child role from the policy. Do this to exempt a role from a policy that applies to a parent role.

Only Systems Administrators can use the Roles tab to add or remove roles, or exclude child roles.

Element Description

View

Click View > Detach to open the table in a larger window.

Add

Click to add a new Role Name row to the table.

Remove

Click a Role Name row to select it (the row should be highlighted), then click Remove to delete the row.

Role Name

When adding a role to a policy, type the role name or click the search feature.

Description

A short description to help you or another administrator identify this role in the future.

Excluded Child Roles 

Element Description

View

Click View > Detach to open the table in a larger window.

Add

Click to add a new Excluded Child Role Name row to the table.

Remove

Click an Excluded Child Role Name row to select it (the row should be highlighted), then click Remove to delete the row.

Role Name

Type the name of the child role(s) to exclude. For example, if you need to exempt VPs from a policy that covers the Employees (parent) role, add the Vice Presidents (child) role as an excluded role. Note that when entering a role name, auto-complete returns all matching role names, not just the names of valid child roles.

Enrollment

Use the Enrollment tab to view the enrollment and compliance settings assigned to the policy. Only Systems Administrators can edit enrollment/compliance settings. The Enrollment tab is arranged in the following sections:

  • Device Criteria

  • Enrollment Data

  • Additional Compliance Rules

Element Description

Selected Roles

The roles that this policy will affect. Click the Roles tab to add and remove roles.

Specify enrollment/compliance details for this policy

To specify enrollment/compliance details for this policy, select the check box. Keep in mind that when multiple policies are assigned to a role, the policies are merged. If enrollment/compliance details are specified for this policy, the values will be merged with the enrollment/compliance values from other policies.

To create a policy without specifying enrollment/compliance values, clear the option box.


Device Criteria 

Element Description

Platforms

Indicates the device platforms that are eligible for enrollment under this policy. Clear an option to exclude it.

Minimum Version

Indicates the oldest version of the platform software that is eligible for enrollment under this policy. For example, for iOS, setting a value of 8.0 will block iOS 7.0.4 from enrolling.

Maximum Number of Devices Per User

Indicates the most devices that a user can enroll under this policy.

Inactivity Duration

Indicates the number of days since the device/Workspace has been in contact with the Mobile Security Manager before the device is considered to be inactive. Inactivity Duration can be used in combination with Inactivity Duration Action (in the Additional Compliance Rules section at the bottom of the page) to trigger a security action.

Enrollment Data 

Element Description

Invite Template

Indicates the e-mail template that is used to invite users to enroll in the mobile security management system. Notification templates are managed on the Mobile Security Manager Settings page.

Identity Certificate

Indicates the certificate template that will be used when generating certificates in the Workspace app to identify and authenticate users. Certificate templates are managed on the Mobile Security Manager Settings page.

Additional Certificates

Indicates the certificate template that will be used when generating certificates in the Workspace app for additional purposes such as signing and encryption.

Allow Client Specific Builds

Select to choose the Workspace app builds that are allowed to register with the Mobile Security Manager. This ensures that Workspace app builds for other Oracle customers, or builds from public app stores, cannot register with this Mobile Security Manager deployment.

Allow Client Builds

The set of Workspace app builds that are allowed to register with the Mobile Security Manager.

Additional Compliance Rules

On managed devices (MDM+MAM deployments), compliance rule checks occur (1) during the enrollment process, (2) whenever the device Sync command is issued from the MSM server, and (3) every night at a set time when the ComplianceCheckTrigger scheduled job runs and flags non-compliant devices. On unmanaged devices (MAM-only deployments), compliance rule checks happen (1) during the enrollment process, (2) whenever a policy is updated, and (3) every night when the ComplianceCheckTrigger scheduled job runs on the device and evaluates all enrolled devices for policy compliance.

Element Description

Device Criteria Violation

Indicates the security action to take if the policy parameters specified in the Device Criteria section are violated. Note that Inactivity Duration is a separate security action.

This compliance rule applies to both managed and unmanaged devices. Note that the Wipe action is different for managed and unmanaged devices.

  • Lock - Disables the Secure Workspace from operating and stops user access to virtual applications or information.

  • Wipe - On managed devices: De-registers the managed device from MSM, removes profiles, and wipes the Workspace and the user data that it contains. Following this action the device is no longer controlled by the server.

    On unmanaged devices: Resets the Workspace to its original system state by erasing all of the stored data.

  • Do Nothing - Do not take any action.

Device Jailbroken

Indicates the security action to take if the device operating system is found to be jailbroken.

This compliance rule applies to both managed and unmanaged devices. Note that the Wipe action is different for managed and unmanaged devices.

  • Lock - Disables the Secure Workspace from operating and stops user access to virtual applications or information.

  • Wipe - On managed devices: De-registers the managed device from MSM, removes profiles, and wipes the Workspace and the user data that it contains. Following this action the device is no longer controlled by the server.

    On unmanaged devices: Resets the Workspace to its original system state by erasing all of the stored data.

  • Do Nothing - Do not take any action.

Blacklisted Apps Installed

Indicates the security action to take if an app marked as Blacklisted is installed. This compliance rule applies to managed devices only.
  • Lock - Disables the Secure Workspace from operating and stops user access to virtual applications or information.

  • Wipe - De-registers the managed device from MDM, removes profiles, and wipes the Workspace and the user data that it contains. Following this action the device is no longer controlled by the server.

  • Do Nothing - Do not take any action.

Inactivity Duration Action

Indicates the security action to take if the Inactivity Duration value is exceeded.

This compliance rule applies to both managed and unmanaged devices. Note that the Wipe action is different for managed and unmanaged devices.

  • Lock - Disables the Secure Workspace from operating and stops user access to virtual applications or information.

  • Wipe - On managed devices: De-registers the managed device from MSM, removes profiles, and wipes the Workspace and the user data that it contains. Following this action the device is no longer controlled by the server.

    On unmanaged devices: Resets the Workspace to its original system state by erasing all of the stored data.

  • Do Nothing - Do not take any action.

Passcode Compliance Action

Indicates the security action to take if the device passcode value is out of compliance with the policy. If the iOS Clear Passcode command is issued, the user must enter a compliant passcode within the time allotted by the Passcode Expiration setting (defined under Server Settings). The default value is 60 minutes. If a passcode is not entered in time, the device is marked as non-compliant and the system carries out the Passcode Compliance Action.

This compliance rule applies to both managed and unmanaged devices. Note that the Wipe action is different for managed and unmanaged devices.

  • Lock - Disables the Secure Workspace from operating and stops user access to virtual applications or information.

  • Wipe - On managed devices: De-registers the managed device from MSM, removes profiles, and wipes the Workspace and the user data that it contains. Following this action the device is no longer controlled by the server.

    On unmanaged devices: Resets the Workspace to its original system state by erasing all of the stored data.

  • Do Nothing - Do not take any action.
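The compliance rules in this section, worked through as an added example that is not part of the original help page: Device Criteria (platform, Minimum Version compared numerically so that 7.0.4 fails an 8.0 floor, Maximum Number of Devices Per User), Device Jailbroken, Blacklisted Apps Installed (managed devices only), Inactivity Duration Action and Passcode Compliance Action, with Wipe meaning different things on managed and unmanaged devices. The data classes, the sample policy and the placeholder app id are constructed for the example.

```python
from dataclasses import dataclass, field


def version_tuple(version):
    """'7.0.4' -> (7, 0, 4): compare numerically, because as strings
    '10.0' would sort below '8.0'."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class Device:
    platform: str                 # "iOS" or "Android"
    os_version: str
    managed: bool                 # True = MDM+MAM, False = MAM-only
    jailbroken: bool = False
    days_since_contact: int = 0
    installed_apps: set = field(default_factory=set)
    passcode_compliant: bool = True


@dataclass
class CompliancePolicy:
    platforms: set
    minimum_version: dict         # platform -> oldest eligible version
    max_devices_per_user: int
    inactivity_duration_days: int
    blacklisted_apps: set
    actions: dict                 # rule name -> "Lock" | "Wipe" | "Do Nothing"


def describe_wipe(device):
    """Wipe means different things on managed and unmanaged devices."""
    if device.managed:
        return "Wipe (de-register from MSM, remove profiles, wipe Workspace)"
    return "Wipe (reset Workspace to original state)"


def device_criteria_violated(device, policy, devices_for_user):
    """Platform, Minimum Version and Maximum Number of Devices Per User.
    Inactivity is checked separately, as the page describes."""
    if device.platform not in policy.platforms:
        return True
    floor = policy.minimum_version.get(device.platform)
    if floor and version_tuple(device.os_version) < version_tuple(floor):
        return True
    return devices_for_user > policy.max_devices_per_user


def evaluate(device, policy, devices_for_user=1):
    """Return (rule, action) pairs for every compliance rule this device
    trips, with 'Do Nothing' rules dropped and Wipe spelled out per device type."""
    acts = policy.actions
    triggered = []
    if device_criteria_violated(device, policy, devices_for_user):
        triggered.append(("Device Criteria Violation", acts["Device Criteria Violation"]))
    if device.jailbroken:
        triggered.append(("Device Jailbroken", acts["Device Jailbroken"]))
    # Blacklisted Apps Installed applies to managed devices only.
    if device.managed and device.installed_apps & policy.blacklisted_apps:
        triggered.append(("Blacklisted Apps Installed", acts["Blacklisted Apps Installed"]))
    if device.days_since_contact > policy.inactivity_duration_days:
        triggered.append(("Inactivity Duration Action", acts["Inactivity Duration Action"]))
    if not device.passcode_compliant:
        triggered.append(("Passcode Compliance Action", acts["Passcode Compliance Action"]))
    return [(rule, describe_wipe(device) if action == "Wipe" else action)
            for rule, action in triggered if action != "Do Nothing"]


# Constructed sample policy; the app id is a placeholder, not a real app.
POLICY = CompliancePolicy(
    platforms={"iOS", "Android"},
    minimum_version={"iOS": "8.0", "Android": "4.4"},
    max_devices_per_user=2,
    inactivity_duration_days=30,
    blacklisted_apps={"com.example.blacklisted"},
    actions={
        "Device Criteria Violation": "Lock",
        "Device Jailbroken": "Wipe",
        "Blacklisted Apps Installed": "Lock",
        "Inactivity Duration Action": "Lock",
        "Passcode Compliance Action": "Do Nothing",
    },
)

if __name__ == "__main__":
    print(evaluate(Device("iOS", "7.0.4", managed=True), POLICY))
    print(evaluate(Device("Android", "5.0", managed=False, jailbroken=True,
                          days_since_contact=45), POLICY))
```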


Device

Use the Device tab to view device-specific settings assigned to the policy. Only Systems Administrators can define an MDM policy and edit device-specific settings.

Note:

Use the Device tab to define an MDM policy. Only specify device details if the policy is intended for managed devices. If an unmanaged device tries to run an MDM policy, it will report an error on the device.

The Device tab is arranged in the following sections:

  • Restrictions

  • Authentication

  • Android Device Encryption

Element Description

Selected Roles

The roles that this policy will affect. Click the Roles tab to add and remove roles.

Specify device details for this policy

To specify device settings for this policy, select the option box. Keep in mind that when multiple policies are assigned to a role, the policies are merged. If device settings are specified for this policy, the values will be merged with the device settings from other policies. For MAM-only devices, do not specify device policy settings.

To create a policy without specifying device settings, clear the option box.


Restrictions

Device restrictions applicable to the device.

Element Description

General

Select an option in this category to disable it; clear a check box to enable it. This applies to all platforms (both iOS and Android devices).

Camera

Prevents use of the camera.

iOS

Select an iOS-specific option in this category to disable it; clear a check box in this category to enable it. Refer to the iOS documentation for details about specific functionality.

App Installation

Removes the App Store icon and prevents users from installing or updating apps using the Apple App Store.

Assistant

Disables Siri.

Assistance while device locked

Disables Siri when the device is locked. This restriction is ignored if the device does not have a passcode set. (iOS 5.1 and later)

Cloud Backup

Prevents backing up the device to iCloud. (iOS 5.0 and later)

Cloud Document Sync

Prevents document syncing to iCloud. (iOS 5.0 and later)

Cloud Keychain Sync

Prevents iCloud Keychain synchronization. (iOS 7.0 and later)

Diagnostic Submission

Prevents diagnostic data from being reported to Apple. (iOS 6.0 and later)

Explicit Content

Blocks explicit music or video content purchased from the iTunes Store.

Fingerprint for Unlock

Disables the Touch ID feature, which unlocks the device using fingerprints. (iOS 7.0 and later)

Lock Screen Control Center

Prevents the Control Center (accessed by swiping up from the bottom of the screen) from appearing on the lock screen. (iOS 7.0 and later)

Lock Screen Notifications View

Blocks the Notification Center from showing on the lock screen. (iOS 7.0 and later)

Lock Screen Today View

Blocks the Today View from showing on the lock screen. (iOS 7.0 and later)

Ad Tracking

Limits ad tracking.

iTunes

Removes the iTunes icon and prevents access to the iTunes music store.

iTunes Store Password Entry

Requires the user to enter a valid iTunes password before every transaction.

Untrusted TLS Prompt

Automatically rejects untrusted HTTPS certificates without prompting the user. (iOS 5.0 and later)

Shared Stream

Blocks the shared albums or shared Photo Stream feature. (iOS 6.0 and later)

Screenshot

Prevents users from saving a screen capture of the display.

Safari

Removes the Safari icon and prevents the use of the Safari Web browser. This also prevents users from opening Web clips.

Photo Stream

Disables the Photo Stream feature. (iOS 5.0 and later)

Passbook While Locked

Prevents the Passbook notifications from being shown on the lock screen. (iOS 6.0 and later)

Over-the-air PKI Updates

Prevents over-the-air PKI updates. This restriction does not disable CRL and OCSP checks. (iOS 7.0 and later)

Authentication

Authentication settings applicable to the device.

Note:

If a password policy is enforced on an iOS device, iOS automatically enables the Auto Lock feature. This iOS feature cannot be overridden or disabled by the user or Mobile Security Manager.

Element Description

Password Required

Select to enable password authentication and activate the form for editing.

Password Minimum Length

The least number of characters that the system will accept when the user creates a password.

Password History

The number of passwords that the system will retain to prevent a user from reusing the same passwords.

Maximum Idle Timeout for Auto Lock

The number of minutes before an inactive device is locked.

Maximum Failed Attempts Before Device Wipe

Indicates the number of failed authentication attempts allowed before the system deletes the Workspace and the user data that it contains. When the maximum number of attempts is exceeded, the system resets the device to its original factory state by erasing all of the stored settings, data, and applications.

Password Expiry

Indicates if the user credential should expire after a set number of days.
  • Set Days - The user credential expires after the number of days defined in Password Expiry Duration has elapsed. The user must change the password once it expires. If the user does not change the password, the device is marked as non-compliant.

  • Never - The password does not expire.

Password Expiry Duration

The number of days that the user credential will remain valid, after which the user must choose a new password.

Password Complexity

  • Simple - The system does not impose any password requirements. The user can use any combination of letters, numbers, and/or special characters.
  • Alphanumeric - The password must contain letters and numbers.

  • Complex - The password must contain at least one letter, one number, and one special character.


Android Device Encryption 

Element Description

Turn on Device Encryption

Enables device encryption for Android devices. This option cannot be turned off again once the policy is saved. This option is not available for devices running Android 5.0 (Lollipop) or higher because Device Encryption is always turned on automatically.

Workspace

Use the Workspace tab to view Workspace settings assigned to this policy. Only Systems Administrators can specify Workspace settings. The Workspace tab is arranged in the following sections:

  • Authentication

  • Workspace/Apps

  • Application Settings

  • Time Access / Geo Access

Element Description

Selected Roles

The roles that this policy will affect. Click the Roles tab to add and remove roles.

Specify Workspace details for this policy

To specify Workspace settings for this policy, select the option box. Keep in mind that when multiple policies are assigned to a role, the policies are merged. If Workspace settings are specified for this policy, the values will be merged with the Workspace settings from other policies.

To create a policy without specifying Workspace settings, clear the option box.


Authentication

Note:

PIN settings only apply for PKI authentication and clients configured for PKINIT authentication.

Element Description

Authentication Only

Select to hide the contents of the Workspace from the user if the Workspace container is being used purely as an authentication client and not for any app UI.

Authentication Frequency

Specifies how often the user sees the login screen:
  • Always - The user must authenticate every time they try to access the Secure Workspace on their device.

  • Idle Timeout - Enforces authentication each time the Idle Timeout Period has been reached. The Timeout Period is the number of minutes a container is allowed to remain inactive before the login screen is shown; the maximum is two hours. Time that the user spends outside the container is counted against idle time.

  • Session - Allows users to exit the Mobile Security Container to use other apps and does not require them to log in upon return until the session ends. A session expires when the Oracle S-token expires (configurable with a default of 10 hours) or the device closes the app due to low memory.

Idle Timeout Period

The number of minutes before the Workspace is considered to be idle. To be used in combination with the Authentication Frequency - Idle Timeout setting.

Account Lockout Threshold

The number of failed authentication attempts allowed before the Account Lockout Action is triggered.

Account Lockout Action

The action to take when the Account Lockout Threshold has been exceeded:
  • Do Nothing - Do not take any action.

  • Lock - Disables the Secure Workspace from operating and stops user access to virtual applications or information. Only an administrator can unlock the account using the Mobile Security Manager console. Once the Workspace is unlocked, the user still has to log in.

  • Wipe - Delete the Workspace and the user data that it contains.

Shared Workspace Mode

Configures how the Secure Workspace functions on a device that is shared by multiple users. Choose from the following:
  • Single User - The Workspace will only be used by a single user on a given device.

  • Multi-User - The Workspace can be shared by multiple users on a given device. The Workspace data will be wiped every time a user logs out of the Workspace.

PIN History

The number of user credentials that the system will retain to prevent a user from reusing the same PIN.

PIN Minimum Length

The least number of characters that the system will accept when the user creates a PIN.

PIN Expiry

Indicates if the user credential should expire after a set number of days.
  • Set Days - The user credential expires after the number of days defined in PIN Expiry Duration has elapsed.

  • Never - The PIN does not expire.

PIN Expiry Duration

The number of days that the user credential will remain valid, after which the user must choose a new PIN. If the user does not change the PIN, the device is marked as non-compliant.

PIN Complexity

Indicates if minimum requirements are enforced when users create PIN values.

PIN Complexity Min Checks

A number between 1 and 4 that indicates how many of the following PIN must contain... requirements must be satisfied.

If the number of options selected below is greater than the PIN Complexity Min Checks value, users may set their PIN with any combination of options that meets the requirements. For example, if PIN Complexity Min Checks is 2 and all four complexity types are selected, a PIN with any combination of two or more of the requirements is acceptable.

PIN must contain lowercase

A check mark indicates that the PIN must include at least one lowercase letter.

PIN must contain uppercase

A check mark indicates that the PIN must include at least one uppercase letter.

PIN must contain special character

A check mark indicates that the PIN must include at least one special character.

PIN must contain numeric

A check mark indicates that the PIN must include at least one numeric character.
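The PIN rules from this section (PIN Minimum Length, PIN History, PIN Complexity Min Checks and the four PIN must contain... check boxes), as an added example that is not part of the original help page. The policy values and the user's previous PINs are constructed, and the salted PBKDF2 storage of the history is an assumption of the example, not something the page specifies.

```python
import hashlib
import hmac
import os

# Constructed sample of the Workspace PIN settings on this page.
PIN_POLICY = {
    "pin_minimum_length": 6,
    "pin_history": 3,                 # previous PINs retained for reuse checks
    "pin_complexity": True,           # enforce the "PIN must contain..." checks
    "pin_complexity_min_checks": 2,   # how many selected checks must pass
    "pin_must_contain": {"lowercase": True, "uppercase": True,
                         "special": True, "numeric": True},
}

# One predicate per "PIN must contain..." check box.
CHECKS = {
    "lowercase": lambda s: any(c.islower() for c in s),
    "uppercase": lambda s: any(c.isupper() for c in s),
    "special":   lambda s: any(not c.isalnum() for c in s),
    "numeric":   lambda s: any(c.isdigit() for c in s),
}


def hash_pin(pin, salt):
    """Salted PBKDF2 digest so the history never stores a PIN in the clear.
    (Assumed storage format, not something the page specifies.)"""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def make_history(previous_pins):
    """(salt, digest) pairs for earlier PINs, newest first."""
    history = []
    for pin in previous_pins:
        salt = os.urandom(16)
        history.append((salt, hash_pin(pin, salt)))
    return history


def satisfied_checks(pin, policy):
    """Names of the selected 'PIN must contain...' checks this PIN passes."""
    return [name for name, selected in policy["pin_must_contain"].items()
            if selected and CHECKS[name](pin)]


def validate_pin(pin, policy, history):
    """Return the list of reasons the PIN is rejected; [] means accepted."""
    failures = []
    if len(pin) < policy["pin_minimum_length"]:
        failures.append("shorter than PIN Minimum Length (%d)"
                        % policy["pin_minimum_length"])
    if policy["pin_complexity"]:
        met = satisfied_checks(pin, policy)
        need = policy["pin_complexity_min_checks"]
        if len(met) < need:
            failures.append("meets %d of %d required PIN complexity checks"
                            % (len(met), need))
    # Only the most recent PIN History entries count toward reuse.
    for salt, digest in history[:policy["pin_history"]]:
        if hmac.compare_digest(hash_pin(pin, salt), digest):
            failures.append("reuses one of the last %d PINs" % policy["pin_history"])
            break
    return failures


# Constructed sample: the user's previous PINs, newest first. "oldest0" is
# the fourth entry, so with PIN History = 3 it is no longer blocked.
HISTORY = make_history(["abc123", "Qwerty!1", "zz9Zz9", "oldest0"])

if __name__ == "__main__":
    for candidate in ("abcdef", "abc123", "oldest0", "Zq7!mn"):
        print(candidate, "->",
              validate_pin(candidate, PIN_POLICY, HISTORY) or "accepted")
```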

Workspace/Apps

The Workspace settings to allow or block. Except for File Sharing and Copy/Paste, allowed items have a check mark.

Element Description

Location Settings

Allows device location coordinates to be collected from the device if the user has allowed location services during installation. If disabled, the user is not asked to accept location services during installation and user location is not tracked.

Offline Access

Allows the user to access the information already in the container when the user is offline. If disabled, users cannot access the Secure Workspace unless they are online and logged in.

Note that Offline Access only applies if the Shared Workspace Mode setting is set to Single User. If Shared Workspace Mode is set to Multi-User, the container is automatically wiped between user sessions.

E-mail

Allows the user to send e-mail messages from the native OS e-mail client.

Instant Messaging

Allows the user to send instant messages from the Secure Workspace.

Video Chat

Allows the user to access video chat functionality such as FaceTime.

Social Share

Allows the user to access social sharing through integrated services such as Facebook or Twitter.

Print

Allows Workspace apps to print to a printer.

Redirects to Workspace

Allows apps outside the Secure Workspace to redirect a URL into the Workspace.

Save to Media Gallery

Allows photos, images, and videos to be saved to the local media store on the device.

Save to Local Contacts

Allows user contacts to be saved to the contacts manager on the device.

Redirects from Workspace

Allows the Secure Workspace to redirect to an app outside the Workspace with a custom URL scheme.

(Restrict) File Sharing

If checked, restricts the ability of the user to share files outside the Secure Workspace.

(Restrict) Copy/Paste

If checked, copy and paste is only allowed inside the Secure Container, containerized apps, or between containerized apps, but not to apps outside the Secure Workspace.

Application Settings 

Element Description

Browser

Indicates browser settings as follows:
  • Address Bar Enabled - Select to show the address bar in the Secure Browser (part of the Secure Workspace). Clear the check box to hide the address bar in the Secure Browser.

  • Download Bar Enabled - A check mark indicates that downloading is allowed in the Secure Browser. Clear the check box to disable downloading.

Doc Editing

Indicates doc editing settings as follows:
  • Allow - A check mark indicates that the user can access the Workspace doc editor app (if installed).

File Manager

Indicates file manager settings as follows:
  • Allow - A check mark indicates that the user has full access to the Secure Workspace file manager app.

  • Download Allowed - A check mark indicates that the user can download files and save them locally.

File Manager Server-Based URL

If the File Manager function is enabled, this is the URL of the File Manager service that provides access to network file shares.

PIM

The PIM (personal information manager) app covers e-mail, calendar, contacts, and notes. Indicates personal information manager settings as follows:
  • Allow - A check mark indicates that the user can access the Workspace personal information manager app. Note that the PIM app is licensed separately. Selecting this option does not provide the app.

E-mail Server URL

Provide the e-mail server URL for the ActiveSync server as it applies to users assigned to this policy. Mobile Security Manager supports different mail servers for different user groups.

Basic ActiveSync Authentication

Select to configure basic authentication for Microsoft Exchange ActiveSync.

Configuration Type

Choose one of the following ActiveSync authentication options:
  • Auto - The e-mail server URL is automatically retrieved from the policy and authentication to the e-mail server occurs automatically when it is enabled for one of the single sign-on mechanisms supported by the Secure Workspace app.

  • Basic - The e-mail server URL is automatically retrieved from the policy but basic authentication credentials must be entered by the user during configuration of their PIM client.

  • Manual - Both the e-mail server URL and basic authentication credentials must be entered by the user during configuration of their PIM client.


Time Access / Geo Access 

Element Description

Time-Fence

Restrict user access to the Workspace by time of day. Click Add to add a row to the table. In the From column set the time that restricted access should start, and in the To column set the time that the restricted access period should end. Choose a time zone from the Time Zone menu.

To remove a row, select it in the table and click Remove.

Set Geo-Fence by

Shows the cities, states, or countries where access to the Workspace is allowed. If no Geo-Fence is defined the policy defaults to no geo-location restrictions.

Click Add to add a row to the table. Start typing the location name and then select the name from the menu.

To remove a row, select it in the table and click Remove.


Apps and Configuration

Use the Apps and Configuration tab to view apps and Device Settings assigned to this policy. Only Systems Administrators can edit the settings on the Apps and Configuration tab. The tab is arranged in the following sections:

  • Apps

  • Device Configurations (iOS Only)

Element Description

Selected Roles

The roles that this policy will affect. Click the Roles tab to add and remove roles.

Specify Apps and Configuration details for this policy

To specify apps and/or Device Configuration details for this policy, select the option box. Keep in mind that when multiple policies are assigned to a role, the policies are merged. If catalog details are specified for this policy, the values will be merged with the catalog details from other policies.

To create a policy without specifying catalog details, clear the option box.


Apps 

Element Description

Add

Click to add a row to the Apps table, then type the name of the app from the catalog to add for this policy. Apps assigned to the policy can be installed by users whose roles include the policy.

Remove

Click to remove an app from the policy.

Search and Add Apps...

Click to open the Add App dialog and search the catalog for an app to add for this policy. Apps assigned to the policy can be installed by users whose roles include the policy. Choose from the following sort options:
  • Last Updated - Sort search results such that the most recently updated apps are returned first.

  • Display Name - Sort search results alphabetically by app name.

Click Refresh to update the screen with any changes made on the (back-end) server. Click Add to add the selected app to the Apps table. Click Cancel to close the Add App dialog without making any changes.

App Name

The name of the app.

Description

A brief note regarding the app created by a Mobile Security Manager administrator.

Containerized

Indicates if the iOS or Android app is containerized. Containerization adds enterprise security services to apps, including advanced features such as multi-factor authentication and Windows Integrated Authentication (Kerberos or NTLM).

Virtual App Type

Indicates if the app is a Web App that runs on a remote server and displays in a Web browser, or a Shared Folder App that users can mount on the Workspace.

Platform

Either iOS, Android, or both. This field applies to Apps, but not Virtual Apps.

Install on Homepage

Select to automatically provision this app to the user's main screen or homepage, where they see the browser icon.

Upgrade Alert

Select to alert the user when an app is launched that an update is available. If the option is not selected, a badge on the catalog app indicates that an update is available, but the system does not alert the user otherwise.

Device Configurations (iOS Only)

Device Configurations allow you to pre-configure e-mail, calendar, Wi-Fi, and VPN settings that you can then assign to policies so that they can be automatically provisioned to users' devices upon device enrollment.

Note:

Only managed iOS devices support Device Configurations. Device configurations are ignored on Android devices and unmanaged iOS devices.

Element Description

Type

One of the following device configuration types:
  • VPN

  • E-mail

  • Wi-Fi

  • Calendar

For more information, see Chapter 6, "Device Configurations Help."

Configuration Name

Choose a saved device configuration from the menu.

Configuration Description

A short description to help you or another administrator identify this configuration in the future.

"Managing Mobile Security Policies" in Administering Oracle Mobile Security Suite