Compliance checks - Does anyone actually know how it works?

Question

I'm puzzled.

Could someone please explain how compliance checks are carried out on iOS devices and whether the SMC app is a requirement?

For instance, I have configured a basic compliance rule stating devices must have a passcode, but removing the passcode from devices does not create a non-compliance situation no matter how long I wait.

Does the SMC app have to be installed for all aspects of compliance checks to work or only for certain features? If so is there any way to enforce the installation other than on "supervised" devices, after all we can't configure BYOD objects as "supervised".

Hopefully someone knows or is everyone as confused as I am.

Come on Sophos, the documentation and information around this is pretty poor.

This thread was automatically locked due to age.

SDU · Accepted Answer

Hi Neil, your description regarding the delays is correct. As far as I know, it is not possible to let the device synchronize once there is a change within the OS like the passcode. Therefore, the SMC server has to wait until the device synchronizes it's latest information. By default this synchronization is done every 24 hours. For iOS this interval can be changed in the "EAS Proxy" screen of the Conifugration Wizard (the "Device Sync interval"). See also page 27 of the installation guide. That is also the place where you configure how often the compliance check is carried out. The default for that setting is that the check is done every 4 hours. If you want to can configure the device sync to happen every 12 hours for example. During the synchronization abuot 400 KB are uploaded from the device to the server. The battery usage can be, in my opinion, neglected if you sync twice a day. Regarding the SMC App you can also define it as a required app, so the user will have to install it to be compliant,. Hope this helps. Best regards Stefan :54567