Device inventory

The device inventory list shows all enrolled devices.

Device Compliance

What is compliance?

The compliance state of a device is an indicator thsat shows if a device meets the assigned security policy.

As you may already know, a policy is a set of configurations which enables you to allow or deny certain features or applications on your users devices.

In some cases however, the user or the device is still able to perform operations which are not allowed by your configured policy (primarily possible on Android devices).

The Relution application on the device is able to monitor this security violation and notifies the Relution server when a new violation has occured.

As long as a violation exists on the device, it will remain in a “non-compliant” state.

This can have several effects on the device, e.g. the Relution Secure Mail Gateway denies all connection attempts from this device to the Exchange Gateway or the unavailability of managed applications.

The violation is also visible to the user on their device and if possible the Relution application provides them the possibility to resolve the security violation by pressing a simple button within the application (depending on the violation, only on Android devices)

The word compliance and the compliance status thus represent the conformity of a device according to the permissions you granted it (with the use of a policy).

Getting compliant

Android

In order to resolve compliance violations on the device you need to go to the “Compliance” view inside the Android application. The violated configuration is displayed accordingly and can be viewed in detail by clicking on it. The application provides a button which allows you to resolve the corresponding violation.

image image

iOS

On iOS devices, compliance violations are much more less likely to appear as policies are natively supported by the operating system. Violations on iOS are primarily reported by the operating system due to errors when failing to enforce a policy.

The user cannot produce violations by operating the device or changing its configuration (except jailbraking the device).

Device states

Device states give you the most basic information about the device, it’s health and current capabilities. You can use it to filter classes of devices and perform various actions on them, therefore it is important to know what a specific state stands for and how you can change it.

A device can be in one of the following states in Relution environment:

  • COMPLIANT

    The device is active, responsive, correctly configured and enforces the configured policy. This is the correct and desired state, when a device is managed without a problem.

  • NONCOMPLIANT

    The device is active, responsive, but it has open violation(s) which has not been resolved yet, hence it does not enforce the configured policy. Some Relution services may not be available to the device as long as the violation exists. Often a manual action is required by the device user or Device Manager, in order to resolve the violation(s) and get back to COMPLIANT state.

  • INACTIVE

    The device has not connected to the server or answered to the availability check of the Relution server for the defined amount of time. The time period for both settings (availability check & inactivity interval) can be configured inside the Device Management section of the settings.

  • WITHDRAW_PENDING

    The device user decided on their own to withdraw the device from the MDM, therefore MDM sent WITHDRAW action to the device, but it was not processed yet. This is a temporary device state. From the MDM point of view, the device behaves like in WITHDRAWN state and cannot be managed any longer. After the WITHDRAW action is confirmed, the device will change to WITHDRAWN state.

    If the device is not responding and it is clear that it can be deleted, the Device Manager can clean-up such device by deleting it once more, but in this case the WITHDRAW action won’t be executed.

    NOTE: WITHDRAW_PENDING is applicable only for certain Android client versions

  • WITHDRAWN

    The device user decided on their own to withdraw the device from the MDM and thus the device cannot be managed any longer. The user can do it by removing the Provisioning Profile (iOS) or by disabling the administration privileges of the Relution Client App (Android). This state is technically equal to DELETED state and Relution Device Manager can only delete such device. If the user wants to be managed again, they have to enroll their device to the MDM once again.

  • DELETION_PENDING

    The Device Manager deleted the device from the MDM, this includes sending a WITHDRAW action to the device. Till the WITHDRAW action is processed, the device stays in this temporary device state. From the MDM point of view, the device behaves like in DELETED state and cannot be managed any longer. After the WITHDRAW action is confirmed, the device will change to DELETED state.

    If the device is not responding and it is clear that it can be deleted, the Device Manager can clean-up such device by deleting it once more, but in this case the WITHDRAW action won’t be executed.

  • DELETED

    The device has been marked as deleted. It is not displayed in the device inventory unless you modify the filter to include deleted devices. Deleted devices will be removed from the database upon a clean up task.

Deletion and withdraw process

As mentioned above, the device can be removed from MDM management in two ways: by device user decision or by manager decision. Please see following diagram for more details.

image

Since the WITHDRAWN and DELETED devices are not managed by MDM, the amount if device information is reduced too. Clear device data step mentioned in the diagram performs following changes:

  • Cancel all unprocessed actions

  • Clear all push information (no push notifications can be sent to the device)

  • Remove ruleset information (it is removed only if the device is changed to DELETED)

  • Remove policy information

  • Clear installed apps

  • Remove all compliance violations

Device details

You are in the group “Administrator” or “Device Manager”.

