Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 6 replies
  • Subscribers 5 subscribers
  • Views 17746 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Compliance checks - Does anyone actually know how it works?

Neil_Evolve

I'm puzzled.

Could someone please explain how compliance checks are carried out on iOS devices and whether the SMC app is a requirement?

For instance, I have configured a basic compliance rule stating devices must have a passcode, but removing the passcode from devices does not create a non-compliance situation no matter how long I wait.

Does the SMC app have to be installed for all aspects of compliance checks to work or only for certain features? If so is there any way to enforce the installation other than on "supervised" devices, after all we can't configure BYOD objects as "supervised".

Hopefully someone knows or is everyone as confused as I am.

Come on Sophos, the documentation and information around this is pretty poor.

:54397


This thread was automatically locked due to age.
Parents
  • 0

    Hi Thomas,

    Thanks for the response.

    I realise that the compliance check is done against the data held by the SMC server. This data, I believe, is collected/updated by the SMC server sending a sync request via APNS to the device, the device responds and the new data is appended to the SMC database. This is the first delay between a device becoming non-compliant and it being reported as such in the console. The second delay is the time between the device reporting its state to SMC and a compliance check being run against the updated data held by SMC. The third delay is the time taken for SMC to flag the device as non-compliant and trigger an alert on the device. Which is only possible if the SMC app is installed. This can't be guaranteed as there is no way to force users to install the app, a lot of devices are personal and not corporate.

    Now, I rtealise there is very little we can do around the SMC app, but could you let me know how often SMC polls devices for status updates and can this interval be changed to an interval which a client may deem acceptable? How often are compliance checks carried out? I believe the compliance check interval is set when EAS proxy is configured. If so what is the default interval for these checks?

    I assume there may be a trade-off between these checks and battery life on the devices. Do Sophos have any advice around this or is this not really an issue due to improved batteries and OS?

    A lot of questions, I know, but I will get asked these by the client. We have had a lengthy pilot running and it is either going live or being dropped in the very near future. The main stumbling block is the compliance issue.

    Regards.

    :54511
Reply
  • 0

    Hi Thomas,

    Thanks for the response.

    I realise that the compliance check is done against the data held by the SMC server. This data, I believe, is collected/updated by the SMC server sending a sync request via APNS to the device, the device responds and the new data is appended to the SMC database. This is the first delay between a device becoming non-compliant and it being reported as such in the console. The second delay is the time between the device reporting its state to SMC and a compliance check being run against the updated data held by SMC. The third delay is the time taken for SMC to flag the device as non-compliant and trigger an alert on the device. Which is only possible if the SMC app is installed. This can't be guaranteed as there is no way to force users to install the app, a lot of devices are personal and not corporate.

    Now, I rtealise there is very little we can do around the SMC app, but could you let me know how often SMC polls devices for status updates and can this interval be changed to an interval which a client may deem acceptable? How often are compliance checks carried out? I believe the compliance check interval is set when EAS proxy is configured. If so what is the default interval for these checks?

    I assume there may be a trade-off between these checks and battery life on the devices. Do Sophos have any advice around this or is this not really an issue due to improved batteries and OS?

    A lot of questions, I know, but I will get asked these by the client. We have had a lengthy pilot running and it is either going live or being dropped in the very near future. The main stumbling block is the compliance issue.

    Regards.

    :54511
Children
No Data
Unfiltered HTML