Compliance Enforcement
The Compliance Enforcement feature allows you to regularly check the desired state of a package installation after executionon your own conditions and to determine how the DSM environment will react to a failed check.
Changes to the desired state of a software installation can occur if the end-user...
- uninstalls the software with Windows tools,
- intentionally or unintentionally damaged the software, for example by deleting files, or
- updated the software independently to a higher version.
The DSM environment may react by reinstalling the package automatically or by changing its compliance status to not compliant. For this purpose, the ServiceInstaller regularly checks the compliance of the package installation during its polling interval.
Enforcing compliance of software packages
Use the following package properties to activate the compliance enforcement:
- Condition for compliance
- Enforce compliance
Figure: Package properties for compliance enforcement
Package Property 'Condition for compliance'
Use this package property to define when the software packages are compliant.
When checking the compliance, always use conditions that are related to the computer where the package has been installed.
In order for the system to run a compliance check, the policy instance for a software package must have reached the compliant status during the initial installation.
Figure: Define the condition for compliance
Package Property 'Enforce compliance'
If you activate this package property from the Installation checks property group, the DSM environment tries to establish the compliance of a software package with a reinstallation. The ServiceInstaller runs up to five installation attempts for the package.
If all five attempts to reinstall the package fail, the policy instance gets the not compliant status. The policy instance's comment line contains the cause of the error. The ServiceInstaller no longer tries to establish compliance.
Figure: Policy instance after the fifth unsuccessful attempt to establish compliance
Compliance enforcement in special cases
Activating the 'Enforce compliance' package property later
If you...
- activate the Enforce compliance option later for a software package, or
- change the condition for compliance,
- and the software package has already been installed successfully on the computer at that moment,
...the compliance check will be activated with the changed properties during the next ServiceInstaller run.
During the first ServiceInstaller run after the changes, the compliance check runs with the old conditions. Then, the system runs a client synchronization and the changes reach the client for the first time. During the second ServiceInstaller run the changes take effect.
Compliance check without enforced compliance
If you have defined a condition for compliance without having activated the Enforce Compliance property, the compliance status of the software package immediately changes to not compliant, if the ServiceInstaller failed to check this condition.
No compliance even if compliance condition is met
Even if the condition for compliance is met, the compliance of the software package may not be effected. This could happen if the policy instance gets the status Not possible.
The condition for compliance works alongside the other compliance checks and does not replace them.
Package property "Compliance check only uses the 'Condition for existing installation'''
If you have already defined a condition for existing installation for a software package, you may also use this condition for checking its compliance.
A software package is regarded as installed and compliant if the condition for existing installation has been met even if the DSM environment did not install the package. Use this condition for a smooth transition of an unmanaged computer to a managed computer. The system checks this condition once during the installation of the DSM Clients on a computer.
No compliance enforcement for Software Sets
You cannot activate the Compliance Enforcement feature individually for Software Sets. Compliance enforcement only affects the individual software packages contained in the Software Sets.
- If a software package that is contained in a set becomes not compliant, the actual set also gets that status and thus follows the general compliance rules.
- As soon as the package has been reinstalled successfully (with enforced compliance), the Software Set also becomes compliant again after having been not compliant temporarily.