Policies allow TeamViewer's Mobile Device Management (MDM) solution to define requirements for devices, as well as what will happen if a device does not comply with the set requirements. Each policy consists of a set of rules and a compliance action (what happens if the rule is violated).
This article applies to all TeamViewer Mobile Device Management customers.
Accessing the MDM policy portal is done within TeamViewer Remote or the Web app. To begin, navigate to the Remote Management tab and select Go to Settings, found under the Mobile Device Management section.
To manage or alter policies, select Manage Policies at the upper right corner of the settings window. This will redirect you to the Ivanti portal.
📌Note: If you cannot see the Policies page, it might be that you do not have the required permissions. Viewing of the portal requires the Device Managment and Device Read-only roles.
Once in the Ivanti portal, admins can create a new policy by clicking the + Add button in the upper right corner.
When creating any policy, a checkbox is found at the bottom of the window that must be selected in order to proceed. This ensures the admin is aware that any previous policy settings will be reset once the new policy takes place.
💡Hint: When creating a new policy, it is recommended to set the policy only with the "Monitor" compliance action for an evaluation period. The policy can then be checked over a period of a few days to be sure it is not matching devices in a way that is not intended.
When the policy is created it will begin monitoring, showing the impact on devices. Adding additional actions allows policies to fall into compliance by defining security preferences in the form of rules. You can add actions now, or after you have evaluated any violations.
💡Hint: Adding the action Wait in between other actions provides a way to allow device users to remediate their device and get it back in compliance before additional actions are taken. As an example, you may want to send a warning message and wait 24 hours before applying a quarantine action.
The Actions column provides both options for editing or deleting an MDM policy.
💡Hint: Regardless of policy type, all policies provide the ability to be notified when the device comes back into compliance!
TeamViewer MDM policies provide complete control in many situations. Within the policy, you can also set multiple parameters. We currently provide the following MDM policy parameters:
The Compromised Devices policy allows TeamViewer to take action if a compromised device (jailbroken iPhone or rooted Android device) is detected. When detected, TeamViewer can take the following actions:
1. Do Nothing
TeamViewer will take no actions. Compromised devices will appear in the Dashboard.
2. Send Notification
TeamViewer will send an email or push notification to the affected device/user; can also send both. The policy provides a subject and body text field where you can enter the default message to be sent during an occurrence.
3. Wait
TeamViewer will take no action for a set period of time. Once the time has expired, the next action set in the policy will occur.
💡Hint: To add multiple actions to a policy, click the blue + icon to the right of the currently applied action.
4. Restart Device Once
The affected device will be forced to restart once. If any actions have been added after this occurs, the next action will occur once the device is back online.
5. Quarantine
The affected device will be quarantined based on the provided parameters, including the ability to remove applications and configurations, as well as stop specific device actions.
6. Block
The device will be blocked from access.
7. Retire
The device will be retired per the TeamViewer MDM system.
📌Note: This action cannot be undone.
The Data Protection/Encryption Disabled policy allows TeamViewer to detect if there is no passcode or the encryption settings have been disabled. When this is detected, TeamViewer MDM can take any/all of the following actions:
The International Roaming policy applies to any device that is detected outside of its home country. This policy is useful in preventing devices from incurring unintentional international roaming charges. When this is detected, TeamViewer MDM can take any/all of the following actions:
The MDM/Device Administration Disabled policy applies to any device that has the relationship between itself and the TeamViewer MDM system severed. When this is detected, TeamViewer MDM can take any/all of the following actions:
📌Note: If a device is MDM-disabled, it will not be evaluated for any other policies/processing of configurations/apps during check-ins.
The Out of Contact/MI Client Out of Contact policies are two separate policies that work in a similar way. They both apply to any device that has not checked in for a specified amount of time. The time parameters are set within the policies themselves and can be set to either Days or Hours. When no check-in occurs for the designated timeframe, TeamViewer MDM can take any/all of the following actions:
The Custom Policy allows even more control of the devices within the MDM network and includes a multitude of parameters and conditions. This offers the ability for similar alerts and actions to be taken as seen in the above policies, but with the ability to track many other features.
📄 Learn more about Custom Policy parameters
The Allow Apps policy controls which apps are allowed on managed devices. This policy will set up an allowlist and a blocklist, and specific apps can be authorized from the App Store/Play Store or entered manually. When an app is flagged to be against the policy, TeamViewer MDM can take any/all of the following actions:
📌Note: For this policy to work, devices must have Privacy Configurations that enable the collection of all installed apps on the device. Without this, false positives will be reported since there is no way of enforcing which apps should be allowed, disallowed, or required.