3 Replies Latest reply on Jun 19, 2012 8:14 AM by isi

    iPhone - what does "compliant" really mean?

      Hello all,


      i've stumbled over a very strange issue with compliant vs. not compliant:


      i have an iPhone 4 which, according to all settings _must_ be compliant, but is shown as non-compliant and so is denied ActiveSync access.

      Compliance Override works for that, so it's not a catastrophy, but it made me thinking what constitutes "non-compliance"...


      The same issue is on an iPhone 3GS, but as this is from an employee who moved on to brighter pastures some time ago, it's not current and wasn't upgraded while in the drawer, which may account for it...


      EMM is 10.1.1 (upgraded without a hitch from 9.7), distributed setup, and working for the other iPhones as well as for my single test-Android. "Upgrade iOS MDM Access Rights" was done on all iPhones a week ago, problem showed up two days ago, so ~4 days in between the migration and the problem showing up...


      So, regarding the iPhone 4,


      - it's adhering to all policy settings.

      - all compliance settings are ok, checked between policy and device details, as well as on the phone (restrictions, passcode rules...)

      - it has lots of pending actions

      - i did update the configuration via the client, which cleanly reinstalls both profiles, i can check and install one of the recommended apps, everything works, the iPhone "just" is "not compliant"


      so, obvious solution from the usual sources <g> is uninstall and re-provision, which i will do later...


      But still, what's going on and what constitutes "compliance"?


      The only visible thing i found is that

      - it has the current client

      - in the applications list, usually i see the EMM client version as "version=4.7.2", "short version=43487"

        On this iPhone, i get "version=43487", and no short version... The same "issue" is on the 3GS, just with the client version "39584", the older client when it was installed...


      looks like this: EMM-wrong_version.png, where it should

      look like that:      EMM-correct_version.png




      So, the questions remain:


      - first, what constitutes "compliance", and


      - second, where can i lookup why _exactly_ EMM thinks a phone is not compliant?



        • 1. Re: iPhone - what does "compliant" really mean?

          Well, i mixed up "version" and "short version", as version is 43487 in both cases and the "short version" missing on the problematic iPhone is 4.7.2...


          As an addon - on the respective iPhone i get no Short Version at all, not from a single app...

          • 2. Re: iPhone - what does "compliant" really mean?

            McAfee® Enterprise Mobility Management 10.1

            Product Guide - Page 22

            About device compliance


            Device compliance is determined based on the following predefined parameters.


            A device is considered compliant if the following is true:

            •The device has the current version of the McAfee EMM software installed.

            •The device has the current security policy installed.

            •The iOS device has the correct device certificate that was issued during provisioning.


            A device is considered noncompliant if one or more of the following is true:

            •The device does not contain the McAfee EMM software.

            •The security policy has been updated and the device does not yet have the new policy.

            •The device has not checked in since the software or security policy was last updated.

            •The device has been hard-reset because of a company policy, and the device no longer contains the
            McAfee EMM software.

            •The device has been jailbroken (iOS) or rooted (Android).

            • 3. Re: iPhone - what does "compliant" really mean?



              thanks!  I did suspect RTFM was the solution, but somehow i missed that page :-(


              "The security policy has been updated and the device does not yet have the new policy." was the reason. Which happened due to the pending tasks...


              Re-provisioning alone didn't solve the issue, only deleting and reinstalling the EMM Agent, and then re-provisioning it the iPhone worked again as "compliant"... :-(


              So, the recommended approach worked, but i didn't find out _why_ the "Pending operations" ran up, even while the iPhone could connect, could be disconnected and connected again...



              Also, now the versioning is correct again: Zwischenablage1.png


              So, thanks again!



              Nachricht geändert durch isi on 19.06.12 08:14:30 CDT