Compliance

In This Section: Overview of Compliance Planning for Compliance Rules Configuring Compliance Policy Rules Monitoring Compliance States The Heartbeat Interval

The Compliance Software Blade makes sure that endpoint computers comply with security rules that you define for your organization. Computers that do not comply show as non-compliant and you can apply restrictive policies to them.

Overview of Compliance

Compliance makes sure that:

• All assigned Software Blades are installed and running on the endpoint computer.
• Anti-Malware is running and that the engine and signature databases are up to date.
• Required operating system service packs and updates are installed on the endpoint computer.
• Only authorized programs are installed and running on the endpoint computer.
• Required registry keys and values are present.

  Note - Registry and File Version checks are not relevant for Mac.

If an object (for example an OU or user) in the organizational tree violates its assigned policy, its compliance state changes, and this affects the behavior of the endpoint computer:

• The compliant state is changed to non-compliant.
• The event is logged, and you can monitor the status of the computer and its users.
• Users receive warnings or messages that explain the problem and give a solution.
• Policy rules for restricted computers apply.

Planning for Compliance Rules

Before you define and assign compliance rules, do these planning steps:

1. Identify the applications, files, registry keys, and process names that are required or not permitted on endpoint computers.
2. Collect all information and remediation files necessary for user compliance. Use this information when you create remediation objects to use in compliance rules.

   Compliance rules can prevent users from accessing required network resources when they are not compliant. Think about how to make it easy for users to become compliant.

3. Make sure that the firewall rules gives access to remediation resources. For example, sites from which service packs or Anti-virus updates can be downloaded.

   Note - In Windows 7, make sure the Interactive Service Detection service is running. This is necessary for remediation files (running with system credentials) that must interact with the user.

4. Define rule alerts and login policies to enforce the rules after deployment.