As part of our Device Compliance features, we make available a set of pre-built benchmarks so you can easily test your devices for CIS and NIST compliance and enforce it.
These benchmarks are available for anyone to deploy in just a few seconds. You can find these ready-to-deploy benchmarks in the Compliance tab of the catalog.
Addigy also provides pre-built iOS benchmarks that push down a profile aligned with the CIS guidelines for iOS Compliance. This benchmark differs from the others in that it only pushes a profile, and monitoring is based on whether the profile was deployed successfully.
Which benchmark should I use?
Your security requirements are up to your organization. The Level 1 CIS set consists of over 80 rules that provide very comprehensive security. The NIST options are even more rigid. For many customers, the full set is too strict, so they simply clone the original and select only the rules needed.
Where are the pre-built benchmarks generated from?
Pre-built benchmarks are based on the guidelines provided by the Center for Internet Security and the National Institute of Standards and Technology. We also leverage open-source resources such as https://github.com/usnistgov/macos_security.
Is there a risk to using a pre-built benchmark?
The rules from CIS and NIST are open source and regularly tested. We're confident that they provide the best option for industry-recommended security. Furthermore, we constantly monitor the spec for any changes so that the rules you assign are updated as needed.
I have other compliance rules that aren't in either spec.
A common compliance rule many organizations have is that anti-virus software must be installed on all devices. Creating custom rules and benchmarks is easy, and your custom benchmarks can be assigned to the same policies. We recommend using the official rules when possible because they may get updated from time to time.
Should I select Monitor and Remediate or Monitor-Only?
Monitor and Remediate will enforce compliance on the device by running scripts or installing profiles as needed to ensure that each device passes the benchmark. Most customers prefer Monitor and Remediate to reduce the need for a human admin to be involved. Monitor-Only will run the same tests but will not attempt to fix any issues. Reports are available to see which rules passed or failed for each device.
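As an added example (not Addigy's code or the benchmark rules themselves), the script below shows the check/fix shape behind the two modes, using the anti-virus rule from the custom-rules question above: Monitor-Only runs the check and reports, Monitor and Remediate runs the fix on failure and re-checks. The AV_APP_PATH marker directory, the function names and the stand-in fix are constructed for illustration.

```shell
#!/bin/bash
# Added example: one custom compliance rule run in "monitor" or "remediate"
# mode. The rule is a stand-in for "anti-virus installed" that checks for an
# application directory (constructed path, override via AV_APP_PATH).
AV_APP_PATH="${AV_APP_PATH:-/Applications/ExampleAV.app}"

# Check: print the observed value. Rules in usnistgov/macos_security follow
# the same pattern (a check command whose output is compared to a result).
rule_check() {
    if [ -d "$AV_APP_PATH" ]; then echo 1; else echo 0; fi
}
rule_expected=1

# Fix: stand-in remediation that only creates the directory. A real rule
# would install the agent or push a configuration profile.
rule_fix() {
    mkdir -p "$AV_APP_PATH"
}

# run_rule MODE  (MODE is "monitor" or "remediate")
# Prints pass | fail | remediated | fail_after_fix; returns 0 when the
# device ends in a compliant state, 1 otherwise.
run_rule() {
    mode="$1"
    if [ "$(rule_check)" = "$rule_expected" ]; then
        echo pass
        return 0
    fi
    if [ "$mode" != "remediate" ]; then
        # Monitor-Only: report the failure, do not change the device.
        echo fail
        return 1
    fi
    rule_fix
    # Re-run the check so the report reflects the post-fix state rather
    # than assuming the fix worked.
    if [ "$(rule_check)" = "$rule_expected" ]; then
        echo remediated
        return 0
    fi
    echo fail_after_fix
    return 1
}
```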