11.16 compliance features

ability to switch coming-EXCELLENT

workaround worked!

and I still dont see the profiles in device management

if you have time, send me a calendar req and I can show you live

I was just looking and is there no way to edit the scope of compliance readiness after it is created? I saw I can edit which rules are enforced but not any scoping.

Hi @mattjerome . Thank you for your feedback. We are actively working on many improvements to the compliance benchmarks capability - allowing to change the smart group (scope) is one of the items that are on our near-term roadmap. Please stay tuned for updates. In the meantime, as a workaround, you could potentially use nested smart groups feature in Jamf Pro to achieve what you need.

Could you please describe the use case for which you need to edit the scope?

Hi @danlaw777 . Thanks for your interest in compliance benchmarks and your feedback. Let me comment those:

• Ability to switch between monitor and enforce mode will come in very near future. We are actively working on it.
• We understand the need to easily see what machines are out of compliance. This is also under development and will come in near future. In the meantime, there is a workaround to get this information - please see this post. Please let us know if this helped.
• "using the advanced search fails to yield any results as there is no way to point to these standards in the search function" - could you please elaborate a bit more? Do you mean that the workaround does not produce what you need or that it does not work at all?
• Compliance benchmarks creates and manages profiles, scripts and other artefacts that are stored under device management tab. They are organised into a category that is named after your compliance benchmark configuration name.

scoping feature is NEEDED! 
1. pilot this configuration

2. post pilot, rescope to all devices

3. pilot next macOS

these are 3 but there are more I know

Hi @Tomas_Lukl1 are their plans to support the exceptions.plist so you can exempt some rules from a subset of computers in scope of the benchmark? The JCE supports this with the Compliance - Failed Results Count EA and the Compliance - Exemptions EA.

Hi @c_kay . Thank you for the question. Could you please describe in a bit more detail what is the use case the exemptions are useful for you?

Hi @c_kay . Thank you for the question. Could you please describe in a bit more detail what is the use case the exemptions are useful for you?

Hi @danlaw777 . Thanks for your interest in compliance benchmarks and your feedback. Let me comment those:

• Ability to switch between monitor and enforce mode will come in very near future. We are actively working on it.
• We understand the need to easily see what machines are out of compliance. This is also under development and will come in near future. In the meantime, there is a workaround to get this information - please see this post. Please let us know if this helped.
• "using the advanced search fails to yield any results as there is no way to point to these standards in the search function" - could you please elaborate a bit more? Do you mean that the workaround does not produce what you need or that it does not work at all?
• Compliance benchmarks creates and manages profiles, scripts and other artefacts that are stored under device management tab. They are organised into a category that is named after your compliance benchmark configuration name.

Are their plans to be able to sort the rules in a benchmark numerically instead of alphabetically to rule 1.10 comes after rule 1.2 ?

Hi @danlaw777 . Thanks for your interest in compliance benchmarks and your feedback. Let me comment those:

• Ability to switch between monitor and enforce mode will come in very near future. We are actively working on it.
• We understand the need to easily see what machines are out of compliance. This is also under development and will come in near future. In the meantime, there is a workaround to get this information - please see this post. Please let us know if this helped.
• "using the advanced search fails to yield any results as there is no way to point to these standards in the search function" - could you please elaborate a bit more? Do you mean that the workaround does not produce what you need or that it does not work at all?
• Compliance benchmarks creates and manages profiles, scripts and other artefacts that are stored under device management tab. They are organised into a category that is named after your compliance benchmark configuration name.

ability to switch coming-EXCELLENT

workaround worked!

and I still dont see the profiles in device management

@Tomas_Lukl1 is their going to be an API for Benchmarks so we can access the reporting data?

Actually that's been fixed so ignore.

@c_kay yes, creating an API to get reporting data programatically is on our roadmap. Is there anything specific you would expect this API to provide and what would you use it for?

I'd like the API to be able to get the Rule report data. So the pass, fail, unknown numbers for each rule please.

Speaking of the Rule report. I've noticed that a rule with 0 pass 0 fail 0 unknown is calculated to 0% Computers passed. I'm think that should be 100% Computers passed otherwise it looks like the rule failed where really it just doesn't apply to any other the Macs in scope.

For example, rule 5.9 Ensure Extensible Firmware Interface Version is Valid

Hi @danlaw777 @mattjerome and others,

I wanted to share that editing of benchmark scope (smart group) and mode/type (monitor or enforcement) has been enabled just today. Go check your Jamf Pro instances and let us know if the new capability works well for you!