Compliance
Policies and policy instances provide accurate information on the status and/or the compliance of a computer in the DSMC at any time. The compliance of a computer clearly indicates whether a computer has the status that was defined by the existing policies and policy instances. A computer's compliance can be calculated from the associated policy instances.
The system recalculates the compliance as soon as a new policy instance is created or changed or when data is exchanged between the DSM Client on a managed computer and the DSMDB on the Management Point (client synchronization). If the system detects that it must take an action (e.g. installation or repair) in order to reach the compliance, it specifies the appropriate execution mode and sets the compliance status to compliance pending. Then, the Installer acts accordingly and tries to reach the required compliance.
Compliance status
The compliance status indicates to which degree a computer's policy instances have been implemented:
| Status | Icon | Relevance for the individual policy instance | Relevance for the computer |
|---|---|---|---|
|
Not defined |
|
This status only occurs if the system cannot determine the compliance status for whatever reason. |
There are no policy instances for the computer. |
|
Compliant |
|
The policy instances have been implemented successfully. The desired configuration matches the installed configuration. Uninstallation may also be a desired configuration; this is shown as compliant. |
All of the computer's policy instances are compliant. |
| Compliance pending |
|
The policy instances are ready to be implemented but have not been implemented yet. To reach the desired configuration, the system has already set the appropriate execution mode (e.g. Update). |
Compliance is pending for the computer's policy instances. |
| Client prerequisites not fulfilled |
|
The policy instance cannot be implemented correctly because the defined client prerequisites are not fulfilled. | The status is not used for determining a computer's compliance. |
| Not possible |
|
The system attempted to implement the policy instance but did not succeed because the package does not support the required execution mode. |
The status is not used for determining a computer's compliance. |
|
Not compliant |
|
There are different interpretations of this status:
|
At least one of the computer's instances has the status not compliant. |
| Partly compliant (~ n%) |
|
This status does not exist for an individual policy instance. | The status of the target computer is only partly compliant with the desired configuration. This part equals the percentage of the policy instances that have the status compliant or Compliance pending. |
Determining a policy instance's compliance status
By comparing the desired configuration with the actual installed configuration, the system determines the current compliance status of a policy instance. The system determines the conflicts between these two configurations and attempts to solve the conflicts automatically.
Desired and installed configuration
|
Desired configuration |
Describes the desired status of an assigned package on a managed computer. The corresponding policy property consists of the assigned package and the installation parameters. |
|
Installed configuration |
Describes the actual installed status of an assigned package on a managed computer. The corresponding policy property consists of the installed package and the applied installation parameters. |
Execution mode
The Business Logic Server (BLS) and the Installer determine the compliance status of policy instances. The BLS primarily displays the compliance status in the DSMC. The Installer actually determines the compliance status and specifies which actions need to be taken to reach the compliance; these actions are stored as execution mode.
If the Installer determines that the status is compliance pending, which means that a specific action is required to reach this compliance, the action becomes the actual execution mode and is stored as such. The following execution modes are possible: Installation, repair, reinstallation, uninstallation, modification or update. Depending on the execution mode, the Installer takes the required action.
In any other case the Installer does not take action and the execution mode of the policy instance is 'empty' (there is no value).
It is possible to specify which of the following execution modes a package can support: repair, reinstallation, modification, update or uninstallation.
For example, if the Installer determines repair as execution mode for a package and the package does not support this mode, the Installer tries to use other actions to reach the desired configuration. In this case, the Installer uninstalls the package first and then tries to reach the desired configuration by installing the package again.
Downgrading to a lower program version, which is stored in the same package, could also be a possible workaround for the Installer. If the desired configuration points to a lower revision of the package, the Installer automatically uninstalls first to be able to install the desired configuration later on.
If the Installer cannot reach the desired configuration with any of the possible execution modes (e.g. if the package neither supports repair nor uninstallation), the compliance cannot be reached. In this case, the compliance status will be not possible. To reach the compliance, the administrator has to change the actual package or the assignment.
Determining the compliance and the execution mode
The following figure shows which steps are necessary to determine the compliance and execution mode:
Explanations:
- Execution mode versus compliance
If the system specifies an execution mode (e.g. installation) for a policy instance, the compliance status is = compliance pending. - Desired = installed?
During this step the Installer checks whether the installed configuration corresponds to the desired configuration. In which case the status is compliant unless the package calls for repair or reinstallation. In both cases, the Installer uses these execution modes.
If the client's installation prerequisites are not met, the configuration is 'empty'. This leads to the compliance status Client prerequisites not fulfilled. If the respective package has already been installed, it will be uninstalled later. - Desired = empty?
Installed = empty?
If there is no desired configuration, the execution mode is set to uninstallation. If the installed configuration is 'empty', the execution mode is set to installation.
There is also no value for 'Desired' (the value remains 'empty') if a computer is removed from the group that is assigned as installation target. - Desired revision = installed revision?
If the desired and the installed revision are the same, even if the desired and installed revision do not match, the installation parameters must differ. In this case, the execution mode is set to modification. - Desired revision > installed revision?
If the desired revision is lower than the installed revision, a downgrade is required. The execution mode is set to uninstallation first. Then, the Installer installs the desired revision during its next run.
If the desired revision is higher, the execution mode is set to update. - Not possible
If there is a way to reach the desired configuration with an execution mode the package does not support, the DSM attempts to uninstall the package first and then to install it again. If the package does not support uninstallation, the Installer has no means of reaching the desired installation status and therefore the compliance status is set to Not possible.