Managing device policies

Coro implements device management through policies. In a policy, you can implement restrictions on a device or enforce certain operating conditions.

Device policies in Coro work with labels. When you create a policy, you assign one or more labels to it. Then, by assigning labels to devices you determine the policies that should apply.

Viewing device policies

To view device policies:

  1. Access the Mobile Device Management module.
  2. From the Mobile Device Management page, select the Policies tab:

    Policies tab

Coro presents all currently defined policies grouped by device type. Expand or collapse device type sections to view associated policies, including the labels applied in each case and the last modified timestamp.

On this tab, you can:

  • Add a new policy; see Creating a device policy.
  • Filter the page to view policies with selected labels. Choose to filter on policies that contain Any labels in the list, or policies that contain Combined labels that you select.
  • Sort the policy list in ascending or descending order of last modified date, as indicated by the arrow next to the column heading.
  • Search for a policy by name.

Use the three-dot actions menu adjacent to each policy to edit or delete that policy.

Policy types

Coro includes the following policy types:

For reference, the following table shows policy availability across device types in Coro MDM:

Device type            Allowed Apps   Compliant Apps   Passcode Restrictions
iOS - BYOD             No             Yes              Yes
iOS - Supervised       Yes            No               Yes
iOS - MAID Device      No             Yes              Yes
iOS - MAID User        No             No               Yes
Android - BYOD         Yes            No               Yes
Android - Supervised   Yes            No               Yes

Allowed and compliant application lists

In an application policy, you define and assign application lists to enrolled devices that, depending on the device type, can either:

  • Actively enforce application installation and usage restrictions (Allowed Apps)
  • Report usage non-compliance (Compliant Apps)

For supervised iOS and iPadOS devices, a policy does not prevent excluded applications from being seen in the Apple App Store, nor does it prevent installation. However, a policy does prevent the user from being able to run an installed application that is not part of the policy Allowlist. For BYOD iOS/iPadOS and iOS MAID Device enrollments, a policy cannot be enforced at all. However, Coro can retrieve an installed application list from the device and report where policy contraventions occur on the Devices page.

For company-owned Android devices, an applied policy completely prevents the user from viewing excluded applications in the Google Play Store or installing anything not on the policy Allowlist. This is also true for BYOD Android devices, although this is limited to the installed Work profile.

note

The Personal profile on a BYOD Android device is completely unaffected and continues with normal unrestricted access to apps in the Google Play Store.

Passcode and password restrictions

Coro MDM enables admin users to set a passcode policy on iOS/iPadOS devices, or a password policy on Android devices.

Passcodes and passwords lock a device from unauthorized access and keep an organization's data secure. Security unlock features such as fingerprint or face-recognition are typically supported by association with an underlying passcode; however, only the passcode/password is affected by this policy.

Passcode/password policy settings include:

  • Enforcing strength and complexity rules.
  • Setting the maximum number of failed attempts before a device wipe occurs.
  • Setting the maximum inactivity timeout period, after which the device screen is locked (iOS/iPadOS devices only).
  • Enforcing password unlock once per 24-hour period (Android devices only).
  • Setting the maximum passcode/password age, after which a new value must be set.

note

Admin users can remotely set passwords on Android devices, and remotely clear passcodes on iOS devices enrolled in Coro MDM. For more information, see Managing devices.

Creating a device policy

Before you set up a device policy, make sure you know the Bundle IDs (iOS/iPadOS) or Package names (Android) of the applications to add.

To create a device policy:

  1. From the Policies tab, select + ADD POLICY.
  2. Use the dropdown to select the device type for your new policy:

    Selecting a device type for a new policy

    Coro displays the Create policy dialog, starting at the Enter Policy Name step:

    note

    The screenshots used in this procedure represent creating a policy for iOS BYOD devices. Other device types use the same or similar steps, with differences noted.

    Adding a new iOS BYOD policy

  3. Enter a name for the policy, then select NEXT to continue.
  4. In the Select Policy Type step, use the dropdown to view and select from the available policy types:

    Selecting a policy type

    Select from:

    • Allowed Apps: For enrolled device types where application installation and usage is enforceable.
    • Compliant Apps: For enrolled device types where application usage is not enforceable but can be reported on.
    • Passcode/password restrictions: For enforcing a passcode policy on the enrolled device.

    For more details, see Managing device policies.

    Select NEXT to continue.

  5. In the Define Action step, Coro shows settings according to the selected policy type.

    For Allowed Apps and Compliant Apps policies:

    • Enter one or more application Bundle IDs (iOS/iPadOS) or Package names (Android) into the box provided. Coro searches for and displays a list of matching applications. Select a matching application or choose to add the bundle ID/package name as entered:

      Adding applications

    • To remove an entry, select the delete option:

      Removing an added application

    For Passcode Restrictions (iOS/iPadOS devices only):

    • Enable or disable each parameter as required. For enabled parameters, configure the associated settings:

      Setting passcode restriction parameters

    • Settings include:
      • Enforce passcode strength. Select a predefined level:
        • Strong: Alphanumeric, at least 16 characters long, and including six special characters.
        • Medium: Alphanumeric, at least ten characters long, and including four special characters.
        • Simple: Any non-empty passcode.
      • Max Failed Attempts: The maximum number of failed attempts before a device wipe occurs. Enter a number in the range 2 to 11.
      • Max Inactivity: The maximum inactivity timeout period, after which the device screen is locked. Enter a number of minutes in the range 0 to 15.
      • Max PIN Age in days: The maximum passcode age, after which a new passcode must be set. Enter a number of days in the range 1 to 730.

    For Password Restrictions (Android devices only):

    • Enable or disable each parameter as required. For enabled parameters, configure the associated settings:

      Setting password restriction parameters

    • Settings include:
      • Enforce password strength. Select a predefined level:
        • Strong: Alphanumeric, at least 16 characters long, and including six special characters.
        • Medium: Alphanumeric, at least ten characters long, and including four special characters.
        • Simple: Alphanumeric, at least six characters long.
      • Max Failed Attempts: The maximum number of failed attempts before a device wipe occurs. Enter a number in the range 0 to 20 (0 means the setting has no effect).
      • Require Password Unlock: Once every 24 hours, the device user must enter a password to unlock the device (rather than using biometric or pattern unlocking).
      • Password Expiration Timeout: The maximum password age, after which a new value must be set. Enter a number of days in the range 1 to 730. If the user fails to set the password inside the timeout period, Coro deletes the work profile from the device.

    Select NEXT to continue.

  6. In the Assign Labels step, use the dropdown to select one or more device group labels to apply to this policy:

    Assigning labels to the policy

    Alternatively, create a label by typing it directly into the box:

    Adding a new label to the policy

    Important

    You must select at least one label for your policy. This is the mechanism through which policies are applied to devices.

  7. To save your policy, select SAVE.

Applying a device policy

After you have defined a device policy, apply it to your mobile devices by adding the corresponding label to your devices. For more details, see Adding and removing device labels.

Policies associated with a label are assigned immediately to connected devices, although Coro recommends allowing a short time for all affected devices to be fully updated. Devices must be connected to the internet for the policy to take effect.

note

For Android devices only: If you subsequently edit an assigned policy by removing or replacing allowed applications, devices affected by the change are updated automatically without notice to the user when next online. That is, installed applications no longer allowed after the policy update are automatically uninstalled and cease to be visible in the Google Play Store.
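
The following coverage audit is an added example, not Coro's own code or API. It shows, for an exported inventory, what each device's labels actually give it, separating enforced app control from report-only as described under Allowed and compliant application lists. The Policy and Device tuples, the sample names, and the matching rule (same device type plus at least one shared label) are assumptions.

```python
from collections import namedtuple

Policy = namedtuple("Policy", "name device_type policy_type labels")
Device = namedtuple("Device", "name device_type labels")
# App-control outcome per device type and policy type, as this page describes it.
APP_CONTROL = {
    "iOS - BYOD": {"Compliant Apps": "report-only"},
    "iOS - Supervised": {"Allowed Apps": "enforced (blocks launch, not install)"},
    "iOS - MAID Device": {"Compliant Apps": "report-only"},
    "iOS - MAID User": {},
    "Android - BYOD": {"Allowed Apps": "enforced (Work profile only)"},
    "Android - Supervised": {"Allowed Apps": "enforced"},
}

def applicable(device, policies):
    """Assumed matching rule: same device type and at least one shared label."""
    return [p for p in policies
            if p.device_type == device.device_type and p.labels & device.labels]

def coverage(device, policies):
    """Summarise what the labels on one device actually give it."""
    app_control, passcode = "none", False
    for p in applicable(device, policies):
        if p.policy_type == "Passcode Restrictions":
            passcode = True
        else:  # app policy types not offered for this device type are ignored
            app_control = APP_CONTROL[device.device_type].get(p.policy_type, app_control)
    return {"app_control": app_control, "passcode": passcode}

# Constructed sample inventory (hypothetical names, not from a real workspace).
POLICIES = [
    Policy("sales-apps-ios", "iOS - BYOD", "Compliant Apps", {"sales"}),
    Policy("sales-apps-android", "Android - BYOD", "Allowed Apps", {"sales"}),
    Policy("passcode-ios", "iOS - BYOD", "Passcode Restrictions", {"all-staff"}),
    Policy("password-android", "Android - BYOD", "Passcode Restrictions", {"all-staff"}),
]
DEVICES = [
    Device("iphone-01", "iOS - BYOD", {"sales", "all-staff"}),
    Device("pixel-01", "Android - BYOD", {"sales", "all-staff"}),
    Device("ipad-01", "iOS - Supervised", {"kiosk"}),
]

def audit(devices=DEVICES, policies=POLICIES):
    return {d.name: coverage(d, policies) for d in devices}

def gaps(devices=DEVICES, policies=POLICIES):
    """Devices left without enforced app control or without a passcode policy."""
    return sorted(n for n, c in audit(devices, policies).items()
                  if not c["app_control"].startswith("enforced") or not c["passcode"])
```

In the sample, gaps() reports iphone-01 because a BYOD iOS device can only be reported on, and ipad-01 because its only label matches no policy.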

Deleting a device policy

You can permanently delete a device policy through the Policies tab.

Perform the following steps:

  1. Locate the policy to delete from the list.
  2. Select the adjacent three-dot actions menu. Then, select Delete:

    Delete policy

    Coro presents a confirmation dialog. If you proceed, the policy is deleted and unassigned from devices.

  3. To delete the policy, select DELETE.