Manage device configuration policies

When you use the CyberArk Identity for mobile device management (see Mobile Device Management or single sign-on only), the CyberArk Identity provides mobile device configuration policies you can set by using either Admin Portal or the Active Directory Group Policy Management Editor. See List of device configuration policies for a full list of the group policies available for Android, iOS, and macOS devices.

(see Select the policy service for device management)

Users can see the policies enabled on their Android devices on the Setup tab in the application and on their iOS devices and OS X devices in the Settings application’s General/Profiles screen.

This section contains the following topics:

Use the Admin Portal to set device configuration policies

You use device configuration policies to configure the settings in Android devices and profiles in iOS devices when the user enrolls the device. To set device configuration policies when you use the CyberArk Cloud Directory policy service for device policy management, you create a new policy set or modify an existing policy set and then apply the policy set to a role (see Manage policy sets). CyberArk Identity then installs the policy set in the devices enrolled by the users belonging to the role. You can mix different types of devices in the same policy set.

CyberArk Identity installs the policies initially when the user enrolls the device. The policies are updated when the push delay period expires (see Select the policy service for device management to set the period) or you can force an update after you make a change with an Admin Portal command (see Use device management commands) to push the update immediately.

The CyberArk Identity automatically updates the devices when you make changes too. You can set how long it waits after you finish editing the policy in the when you select the for Device Policy Management (see Select the policy service for device management).

Click the drop-down list to enable or disable the policy. Click the information bubble for the configuration options.

The drop down menu provides the following options:

  • -- (Not configured): Select to keep the default value.

    This is the default for all policies. The setting set by the device vendor remains in effect. Users can change this setting using the device’s Settings screen if your device policies allow them to modify settings.

    The default setting can vary from one vendor to another.

    If the same policy is set in a policy set higher up on the Policies page, the previous setting is applied. See Reconcile policy settings in hierarchical policy sets and group policy objects for the details.

  • Yes: Select to enable the feature or service.

    When you set the policy to “Yes,” it allows the user to use that feature or service. For example, if you set the “Permit camera use” policy in Common Mobile Settings to “Yes,” the user is allowed to take pictures with the device’s camera.

  • No: Select to disable the feature or service.

    When you set the policy to “No,” the user is denied use of the feature or service. For example, if you set the “Permit camera use” policy to “No,” the user is not allowed to take pictures with the device’s camera.

Some policies require additional configuration after you enable them. For example, after you enable a Wi-Fi policy, you have to specify the SSID, password, and other communication properties. For these policies, the Admin Portal displays an Add button and lets you create one or more profiles for that policy. the Admin Portal lists the profiles so you can manage them.

Use the Group Policy Management Editor to set mobile device policies

You use device configuration policies to configure the settings in Android devices and profiles in iOS devices when the user enrolls the device. To set device configuration policies when you use Active Directory group policy for device policy management, you create a new or modify an existing group policy object (GPO) by using the Group Policy Management Editor and then link the GPO to an Active Directory organizational unit.

You then specify the organizational unit in the Device Enrollment Settings (see Enroll devices. You can specify different policies for different roles by creating a separate GPO and linking it to a different organizational unit for each role—see Permissions for managing mobile device objects in Active Directory.

If you select Active Directory to set mobile device policies, the CyberArk Identity does not install the group policy object settings in devices that are enrolled by users with CyberArk Cloud Directory accounts. If you have some users with Active Directory accounts and others with CyberArk Cloud Directory accounts, select the CyberArk Cloud Directory policy service to define mobile device policies.

CyberArk Identity installs the policies initially when the user enrolls the device. After that, the connector polls Active Directory for changes to the group policy object on a periodic basis. If it finds a change it updates the devices. You set the update interval when you configure the Device Policy Management (see Select the policy service for device management).

It can take up to 10 minutes after polling for the connector to install the new profiles on all affected devices. However, if you make a lot of policy changes (for example, more than 20) the connector might issue the profile updates in multiple batches rather than all at once.

Alternatively, you can force an update after you make a change with an Admin Portal command (see Use device management commands) to push the update immediately.

Create administrator consoles

To create administrator consoles, you use the same procedure to download the CyberArk Identity Connector installation wizard to the host Windows server and then run the wizard. However, you do not install the connector. Instead, you install either or both of the console extensions.

Refer to Install the CyberArk Identity Connector for more information about installing the console extensions.

The host computer must be joined to the same Active Directory domain controller as the connectors in the same trust domain or forest.

Enable policies in the Windows Group Policy Management Editor

CyberArk Identity mobile device policies are listed alongside the Windows group policies in the Group Policy Management Editor. You can mix different types of devices (for example, Android and iOS devices) in the same group policy object.

