Understanding Host Checker Policy Remediation
This topic describes Host Checker policy remediation.
Remediation Options
You can specify general remediation actions for Host Checker to take if an endpoint does not meet the requirements of a policy. For example, you can display a remediation page to the user that contains specific instructions and links to resources to help the user bring their endpoint into compliance with Host Checker policy requirements.
You can also include a message to users (called a reason string) that is returned by Host Checker or an IMV and that explains why the client machine does not meet the Host Checker policy requirements.
For example, the user might see a remediation page that contains custom instructions, a link to resources, and reason strings.
For each Host Checker policy, you can configure two types of remediation actions:
- User-driven—Using custom instructions and reason strings, you can inform the user about the failed policy and how to make his computer conform. The user must take action to successfully re-evaluate the failed policy unless you configure an IMV to automatically remediate his computer. For instance, you can create a custom page that is linked to a policy server or Web page and enables the user to bring his computer into compliance.
- Automatic (system-driven)—You can configure Host Checker to automatically remediate the user’s computer. For example, when the initial policy fails, you can kill processes, delete files, or allow automatic remediation by an antivirus rule, a firewall rule, or a registry setting rule. Host Checker does not inform users when performing automatic actions. (You could, however, include information in your custom instructions about the automatic actions.)
Remediation User Experience
Users might see a remediation page in the following situations:
- Before the user signs in:
  - If you enable custom instructions or reason strings for a policy that fails, the system displays the remediation page. The user has two choices:
    - Take the appropriate actions to make the endpoint conform to the policy and then click Try Again on the remediation page. Host Checker checks the user’s computer again for compliance with the policy.
    - Leave the endpoint in its current state and click Continue to sign in. The user cannot access the realm, role, or resource that requires compliance with the failed policy.

      If you do not configure the system with at least one realm that allows access without enforcing a Host Checker policy, the user must bring the endpoint into compliance before signing in.
  - If you do not enable custom instructions or reason strings for a policy that fails, Host Checker does not display the remediation page. Instead, a message is displayed telling the user that no additional information has been provided and to contact the system administrator. The system does not assign the user a role that allows access to protected resources.
- After the user signs in:
  - Ivanti—During a session, if a user’s computer becomes noncompliant with the Host Checker policy, a message is displayed briefly in the system tray that informs the user of the noncompliance. The remediation page is displayed on the client.
  - Agentless—During a session, if a user’s agentless computer becomes noncompliant with the Host Checker policy, the system displays the remediation page to inform the user of the noncompliance. On Windows agentless computers, Host Checker displays a bubble and tray icon if the endpoint becomes noncompliant. The user must click the bubble or tray icon to open a browser window that contains the remediation instructions. On Macintosh and Linux agentless computers, Host Checker automatically opens a browser window that contains the remediation instructions as soon as the endpoint is noncompliant.