Getting started with Device Compliance policies
Device Compliance policies use data collected from your Windows and Mac devices to determine their state of compliance based on conditions you set. The collected information is made available in reports and on the Device Details page, which you can use to monitor the compliance status of devices along with any reasons for non-compliance. Equipped with this information, you can:
- Track key performance indicators (KPIs) related to the compliance of your devices
- Initiate remedial actions on devices that become non-compliant (for example, by creating an Action rule that automatically freezes devices when their compliance status changes)
- Prevent devices from accessing the corporate network if they are at risk, unhealthy, or not compliant with your organization's requirements

Device Compliance policies apply to devices running a supported version of the Windows or macOS operating system. To see up-to-date Device Compliance status information in the console, each device's Secure Endpoint Agent must connect regularly to the Absolute Monitoring Center; a device that has not connected shows whatever status it last reported.

By default, the Global Policy Group and all custom policy groups include a preconfigured Device Compliance policy, which is set to Inactive. Although you can activate the policy in the Global Policy Group, best practice is to create custom policy groups and activate each policy group's Device Compliance policy, as required.

Devices included in a Device Compliance policy must satisfy all the conditions you set to be considered compliant. You can determine compliance using any of the following conditions, which are based on data points the Secure Endpoint Agent regularly monitors on devices.

Anti-malware condition
Enable this condition to monitor whether devices included in the policy are protected by one or more anti-malware applications.
- If at least one anti-malware application is active on a device, it is reported as Compliant.
- If all anti-malware applications are inactive or disabled, or none are detected, the device is reported as Non-compliant.
- If the Secure Endpoint Agent is unable to determine a device's anti-malware status, it is reported as Unknown.
Each device's Secure Endpoint Agent performs an hourly anti-malware scan. If a change is detected, the new anti-malware information is uploaded on the device's next agent connection, which is typically within the next 15 minutes if the device is online.
The anti-malware condition is enabled by default in a Device Compliance policy, but you can disable it if required.

Encryption condition
Enable this condition to monitor whether devices included in the policy use encryption to protect data stored on the system drive.
- If a device's encryption status is reported as Encrypted (meaning its system drive is fully encrypted), it is considered Compliant.
- If a device's encryption status is reported as Not Encrypted, Not Detected, or Decryption in Progress, it is considered Non-compliant.
For Windows devices included in your policy, you also have the option of considering devices compliant when they report any of the following encryption statuses:
- Suspended (BitLocker only) – The Secure Endpoint Agent reports this status when encryption is temporarily disabled on the device, often because of system updates, firmware upgrades, or other system changes. While BitLocker is suspended, the volume's encryption key is stored unprotected on the disk, so the data is readable without authentication even though it is still encrypted at rest.
- Encryption In Progress – The Secure Endpoint Agent reports this status when the system drive is in the process of being encrypted.
- Used Space Encrypted – The Secure Endpoint Agent reports this status when all disk space that contains data is encrypted, but free space is not encrypted. On a drive that held data before encryption was enabled, remnants of deleted files in that free space may remain readable.
Each device's Secure Endpoint Agent performs an hourly encryption scan. If a change is detected, the new information is uploaded on the device's next agent connection, which is typically within the next 15 minutes if the device is online.
The encryption condition is enabled by default when the Full-Disk Encryption Status policy is already activated in the associated policy group. If this policy is not already activated, you'll be prompted to activate it when enabling the encryption condition.

Geolocation condition
Enable this condition to monitor whether devices included in the policy are adhering to location-based rules.
A device is considered compliant if the location reported by the Secure Endpoint Agent matches the parameters you set in the following options:
- Device must be in one of these locations – The cities, states, provinces, and countries the device is allowed to be located in. You can enter multiple locations as required.
- Device must not be in one of these locations – The cities, states, provinces, and countries the device is not allowed to be located in. You can enter multiple locations as required.
The Secure Endpoint Agent detects and uploads location information at intervals that depend on the device's platform type, so the reported location may lag the device's actual location.
The geolocation condition can only be enabled if the Geolocation Tracking policy is already activated in the associated policy group. If this policy is not already activated, you'll be prompted to activate it when enabling the geolocation condition.

Operating system condition
Enable this condition to monitor whether devices included in the policy are running a specific operating system and/or a version of that operating system within a range you define.
A device is considered compliant if the operating system reported by the Secure Endpoint Agent matches the parameters you set, including:
- Whether the device is running Windows or macOS
- Whether the device is running a version of the operating system that falls within the range you specify in the Minimum OS version and Maximum OS version fields
Each device's Secure Endpoint Agent performs a daily hardware scan. A scan is also triggered when the device is restarted or the detected public IP address or SSID changes. If a change is detected in the operating system, the new information is uploaded on the device's next agent connection, which is typically within the next 15 minutes if the device is online.

Consider Unknown status as compliant
Enable the Consider Unknown status as compliant option if you want to consider devices included in the policy as compliant when their compliance status cannot be determined. This occurs when the Secure Endpoint Agent is unable to collect or update the required data points (such as geographical location or state of encryption) on a device and reports an Unknown status. Note that with this option enabled, a device whose encryption or anti-malware state cannot be read is treated the same as one that is verified encrypted and protected, so weigh it against any Action rule or access decision that keys on a Compliant status.
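Putting the conditions above together, the following constructed Python model (an added example, not Absolute's code, and it calls no Absolute API) evaluates one device report against one policy the way the conditions are described: every enabled condition must pass, a data point the agent could not collect yields Unknown unless the policy counts Unknown as compliant, and the relaxed Windows encryption statuses count only when the policy opts into them. The status strings, the field names, the rule that a definite failure outranks an Unknown, and the way the OS version bounds are compared (numerically, with a maximum such as 14 covering every 14.x) are assumptions of the example, not documented product behaviour.

```python
# Constructed model of how the Device Compliance conditions combine. Added example, not
# Absolute's code: status strings, field names, failure-over-Unknown precedence and the
# version-range semantics are assumptions.
from __future__ import annotations
from dataclasses import dataclass

COMPLIANT, NON_COMPLIANT, UNKNOWN = "Compliant", "Non-compliant", "Unknown"
WINDOWS_OPTIONAL = {"Suspended", "Encryption In Progress", "Used Space Encrypted"}
# "Encrypted" always passes; "Not Encrypted", "Not Detected", "Decryption in Progress"
# and any unrecognised string fail closed.

@dataclass
class Policy:
    check_antimalware: bool = True                    # enabled by default
    check_encryption: bool = False
    accept_windows_statuses: frozenset = frozenset()  # subset of WINDOWS_OPTIONAL
    check_location: bool = False
    allowed_locations: frozenset = frozenset()        # "must be in one of these"
    blocked_locations: frozenset = frozenset()        # "must not be in one of these"
    check_os: bool = False
    os_name: str | None = None                        # "Windows" or "macOS"
    min_os: str | None = None
    max_os: str | None = None
    unknown_is_compliant: bool = False                # "Consider Unknown status as compliant"

@dataclass
class DeviceReport:
    platform: str                      # "Windows" or "macOS"
    os_version: str | None             # None: not collected yet
    antimalware_active: bool | None    # None: agent could not determine
    encryption_status: str | None      # None: not reported
    location: tuple[str, ...] | None   # e.g. ("Toronto", "Ontario", "Canada")

def parse_version(text):
    """'10.0.19045' -> (10, 0, 19045); numeric, so 10.9 < 10.15 (string order gets this wrong)."""
    return tuple(int(part) for part in text.split("."))

def version_in_range(version, min_os, max_os):
    """Assumed semantics: the minimum compares numerically; a maximum like '14' covers every 14.x."""
    v = parse_version(version)
    if min_os and v < parse_version(min_os):
        return False
    if max_os:
        m = parse_version(max_os)
        if v[:len(m)] > m:
            return False
    return True

def check_antimalware(p, r):
    if not p.check_antimalware:
        return COMPLIANT, None
    if r.antimalware_active is None:
        return UNKNOWN, "anti-malware status unknown"
    return (COMPLIANT, None) if r.antimalware_active else (NON_COMPLIANT, "no active anti-malware application")

def check_encryption(p, r):
    if not p.check_encryption:
        return COMPLIANT, None
    status = r.encryption_status
    if status is None:
        return UNKNOWN, "encryption status unknown"
    if status == "Encrypted":
        return COMPLIANT, None
    # Relaxed statuses count only on Windows and only when the policy opted in.
    if r.platform == "Windows" and status in (p.accept_windows_statuses & WINDOWS_OPTIONAL):
        return COMPLIANT, None
    return NON_COMPLIANT, f"system drive status: {status}"

def check_location(p, r):
    if not p.check_location:
        return COMPLIANT, None
    if r.location is None:
        return UNKNOWN, "location unknown"
    places = set(r.location)   # city, state/province and country each count as a match
    if p.allowed_locations and not places & p.allowed_locations:
        return NON_COMPLIANT, "outside allowed locations: " + ", ".join(r.location)
    if places & p.blocked_locations:
        return NON_COMPLIANT, "in blocked location: " + ", ".join(sorted(places & p.blocked_locations))
    return COMPLIANT, None

def check_os(p, r):
    if not p.check_os:
        return COMPLIANT, None
    if p.os_name and r.platform != p.os_name:
        return NON_COMPLIANT, f"platform is {r.platform}, policy requires {p.os_name}"
    if r.os_version is None:
        return UNKNOWN, "OS version unknown"
    if not version_in_range(r.os_version, p.min_os, p.max_os):
        return NON_COMPLIANT, f"OS version {r.os_version} outside {p.min_os}..{p.max_os}"
    return COMPLIANT, None

def evaluate(policy, report):
    """All enabled conditions must pass. A definite failure wins over anything unknown; otherwise an
    Unknown data point makes the device Unknown unless the policy accepts Unknown as compliant
    (the details still list what could not be verified)."""
    results = [check(policy, report)
               for check in (check_antimalware, check_encryption, check_location, check_os)]
    failures = [why for status, why in results if status == NON_COMPLIANT]
    unknowns = [why for status, why in results if status == UNKNOWN]
    if failures:
        return NON_COMPLIANT, failures
    if unknowns:
        return (COMPLIANT if policy.unknown_is_compliant else UNKNOWN), unknowns
    return COMPLIANT, []
```

The two points worth carrying over to any real report processing are the version comparison (a string sort places 10.9 above 10.15, so version bounds must be compared numerically component by component) and the handling of Unknown: even when the policy counts Unknown as compliant, the model keeps the list of data points it could not verify, which is the detail you want next to a Compliant status before acting on it.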

Viewing compliance information
After you activate a Device Compliance policy, the agent begins to collect compliance-related information from the devices associated with the applicable policy group. After you've allowed a day for the policy to be deployed and run on each device, you can view the collected status information in the policy group's Devices page. You can also add compliance-related columns (Device Compliance Status, Device Compliance Details, and Device Compliance Last updated) to other pages and reports, such as:
- All Devices page in the Devices area
- Devices with Active Policies report
In addition, you can view detailed compliance-related information for each device on its Device Details page:
- Compliance status is listed in the Security Controls area at the top of the page
- Compliance-related events (for example, when compliance status changes for a device) are listed on the History page; you can also view them on the Events page in the History area
- Details of a compliance-related event are shown to the right when you click the event