You open the group policy object for editing and then expand the CyberArk Identity Management Settings categories to expose the individual policies. Double-click the policy to enable and configure it. Click the Explain tab for the configuration instructions.

By default all mobile device policies are set to “Policy not configured.” Alternatively, a policy can be set to “Policy enabled” or “Policy disabled.” These settings are defined as follows:

  • Policy not configured: Select this to leave the device in its default setting.

    This is the default for all policies. The setting set by the device vendor remains in effect. Users can change this setting using the device’s Settings screen if your device policies allow them to modify settings.

    The default setting can vary from one vendor to another.

    If the same policy is set in a parent group policy object or group policy object linked to a parent domain, the policy set in the parent is applied. See Reconcile policy settings in hierarchical policy sets and group policy objects for the details.

  • Policy enabled: Select this to set the policy.

    “Policy enabled” has different options, depending upon the policy. For many policies, it means that you are “turning on” this feature and setting associated values or properties. For example, you enable passcode history so that the device saves the passcodes over time and then configure how many passcodes you want to save. Or, you enable a virtual private network (VPN) policy and specify the server and VPN type.

    For other policies, you enable the policy and set it to “True” or “False.”

    True: This means that you are going to impose the policy and you are going to allow it. For example, you enable Bluetooth access policy to say “I am setting this policy” and then set it to “True” to allow the user to have Bluetooth access.

    False: This means that you are going to impose this policy and you are not going to allow it. For example, you enable Bluetooth access policy to say “I am setting this policy” and then set it to “False” to stop the user from using Bluetooth.

  • Policy disabled: Select this to defer setting this policy.

    When you set the policy to this state, the device reverts to its default setting, regardless of the settings set by the user or a parent group policy object. The default setting can be different for different device vendors.

To enable a mobile device policy setting in the Group Policy Management Editor:

  1. Open the Windows Group Policy Management administrative tool.
  2. Right-click the group policy object and select Edit to open the Group Policy Management Editor.

    Alternatively, you can create a new group policy object by right-clicking the domain and selecting Create a GPO in this domain, and Link it here.

  3. Expand CyberArk Identity Management Settings.

  4. Double-click a group policy to open the Properties window.

    Use the Policy tab to enable the policy. Click the Explain tab for an explanation of the policy and its options.

  5. Click Policy enabled.

  6. Select the options you want and enter or select the required values.

  7. Click OK or Apply to save the setting.

Reconcile policy settings in hierarchical policy sets and group policy objects

You can create hierarchical policy sets and group policy objects to apply different mobile device policies to different sets of users. For example, if you are using the CyberArk Cloud Directory policy service, you can create multiple policy sets and then arrange them from bottom to top to set base and then role-specific policies (see Apply hierarchical policy sets ), respectively. If you are using Active Directory, you can use the Default Domain Policy and then create separate GPOs to link to different organizational units.

Use the CyberArk Cloud Directory policy service

If you are using the CyberArk Cloud Directory policy service, the policy options are “Yes,” “No,” and “--” (not configured). If the policy is set to not configured, the device-default is used.

When you set the same policy differently in multiple policy sets, the setting in the higher policy sets on the Policies page replaces the setting in a lower policy set. The following table lists the policy setting from the lower policy set in the rows and the policy setting from the upper policy set in the columns and the setting that results on the device in the individual cell.

 

 

 

Upper policy set

 

 

 

Yes

No

--

Lower policy set

Yes

Yes

No

Yes

No

Yes

No

No

--

Yes

No

--

Notice that the upper policy set supersedes the lower except when the upper is set to “not configured.” In this case, the lower setting is applied.

Use Active Directory

If you are using Active Directory, the policy options are “Policy not configured,” “Policy enabled,” and “Policy disabled.” Active Directory settings are different from the CyberArk Cloud Directory policy service policy options because the “Policy enabled” setting is used to both allow and deny use of the feature or service and “Policy disabled” means “revert to the device default.”

The following table lists the policy setting from the parent GPO in the columns and the policy setting from the child set in the rows and the applied setting in the individual cell.

 

 

 

Parent GPO Setting

 

 

 

Policy enabled

Policy disabled

Policy not configured

Child GPO Setting

Policy enabled

Policy enabled*

Policy enabled

Policy enabled

Policy disabled

Policy disabled

Policy disabled

Policy disabled

Policy not configured

Policy enabled

Policy disabled

Policy not configured

* The applied setting in this cell can be misleading. Although the policy is enabled in both cases, if the parent GPO policy is set to “True” and the child GPO policy is set to “False,” the setting applied is “False.” If you wanted to keep the setting set in the parent, you would set the child to “Policy not configured.” (Setting to “Policy disabled” restores the default setting.) This is the only cell in which the state can be misleading.