Policies

The Ivanti Policy Secure Host Checker component supports many different types of product policy evaluation on the endpoint, along with continuous monitoring of system health. The table below describes the policies and features that can be defined as part of a device compliance check.

From 9.1R15 onwards, support for the Solaris and Cache Cleaner features is deprecated. Remove all configurations related to these features before upgrading to 9.1R15; the upgrade may fail if any such configuration remains. For more information, refer to KB45044.

| Policy | Description |
|---|---|
| Predefined | |
| Antivirus Policy | Policy to detect whether antivirus software is installed and up to date with the latest virus signatures. It also includes options to check the last scan time and virus signature download, and remediation options. |
| Firewall Policy | Policy to detect the firewall installed on the endpoint, with a remediation option to turn the firewall on if it is turned off. |
| Anti-Spyware Policy | Policy to detect the anti-spyware software installed on endpoints. |
| Hard Disk Encryption | Policy to detect installed encryption software and check the encryption status of the specified drives, or of all drives. |
| Patch Management | Policy to check whether the required operating system patches are installed. |
| OS Checks | Policy to check the version of the Windows operating system and the minimum service pack. |
| Common Vulnerability and Exposure (CVE) | Policy to check the endpoint for known vulnerabilities that expose it to attacks such as ransomware. |
| System Integrity Protection (SIP) | Policy to check the status (enabled/disabled) of System Integrity Protection (SIP) on Mac OS endpoints. |
| Custom | |
| 3rd Party NHC Check | Policy to specify the location of custom DLL files. |
| Ports policy | Policy to check whether a particular port is open or closed, and allow or reject user authentication accordingly. |
| Process policy | Policy to control the software or processes that run on the client machine. |
| File Policy | Policy to check whether a particular file is present on the endpoint, optionally with a specific version, checksum, or last-modified time, and allow or reject user authentication accordingly. |
| Registry Settings policy | Policy to check a registry key and its value, and allow or reject user authentication accordingly, with a remediation option to set the registry value if it is not configured. |
| NetBIOS policy | Policy to check the endpoint's NetBIOS name against the list of NetBIOS names provided, to control user access. |
| MAC Address policy | Policy to check whether the endpoint MAC address matches the provided regular expression or allow list of MAC addresses, to control user access. |
| Machine Certificate Policy | Policy to check for the required machine certificate on the endpoint to control user access. For users connecting with Ivanti Secure Access Client, this policy evaluates both the public and private keys of the installed machine certificate; for agentless users, only the public key is evaluated. |
| Advanced Host Checking | Policy to dynamically check the compliance status of endpoints by combining two policy types: the expected values for one check type are fetched from a registry location on the client machine and then used to evaluate the policy. Checking expected values against another policy is supported for the Ports, Process, File, Registry, NetBIOS, MAC Address, and Machine Certificate policies. |
| Statement of Health | Policy to perform health state validation to determine which roles or realms endpoints can access. It checks system health indicators such as whether antivirus is enabled and up to date, anti-spyware is enabled and up to date, firewall is enabled, and so on. |
| Command | Policy to check the versions of the installed applications on Mac OS endpoints. |
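As an added illustration (not Ivanti's code), the script below shows the Advanced Host Checking pattern on a Windows endpoint: the expected value for a File check (a SHA-256 checksum) is read from a registry location and then compared against the file actually present, producing a pass/fail result and a reason string. The registry path, value name and file path are hypothetical placeholders.

```powershell
# Added illustration, not Ivanti Host Checker code: a File check whose expected
# checksum is supplied by a Registry check on the same endpoint.
param(
    [string]$RegistryPath  = 'HKLM:\SOFTWARE\Example\Compliance',   # hypothetical
    [string]$HashValueName = 'AgentSha256',                          # hypothetical
    [string]$FilePath      = 'C:\Program Files\Example\agent.exe'    # hypothetical
)

function Test-FileAgainstRegistryExpectation {
    param([string]$RegistryPath, [string]$ValueName, [string]$FilePath)

    # Step 1: the Registry check supplies the expected value.
    $item = Get-ItemProperty -Path $RegistryPath -ErrorAction SilentlyContinue
    if ($null -eq $item -or -not $item.PSObject.Properties[$ValueName]) {
        return [pscustomobject]@{ Compliant = $false
                                  Reason = "Expected value '$ValueName' missing at $RegistryPath" }
    }
    $expected = ([string]$item.$ValueName).Trim().ToUpperInvariant()

    # Step 2: the File check computes the actual value on the endpoint.
    if (-not (Test-Path -LiteralPath $FilePath -PathType Leaf)) {
        return [pscustomobject]@{ Compliant = $false; Reason = "File not found: $FilePath" }
    }
    $actual = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA256).Hash.ToUpperInvariant()

    # Step 3: compare; the Reason text is what a remediation message would carry.
    if ($actual -eq $expected) {
        return [pscustomobject]@{ Compliant = $true; Reason = 'Checksum matches registry expectation' }
    }
    return [pscustomobject]@{ Compliant = $false
                              Reason = "Checksum mismatch: expected $expected, got $actual" }
}

$result = Test-FileAgainstRegistryExpectation -RegistryPath $RegistryPath `
                                              -ValueName $HashValueName -FilePath $FilePath
$result | Format-List
if (-not $result.Compliant) { exit 1 }   # non-zero exit = non-compliant
```

A missing registry value is treated as a failure rather than a pass, so an endpoint cannot become compliant simply by lacking the expected-value key.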

Host Checker General Settings

Ivanti Policy Secure provides the following admin configuration options for host checking.

| General Options | Description |
|---|---|
| Continuous Policy Evaluation | Option to configure periodic and continuous policy evaluation so that the endpoint remains compliant with the Host Checker policy. |
| Virus Signature Version Monitoring | Option to monitor and verify that the virus signatures, operating systems, and installed patches are up to date. |
| Pre-Authentication Host Checking | Policies that are enforced at the realm level, before authentication. |
| Post-Authentication Host Checking | Policies that are enforced during role assignment, after authentication. |

Agent and Agentless Host Checking

Agentless Host Checking means endpoints connect to Ivanti Policy Secure through a browser (the User Agent should be a browser such as Google Chrome, Edge, Internet Explorer, or Firefox ESR). Agent-based Host Checking means endpoints connect to Ivanti Policy Secure through Ivanti Secure Access Client.

You can also see KB44716 for differences between agent and agentless Host Checking.

| Agentless | Ivanti Agent |
|---|---|
| The agentless solution refers to endpoints connecting to the network using a web browser. | The Ivanti Agent solution refers to endpoints connecting to the network using Ivanti Secure Access Client. |
| With the agentless solution, the device has to obtain Layer 3 access using an IP address. | With the Ivanti agent, the user never gets a full connection to the network during the validation cycle. The connection validations are performed at Layer 2, without requiring the device to access the network. |
| The agentless solution polls the network on a regular basis to check whether the endpoint is compliant. The user has to enable security protections at the beginning of the cycle to avoid any network breach. | The Ivanti agent always performs continuous monitoring. Any changes to security measures are identified in real time, which strengthens the network security posture. |
| The agentless solution inspects endpoints using the WMI protocol. | The Ivanti agent uses more secure protocols. |
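As an added illustration of the agentless inspection path (not Ivanti's code), the following PowerShell reads antivirus and firewall status from the Windows Security Center WMI provider, the kind of data a WMI-based Antivirus or Firewall policy evaluates against. The productState bit decoding is the commonly used interpretation rather than a documented contract, and the compliance rule at the end is an assumed example policy.

```powershell
# Added illustration, not Ivanti code: read Security Center product status over WMI.
# Runs against the local machine; Get-CimInstance -ComputerName targets a remote endpoint.
function Get-SecurityCenterProductStatus {
    param([ValidateSet('AntiVirusProduct', 'FirewallProduct')][string]$ClassName)

    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName $ClassName -ErrorAction Stop |
        ForEach-Object {
            $state = [int]$_.productState
            # Middle byte (0x00XX00): 0x10 and above = product enabled / real-time protection on.
            # Commonly used interpretation of productState; not a documented contract.
            $enabled  = (($state -shr 8) -band 0xFF) -ge 0x10
            # Low byte (0x0000XX): 0x00 = definitions up to date, 0x10 = out of date.
            $upToDate = ($state -band 0xFF) -eq 0x00
            [pscustomobject]@{
                Product  = $_.displayName
                Class    = $ClassName
                Enabled  = $enabled
                UpToDate = $upToDate
                RawState = ('0x{0:X6}' -f $state)
            }
        }
}

# Assumed example policy: at least one enabled, up-to-date AV product and one enabled firewall.
function Test-EndpointProtection {
    $av = @(Get-SecurityCenterProductStatus -ClassName AntiVirusProduct)
    $fw = @(Get-SecurityCenterProductStatus -ClassName FirewallProduct)
    [pscustomobject]@{
        AntivirusCompliant = [bool]($av | Where-Object { $_.Enabled -and $_.UpToDate })
        FirewallCompliant  = [bool]($fw | Where-Object { $_.Enabled })
        Products           = $av + $fw
    }
}

$result = Test-EndpointProtection
$result.Products | Format-Table -AutoSize
if (-not ($result.AntivirusCompliant -and $result.FirewallCompliant)) { exit 1 }
```

Server SKUs and some builds do not expose root/SecurityCenter2 at all; with -ErrorAction Stop the script terminates with an error in that case, which a policy should treat as non-compliant rather than as a pass.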

Support Platform Matrix

A Host Checker policy contains one or more rules. Each rule can apply to different host checks and to different device types (Windows, Mac, Linux, iOS, Android). The table below lists the Host Checker policies that are supported on Windows, Mac, and Linux.

| Policy | Windows Client | Windows Clientless | Macintosh Client | Macintosh Clientless | Linux Client | Linux Clientless |
|---|---|---|---|---|---|---|
| Antivirus | Yes | Yes* | Yes | Yes* | No | No |
| Firewall | Yes | Yes* | Yes | Yes* | No | No |
| AntiSpyware | Yes | Yes | Yes | Yes | No | No |
| Hard Disk Encryption | Yes | Yes | Yes | Yes | No | No |
| Patch Assessment | Yes | Yes | Yes | Yes | No | No |
| OS Checks | Yes | Yes | Yes | Yes | No | No |
| Common Vulnerability and Exposure (CVE) Check | Yes | Yes | No | No | No | No |
| 3rd Party NHC Checks | Yes | Yes | No | No | No | No |
| Ports | Yes | Yes | Yes | Yes | Yes | Yes |
| Process | Yes | Yes | Yes | Yes | Yes | Yes |
| Files | Yes | Yes** | Yes | Yes** | Yes | Yes** |
| Registry Setting | Yes | Yes*** | No | No | No | No |
| NetBIOS | Yes | Yes | Yes | Yes | No | No |
| MAC Address | Yes | Yes | Yes | Yes | No | No |
| Machine Certificates | Yes | Yes**** | Yes | Yes | No | No |
| Statement of Health | Yes | Yes | No | No | No | No |
| System Integrity Protection (SIP) | No | No | Yes | Yes | No | No |
| Command | No | No | Yes | Yes | No | No |
| Advanced Host Checking | Yes | Yes | No | No | No | No |

- \* In some cases, antivirus/firewall products restrict remediation actions to administrators or services (for example, but not limited to, turning on the firewall). In such scenarios, certain remediation actions do not work with browser/clientless logins. Note that this restriction is defined by the corresponding security product.
- \*\* The admin should enable system-level access for accessing certain files and file locations for browser login.
- \*\*\* Registry verification requires admin privileges for accessing certain registry files. There are limitations with accessing some of the registry hierarchy when evaluating registry checks for browser login.
- \*\*\*\* To access device certificates from the system store, the plugin needs admin rights. With browser/clientless (agentless) login, private key verification is not supported.
- Agentless mode with Profiler is supported only on Windows platforms. The supported policies are Antivirus, Firewall, Antispyware, OS checks, Ports, Process, NetBIOS, and MAC Address. For more information, see the Profiler documentation.

Host Checker Remediation Capabilities

| Remediation | Windows | Mac OS | Linux |
|---|---|---|---|
| Custom Instructions | Yes | Yes | Yes |
| Custom Actions | Yes | - | - |
| Kill Process | Yes | Yes | Yes |
| Delete Files | Yes | Yes | Yes |
| Reason String | Yes | Yes | Yes |