The Addigy Compliance Engine continually monitors your devices to ensure they are safe to access your network and corporate resources. When devices fall out of compliance, Addigy takes the necessary actions, such as generating tickets, alerting admins, performing automated remediations, and, if necessary, restricting access to corporate resources.
Addigy Compliance is configured in the Catalog, where you are used to managing all of the assets in your Addigy environment.
Compliance is set up by creating a Benchmark (NIST, CIS, or one of your own) and then adding Rules to that Benchmark. A Benchmark consists of a bundle of Rules that check individual device states using Addigy Facts and Custom Facts.
Note: The NIST and CIS benchmarks will soon be included by default in your Organization. You will be able to implement them in whole or pick and choose the parts that make sense for your organization.
Once a Benchmark is created, it is then assigned to one or more Policies. Devices assigned to that Policy will then report their compliance status. You can view the Compliance results on the Devices and GoLive pages.
Let's go over how you can:
- Create a Rule
- Create a Benchmark
- Apply the Benchmark to devices
- View Compliance results
Note: The Addigy Compliance Engine can be accessed programmatically via the Addigy API v2. Contact Addigy Support for access to API v2.
Create a Rule
The fundamental piece of the compliance engine is the Rule. Rules are very similar to Alerts: they allow you to set up real-time monitoring on a specific device fact along with automated remediation. These are the pieces that make up a Benchmark. For example, you can have a Rule that checks if FileVault is enabled.
You can create your first Rule by navigating to Catalog -> Compliance -> Rules and then pressing "New".
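As an added example (not Addigy's own code), here is a Custom Fact script that a FileVault Rule like the one mentioned above could evaluate. It assumes the Custom Fact's value is whatever the script prints to standard output; the function names and state words are hypothetical, and the sample `fdesetup status` lines in the comments are constructed.

```sh
#!/bin/sh
# Added example: Custom Fact script for a "FileVault is enabled" Rule.
# Assumption: the fact's value is the single word this script prints.

# Map the text printed by `fdesetup status` to one state word.
# Constructed sample outputs this handles:
#   FileVault is On.
#   FileVault is On. / Encryption in progress: Percent completed = 42
#   FileVault is Off. / Decryption in progress: Percent completed = 10
#   FileVault is Off. / Deferred enablement appears to be active for user 'x'.
# The in-progress checks come first because "FileVault is On." is also
# printed while the disk is still only partly encrypted.
classify_filevault() {
    case $1 in
        *"Decryption in progress"*)  echo "decrypting" ;;
        *"Encryption in progress"*)  echo "encrypting" ;;
        *"Deferred enablement"*)     echo "deferred" ;;
        *"FileVault is On."*)        echo "on" ;;
        *"FileVault is Off."*)       echo "off" ;;
        # Unrecognised or empty output fails closed instead of passing.
        *)                           echo "unknown" ;;
    esac
}

# Policy choice made for this example: only a fully enabled volume
# counts as compliant; every other state should trip the Rule.
is_compliant() {
    [ "$(classify_filevault "$1")" = "on" ]
}

# On a Mac, print the state word as the fact value.
if command -v fdesetup >/dev/null 2>&1; then
    classify_filevault "$(fdesetup status 2>&1)"
fi
```

A Rule built on this fact would treat any value other than `on` as out of compliance.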
Create a Benchmark
Benchmarks consist of one or more Rules. Benchmarks are also created from the Catalog page and are how we group our Rules. Popular benchmarks such as CIS and NIST will be supported out of the box in the future.
You can create a Benchmark by navigating to Catalog -> Compliance -> Benchmarks.
Once your Benchmark is complete, you can start adding and removing Rules to create the perfect compliance benchmark for your organization. Once you've found the right set of Rules, press the save button.
NOTE: If your device does not meet the minimum version set, it will not be picked up by the compliance benchmark.
Apply your Benchmark
Now that your benchmark is ready, you can start tracking the compliance of your devices. To select the devices that you want to check for compliance, find the policy where these devices exist and apply the Benchmark item to that policy. Compliance can be added to Flex Policies or your standard Policy Hierarchy.
On the policy view, select Compliance at the bottom of the left navigation bar, select your benchmark from the table, and then press the Add/Remove button. Then deploy the policy. The compliance benchmark will run against your devices on their next check-in (~5 mins).
View Compliance Results
Now that our benchmark is properly applied, let us look at the results. We can view compliance at a high level from the Devices page by adding in the "Compliant" device fact.
You can click on the red/green icons in the Compliant device fact column to get more details on which benchmark is out of compliance and which Rules specifically.
Furthermore, you can see the individual status in GoLive.
The Addigy Compliance Engine allows you to quickly and easily build bundles of monitoring alerts and remediation to keep your devices as safe as possible, while also giving you clear insight into what may be going wrong when devices are out of compliance. This information can be leveraged to move devices between policies to grant or restrict access to certain software and data.