Compliance checks - Does anyone actually know how it works?

I'm puzzled.

Could someone please explain how compliance checks are carried out on iOS devices and whether the SMC app is a requirement?

For instance, I have configured a basic compliance rule stating devices must have a passcode, but removing the passcode from devices does not create a non-compliance situation no matter how long I wait.

Does the SMC app have to be installed for all aspects of compliance checks to work, or only for certain features? If so, is there any way to enforce the installation other than on "supervised" devices? After all, we can't configure BYOD objects as "supervised".

Hopefully someone knows, or is everyone as confused as I am?

Come on Sophos, the documentation and information around this is pretty poor.

  • Not sure if this is of any help:  http://www.sophos.com/en-us/support/knowledgebase/120888.aspx

    If so, it seems that the app needs to be open and running in the background, which kind of sucks as users might close it down etc.!

  • Thanks for that Ross.

    I am aware of those requirements, but it doesn't really help.

    I need to know whether the SMC app has to be installed in order for all aspects of compliance checks to work. If not, which features are available without the SMC app?

    Why are devices without a passcode not flagged as non-compliant? Why is non-compliance not flagged immediately? Enterprises aren't prepared to wait for hours, sometimes days before non-compliance is flagged, all the while allowing access to corporate data.

    It would be nice if Sophos could give us a matrix listing compliance check features and dependencies.

    I have a large organisation who are about to drop SMC due to the flaky nature of compliance checks, which is the only reason they bought it. Other MDM products are available.

    Regards.

  • Hello,

    The compliance check is done on the server, not on the client.

    The server checks the information it has after it gets new information from the device, as well as on a regular basis.

    If a device is non-compliant it flags it as such and sends a message to the device informing it about the non-compliance.

    The information needed for the compliance check is transmitted without the app (except for location tracing information, which is done by the app). Therefore the MDM profile is needed, which is installed during device roll-out.

    The messages sent to the device informing about non-compliance require the app to be running in the background, since the app displays the messages.

    Regarding the passcode compliance check: this is a setting that does not get synced to the server immediately due to Apple's design. However, you could simply enforce a passcode using a policy.

    If the other settings for the compliance set also take that long, please open a ticket with support so we can analyse better and help you get it resolved.

    Regards
    Thomas

  • Hi Thomas,

    Thanks for the response.

    I realise that the compliance check is done against the data held by the SMC server. This data, I believe, is collected/updated by the SMC server sending a sync request via APNS to the device; the device responds and the new data is appended to the SMC database. This is the first delay between a device becoming non-compliant and it being reported as such in the console. The second delay is the time between the device reporting its state to SMC and a compliance check being run against the updated data held by SMC. The third delay is the time taken for SMC to flag the device as non-compliant and trigger an alert on the device, which is only possible if the SMC app is installed. This can't be guaranteed as there is no way to force users to install the app; a lot of devices are personal and not corporate.

    Now, I realise there is very little we can do around the SMC app, but could you let me know how often SMC polls devices for status updates, and can this interval be changed to an interval which a client may deem acceptable? How often are compliance checks carried out? I believe the compliance check interval is set when EAS proxy is configured. If so, what is the default interval for these checks?

    I assume there may be a trade-off between these checks and battery life on the devices. Do Sophos have any advice around this or is this not really an issue due to improved batteries and OS?

    A lot of questions, I know, but I will get asked these by the client. We have had a lengthy pilot running and it is either going live or being dropped in the very near future. The main stumbling block is the compliance issue.

    Regards.

  • Hi Neil,

    Your description regarding the delays is correct.

    As far as I know, it is not possible to let the device synchronize once there is a change within the OS like the passcode.

    Therefore, the SMC server has to wait until the device synchronizes its latest information.

    By default this synchronization is done every 24 hours. For iOS this interval can be changed in the "EAS Proxy" screen of the Configuration Wizard (the "Device Sync interval"). See also page 27 of the installation guide.

    That is also the place where you configure how often the compliance check is carried out. The default for that setting is that the check is done every 4 hours.

    If you want, you can configure the device sync to happen every 12 hours, for example. During the synchronization about 400 KB are uploaded from the device to the server. The battery usage can, in my opinion, be neglected if you sync twice a day.

    Regarding the SMC app, you can also define it as a required app, so the user will have to install it to be compliant.


    Hope this helps.

    Best regards

    Stefan

  • Thanks Stefan,

    That's a great help.

    So, to recap: the SMC server sends a sync request via APNS, default interval 24 hours, although for iOS devices this can be changed during the EAS setup. The device then responds via HTTPS and updates the SMC database. SMC runs compliance checks against the database, default interval 4 hours; again this can be changed during the EAS setup for iOS devices, or using command bundles for Android, and can be set in the client tab/general settings for Windows Phone 8 devices. These results are checked against the relevant compliance rule and the device is then flagged as compliant or not in the management console. In order for the device itself to indicate violations the SMC app must be installed. Adding the SMC app as a compliance requirement would block access to corporate email if the app was not installed, therefore compelling end-users to install the app.

    Regards.

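Added example (not from the thread or from Sophos): a small Python model of the exposure window the recap above implies, i.e. how long a device that drops its passcode can stay unflagged given the device sync interval and the compliance check interval. It assumes that a compliance check only sees sync data that arrived strictly before the check ran; the 24 h / 4 h defaults and the 12 h alternative come from the thread.

```python
"""Exposure window between an on-device change (e.g. passcode removed) and
the SMC console flagging the device as non-compliant.

Constructed model of the delays described in the thread. Time is in minutes,
with the last device sync at t = 0. The rule that a compliance check evaluates
only data that reached the server strictly before the check started is an
assumption made here, not documented product behaviour.
"""


def next_multiple_at_or_after(t: int, interval: int) -> int:
    """Smallest multiple of `interval` that is >= t."""
    return -(-t // interval) * interval


def detection_delay_minutes(change_at: int, sync_interval: int, check_interval: int) -> int:
    """Minutes from the on-device change until the server flags it.

    change_at: minutes after the last sync at which the change happened
               (1 .. sync_interval).
    Delay 1: the new state only reaches the server at the next device sync.
    Delay 2: the server evaluates it at the first compliance check that runs
             after that sync (strictly after; see module docstring).
    """
    synced_at = next_multiple_at_or_after(change_at, sync_interval)
    checked_at = (synced_at // check_interval + 1) * check_interval
    return checked_at - change_at


def exposure_window(sync_interval: int, check_interval: int) -> tuple[int, float]:
    """Worst-case and mean delay for a change at any minute of the sync cycle."""
    delays = [
        detection_delay_minutes(t, sync_interval, check_interval)
        for t in range(1, sync_interval + 1)
    ]
    return max(delays), sum(delays) / len(delays)


if __name__ == "__main__":
    HOUR = 60
    for label, sync_h in (("default 24 h sync", 24), ("12 h sync (thread suggestion)", 12)):
        worst, mean = exposure_window(sync_h * HOUR, 4 * HOUR)
        print(f"{label}: worst {worst / HOUR:.1f} h, mean {mean / HOUR:.1f} h until flagged")
```

With the defaults the worst case is just under 28 hours and the mean about 16 hours; halving the sync interval roughly halves both, which is the figure a client weighing the battery trade-off would want to see.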