Zentral can vouch that you are doing a terrific job with customisable Compliance Checks. Use them to automate your reporting and to find bad Apples.
Most organizations have adopted data and endpoint protection best practices such as FileVault disk encryption and macOS sharing restrictions. However, ensuring that these measures remain active and effective, and finding the devices with issues, is what makes a great security posture.
Zentral gives you a clever solution to audit compliance over time, with two complementary Compliance Checks based on its own inventory and on Osquery. When applied well, they let you create automated, extensive reporting on the health of your endpoint devices.
Occasionally you will want to check specific inventory data, such as ensuring that your OS version falls within a certain range or that a custom Jamf extension attribute meets an expected value. Use the Zentral inventory Compliance Checks to do this.
Compliance Checks are powered by a JMESPath expression. These expressions are evaluated every time a machine inventory update is made, giving you the ability to even check custom inventory fields. When the expression evaluates to false for a device, the check fails and the machine is marked as non-compliant, and a JMESPath check status update event is triggered.
If you want to verify data that is not present in the inventory, use the Zentral Compliance Checks based on Osquery. Any Osquery query that produces results with a special ztl_status (FAILED or OK) column can be used as a Compliance Check.
Run it on demand, or schedule it at the interval of your choice. When Zentral receives an Osquery result with valid ztl_status values, the compliance check status for the corresponding machine is updated and an Osquery check status update event is emitted if required.
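A sketch of an Osquery-style FileVault check, added here as an illustration and not taken from Zentral's own checks. Osquery's SQL is SQLite, so the query is run against in-memory stand-ins for the mounts and disk_encryption tables with constructed rows; treating a root volume with no disk_encryption row as FAILED is an assumption of this example. It shows why the aggregate form is used: a plain join returns no row, and so no ztl_status value, when that row is missing.

```python
import sqlite3

# Aggregate form: always yields exactly one row with a ztl_status value,
# even when the root volume has no matching disk_encryption row.
CHECK_SQL = """
SELECT CASE WHEN COUNT(*) > 0 AND MIN(de.encrypted) = 1
            THEN 'OK' ELSE 'FAILED' END AS ztl_status
FROM mounts m
JOIN disk_encryption de ON de.name = m.device
WHERE m.path = '/';
"""

# Naive form for comparison: one row per joined volume, none if the join is empty.
NAIVE_SQL = """
SELECT CASE WHEN de.encrypted = 1 THEN 'OK' ELSE 'FAILED' END AS ztl_status
FROM mounts m
JOIN disk_encryption de ON de.name = m.device
WHERE m.path = '/';
"""


def run_check(sql, mounts, disk_encryption):
    """Run sql against in-memory stand-ins for the two osquery tables."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE mounts (device TEXT, path TEXT)")
    db.execute("CREATE TABLE disk_encryption (name TEXT, encrypted INTEGER)")
    db.executemany("INSERT INTO mounts VALUES (?, ?)", mounts)
    db.executemany("INSERT INTO disk_encryption VALUES (?, ?)", disk_encryption)
    rows = [row[0] for row in db.execute(sql)]
    db.close()
    return rows


if __name__ == "__main__":
    root = [("/dev/disk1s1", "/")]  # constructed sample rows
    machines = {
        "encrypted": [("/dev/disk1s1", 1)],
        "unencrypted": [("/dev/disk1s1", 0)],
        "no encryption row": [],
    }
    for label, enc in machines.items():
        print(label, run_check(NAIVE_SQL, root, enc), run_check(CHECK_SQL, root, enc))
```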
The status of each Compliance Check in scope for a given machine is displayed through the inventory. The inventory can be filtered by a given compliance check status, or by the overall machine status. If a machine has at least one failed compliance check, it is considered non-compliant.
The compliance check status of each machine and the total aggregations can be exported in the inventory reports - also available via the API. Prometheus metrics are exported for each compliance check. This allows you to graph the compliance state for your entire fleet using the dashboard tool of your choice. You could even configure alerts when a given threshold of non-compliant machines is reached.
JMESPath might be a bit intimidating at first, and the inventory data is broad. There are some well-known patterns for the Osquery queries that are not trivial. We will help you learn these techniques and write the checks you require.
Collect the compliance check metrics using Prometheus, and display them in dashboards. Automatically export fleet compliance reports at regular intervals.
Use configuration-as-code and your favorite continuous deployment solution to manage the inventory and Osquery compliance checks.