The device details page contains several information about the device and its status.

To view a device’s details, press the arrow button or the name of the device inside the device inventory list.

The displayed data is initially created upon device enrollment. In order to refresh the data the execution of a “refresh device info” action is required.

The device detail page is divided into the following sections:

Note: Information available and displayed about the device can vary depending on the device platform and the device type.

Device information

The device information page displays general information about the device and its compliance status. The menu on the left provides buttons for applying and removing a policy, deleting it from the device inventory, editing its general information and triggering the execution of an action on the device.

image

Networks

Under the networks tab all data concerning cellular, wireless and bluetooth networks and their configuration is collected.

image

System

All data about the configuration and other details about the device itself (hardware/software) is gathered inside the system tab.

image

Security

The security tab allows you to view security relevant information about the device. This includes the root or jailbrake detection, device encryption, etc.

image

Location

This tab is used to display the location of the device on a map. Before the location can be displayed you need to send a “locate device” action. This can be triggered via the regular action workflow or by pressing the “Locate device” button inside the “Location” tab Before you can use the “locate device” action you have to enable this option first in the settings (“device management”).

image

Compliance violations

This view lists all occured policy violations of the selected device. If for example the device user removes the administration rights of Relution, this will be reported in this view. The administrator then can take necessary actions to enforce the compliance of the device again.

image

History

The history tab allows you to trace the actions and policy history of the device. You are able to see if actions have been successfully executed or are still pending. If any errors occur while executing an action their are listed here.

image

Installed apps

The installed apps page holds information about all installed applications on the device. You are able to send a uninstall action to the device by selecting the desired application and pressing the uninstall button. To remotely uninstall applications, there are platform specific limitations:

iOS: The application to remove is a so called managed app. Managed apps are installed either by the user via the Relution app on the device or via the Relution portal by the administrator.

Android: The application is a non-system application.

The possibility of uninstalling an application is displayed by a checkable box in the list.

image

Checking Device Connection

Users and administrators often ask the Relution team why a device did not recieve an action or a policy or why it is not in a desired state. Before calling the help desk or support engineer to ask why a device is not available at the moment, please try to evaluate following points.

General

The most frequent reason is that the network infrastructure is prohibiting a connection to the Relution server.

Problems can be:

  • Does the device have an internet connection via 3G/4G or via wifi?

  • Does the current network infrastructure allow a connection to and from the Relution server? Is there a firewall or are important ports closed? Check the requirements for the network infrastrcuture. You can also check if the Relution server is available from your device, by typing the Relution server URL into the browser of the device. For example https://live.relution.io

  • Is the server running and online?

  • If you use the MDM features, please check if the device is correctly enrolled

    • Did you create an enrollment for the correct platform or did you choose the platform “automatic”

    • Did you follow the enrollment instructions under Enroll Android devices or Enroll iOS devices?

    • Does the user, with which you try to login exist? See User settings

    • Is this user activated in the User settings?

    • Does the user has the according role? Does the user have the right to login? To be able to login to the Enterprise App Store, the user has to be in one of the following groups:

      • Organisation Appstore User

      • Organisation App Reviewer

      • Organisation Developer

      • Organisation Appstore Manager

      • Organisation Administrator

    • Login problems could also appear if you use an ActiveDirectory or other LDAP system. Please carefully read the page about LDAP configurations

To quickly check if the device can connect to the Relution server, open the Relution Portal on your Desktop and navigate to Devices→Inventory. Afterwards, choose the problematic device and have a look a the copliance status.

Try to send an action to the device. A non critical action is the “Refresh device info” action. Apply this action to the device and navigate to the device details. Click on History to check if the action was performed correctly. It can take up to a couple of minutes until the action is executed completely. You have to refresh this view, to get the newest information about the action status.

An issue also could be, that you have incompatible versions of the Relution app and the Relution server. Our team always tries to keep all version compatible to each other, but to be safe, make sure the version have the same two version numbers for example 2.6.x.

iOS devices

To check if the device is correctly enrolled, navigate on the device to Settings→General→Device Management and check if a profile of your organisation is installed.

Please also check if the profile is verified and still valid by clicking on the profile on your device.

Android devices

To check if the device is correctly enrolled, open the installed Relution app on the device. If you are enrolled, you will be logged in automatically. If you use the Enterprise App Store, please log in. Open the menu and navigate to Device information. You will see an overview about the Relution version, the user you are using, the server which the device is connected to, the last contact time and also information about the enrollment state. In the Services tab at the top you can check the state of the push service which is necessary to communicate with the device.