You create automated actions in XenMobile to program a reaction to events, user or device properties, or the existence of apps on user devices. When you create an automated action, you establish the effect on the user's device when it is connected to XenMobile based on triggers in the action. When an event is triggered, you can send a notification to the user to correct an issue before more serious action is taken.
For example, if you want to detect an app that you have previously blacklisted (for example, Words with Friends), you can specify a trigger that sets the user's device out of compliance when Words with Friends is detected on their device. The action then notifies them that they must remove the app to bring their device back into compliance. You can set a time limit for how long to wait for the user to comply before taking more serious action, such as selectively wiping the device.
In cases in which a user's device is put into an out of compliance state, and then the user fixes the device so that the device is in compliance, you will need to configure a policy to deploy a package that resets the device into a compliant state.
The effects that you set to happen automatically range from the following:
- Fully or selectively wiping the device.
- Setting the device to out of compliance.
- Revoking the device.
- Sending a notification to the user to correct an issue before more severe action is taken.
This article explains how to add, edit, and filter automated actions in XenMobile, as well as how to configure app lock and app wipe actions for MAM-only mode.
1. From the XenMobile console, click Configure > Actions. The Actions page appears.
2. On the Actions page, do one of the following:
- Click Add to add a new action.
- Select an existing action to edit or delete. Click the option you want to use.
Note: When you select the check box next to an action, the options menu appears above the action list; when you click anywhere else in the list, the options menu appears on the right side of the listing.
3. The Action Information page appears.
4. On the Action Information page, enter or modify the following information:
- Name: Type a name to uniquely identify the action. This field is required.
- Description: Describe what the action is meant to do.
5. Click Next. The Action details page appears.
Note: The following example shows how to set up an Event trigger. If you select a different trigger, the resulting options will be different from those shown here.
6. On the Action details page, enter or modify the following information:
- In the Trigger list, click the event trigger type for this action. The meaning of each trigger is as follows:
- Event: Reacts to a predefined event.
- Device property: Checks for a device attribute on the device gathered in MDM mode and reacts to it. For more information, see Device property names and values.
- User property: Reacts to a user attribute, usually from Active Directory.
- Installed app name: Reacts to an app being installed. Doesn't apply to MAM-only mode. Requires the app inventory policy to be enabled on the device. The app inventory policy is enabled on all platforms by default. For details, see To add an app inventory device policy.
7. In the next list, click the response to the trigger.
8. In the Action list, click the action to be performed when the trigger criterion is met. Except for Send notification, you choose a time frame in which users can resolve the issue that caused the trigger. If the issue isn't resolved within that time frame, the selected action is taken. For a definition of the actions, see Security actions.
If you pick Send notification, the remainder of this procedure explains how to send a notification action.
9. In the next list, select the template to use for the notification. Notification templates relevant to the selected event appear, unless a template doesn't yet exist for the notification type. In that case, you are prompted to configure a template with the message: No template for this event type. Create template using Notification Template in Settings.
Note: Before you can notify users, you must have configured notification servers in Settings for SMTP and SMS so that XenMobile can send the messages, see Notifications in XenMobile. Also, set up any notification templates you plan to use before proceeding. For details on setting up notification templates, see To create or update notification templates in XenMobile.
Note: After you select the template, you can preview the notification by clicking Preview notification message.
10. In the following fields, set the delay in days, hours, or minutes before taking action and the interval at which the action repeats until the user addresses the triggering issue.
11. In Summary, verify that you created the automated action as you intended.
12. After you configure the action details, you can configure deployment rules for each platform individually. To do so, complete step 13 for each platform you choose.
13. Configure deployment rules
- Expand Deployment Rules. The Base tab appears by default.
- In the lists, click options to determine when the action should be deployed.
- You can choose to deploy the action when all conditions are met or when any conditions are met. The default option is All.
- Click New Rule to define the conditions.
- In the lists, click the conditions, such as Device ownership and BYOD.
- Click New Rule again if you want to add more conditions. You can add as many conditions as you would like.
- Click the Advanced tab to combine the rules with Boolean options.
- The conditions you chose on the Base tab appear.
- You can use more advanced Boolean logic to combine, edit, or add rules.
- Click AND, OR, or NOT.
- In the lists that appear, choose the conditions that you want to add to the rule and then click the Plus sign (+) on the right-hand side to add the condition to the rule.
At any time, you can click to select a condition and then click EDIT to change the condition or Delete to remove the condition.
- Click New Rule again if you want to add more conditions.
In this example, the device ownership must be BYOD, the device local encryption must be True, the device must be passcode compliant, and the device mobile country code cannot be only Andorra.
14. When you are done configuring the platform deployment rules for the action, click Next. The Actions assignment page appears, where you assign the action to a delivery group or groups. This step is optional.
15. Next to Choose delivery groups, type to find a delivery group or select a group or groups in the list to which you want to assign the policy. The groups you select appear in the right-hand Delivery groups to receive app assignment list.
16. Expand Deployment Schedule and then configure the following settings:
Note: The deployment schedule you configure is the same for all platforms. Any changes you make apply to all platforms, except for Deploy for always on connection, which does not apply to iOS.
17. Click Next. The Summary page appears, where you can verify the action configuration.
18. Click Save to save the action.
App lock and App wipe actions for MAM-only mode
You can wipe or lock apps on a device in response to all four categories of triggers listed in the XenMobile console: event, device property, user property and installed app name.
To configure automatic app wipe or app lock
1. In the XenMobile console, click Configure > Actions.
2. On the Actions page, click Add.
3. On the Action Information page, enter a name for the action and an optional description.
4. On the Action Details page, select the trigger you want.
5. In Action, select an action.
For this step, keep the following conditions in mind:
When the trigger type is Event and the value is not Active Directory disabled user, the App wipe and App lock actions will not appear.
When the trigger type is Device property and the value is MDM lost mode enabled, the following actions will not appear:
- Selectively wipe the device
- Completely wipe the device
- Revoke the device
For each option, a 1 hour delay is automatically set, but you can select the delay period in minutes, hours or days. The delay gives users time to fix an issue if possible before the action is carried out. You can learn more about the App wipe and App lock actions in the topic on Configure roles with RBAC.
If you set the trigger to event, the repeat interval is automatically a minimum of 1 hour. The device must carry out a refresh of the policies to synchronize with the server for the notification to come in. Typically, a device synchronizes with the server when users sign on or manually refresh their policies through Secure Hub.
An additional delay of approximately 1 hour may occur before any action is carried out, to allow the Active Directory database to synchronize with XenMobile.
6. Configure deployment rules and then click Next.
7. Configure delivery group assignments and a deployment schedule and then click Next.
8. Click Save.
To check app lock or app wipe status
1. Go to Manage > Devices, click a device and then click Show more.
2. Scroll to Device App Wipe and Device App Lock.
After a device gets wiped, the user is prompted to enter a PIN code. If the user forgets the code, you can look it up in the Device Details.