Cisco Meraki Documentation

Security Policies in Systems Manager

Security policies in Systems Manager (SM) networks can be used to monitor a number of security-related data points on enrolled client devices. The resulting compliance information can then be used to generate scheduled reports, or to control the deployment of apps and profiles to clients through the automatically generated security dynamic tags. This article walks through the configuration and use of security policies.

Note that creating policies alone does not enforce or block behavior on devices. A tag labeling a device as 'compliant' or 'violating' is automatically applied to all devices, and needs to be used to scope profiles or apps to grant conditional access, or conditionally apply more restrictions. See the article on dynamic tags for more info.

For info on related topics, refer to the articles on App blacklist/whitelist and the application of tags and scoping with security policy tags.

Note: Some security policy features are not available for Legacy SM users. Differences will be indicated where relevant.

Creating Security Policies

  1. Navigate to Systems manager > Configure > Policies.
  2. Click Add new along the right side of the page.
    Note: Customers with Legacy SM can only create one security policy, and thus skip this step.
  3. Enter a Security policy name that describes its intended use or purpose.
    Note: The name can only contain letters, numbers, dashes, underscores, and periods, and must not be blank.
  4. Select any of the traits that should be used to determine device compliance. See below for an example.
  5. Click Save Changes.

 

If additional policies need to be configured, click Back to list and repeat from Step 2.

Deleting Security Policies

Note: Legacy SM users can only have one policy, which is only used for security reports. Thus it cannot be deleted. Instead, delete any undesired reports.

  1. Navigate to Systems manager > Configure > Policies.
  2. Check the box next to the policy or policies that should be deleted.
  3. Click Delete.
  4. Check the box confirming deletion.
  5. Click Delete # security policy/policies, where # is the number of policies checked.
  6. The security policy/policies will then disappear from the list and be removed from any policies or security reports.

Generating Security Reports

Once a security policy has been created, security reports can be used to automatically send compliance reports to configured administrators or e-mail addresses. 

  1. Navigate to Systems manager > Configure > Alerts.
  2. Under the Security report section, click Add a new report.
  3. Select a Security policy to report on.
  4. Choose a Schedule that sets how often the report is sent.
  5. Check the box for Only failing? if only devices out of compliance should be included in the report.
  6. Check the box for Filter tags? if only devices with certain tags should be included in the report.
  7. If Filter tags? is checked:
    1. Select the Tag scope. "Any" requires at least one of the tags be present on a client to match. "All" requires all of the tags be present on a client to match.
    2. Select the Tags to match on.
  8. Click Save Changes.

 

To delete a report, simply click the X in the Delete column next to the report. Then click Save Changes.

 

To control who should receive the scheduled reports, use the Delivery settings section of the Configure > Alerts page.

Checking Device Compliance

There are a few different ways to determine whether a client is compliant with a security policy.

To check an individual client:

  1. Navigate to Systems Manager > Monitor > Devices.
  2. Select the client that is to be checked.
  3. Under the Security section, the Security policy field indicates compliance with each existing policy. Green indicates compliance; red indicates non-compliance.

 

To check multiple clients:

  1. Navigate to Network-wide > Monitor > Clients.
  2. Using the dropdown in the upper right corner above the client list, select Security.
  3. This will present a set of security policy fields within the client list.
  4. To add or remove fields, use the + sign on the right end of the header row.
  5. Within the list that appears, check the boxes in the Security section for any desired columns.
  6. The list will now indicate the compliance of policies or specific security traits, as selected.

Using Security Policies to Control Profiles

Similar to other types of tags, security policy compliance can be used to dynamically control which client devices will receive a particular profile. Both "Compliant" and "Violating" tags will be available for each configured security policy in the Scope for a given profile.

 

The example image below shows the Scope for a profile containing VPN settings, which should only be pushed to devices that have the "vpn" tag and are compliant with the indicated security policy.


 

Note: This feature is not available for Legacy SM users.
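The following is an added offline model, not Meraki code, of the tag semantics this article describes: a policy only labels devices with an automatic compliant/violating tag, the report's "Only failing?" and "Filter tags?" (Any/All) options filter on those tags, and a profile is pushed only to devices that carry every tag in its scope. The policy name, trait names, the "vpn" and "kiosk" tags and the device records are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Device:
    name: str
    tags: set           # manually applied tags plus automatic security tags
    traits: dict        # trait name -> True if the device passes that check

def evaluate_policy(policy, required_traits, devices):
    """Label every device compliant or violating, as the dashboard does
    automatically; nothing is blocked or pushed by this step alone."""
    for d in devices:
        d.tags -= {f"{policy}:compliant", f"{policy}:violating"}
        passed = all(d.traits.get(t, False) for t in required_traits)
        d.tags.add(f"{policy}:{'compliant' if passed else 'violating'}")
    return devices

def tags_match(device_tags, wanted, scope):
    """'Filter tags?' semantics: Any needs one match, All needs every tag."""
    hits = [t in device_tags for t in wanted]
    return any(hits) if scope == "any" else all(hits)

def security_report(devices, policy, only_failing=False, filter_tags=(), scope="any"):
    """Names a scheduled report would list for the given policy and filters."""
    rows = []
    for d in devices:
        if only_failing and f"{policy}:violating" not in d.tags:
            continue
        if filter_tags and not tags_match(d.tags, filter_tags, scope):
            continue
        rows.append(d.name)
    return rows

def profile_scope(devices, required_tags):
    """Devices that receive a profile scoped to ALL of the given tags."""
    return [d.name for d in devices if set(required_tags) <= d.tags]

# Constructed sample fleet and policy (hypothetical, not real data).
FLEET = [
    Device("phone-a", {"vpn"}, {"passcode": True, "not_jailbroken": True, "encrypted": True}),
    Device("phone-b", {"vpn"}, {"passcode": True, "not_jailbroken": False, "encrypted": True}),
    Device("tablet-c", {"kiosk"}, {"passcode": True, "not_jailbroken": True, "encrypted": True}),
]
BASELINE_TRAITS = ["passcode", "not_jailbroken", "encrypted"]
evaluate_policy("baseline", BASELINE_TRAITS, FLEET)

if __name__ == "__main__":
    # Only the compliant device that also carries the "vpn" tag gets the VPN profile.
    print("VPN profile goes to:", profile_scope(FLEET, {"vpn", "baseline:compliant"}))
    print("Failing report (any of vpn/kiosk):", security_report(FLEET, "baseline", True, ("vpn", "kiosk")))
```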

Additional Resources

Please review our documentation for more information on the application of tags and scoping.
