Venn conducts continuous compliance monitoring in order to actively ensure the security of the devices where users are accessing Blue Border™.
As a Company Manager, you can configure Device Policies, which allow you to communicate expectations and enforce device requirements to access Venn's Blue Border using Security Compliance Checks.
You can set Default Device Policies, which are applied to all Venn users as a baseline. You can also create Policy Overrides, which allow you to set Device Policies that supersede the default policy for a single user or a group of users.
Learn how to view and manage Device Policies for your company.
How Device Policies Work
Device Policies allow you to communicate expectations and enforce device requirements to access Blue Border using Security Compliance Checks. As a Company Manager, you can manage your company's Device Policies on the Device Policy page in Company Admin. Learn how to configure and manage Device Policies for your company.
Default Policy and Policy Overrides
Your company's Default Policy sets the standard device expectations and requirements that apply to all Venn users by default. You can also create Policy Overrides, which allow you to set Device Policies that supersede the default policy for a single user or a group of users. Policy Overrides can be created for an individual user by name, for a user group, or for an IP address.
For example, if you want to require that users' devices have a screen saver timeout setting in place on all devices that are not in your secure data center, you could set up the following using the Screen Saver Timeout Device Policy:
- Default: Set your Screen Saver Timeout Policy to Required
- Override: Create a policy override for your data center's network IP address range and set the Screen Saver Timeout Policy to Recommended or Not Checked for that group
Conditional Access Setting
All defined (required and recommended) Device Policies are checked when users log in to Venn and continuously monitored when they are logged in. You can determine whether or not to implement Conditional Access for your Device Policy, which enforces device requirements to access Blue Border for required Security Compliance Checks.
Conditional Access can be set to:
- Disabled: Users can still access and work within Venn whether their device passes or fails the checks.
- Strict: Users will only be able to access and work within Venn when their devices pass all required compliance checks.
  - If a user's device does not pass all required compliance checks when they are logging in to Venn, they will not be able to access Venn until they pass required checks.
  - If a user is already logged in when their device goes out of compliance, they will receive a three-minute warning, which gives them time to fix the issue before they are logged out of Venn. The user will not be able to launch any additional apps in Blue Border during the three-minute warning.
We recommend disabling conditional access when your company first starts using Venn in order to communicate expectations without barring access to Venn. You can then monitor and work with users to get their devices in compliance before setting conditional access to strict.
Security Compliance Check States
You can choose to set the following states for each Security Compliance Check:
- Not Checked: Policy will not be checked
- Recommended: Policy will be checked when users log in to Venn and continuously monitored when they are logged in; users will not be prevented from accessing Venn on their device if they fail this check, even when Conditional Access is set to Strict
- Required: Policy will be checked when users log in to Venn and continuously monitored when they are logged in; users will be prevented from accessing Venn on their device if they fail this check when Conditional Access is set to Strict
Compliance Status is reported to the user and tracked in Company Admin.
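The way the Default Policy, a Policy Override and the Conditional Access setting combine can be worked through in code. The following Python model is an added example, not Venn's code or API: the function names, the 10.20.0.0/16 data center range, the sample device results, and the choice to treat a missing check result as a failure are all assumptions made for illustration.

```python
# Added model of the rules above; not Venn's code or API. All names are hypothetical.
from ipaddress import ip_address, ip_network

NOT_CHECKED, RECOMMENDED, REQUIRED = "Not Checked", "Recommended", "Required"

# Constructed sample configuration, following the screen saver example on this page.
DEFAULT_POLICY = {
    "Screen saver timeout": REQUIRED,
    "Encryption": REQUIRED,
    "Firewall": RECOMMENDED,
}
# One Policy Override keyed on an IP range (10.20.0.0/16 is a made-up data center range).
OVERRIDES = [("10.20.0.0/16", {"Screen saver timeout": NOT_CHECKED})]


def effective_states(client_ip, default=DEFAULT_POLICY, overrides=OVERRIDES):
    """Start from the Default Policy; a matching override supersedes it per check."""
    states = dict(default)
    for cidr, override_states in overrides:
        # Assumption: overlapping overrides apply in list order; the page
        # does not define precedence between them.
        if ip_address(client_ip) in ip_network(cidr):
            states.update(override_states)
    return states


def evaluate(states, results, conditional_access):
    """Return (access_allowed, failed_required, failed_recommended).

    results maps check name -> True/False as observed on the device.
    Assumption: a check with no reported result counts as failed.
    """
    def failed(state):
        return sorted(c for c, s in states.items()
                      if s == state and not results.get(c, False))

    failed_required = failed(REQUIRED)
    # Only Strict blocks access, and only on Required checks.
    allowed = conditional_access != "Strict" or not failed_required
    return allowed, failed_required, failed(RECOMMENDED)


if __name__ == "__main__":
    # Constructed device report: no screen saver timeout, firewall off.
    device = {"Screen saver timeout": False, "Encryption": True, "Firewall": False}
    for ip in ("203.0.113.7", "10.20.4.9"):      # remote user vs. data center
        for mode in ("Disabled", "Strict"):
            print(ip, mode, evaluate(effective_states(ip), device, mode))
```

With Conditional Access set to Strict, the same device is blocked from the remote address and allowed from the data center range, while the failed Recommended check is reported in both cases without affecting access.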
Available Device Policies for Desktops and Laptops
Compliance Check | Check Description | Remediation Instructions for Users |
---|---|---|
Antivirus installed | Requires the installation of antivirus software to protect devices against malware. | No Antivirus Installed |
Antivirus Threat Status | Requires that the installed antivirus software is not reporting an unresolved threat on a device. | Virus Detected |
Antivirus Real-Time Protection | Requires antivirus software to be actively protecting devices at all times. | Antivirus Real-Time Protection Disabled |
Antivirus Definitions | Requires antivirus software to be updated with the latest threat detection definitions in order to protect against known threats. You need to set the number of days a user has to update the antivirus definitions. | Antivirus Signatures Are Out of Date |
Encryption | Requires hard drive encryption to be enabled in order to prevent access to sensitive data in the event a device is lost or stolen. | Hard Drive Encryption Disabled |
Operating system auto-update | Requires operating systems to be set to update automatically. You need to specify the period of time that updates should have last been applied. This will ensure the latest operating system updates and security patches are applied, keeping the device secure. | Operating System Auto-Update Disabled |
Unauthorized applications | The unauthorized application check adds an additional layer of protection for your organization by allowing administrators to specify applications that should not be installed on your device. | |
Login password | Requires a device to have a login password set to protect against unauthorized access. | Login Does Not Require Password |
Screen saver enabled | Requires that a screen saver be set on the device to protect sensitive data when the device is not actively being used. | Screensaver Disabled, Lock Disabled, or Timeout Not Acceptable |
Screen saver lock (Windows platform only) | Requires a password to resume working after the screen saver has engaged to protect devices from physical access. This should be used in conjunction with the “Screen saver timeout” check. | |
Screen saver timeout | Requires the screen saver to engage when a device is not actively being used. You need to specify the number of minutes of inactivity before the screen saver should be activated. This should be used in conjunction with the “Screen saver lock” check. | |
Firewall | Requires the use of a personal firewall on devices to help prevent unauthorized external access. | Firewall Disabled |
Operating system supported | Requires all devices to be running on a supported operating system. This ensures that only operating systems still eligible for updates and security patches from the vendor are used. | Operating System is not Supported |
Known devices | Requires devices to be marked as “Known” by a company manager. Devices can be marked as “Known” in the “All devices” section of the Company admin page in Workplace. Only unique user-device combinations that have been previously marked as known in Company Admin are classified as Known Devices. Learn more about how Venn determines if devices are "known." | Device Not Marked as Known |
Available DLP Policies for Mobile Devices
Compliance Check | Check Description | Remediation Instructions for Users |
---|---|---|
Passcode set | Requires that users set a passcode on their mobile devices. | Mobile Compliance Check: Passcode Set on Android; Mobile Compliance Check: Passcode Set on iOS |
Encrypted (Android Only) | Requires Android users to encrypt their device. Note: On iOS devices, setting a passcode will also encrypt the device. | Mobile Compliance Check: Encryption on Android |
Genuine Android OS / iOS | Requires that a genuine Android OS or iOS is installed as the Mobile Operating System, ensuring that it hasn’t been jailbroken or rooted. | Mobile Compliance Check: Genuine Android OS; Mobile Compliance Check: Genuine iOS |
Mobile device marked as known | Requires devices to be marked as "known" in your company's admin settings, meaning that the device is approved for work use. | Mobile Compliance Check: Mobile Device Marked as Known |
Operating system supported | Requires that the mobile device is running on a supported operating system. | Mobile Compliance Check: Operating System Supported |