Configure compliance alert rules - Primo Documentation

A compliance alert rule tells Primo: “For this rule type, these statuses should trigger an alert.” Until you configure rules, the alerts list stays empty — Primo collects status data but does not flag anything.

Open the rules panel

Go to MDM > Compliance Alerts.
Click Manage rules in the top-right of the page.

The page lists every rule type as its own section, with one toggle per possible status.

Two kinds of rules

Global rules — Enrollment Status and Online Status. These apply to every managed device and don’t depend on any MDM control being configured. They’re always available to configure.
MDM control rules — every other rule type (encryption, OS update, password policy, firewall, Wi-Fi, antivirus, admin user management, and so on). These only become configurable once the matching MDM control exists.

If a rule’s underlying MDM control isn’t set up yet, the rule appears at the top of the page in a banner labelled “X compliance alerts can’t be set up yet”, with a chip for each affected rule and a Manage MDM controls button that takes you to the MDM controls page. Configure the control there and the rule moves into the main list.

Configure a rule

Find the rule

Scroll to the rule type you want to configure (for example, Enrollment Status, Online Status, Recovery OS, Encryption).

Toggle the statuses that should trigger an alert

Each rule lists every possible status the device can report. Turn on the toggle next to each status you want to treat as a violation, and leave the rest off.For example, on Online Status, many teams turn on Offline 7+ days but leave Offline off, because short check-in gaps are normal.

Changes save automatically

From the next device sync onward, any device reporting a flagged status appears on the Compliance Alerts page.

A rule with no statuses toggled on is effectively off — Primo records the status but never raises an alert.

Reduce alert noise

If the alerts list is too noisy, return to Manage rules and turn off statuses that are too transient or expected. Common adjustments:

Online Status — Offline: short check-in gaps are normal. Many teams alert only on Offline 7+ days.
Encryption — Pending escrow: the device is encrypting and uploading the recovery key. Often safe to leave off.
OS Update — Grace period: a Windows device that’s late on an update but still inside its grace window. Leave off if you don’t want admins to act until the grace period ends.

After you change a toggle, the next device sync recomputes the alert list and devices in those statuses drop off automatically.

Rules waiting on an MDM control

Rules tied to MDM controls become configurable as soon as the underlying control is set up. Examples:

Rule	Becomes available when
ThreatDown / SentinelOne	The endpoint protection integration is connected
USB Blocking, App Blocking, Disable AirDrop, Screen Capture, Lock Profiles Pane	The matching MDM control exists
Admin Password Rotation	The admin password rotation control is configured
Entra SSO, Okta SSO	The corresponding identity control is configured

Click Manage MDM controls in the banner at the top of the rules page to jump straight to the MDM controls list.

Permissions

Action	Permission
View rules	`MDM_READ`
Edit rules	`MDM_WRITE`

Next steps

Monitor compliance alerts — work through the list of devices currently in violation.

Documentation Index

​Open the rules panel

​Two kinds of rules

​Configure a rule

​Reduce alert noise

​Rules waiting on an MDM control

​Permissions

​Next steps