Compliance Reporting for Security-related policies

kishjayson
Contributor

I submitted this as a feature request as the JSS doesn't appear to have this ability right out of the box; however, I wanted to ask everyone here how you have been approaching Compliance Reporting in your organizations.

https://jamfnation.jamfsoftware.com/featureRequest.html?id=3030

Looking forward to hearing your feedback!

1 REPLY

justinrummel
Contributor III

I would rate things as Critical, Suggested, and Exceptions.

  1. Critical patches would be similar to the Bash or NTP security exploit patches, along with other Security releases for items like Java or Flash pointing to XProtect my bare minimum.
  2. Suggested would be Application level that had no known security issues. Firefox LTS, Chrome, 10.10.1... it just depends on how you define "Suggested"
  3. Exceptions are known items that are not being updated for one reason or another. If Java 1.8.xx is breaking your environment, it is an exception.

Once you have defined your ratings, then you can apply "weight". A Device that doesn't have a Critical patch could be weighted with 3, while Suggested is 1, and Exceptions are 0.

So if one machine had NTP issues and 10.10.1, it would be 1*3+1*1+0=4. That would hit HARD against your metric vs. three machines that don't have Firefox (3x of 1*1)=3.

This is just off the top of my head. More thought in the math would be required.

- Justin
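
The weighting described in the reply above, worked through as an added example that is not part of the original thread or any JSS feature. The weights 3/1/0 come from the post; the item names, device names, the `RATING` catalogue and the choice to score unrated items as Critical are assumptions made for illustration.

```python
from collections import defaultdict

# Weights from the post: Critical = 3, Suggested = 1, Exception = 0.
WEIGHT = {"critical": 3, "suggested": 1, "exception": 0}

# Constructed catalogue: how each tracked item is rated (hypothetical names).
RATING = {
    "ntp-security-fix": "critical",
    "bash-security-fix": "critical",
    "os-10.10.1": "suggested",
    "firefox": "suggested",
    "java-1.8": "exception",   # known breakage, deliberately not updated
}

# Constructed inventory: device -> items it is missing.
MISSING = {
    "mac-01": ["ntp-security-fix", "os-10.10.1", "java-1.8"],
    "mac-02": ["firefox"],
    "mac-03": ["firefox"],
    "mac-04": ["firefox"],
    "mac-05": [],
}

def device_score(missing_items):
    """Sum of weights for one device's missing items.

    Assumption: an item absent from RATING is scored as Critical, so a
    newly tracked patch cannot silently count as zero.
    """
    return sum(WEIGHT[RATING.get(item, "critical")] for item in missing_items)

def fleet_report(missing_by_device):
    """Per-device scores, fleet total, counts per rating, worst devices first."""
    scores = {dev: device_score(items) for dev, items in missing_by_device.items()}
    by_rating = defaultdict(int)
    for items in missing_by_device.values():
        for item in items:
            by_rating[RATING.get(item, "critical")] += 1
    worst_first = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return {"scores": scores, "total": sum(scores.values()),
            "missing_by_rating": dict(by_rating), "worst_first": worst_first}

if __name__ == "__main__":
    report = fleet_report(MISSING)
    for dev, score in report["worst_first"]:
        print(f"{dev}: {score}")
    print("fleet total:", report["total"])
```

Keeping the exception count in the report alongside the zero-weighted score means exempted items stay visible even though they do not move the metric.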