Agent settings: Compliance

Tools > Configuration > Agent Settings > Compliance

With the Patch and Compliance tool, you can also create a compliance-specific scan task that checks target devices for compliance with your customized security policy. A compliance scan is based on the contents of the Compliance group (and the options specified in the compliance settings). It can be run as a scheduled task or a policy, and can even be initiated by Ivanti Antivirus when a virus is detected that can't be removed or quarantined.

Compliance settings are a subset of the Distribution and Patch settings, and the help for those options is covered in Agent settings: Distribution and patch. These compliance settings are only used when a device does a compliance scan.

To assign new compliance settings to devices
  1. Add your compliance vulnerabilities to Groups > Compliance. To get there, click Tools > Security and Compliance > Patch and Compliance.
  2. In Tools > Configuration > Agent Settings > Compliance, right-click and click New.
  3. Change the compliance scan settings as necessary and click Save.
  4. Right-click your new compliance setting and click Create Scheduled Task.
  5. In the Change settings task, find the Compliance type and next to it select the new compliance setting.
  6. Finish configuring the task and schedule it to run.

About the Patch-only settings > Compliance settings page

Scanning
  • Frequently scan the compliance group: Select this option to set a compliance scan interval of your choice. The available intervals range from 30 minutes to 8 hours.
    • Scan only when a user is logged in
  • Scan after IP address change: Enabled by default.
    • Scan only when a user is logged in
  • Disable the frequent security scanner in agent configuration: In Configuration > Agent configuration, there's a Patch-only settings > Scan options > Frequent scan page. Selecting this disable option on the Compliance page overrides the settings on that agent configuration page.
Actions
  • Enable autofix: Defaults to enabled. Indicates that the security scanner will automatically deploy and install the necessary associated patch files for any vulnerabilities or custom definitions it detects on scanned devices. This option applies to security scan tasks only. In order for autofix to work, the definition must also have autofix enabled.
  • Immediately repair all detected items: Defaults to enabled. Indicates that any security risk will be automatically remediated.
  • Enforce 802.1x supported scan
If a virus cannot be removed or quarantined (Ivanti Antivirus only)
  • Immediately scan device for compliance
  • Perform network access control check to determine if device is unhealthy