Device Compliance
Overview
The Device Compliance pack gives an understanding of device compliance from multiple aspects across your device landscape. With dashboards for how well protected your devices are, system, software, and network compliance the pack gives a complete picture.
Each aspect of compliance is tracked and scored so that a simple numerical value can be used to understand your compliance status for that area. In addition, there are breakdowns by multiple angles, such as whether your devices are local or remote from the Office, by device type, by location, by model, and by OS.
There are some compliance aspects that function immediately that the pack is installed and some that require a small amount of configuration, which now follows.
Configuration
The pack uses a number of categories, which should be configured according to the needs of your organization.
Compliance (Binary Category)
NOTE: This is the binary category as there are multiple categories called Compliance. In this category, there are three tags to represent the corporate browser, binaries that should not be present at all (no matter what version) and binaries that are considered non-compliant if they are beneath a certain version. Please populate according to your corporate needs.
Compliance (Domain Category)
This contains the list of passlisted (allowed) or blocklisted (forbidden) domains for your corporation if you wish to list them. The pack has dashboards showing the compliance regarding devices visiting these domains.
Corporate AV
This category is to be populated with the corporate Anti-virus that is used at your Organization under the "yes" tag. The "no" tag should be left to all other matches so that it is either finding the Anti-virus or not.
Corporate FW
This category is to be populated with the corporate Firewall that is used at your Organization under the "yes" tag. The "no" tag should be left to all other matches so that it is either finding the firewall software or not.
Local admin passlist
This category defines devices where it is approved to have admin privileges. Manually tag any devices to which this applies according to your corporate policy.
Proxy passlist
This category defines devices where it is approved to reach external destinations. Manually tag any devices to which this applies according to your corporate policy. If you have a corporate policy allowing all devices of a particular type (for example, workstations and laptops) to access external destinations (e.g. the internet) then use a dynamic rule to include these types of devices.
OS Compliance
This category is to be populated with the corporate Operating System(s) used at your Organization. The dashboard will show any non-compliant devices from this perspective.
OS Name
This category groups operating systems together, as you introduce new Operating Systems into your Organization please add new tags for it.
Type (Application Category)
This category is for applications by type, please group your applications according to the relevant type.
Model
This category groups different models of devices together. Please ensure the groupings match your Organization hardware device types.
Remote Worker vs Office Worker Device
This category will tag devices as remote based on their IP address. It works on the principle that ranges for workers that are on-site ("Office-Based Worker") is defined and automatically detected, with any other address considered being remote from the environment and so defining the worker as a "Remotely Connected Worker".
To successfully use this category, please define the ranges that your organization uses when employees are present at the office, i.e. not remote. It is important that the "Last Local IP Address" subnet ranges to match the IP configuration for your business.
So, for example, if you use a 10. x.y.z address for your internal addressing when in the Office, ensure this is set in this category. It is pre-populated with 10. x.y.z and 172.16.y.z as these are commonly used for internal addressing when at work. TIP: you can also use "not in subnetwork" to exclude particular ranges that might be within a larger range.
Please note that the automatic detection using the IP address uses a feature (last local IP) that is only available since version 6.24 of Nexthink and only when the collector is using TCP as its communication channel. If your environment is below this level, or still uses UDP, then please use the manual categorization of the User class, to identify your remote employees.
Finally, note that there is no fixed reason that this method has to be used. If you wish to remove the dynamic criteria and simply statically assign a portion of your devices with this category, this will also work.
Last updated