Creating Location rules

Depending on your Absolute product licenses and the configuration of your account, Location rules may not be available.

In the Policies > Rules area, you can configure and activate a Location rule to automatically send an email notification when a device changes its location, or when it exits or enters a defined geofence. You can apply your rule to the devices in one or more device groups.

Example

Your organization has a policy that prohibits your employees from removing their laptop from the office. You use the Rules feature to draw a geofence around your office building and then configure the rule to notify you if a device leaves the area defined by the geofence.

Email notifications may be delayed depending on the connection status of the device. If a device is offline when a device-level event occurs, the rule is not triggered until the device comes back online and checks in to the Absolute Monitoring Center.

To use the Rules feature to help you monitor the location of your devices, the Geolocation Tracking policy needs to be activated in one or more policy groups.

For stolen devices, geolocation-related events are not logged while the theft investigation is open. As a result, any Location rules applied to the device are not triggered.

To create rules and geofences, your user role needs to be granted the Manage permission for Rules. All default Administrator user roles are granted this permission.

To create a rule:

  1. Log in to the Secure Endpoint Console as a user with the Manage permission for Rules.
  2. On the navigation bar, click Policies > Rules.

  3. Click Create rule and click Unexpected location change.

  4. On the Unexpected location change dialog, click the title and enter a name for the rule.
  5. [Optional] Click Add description and enter a description for this rule.
  6. Do one of the following:
    • If you want to be notified when a device exits a geofence, click the enters field and select exits.
    • If you want to be notified when a device enters geofence, go to the next step.
  7. You can specify the geographical area within which devices can (or can't) reside by entering location names, or by creating custom geofences. Click the field to the right of the enters field and do one of the following:
    • To create a custom geofence, begin entering a location name and then click Draw a geofence.
    • To specify a location:
      1. Begin entering the city, state, province, or country name of the location you want to use.

        2. If you want to create a rule to ensure that your devices comply with International Traffic in Arms Regulations (ITAR), begin entering ITAR Prohibited Countries and then select it.

      2. From the list of options that shows, select the applicable location. The location is added to the field.

      • To be notified when a device enters or exits a location below city level, such as a neighborhood or city block, create a geofence.

  8. Repeat step 7 for each geofence that you want to include in this rule. You can add as many as you want.

    If you add a location that is within another added location, the rule is not triggered for the more specific location. For example, if you add Alabama and USA, you are only notified when the device enters (or exits) USA.

  9. Do one of the following:

    • If the Include IP locations checkbox shows, and you want public IP address changes to trigger this rule when Wi-Fi and OS locations are unavailable or invalid, select the checkbox. Note that selecting this option may increase the number of false alerts generated by this rule.

      If you do not select the checkbox, the rule will not be triggered when the device moves to an IP location.

    • If the Include IP locations checkbox doesn't show, go to the next step.

    The availability of the Include IP locations checkbox is controlled by your account's Geolocation setting. Learn more

  10. If you added two or more locations, the following option becomes available:

    Do not trigger rule when device moves between any above locations

    Select this checkbox if you don't want to be notified when a device moves from one of the specified locations to another.

    This option applies to locations only. If you also added one or more custom geofences, the rule is still triggered when a device moves between two custom geofences or between a custom geofence and a location.

    When this option is not selected, the rule is triggered when a device enters (or exits) any of the specified locations, regardless of where it moved from (or to). For example, if a rule is configured to send an email when a device exits Canada or the US, the rule is triggered when a device moves between the two countries.

  11. The Send email field is prepopulated with your email address. Do one of the following:

    • To send email notifications to other users:

      1. Click Edit and click the field to open a selection list of email addresses associated with your account.

      2. Begin entering each email address and then select it from the list. To send alerts to individuals that are not console users, enter their full email address, pressing Enter after each one. To remove an address, click its icon. When you're done, click Close.

    • To disable email notifications entirely, click Edit and remove all email addresses from the field. When you're done, click Close.

      When the rule is triggered, an event is logged to the Events page in the History area, but no emails are sent. You may prefer this option if Absolute is integrated with a SIEM application.

  12. [Optional] To include a map of the device's geographical location in the email notification, select the Show device location on map checkbox. The map shows the device's primary location, any secondary locations, and its associated geofences, if applicable.

    Note that Geolocation permissions are not applied to email notifications. If you choose to include the map, all email recipients will see the device's location on the map, regardless of whether they are granted Address-Level View permissions for Geolocation.

  13. In the Apply to section, one of the following shows:

    • If you can manage all devices, All Active Devices shows.

    • If you can manage the devices in select device groups only, your assigned device groups show.

    To change the device groups that the rule applies to, click Edit and do the following:

    1. Click the field and select each device group. To remove a device group, click its "x" icon.

      If you can manage the devices in select device groups only, a warning message shows when you add a device group. Learn more

    2. If you selected All Active Devices in the previous step, you can exclude one or more device groups. Select the Exclude device groups checkbox and click the field to select each device group you want to exclude. To remove a device group that you added, click its "x" icon.
    3. When you're done, click outside the field and click Close.

    Within each selected device group, the rule is only applied to devices with an activated Geolocation Tracking policy.

  14. To activate the rule now, click Save and activate. To activate it later, click Save.

    The new rule is added to the Rules page, and a Rule created event is logged to Event History.

    To view your new rule's geofences on a map, along with all other configured geofences, go to map view.

    15. If the rule is active, it is applied to the devices in the specified device groups. Going forward, when the location of a device changes and its new location meets the conditions set in this rule, an email notification is sent to all specified recipients.

    Going forward, when a device's location changes, two events are logged to Event History: Device location updated (or Public IP location updated), and Rule triggered. In addition, if the device moved inside a geofence, a Device entered a geofence event is logged; if it moved outside a geofence, a Device exited a geofence event is logged.