
Device Compliance Assurance

Overview

Summary

The Nexthink Device Compliance Assurance Library package provides organizations with the actionable information they need to bring their devices and software into compliance.

Problem

Our reliance on SaaS applications, continuously updated operating systems, and stricter security policies has made the modern device a compliance nightmare, requiring constant updates to ensure performance, security, and compatibility.

Non-compliant devices will silently fall out of date, leaving users frustrated while support teams receive tickets that could have easily been avoided. Ultimately, even security needs to get involved when devices that have gone unnoticed for too long start creating security risks.

Solution

Monitor the overall compliance of devices in your landscape with respect to admin rights, versioning, and security. Quickly drill down and remedy non-compliance to avoid unnecessary frustration, support tickets, or questions from your security team.

This all-in-one dashboard offers the helicopter view needed to see and assess compliance across key compliance areas, such as:

  • configuration management agents' presence,

  • unauthorized administrator rights for local users,

  • OS versioning across macOS and Windows,

  • Anti-virus and firewall,

  • Encryption status.

Key features

  • Single dashboard for complete visibility over key elements of compliance in the IT landscape.

  • Filters to drill down from specific locations or device types, down to a single device.

  • Monitoring of elements across both Windows and macOS devices.

  • A wide range of remediation remote actions to enable, set, or disable specific features in order to enforce compliance when necessary.

Changelog

V1.0.0.0 - Initial Release

Dependencies

This Library Pack contains widgets that make use of data collection remote actions to retrieve compliance data. The following remote actions need to be scheduled to populate these widgets:

  • Get local administrators (Windows);

  • Get Windows Defender information (Windows);

  • Get BitLocker information (Windows);

  • Get accounts information (macOS);

  • Get XProtect status (macOS);

  • Get encryption information (macOS);

  • Get firewall options (macOS).

This Library Pack also contains remote actions to remediate detected issues and inconsistencies. The following remote actions can be used for remediation:

  • Update Windows Defender definition (Windows);

  • Enable BitLocker encryption (Windows);

  • Install Windows Update (Windows);

  • Set firewall options (macOS);

  • Set Xprotect status (macOS);

  • Set auto-updates (macOS);

  • Disable root account (macOS);

  • Disable guest account (macOS).

Pack Structure

The pack comprises a single dashboard with four tabs and a set of both data collection and remediation remote actions related to the dashboard.
These remote actions and dashboard tabs are described below.

When you install this library pack for the first time, you must set up schedules for the following data collection remote actions:

  • Get local administrators (Windows);

  • Get Windows Defender information (Windows);

  • Get BitLocker information (Windows);

  • Get accounts information (macOS);

  • Get XProtect status (macOS);

  • Get encryption information (macOS);

  • Get firewall options (macOS).

The procedures are outlined below.

Remote Actions

Data Collection Remote Actions

Get local administrators (Windows only)

This remote action obtains a list and a total number of identities (local and domain users or groups) that are members of the target device's Administrators group, filtered by the provided whitelist.

This remote action acts as the data source for the Windows Local administrator identities widget group on the Device overview tab.

We recommend configuring this remote action to run daily on all active Windows devices.

Please note: this remote action requires additional configuration via the Whitelist input parameter. If this parameter is specified, the remote action ignores the specified accounts and groups and does not display them in the output. For example, every Windows device has a built-in administrator account that will show up in the results of a remote action if it is not specified in the Whitelist option.

  • This remote action requires strict formatting of its Whitelist parameter: its values must be specified one at a time, separated by commas, without single or double quotes, and without double slashes for domain groups;

  • The Whitelist input parameter of this remote action requires all localizations of built-in accounts to be specified. For example, [English] Administrator, [French] Administrateur, [Spanish] Administrador.
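
As an added illustration (not Nexthink's remote action script, whose matching logic this page does not describe), the following PowerShell parses a Whitelist string in the format above and reports the Administrators members that remain. The function names, the sample identities (PC01, CORP), and the rule that a bare name matches only an account local to the device are assumptions.

```powershell
# Added example; not the Nexthink remote action's own code.
function ConvertTo-WhitelistSet {
    param([string]$Whitelist)
    $set = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($entry in ($Whitelist -split ',')) {
        $value = $entry.Trim()
        if (-not $value) { continue }
        # Reject the formatting mistakes the Whitelist parameter does not accept.
        if ($value -match '["'']') { throw "Quotes are not allowed: $value" }
        if ($value -match '\\\\')  { throw "Use a single backslash: $value" }
        [void]$set.Add($value)
    }
    return ,$set   # the comma stops PowerShell from unrolling the set
}

function Get-UnlistedAdministrator {
    param(
        [string[]]$Member,
        [string]$Whitelist,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $allowed = ConvertTo-WhitelistSet -Whitelist $Whitelist
    $unlisted = @($Member | Where-Object {
        $scope, $leaf = $_ -split '\\', 2
        # Assumption: a bare name such as Administrator covers only the
        # device's own account, never a domain account with the same name.
        $isLocal = $scope -eq $ComputerName
        -not ($allowed.Contains($_) -or ($isLocal -and $allowed.Contains($leaf)))
    })
    [pscustomobject]@{ Count = $unlisted.Count; Identities = $unlisted }
}

# Constructed sample: members of the Administrators group on a
# French-localised device (PC01 and CORP are made-up names).
$members = 'PC01\Administrateur', 'CORP\Domain Admins', 'CORP\Administrator',
           'CORP\jdoe', 'PC01\helpdesk'
# Every localisation of the built-in account is listed, as the page requires.
$whitelist = 'Administrator, Administrateur, Administrador, CORP\Domain Admins'

Get-UnlistedAdministrator -Member $members -Whitelist $whitelist -ComputerName 'PC01'

# On a live device, read the members through the group's well-known SID,
# which is the same in every display language:
# $members = (Get-LocalGroupMember -SID 'S-1-5-32-544').Name
```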

Get Windows Defender information (Windows only)

This remote action provides a set of fields with information about the Defender engine, product version, full and quick scans age, definition files (last update), and status of several components.

This remote action acts as the data source for the Windows Defender tab widgets.

We recommend configuring this remote action to run daily on all active Windows devices.

Get BitLocker information (Windows only)

This remote action returns basic information on BitLocker protection status, including whether the volume and key are secured, the encryption percentage, the encryption algorithm used, and the protectors used to secure the key.

This remote action acts as the data source for the Windows encryption compliance widget group on the Security applications tab.

We recommend configuring this remote action to run daily on all active Windows laptops (or all Windows devices).

Get accounts information (macOS only)

This remote action reports standard and administrator user account names and their count. It also reports if Guest or root accounts are enabled.

This remote action acts as the data source for the macOS local administrator identities widget group on the Device overview tab.

We recommend configuring this remote action to run daily on all active macOS devices.

Get XProtect status (macOS only)

This remote action retrieves the configured state of macOS XProtect, the built-in antimalware system.

This remote action acts as the data source for the macOS antivirus compliance widget group on the Security applications tab.

We recommend configuring this remote action to run daily on all active macOS devices.

Get encryption information (macOS only)

This remote action retrieves disk encryption and decryption information for the APFS file system and checks whether FileVault is enabled.

This remote action acts as the data source for the macOS encryption compliance widget group on the Security applications tab.

We recommend configuring this remote action to run daily on all active macOS devices.

Get firewall options (macOS only)

This remote action indicates whether the firewall is enabled and which options are applied.

This remote action acts as the data source for the macOS firewall compliance widget group on the Security applications tab.

We recommend configuring this remote action to run daily on all active macOS devices.

Remediation Remote Actions

Update Windows Defender definition (Windows only)

This remote action forces an update of Windows Defender if the device does not have the latest version of the Windows Defender malware or spyware definitions.

This remote action should be performed if outdated Windows Defender signatures are found in the Windows Defender tab.

This remote action is intended to resolve a specific issue and should be executed on demand. This remote action does not require an execution schedule.

Enable BitLocker encryption (Windows only)

This remote action enables BitLocker encryption on the drive where the OS is installed. Using the input parameters, you can choose the type of disk encryption and the encryption method.

This remote action should be performed if any unencrypted Windows devices violating the corporate policy are found in the Security Applications tab in the Windows Encryption Compliance widget group.

This remote action is intended to resolve a specific issue and should be executed on demand. This remote action does not require an execution schedule.

Install Windows Update (Windows only)

This remote action installs the Windows Update patch specified in the input parameters.

This remote action should be performed if any devices with non-compliant versions of Windows are found under the Operating System - Windows tab.

Please note: this remote action requires a URL or UNC path to the Windows Update (.msu) file.

This remote action is intended to resolve a specific issue and should be executed on demand. This remote action does not require an execution schedule.

Set firewall options (macOS only)

This remote action allows configuring the Firewall settings under System Preferences - Security and Privacy - Firewall.

This remote action should be performed if any unprotected macOS devices violating the corporate policy are found in the Security Applications tab in the macOS Firewall Compliance widget group.

Please note: this remote action needs to be configured with input parameters:

  • FirewallStatus: Enables (Enable value) or disables (Disable value) the firewall for the endpoint. The BlockAllConnections option blocks all incoming connections except basic services such as DHCP and IPSec.

  • AllowSigned: Allow or deny the built-in software to receive incoming connections.

  • AllowDownloadSigned: Allow or deny the download of signed software to provide services accessible from the network.

  • StealthMode: Allow or deny ICMP connections to the computer.

This remote action is intended to resolve a specific issue and should be executed on demand. This remote action does not require an execution schedule.

Set Xprotect status (macOS only)

This remote action allows you to configure macOS Xprotect, the built-in anti-malware system.

This remote action should be performed if any unprotected macOS devices violating the corporate policy are found in the Security Applications tab in the macOS Antivirus Compliance widget group.

Please note: this remote action requires configuration through its input parameter:

  • XProtectStatus: Enables (Enable value) or disables (Disable value) Xprotect on the device.

This remote action is intended to resolve a specific issue and should be executed on demand. This remote action does not require an execution schedule.

Set auto updates (macOS only)

This remote action sets the advanced options for macOS automatic updates.

This remote action should be performed if any devices with non-compliant versions of macOS are found under the Operating System - macOS tab.

Please note: this remote action requires configuration through its input parameters:

  • AutomaticCheck: Enables or disables 'Check for updates' setting

  • AutomaticDownload: Enables or disables 'Download new updates when available' setting

  • AutomaticallyInstallMacOSUpdates: Enables or disables 'Install macOS Updates' setting

  • AutoUpdateAppStore: Enables or disables 'Install app updates from the App store' setting

This remote action is intended to resolve a specific issue and should be executed on demand. This remote action does not require an execution schedule.

Disable root account (macOS only)

This remote action disables the built-in root account in macOS endpoints if it was enabled.

This remote action should be performed if root-enabled macOS devices are listed on the Device overview tab in the macOS Local Administrator Identities widget group.

This remote action is intended to resolve a specific issue and should be executed on demand. This remote action does not require an execution schedule.

Disable guest account (macOS only)

This remote action disables the built-in Guest account if it was enabled.

This remote action should be performed if guest-enabled macOS devices are listed on the Device overview tab in the macOS Local Administrator Identities widget group.

This remote action is intended to resolve a specific issue and should be executed on demand. This remote action does not require an execution schedule.

Schedules

Schedules are a new feature of remote actions in Nexthink Infinity that allow you to define when a remote action executes and which device(s) it targets. This allows the operator to target different groups of devices with different remote actions.

As shown in the gif below, a schedule targeting a specific platform can be created. In this case, we use an NQL query to filter for Windows-based client devices.

Here is a snippet of the NQL query used in the gif above. The query returns a list of Windows-based devices. Please feel free to edit the query as desired:

devices
| where operating_system.platform == Windows
  and operating_system.name !in ["*server*"]

If you need help with NQL queries, please look at the NQL tutorial.

Device Compliance Assurance dashboard

This dashboard uses tabs to separate content. The Device overview tab provides an overview of the presence of a configuration management agent and the presence of unauthorized local users with administrator rights, followed by dedicated tabs for “Operating system - Windows”, “Operating system - macOS”, “Security applications” and “Windows Defender”.
The dashboard filters common to each tab allow you to select two localization levels: Country and City. These are based on and restricted by the level of Geo-IP localization that has been configured. There are also filters on Entity, Device Type, and Device Name.

Device overview

  • This tab provides an overview of the device status from the following points of view:

    • Windows and macOS devices with non-standard members of the local Administrators group;

    • macOS devices with Root and Guest accounts enabled;

    • Windows and macOS devices that are running out of disk space;

    • MECM/Intune management agents' presence on Windows devices.

  • This tab uses the following Remote Actions for its outputs:

    • Get local administrators (Windows)

    • Get accounts information (macOS)

Operating system - Windows

  • This tab provides an overview of the versions and builds of Windows found in the environment. In addition, it shows the number of devices with any particular version of Windows, as well as the ratio of those devices.

Operating system - macOS

  • This tab provides an overview of the macOS versions found in the environment. In addition, it shows the number of devices with any particular version of macOS, as well as the ratio of those devices.

Security applications

  • This tab provides a complete overview of the status of antivirus, firewall, and encryption on devices, as well as the compliance ratio for each of these areas.

  • This tab uses the following Remote Actions for its outputs:

    • Get firewall options (macOS)

    • Get BitLocker information (Windows)

    • Get encryption information (macOS)

    • Get XProtect status (macOS)

Windows Defender

  • This tab provides an overview of Windows Defender status and signatures on Windows devices and an overview of Windows Defender versions.

  • This tab uses the following Remote Action for its outputs:

    • Get Windows Defender information (Windows).
