Configuring Host Checker Policy

To configure a Host Checker policy:

1. Select Authentication > Endpoint Security > Host Checker.

2. Under Policies, click New.

3. Enter a name in the Policy Name field, then click Continue. (Users see this name on the Host Checker remediation page if you enable custom instructions for this policy.)

4. Create one or more rules to associate with the policy.

5. Configure additional system-level options on the Authentication > Endpoint Security > Host Checker page.

6. Determine the level at which you want to enforce Host Checker policies:

To enforce Host Checker policies when the user initially signs in, implement the policy at the realm level by selecting Users > User Realms > Select Realm > Authentication Policy > Host Checker.

To allow or deny users access to specific roles based on compliance with Host Checker policies, implement the policies at the role level on the Users > User Roles > Select Role > General > Restrictions > Host Checker page of the admin console.

To map users to roles based on their compliance with Host Checker policies, select Users > User Realms > Select Realm > Role Mapping and use custom expressions.

7. To create client-side logs, select System > Log/Monitoring > Client Logs/Settings and enable the Host Checker and Pulse Desktop Client option.

8. If more than one valid session exists from the same system, and Host Checker is used in those sessions, all valid sessions are terminated if the user signs out from any of the sessions. To prevent this, turn off Host Checker for those sessions that do not need it.

Enable Agentless Mode with Profiler to use agentless Host Checker policy evaluation. As a prerequisite, the administrator must configure the Profiler server to collect the endpoint attributes. Note that Agentless Mode with Profiler is also supported on the MAC Authentication Realm. Refer to the Profiler documentation for configuration and other details.

Configuring Antivirus Rule with Remediation Options

Use this rule type to configure an antivirus rule along with remediation actions. You can also monitor policies to ensure that logged-in endpoints maintain compliance status, and remediate the endpoint to another role or realm depending on the current status.

To configure a predefined antivirus rule:

1. Select Authentication > Endpoint Security > Host Checker.

2. Create a policy, or click an existing policy in the Policies section of the page.

3. Select the tab for Windows or Mac, depending on the platform for which this rule is intended.

4. Under Rule Settings, select Predefined: Antivirus and click Add.

5. Enter the name of the antivirus rule.

6. To determine whether your software vendor's product is supported for the System Scan check, click these Antivirus products. A new window opens with a list of the products that support the feature.

7. Select or clear the check box next to Successful System Scan must have been performed in the last _ days, and enter the number of days in the box. If you select this check box, a new option is displayed: if the remediation action to start an antivirus scan has begun successfully, you can override the previous check.

8. Select or clear the Consider this rule as passed if 'Full System Scan' was started successfully as remediation check box.

9. Select or clear the Check for Virus Definition files check box. If you select this check box, then choose either Virus Definition files should not be older than n Updates (the range for this value is 1 - 20) or Virus Definition files should not be older than n Days (the range for this value is 1 - 30).

10. Select one of the following options:

Require any supported product allows you to check for any product (rather than requiring you to select every product separately). This option button reveals a list of products in the remediation section so that you can enable remediation options that are product specific.

Require specific products/vendors allows you to define compliance by allowing any product by a specific vendor, or by selecting individual products.

After you select your vendors and products, remediation options appear on the page.

For each of the following remediation actions:

Download latest virus definition files: obtains the latest available file for the specified vendor from the vendor's website.

Turn on Real Time Protection: launches the virus-scanning mechanism for the specified vendor.

Start Antivirus Scan: performs a real-time virus scan for the specified vendor.

The check box is active if the action is supported for your product.

If your antivirus product is not supported, you can click the remediation column headers to determine which vendors and products are supported.

If your product is supported, select the check box for the remediation action that you want to apply.

Under Optional, select Monitor this rule for change in result to continuously monitor the policy compliance of endpoints. If this check box is selected and the compliance status of an endpoint that has successfully logged in changes, PPS initiates a new handshake to re-evaluate realm or role assignments.

Click Save Changes to save the antivirus rule and enforce antivirus remediation.

(Optional) Add more rules to the policy, specify how Host Checker should evaluate multiple rules within the policy, and define remediation options.

Configuring Firewall Rule with Remediation Options

Use this rule type to create a Host Checker firewall rule that requires the endpoint to have a specific firewall installed and running before it connects to the network.

To configure a Host Checker predefined firewall rule:

1. Select Authentication > Endpoint Security > Host Checker.

2. Create a policy, or click an existing policy in the Policies section of the page.

3. Select the tab for Windows or Mac, depending on the platform for which this rule is intended.

4. Under Rule Settings, select Predefined: Firewall and click Add.

5. Enter a name for the firewall rule.

6. Select one of the following options:

Require any supported product allows you to check for any product (rather than requiring you to select every product separately). This option button provides a list of products in the remediation section so that you can enable remediation options that are product specific.

Require specific products/vendors allows you to define compliance by allowing any product by a specific vendor, or by selecting individual products.

7. After you select your vendors and products, remediation options appear on the page.

8. If your firewall is supported, select the Turn on Firewall check box.

9. Under Optional, select Monitor this rule for change in result to continuously monitor the policy compliance of endpoints. If this check box is selected and the compliance status of an endpoint that has successfully logged in changes, PPS initiates a new handshake to re-evaluate realm or role assignments.

10. Click Save Changes to save the firewall rule and enforce firewall remediation.

11. (Optional) Add more rules to the policy, specify how Host Checker should evaluate multiple rules within the policy, and define remediation options.

Configuring Malware Rule

Use this rule type to check for installed malware on endpoints.

To configure a Host Checker predefined malware rule:

1. Select Authentication > Endpoint Security > Host Checker.

2. Create a new policy, or click an existing policy in the Policies section of the page.

3. Select the tab for Windows.

4. Under Rule Settings, select Predefined: Malware and click Add.

5. From the Criteria, select the Malware Software that must be installed on the endpoint.

6. Click Save Changes.

Configuring AntiSpyware Rule

Use this rule type to check for installed antispyware on endpoints.

To configure a Host Checker predefined antispyware rule:

1. Select Authentication > Endpoint Security > Host Checker.

2. Create a new policy, or click an existing policy in the Policies section of the page.

3. Select the tab for Windows or Mac, depending on the platform for which this rule is intended.

4. Under Rule Settings, select Predefined: AntiSpyware and click Add.

5. Enter a name for the antispyware rule.

6. Select one of the following options:

Require any supported product allows you to check for any product (rather than requiring you to select every product separately). This option button provides a list of products in the remediation section so that you can enable remediation options that are product specific.

Require specific products/vendors allows you to define compliance by allowing any product by a specific vendor, or by selecting individual products.

7. Under Optional, select Monitor this rule for change in result to continuously monitor the policy compliance of endpoints. If this check box is selected and the compliance status of an endpoint that has successfully logged in changes, PPS initiates a new handshake to re-evaluate realm or role assignments.

8. Click Save Changes.

9. (Optional) Add more rules to the policy, specify how Host Checker should evaluate multiple rules within the policy, and define remediation options.

Configuring Hard Disk Encryption Rule

Use this rule type to check for installed hard disk encryption software on endpoints and to specify the drives that need to be encrypted.

To configure a predefined hard disk encryption rule:

1. Select Authentication > Endpoint Security > Host Checker.

2. Create a new policy, or click an existing policy in the Policies section of the page.

3. Select the tab for Windows or Mac, depending on the platform for which this rule is intended.

4. Under Rule Settings, select Predefined: HardDisk Encryption and then click Add.

5. Enter a Rule Name for the HardDisk Encryption rule.

6. Select one of the following options:

Require any supported product allows you to check for any product (rather than requiring you to select every product separately). This option button provides a list of products in the remediation section so that you can enable remediation options that are product specific.

Require specific products/vendors allows you to define compliance by allowing any product by a specific vendor, or by selecting individual products.

7. Under Drive Configuration, select the required option.

All Drives (default): Select this option to check whether all the drives on the client machine are encrypted.

Specific Drives: Select this option to check whether only specific drives on the client machine are encrypted.

Drive Letters: Enter the drive letters. For example, C, D, E.

Consider policy as passed if the drives are not detected: Select this option to consider the policy as passed if the drives are not detected.

Consider policy as passed if the drive Encryption is in progress: Select this option to allow the Host Checker policy to pass if the encryption process is in progress and the drive is not yet fully encrypted. The drive encryption process takes time to complete, depending on the drive size and contents. For multiple drives, the Host Checker policy passes only if the encryption process is in progress on all the drives.

8. Click Save Changes.

Configuring Common Vulnerability and Exposure (CVE) Check Rules

Host Checker is used to analyze the health of the endpoint before providing access to the network. Because endpoints are exposed to many new types of attack, such as ransomware, it is extremely important to identify endpoints that are vulnerable. The CVE list catalogs such vulnerabilities along with the software patches required to prevent the corresponding attacks. PPS provides the CVE check rule, which uses the OPSWAT library to identify vulnerable endpoints. If an endpoint is vulnerable, the appropriate action is taken based on the rule configuration; for example, the user can be denied access to the network.

- The CVE check rule is supported from ESAP 3.2.3 onwards.
- OPSWAT version 3 does not support CVE rules. These rules are always evaluated as failed and may cause the Host Checker policy to fail. It is recommended to delete CVE rules if you are using the OPSWAT V3 SDK for evaluation.

To configure a predefined CVE check rule:

1. Select Authentication > Endpoint Security > Host Checker.

2. Create a new policy, or click an existing policy in the Policies section of the page.

3. Click the Windows tab.

4. Under Rule Settings, select Predefined: CVE Checks and click Add.

5. Enter a Rule Name for the CVE Check rule. For example, you can configure a check for the WannaCry vulnerability.

6. From the Criteria, select whether you require all the CVE checks from OPSWAT, or choose specific CVE checks from the available CVE checks list.

7. Click Save Changes.

Configuring Patch Management Rules

You can configure Host Checker to check for installed patch management software on endpoints.

Patch management software detects patch status based on the rules configured on the corresponding patch management server. Detection of patch status on the client machine depends on the support provided by the third-party patch management solution that is used, so different patch management software on the same client can report the status differently. To avoid conflicts, the administrator is allowed to configure only one patch management software product on the policy configuration page.

The rule provides options to configure the Severity and Category values that the administrator is interested in. These details are used during policy evaluation so that only the missing patches that belong to the configured "Severity" and "Category" are considered; any other missing patches are not considered during policy evaluation.

The default "Severity" options selected in the policy are Critical and Important. The default "Category" options selected in the policy are Security Update, Critical Update, Regular Update, and Driver Update.

- Remediation support for the patch management rule is available only on the Windows platform, using the SCCM client.
- Patch Management on Mac is not supported with OPSWAT SDK V3 and pre-9.0R1 Pulse clients.

To configure a predefined patch management rule:

1. Select Authentication > Endpoint Security > Host Checker.

2. Create a new policy, or click an existing policy in the Policies section of the page.

3. Click the Windows/Mac tab.

4. Enter a Rule Name for the Patch Management rule.

5. Under Rule Settings, select Predefined: Patch Management and click Add.

6. From the Criteria, select the patch management software that must be installed on the endpoint.

7. Select the Severity and Category details of the patches to be evaluated.

For patch management products that do not provide "Severity" and "Category" details, the administrator can choose the "Unknown" options so that all the reported missing patches are considered in policy evaluation.

8. (Windows only) To enable remediation, under the Remediation section, select Enable Automatic Patch Deployment.

9. Click Save Changes.

Configuring OS Checks Rule

You can configure Host Checker to check for the Windows/Mac operating systems and minimum service pack versions that you specify. Any service pack whose version is greater than or equal to the version you specify satisfies the policy.

The OS Check rule is supported starting from Mac OS X El Capitan (10.11) and above.

To configure a rule for OS checks:

1. Select Authentication > Endpoint Security > Host Checker.

2. Create a new policy, or click an existing policy in the Policies section of the page.

3. Click the Windows/Mac tab.

4. Enter a Rule Name for the OS checks rule.

5. Under Rule Settings, select Predefined: OS checks and click Add.

6. From the Criteria, select the Windows/Mac operating systems and the minimum service pack or version that must be present on the endpoint.

7. Click Save Changes.

Configuring Third-Party NHC Rule

Use this rule type to specify the location of a custom DLL. Host Checker calls the DLL to perform customized client-side checks.

To configure a rule for third-party NHC:

1. Select Authentication > Endpoint Security > Host Checker.

2. Under Rule Settings, select Custom: 3rd Party NHC Check and then click Add.

3. Enter a name for the NHC Check rule.

4. Under Criteria, enter the Vendor name and Path to NHC DLL.

5. Under Optional, select Monitor this rule for change in result to continuously monitor the policy compliance of endpoints. If this check box is selected and the compliance status of an endpoint that has successfully logged in changes, the PPS initiates a new handshake to re-evaluate realm or role assignments.

6. Click Save Changes.

Configuring Ports Rule

Use this rule type to control the network connections that a client can generate during a session. This rule type ensures that certain ports are open or closed on the client machine before the user can access the system.

To configure a custom port rule:

1. Select Authentication > Endpoint Security > Host Checker.

2. Create a new policy, or click an existing policy in the Policies section of the page.

3. Under Rule Settings, select Custom: ports and then click Add.

4. Enter a name for the port rule.

5. Under Criteria, enter a comma-delimited list (without spaces) of ports or port ranges, such as: 1234,11000-11999,1235. Select Required if you want these ports to be open on the client machine, or Deny if you want them to be closed.

6. (Windows only) Under Optional, select Monitor this rule for change in result to continuously monitor the policy compliance of endpoints. If this check box is selected and the compliance status of an endpoint that has successfully logged in changes, the PPS initiates a new handshake to re-evaluate realm or role assignments.

7. Click Save Changes.
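As an added example that is not part of the PPS documentation, the following Python parses a Ports rule criteria string in the comma-delimited form described in step 5 and evaluates it against a constructed list of open ports on an endpoint. The documentation does not spell out how a port range is judged, so the evaluator assumes that Required means every listed port is open and Deny means none of them is; the returned list names the ports that caused a failure, which is what a remediation message would need to show.

```python
"""Added example (not PPS code): parse and evaluate a Host Checker Ports rule
such as "1234,11000-11999,1235" against a constructed set of open ports."""
import re

# One item is a single port or a low-high range; five digits bounds it to 65535.
PORT_ITEM = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def parse_port_list(criteria):
    """Turn the comma-delimited list into (low, high) tuples.

    The admin console expects no spaces; a stray space is rejected rather than
    silently stripped so a mistyped rule is caught when it is written."""
    if " " in criteria:
        raise ValueError("port list must be comma-delimited without spaces")
    ranges = []
    for item in criteria.split(","):
        m = PORT_ITEM.match(item)
        if not m:
            raise ValueError(f"invalid port item: {item!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"port range out of order or out of bounds: {item!r}")
        ranges.append((low, high))
    return ranges


def evaluate_ports_rule(criteria, mode, open_ports):
    """Return (passed, offending_ports).

    Assumed semantics (the documentation does not define range handling):
    Required passes when every port covered by the criteria is open, Deny
    passes when none of them is. offending_ports lists what broke the rule."""
    listed = {p for lo, hi in parse_port_list(criteria) for p in range(lo, hi + 1)}
    open_set = set(open_ports)
    if mode == "Required":
        missing = sorted(listed - open_set)
        return not missing, missing
    if mode == "Deny":
        present = sorted(listed & open_set)
        return not present, present
    raise ValueError("mode must be 'Required' or 'Deny'")


if __name__ == "__main__":
    # Constructed endpoint: listening ports reported by the client.
    endpoint_open_ports = [22, 8080, 11500]
    print(evaluate_ports_rule("1234,11000-11999,1235", "Deny", endpoint_open_ports))
```

Running the block stand-alone prints `(False, [11500])`: the endpoint has a listener inside the denied 11000-11999 range, so the rule fails and the offending port is reported.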

Configuring Process Rule

Use this rule type to control the software that a client may run during a session. This rule type ensures that certain processes are running or not running on the client machine before the user can access protected resources.

To configure a custom process rule:

1. Select Authentication > Endpoint Security > Host Checker.

2. Create a new policy, or click an existing policy in the Policies section of the page.

3. Under Rule Settings, select Custom: Process and then click Add.

4. Enter a name for the process rule.

5. Under Criteria, enter the name of a process (executable file), such as: good-app.exe. You can use a wildcard character to specify the process name. For example: good*.exe. Select Required to require that this process is running, or Deny to require that this process is not running.

6. Under Optional, enable the checks required from the following:

Specify the MD5 checksum value of each executable file to which you want the policy to apply. For example, an executable may have different MD5 checksum values on a desktop, a laptop, or different operating systems. On a system with OpenSSL installed (Macintosh, Linux and Solaris systems have OpenSSL installed by default), you can determine the MD5 checksum by using this command: openssl md5 <processFilePath>.

Specify the SHA256 checksum value of each file.

Select the Monitor this rule for change in result check box to continuously monitor the policy compliance of endpoints. If this check box is selected and the compliance status of an endpoint that has successfully logged in changes, the PPS initiates a new handshake to re-evaluate realm or role assignments.

7. Click Save Changes.

Configuring File Rule

Use this rule type to ensure that certain files are present or not present on the client machine before the user can access the system. You may also use file checks to evaluate the age and content (through MD5 checksums) of required files and allow or deny access accordingly.

To configure a custom file rule:

1. Select Authentication > Endpoint Security > Host Checker.

2. Create a new policy, or click an existing policy in the Policies section of the page.

3. Under Rule Settings, select Custom: File and then click Add.

4. Enter a name for the file rule.

5. Under Criteria, enter the name of a file (any file type). For example: c:\temp\bad-file.txt or /temp/bad-file.txt. You can use a wildcard character to specify the file name. For example: *.txt. You can also use an environment variable to specify the directory path to the file. (You cannot use a wildcard character in the directory path.) Enclose the variable between the <% and %> characters. For example: <%windir%>\bad-file.txt.

6. Select Required to require that this file is present on the client machine, or Deny to require that this file is not present.

7. (Windows only) Under Optional, enable the checks required from the following:

Specify the minimum version of the file (optional). For example, if you require notepad.exe to be present on the client, you can enter 5.0 in the field. Host Checker then accepts version 5.0 and above of notepad.exe.

Specify the maximum age (File modified less than n days) (in days) for a file (optional). If the file is older than the specified number of days, the client does not meet the attribute check requirement.

Specify the MD5 checksum value of each file to which you want the policy to apply (optional). On Macintosh, Linux and Solaris, you can determine the MD5 checksum by using this command: openssl md5 <filePath>.

8. Specify the SHA256 checksum value of each file.

9. Select Monitor this rule for change in result to continuously monitor the policy compliance of endpoints. If this check box is selected and the compliance status of an endpoint that has successfully logged in changes, the PPS initiates a new handshake to re-evaluate realm or role assignments.

10. Click Save Changes.

Configuring Registry Settings Rule

Use this rule type to control the corporate PC images, system configurations, and software settings that a client must have to access the PPS. This rule type ensures that certain registry keys are set on the client machine before the user can access the PPS. You may also use registry checks to evaluate the age of required files and to allow or deny access accordingly.

1. Select Authentication > Endpoint Security > Host Checker.

2. Create a new policy, or click an existing policy in the Policies section of the page.

3. Under Rule Settings, select Custom: Registry Setting and then click Add.

4. Enter a name for the registry setting rule.

5. Under the criteria:

Select a root key from the drop-down list.

Enter the path to the application folder for the registry subkey.

Enter the name of the key's value that you want to require (optional). This name appears in the Name column of the Registry Editor.

Select the key value's type (String, Binary, or DWORD) from the drop-down list (optional). This type appears in the Type column of the Registry Editor.

Specify the required registry key value (optional). This information appears in the Data column of the Registry Editor.

If the key value represents an application version, select Minimum version to allow the specified version or newer.

6. Under Optional, select Monitor this rule for change in result to continuously monitor the policy compliance of endpoints. If this check box is selected and the compliance status of an endpoint that has successfully logged in changes, the system initiates a new handshake to re-evaluate realm or role assignments.

7. Under Remediation, select the check box for Set Registry value specified in criteria.

8. Click Save Changes.

Configuring NetBIOS Rule

Use this rule type to check the NetBIOS name of the client machine before the user can access PPS.

A maximum of 1,000 regex patterns are supported in a single NetBIOS rule. If there are more than 1,000 regex patterns in a single rule, split the rule into multiple rules.

To configure a custom NetBIOS rule:

1. Select Authentication > Endpoint Security > Host Checker.

2. Create a new policy, or click an existing policy in the Policies section of the page.

3. Under Rule Settings, select Custom: File and then click Add.

4. Enter a name for the NetBIOS rule.

5. Under Criteria, enter a comma-delimited list (without spaces) of NetBIOS names. A name can be up to 15 characters in length. You can use wildcard characters in the name, and matching is not case-sensitive. For example, md*, m*xp and *xp all match MDXP.

For Mac OS, you can enter the special characters “[!"\#$%&'()*+,\-./:;<=>?@\[\\\]^_`{|}~]”, and a space is allowed between NetBIOS names.

6. Select Required to require that the NetBIOS name of the client machine matches one of the names you specify, or Deny to require that the name does not match any name.

7. Click Save Changes.

Configuring MAC Address Rule

Use this rule type to check the MAC addresses of the client machine before the user can access the PPS.

To configure a custom MAC Address rule:

1. Select Authentication > Endpoint Security > Host Checker.

2. Create a new policy, or click an existing policy in the Policies section of the page.

3. Under Rule Settings, select Custom: MAC Address and then click Add.

4. Enter a name for the MAC address rule.

5. Under Criteria, enter a comma-delimited list (without spaces) of MAC addresses in the form XX:XX:XX:XX:XX:XX, where each X is a hexadecimal digit. For example: 00:0e:1b:04:40:29. You can use a * wildcard character to represent a two-character section of the address. For example, you can use a * to represent the "04", "40", and "29" sections of the previous example address: 00:0e:1b:*:*:*. But you cannot use a * to represent a single character. For example, the * in the following address is not allowed: 00:0e:1b:04:40:*9

6. Select Required to require that a MAC address of the client machine matches any of the addresses you specify, or Deny to require that none of the addresses match. A client machine has at least one MAC address for each network connection, such as Ethernet, wireless, and VPN.

7. This rule's requirement is met if there is a match between any of the addresses you specify and any MAC address on the client machine.

8. Click Save Changes.
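The NetBIOS and MAC address criteria described in the two sections above, as an added example that is not part of the PPS documentation: the Python below validates a criteria list the way the admin console constrains it (no spaces, 15-character NetBIOS names, at most 1,000 patterns per rule, a * only as a whole two-character MAC section) and evaluates Required/Deny against a constructed endpoint. Case-insensitive * matching for NetBIOS names follows the md*/m*xp/*xp example; the 1,000-pattern splitter and the rejection of a partial wildcard such as *9 follow the stated limits.

```python
"""Added example (not PPS code): validate and evaluate Host Checker NetBIOS and
MAC address rule criteria against a constructed endpoint."""
import re

NETBIOS_MAX_LEN = 15          # maximum NetBIOS name length
NETBIOS_MAX_PATTERNS = 1000   # per-rule pattern limit from the documentation
HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")


def netbios_regex(pattern):
    """'*' matches any run of characters and the comparison is case-insensitive,
    so md*, m*xp and *xp all match MDXP."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + body + "$", re.IGNORECASE)


def parse_netbios_list(criteria):
    """Comma-delimited with no spaces (the Windows form); each name is 1-15 characters."""
    if " " in criteria:
        raise ValueError("NetBIOS list must be comma-delimited without spaces")
    names = criteria.split(",")
    for name in names:
        if not 1 <= len(name) <= NETBIOS_MAX_LEN:
            raise ValueError(f"{name!r}: NetBIOS names are 1-{NETBIOS_MAX_LEN} characters")
    return names


def split_into_rules(names):
    """A single rule holds at most 1,000 patterns; a longer list is split across rules."""
    return [names[i:i + NETBIOS_MAX_PATTERNS]
            for i in range(0, len(names), NETBIOS_MAX_PATTERNS)]


def parse_mac_list(criteria):
    """Each entry is XX:XX:XX:XX:XX:XX. A '*' may replace a whole two-character
    section only, so 00:0e:1b:*:*:* is valid and 00:0e:1b:04:40:*9 is not."""
    if " " in criteria:
        raise ValueError("MAC list must be comma-delimited without spaces")
    patterns = []
    for entry in criteria.split(","):
        sections = entry.split(":")
        if len(sections) != 6:
            raise ValueError(f"{entry!r}: expected six colon-separated sections")
        for s in sections:
            if s != "*" and not HEX_PAIR.match(s):
                raise ValueError(f"{entry!r}: section {s!r} must be two hex digits or '*'")
        patterns.append([None if s == "*" else s.lower() for s in sections])
    return patterns


def mac_matches(pattern, address):
    sections = address.lower().split(":")
    return len(sections) == 6 and all(p is None or p == s for p, s in zip(pattern, sections))


def _decide(mode, matched):
    """Required passes on any match; Deny passes only when nothing matches."""
    if mode == "Required":
        return bool(matched), matched
    if mode == "Deny":
        return not matched, matched
    raise ValueError("mode must be 'Required' or 'Deny'")


def evaluate_netbios_rule(criteria, mode, endpoint_name):
    """Returns (passed, patterns that matched the endpoint's NetBIOS name)."""
    matched = [p for p in parse_netbios_list(criteria) if netbios_regex(p).match(endpoint_name)]
    return _decide(mode, matched)


def evaluate_mac_rule(criteria, mode, endpoint_macs):
    """Returns (passed, endpoint addresses matched by any pattern). An endpoint has
    one address per interface (Ethernet, wireless, VPN) and any single match counts."""
    patterns = parse_mac_list(criteria)
    matched = sorted({a.lower() for a in endpoint_macs for p in patterns if mac_matches(p, a)})
    return _decide(mode, matched)


if __name__ == "__main__":
    # Constructed endpoint: its NetBIOS name and the addresses of two adapters.
    print(evaluate_netbios_rule("md*,m*xp,*xp", "Required", "MDXP"))
    print(evaluate_mac_rule("00:0e:1b:*:*:*", "Required", ["00:0E:1B:04:40:29", "02:1a:2b:3c:4d:5e"]))
```

Because an endpoint reports one address per adapter, a Deny rule only holds when none of the reported addresses matches; the evaluator therefore collects every match before deciding, rather than stopping at the first adapter.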

Configuring Machine Certificate Rule

Use this rule type to check that the client machine is permitted access by validating the machine certificate stored on the client machine.

To configure a machine certificate rule:

1. Select Authentication > Endpoint Security > Host Checker.

2. Create a new policy, or click an existing policy in the Policies section of the page.

3. Under Rule Settings, select Custom: Machine certificate and then click Add.

4. Enter a name for the machine certificate rule.

5. Under Criteria, from the Select Issuer Certificate list, select the certificate that you want to retrieve from the user's machine and validate. Or, select Any Certificate to skip the issuer check and only validate the machine certificate based on the optional criteria that you specify below.

6. In the Optional fields (Certificate field and Expected value), specify any additional criteria that Host Checker should use when verifying the machine certificate.

- If more than one certificate installed on the client machine matches the specified criteria, the Host Checker client passes the first certificate it finds to PPS for validation.
- The administrator must perform additional configuration on the client machine to install a machine certificate on Mac OS, due to restrictions from Apple. For more information, see KB44148.

7. Click Save Changes.

Configuring Advanced Host Checking Rule

Use this rule type to combine multiple policies for performing advanced host checking. The supported policy types are ports, process, file, registry setting, NETBIOS, MAC address and machine certificate. It allows the administrator to dynamically configure the expected values from registry locations on the endpoint for evaluating the policies.

This feature is supported only on the Windows platform.

To configure an advanced host checking rule:

1. Select Authentication > Endpoint Security > Host Checker.

2. Create a new policy, or click an existing policy in the Policies section of the page.

3. Under Rule Settings, select Custom: Advanced Host Checking and then click Add.

4. Enter a name for the rule.

5. Select the check to be performed from the Rule Type list.

6. Under Criteria, select from the Rule Type list:

Select Ports to check whether a specific port number is open or closed on the endpoint.

Enable Required/Deny to check whether the specified port is open/closed.

Select the registry root key: HKEY_LOCAL_MACHINE, HKEY_USERS, HKEY_CURRENT_USER, HKEY_CURRENT_CONFIG, or HKEY_CLASSES_ROOT.

Enter the registry subkey.

Enter the registry name.

Select the registry type: String, Binary, or DWORD.

Select Check for 64-bit registry to check the 64-bit registry on Windows. The default is the 32-bit registry.

You can similarly add the check type for Process/File/NETBIOS/MAC Address. The port number/process name/file path/NETBIOS name/MAC address is obtained from the registry setting.

Select Registry Setting to verify specific registry values on the endpoint. You define only the registry location in the policy, and a second registry location provides the expected registry value.

Select the registry root key: HKEY_LOCAL_MACHINE, HKEY_USERS, HKEY_CURRENT_USER, HKEY_CURRENT_CONFIG, or HKEY_CLASSES_ROOT.

Enter the registry subkey.

Enter the name.

Select the registry type: String, Binary, or DWORD.

Configure another registry setting to fetch the expected registry value. Select the registry subkey, name, and type.

Select Machine Certificate to verify that the required certificate is installed in the client machine certificate store.

Select the issuer certificate from the list.

Specify any additional criteria that Host Checker must use while verifying the certificate.

Enter the certificate field name. For example, cn.

Select the registry key.

Enter the registry subkey.

Enter the registry name.

Select the registry type.

Click Add.

7. Click Save Changes.

Configuring Statement of Health Rule

Use this rule type to evaluate an endpoint's health status and make policy decisions for network access based on the result.

To configure a custom Statement of Health rule:

1. Select Authentication > Endpoint Security > Host Checker.

2. Create a new policy, or click an existing policy in the Policies section of the page.

3. For a new policy, specify a name for the policy and then click Continue.

4. Under Rule Settings, select Custom: Statement of Health and then click Add.

5. Enter a Name for the SOH rule.

6. Under Criteria, enter a Label for an SOH parameter. Select an SOH policy option from the Parameter menu, then click Add, for the following types:

Antivirus Enabled

Antivirus up to date

Antispyware enabled

Antispyware up to date

Firewall Enabled

Automatic Updates Enabled

7. Select additional options from the Parameter list to add additional SOH parameters.

8. (Optional) For each rule, select the Enable automatic remediation check box. If you select this option for a rule, the user receives a remediation message from the SoH agent, and appropriate remediation is performed if possible. If the box is not selected, the user receives a remediation message, but no remediation action is performed.

9. Click Save Changes.

Configuring System Integrity Protection Rule

System Integrity Protection (SIP) is a security feature introduced in Mac OS X El Capitan. This security feature from Apple provides security on the endpoint machine by restricting various actions that root user can perform on the client machine. System Integrity Protection is enabled by default but can be disabled.

PPS supports System Integrity Protection policy to check the status of System Integrity Protection (SIP) on the Mac OS endpoints. Using this, the administrators can provide different access level to the end points based on the status of "System Integrity Protection" on the client machines.

To configure a Host Checker Predefined SIP rule:

1.Select Authentication > Endpoint Security > Host Checker.

2.Create a new policy, or click an existing policy in the Policies section of the page.

3.Select the tab for Mac.

4.Under Rule Settings, select Predefined: System Integrity Protection Rule and click Add.

5.Enter the rule name.

6.Under Criteria, select Enabled to ensure that the System Integrity Protection on the client machine is enabled.

7.Click Save Changes.

Configuring Command Rule

The Command rule enables administrators to check the versions of applications installed on Mac OS endpoints.

To configure a Host Checker Custom: Command rule:

1.Select Authentication > Endpoint Security > Host Checker.

2.Create a new policy, or click an existing policy in the Policies section of the page.

3.Select the tab for Mac.

4.Under Rule Settings, select Custom: Command and click Add.

5.Enter the rule name.

6.Under Criteria, complete the following configuration:

Select the command type. The default is Read Settings.

Specify the path of the property list (plist) file of the required application on the client machine.

Enter the name of the key in the property list file that holds the application's version.

Enter the expected version that must be present on the client machine.

7.Click Save Changes.

Ensure that the required ESAP package (one that includes support for the Command rule) is installed and activated on the server.
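The following is an added example, not PPS or Pulse Secure code, that emulates what a Read Settings Command rule evaluates on the endpoint: it loads a property list, reads the configured key and compares the value with the expected version. The plist content is constructed for the example, and the optional "at least this version" comparison is an assumption added here; the rule as described above compares against a single expected version.

```python
"""Hypothetical emulation of a Host Checker Custom: Command rule (Read Settings).

Example code, not PPS or Pulse Secure code. It reads a key from a macOS property
list and compares it with the version the rule expects.
"""
import plistlib

# Constructed sample: a minimal property list of the kind an application bundle
# carries. On a real endpoint the rule points at the bundle's plist path
# (the exact path depends on the application and is not assumed here).
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleName</key>
    <string>ExampleAgent</string>
    <key>CFBundleShortVersionString</key>
    <string>4.10.2</string>
</dict>
</plist>
"""


def version_tuple(text):
    """Turn '4.10.2' into (4, 10, 2) so that 4.10 sorts after 4.9, unlike a string compare."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def read_setting(plist_bytes, key):
    """Read Settings: load the property list and return the named key, or None if it is absent."""
    data = plistlib.loads(plist_bytes)
    return data.get(key)


def evaluate_command_rule(plist_bytes, key, expected, at_least=False):
    """Return (compliant, found_value).

    Exact match is the default. at_least=True is an assumed extension for this
    example: it passes any version greater than or equal to the expected one.
    A missing key or a non-string value is treated as non-compliant.
    """
    found = read_setting(plist_bytes, key)
    if not isinstance(found, str):
        return False, found
    if at_least:
        return version_tuple(found) >= version_tuple(expected), found
    return version_tuple(found) == version_tuple(expected), found
```

A practitioner can point `read_setting` at the bytes of a real plist to confirm the key name before entering it in the rule; a wrong key name fails closed rather than matching by accident.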

Using a Wildcard or Environment Variable in a Host Checker Rule

The following table lists the wildcards you can use to specify a file name in a File rule or a process name in a Process rule.

Wildcard Character   Description                                            Example
*                    Matches any sequence of characters, including none     *.txt
?                    Matches exactly one character                          app-?.exe

In a Custom File rule for Windows, you can use the following environment variables to specify the directory path to a file:

Environment variable     Example Windows Value
<%APPDATA%>              C:\Documents and Settings\jdoe\Application Data
<%windir%>               C:\WINDOWS
<%ProgramFiles%>         C:\Program Files
<%CommonProgramFiles%>   C:\Program Files\Common Files
<%USERPROFILE%>          C:\Documents and Settings\jdoe
<%HOMEDRIVE%>            C:
<%Temp%>                 C:\Documents and Settings\<username>\Local Settings\Temp

The following table lists the environment variables you can use in a Custom File rule for Macintosh, Linux and Solaris.

Environment variable   Example Macintosh Value                                            Example Linux and Solaris Value
<%Java.home%>          /System/Library/Frameworks/JavaVM.framework/Versions/1.4.2/Home    /local/local/Java/j2sdk1.4.1_02/jre
<%Java.io.tmpdir%>     /tmp                                                               /tmp
<%user.dir%>           /Users/admin                                                       /home-shared/cknouse
<%user.home%>          /Users/admin                                                       /home/cknouse
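The following is an added example, not PPS or Pulse Secure code, that shows how a File or Process rule pattern built from the two tables above would resolve on an endpoint: the `<%VAR%>` tokens are expanded from the environment and the `*` and `?` wildcards are matched against candidate names. The environment values and file list are constructed; two details are assumptions rather than documented behaviour, namely that a wildcard does not cross a path separator and that Windows names compare case-insensitively. It also includes the check that a remediation entry (Kill Processes, Delete Files) contains no wildcard, since those lists accept literal names only.

```python
"""Hypothetical emulation of how a Host Checker Custom File or Process rule
pattern is resolved on an endpoint: <%VAR%> tokens are expanded from the
environment, then the '*' and '?' wildcards are matched against candidate
names. Example code, not PPS or Pulse Secure code."""
import re

# Constructed environment standing in for the values the endpoint would supply.
WINDOWS_ENV = {
    "APPDATA": r"C:\Documents and Settings\jdoe\Application Data",
    "windir": r"C:\WINDOWS",
    "ProgramFiles": r"C:\Program Files",
}

# Constructed file list; the directory layout is illustrative only.
CANDIDATE_FILES = [
    r"C:\Documents and Settings\jdoe\Application Data\agent-1.exe",
    r"C:\Documents and Settings\jdoe\Application Data\agent-12.exe",
    r"C:\Documents and Settings\jdoe\Application Data\notes.txt",
    r"C:\Documents and Settings\jdoe\Application Data\sub\agent-2.exe",
    r"C:\WINDOWS\notepad.exe",
]

TOKEN = re.compile(r"<%([A-Za-z_][A-Za-z0-9_.]*)%>")


def unknown_variables(path, env):
    """Names referenced as <%NAME%> that the environment does not define."""
    return [m.group(1) for m in TOKEN.finditer(path) if m.group(1) not in env]


def expand_env(path, env):
    """Replace every <%NAME%> with env[NAME]; refuse to match on a partially expanded path."""
    missing = unknown_variables(path, env)
    if missing:
        raise KeyError(f"undefined environment variable(s): {missing}")
    return TOKEN.sub(lambda m: env[m.group(1)], path)


def wildcard_to_regex(pattern, case_sensitive=False):
    """'*' matches any run of characters and '?' exactly one; every other character is literal.

    Two assumptions made for this example: neither wildcard crosses a path
    separator, and Windows names compare case-insensitively (pass
    case_sensitive=True for Mac, Linux and Solaris paths).
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(r"[^\\/]*")
        elif ch == "?":
            parts.append(r"[^\\/]")
        else:
            parts.append(re.escape(ch))
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.compile("".join(parts), flags)


def matches(pattern, name, case_sensitive=False):
    """True when the whole name matches the wildcard pattern."""
    return wildcard_to_regex(pattern, case_sensitive).fullmatch(name) is not None


def resolve_file_rule(rule_path, env, candidates):
    """Expand variables in the rule's path, then return the candidate paths the rule matches."""
    expanded = expand_env(rule_path, env)
    return [c for c in candidates if matches(expanded, c)]


def has_wildcard(entry):
    """Kill Processes and Delete Files remediation entries must be literal names; flag anything else."""
    return "*" in entry or "?" in entry
```

Note how `app-?.exe` matches `app-1.exe` but not `app-12.exe`, and how the `*.exe` pattern under `<%APPDATA%>` does not reach into a subdirectory under the assumption above; when writing a rule, test the pattern against the names you expect to allow and the ones you expect to reject.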

Configuring Third-Party Integrity Measurement Verifiers (IMV)

The TNC standard enables the enforcement of security requirements for endpoints connecting to networks. You can configure Host Checker to monitor third-party TNC-compliant Integrity Measurement Collectors (IMCs) installed on client computers. To do so, you must:

1.Run the Third-party Integrity Measurement Verifier (IMV) Server installer on the system designated as the remote IMV server. Install the third-party IMVs and create the server certificates. You can download this installer from Maintenance > System > Installers.

2.Specify the remote IMV server so that PPS can communicate with it.

3.Implement the Host Checker policy. Once you configure the remote IMV server, PPS adds the policy type Custom: remote IMV.

Configuring a Remote IMV Server

The third-party IMVs are installed on the remote IMV server, not on PPS. You must then obtain a server certificate for the remote IMV server and import the trusted root CA certificate of the CA that issued it into PPS; PPS authenticates the remote IMV server by validating that certificate. If you do not have a CA, install OpenSSL and use it to generate a CA certificate.

To configure the remote IMV server:

1.Select Maintenance > System > Installers and download the Third-party Integrity Measurement Verifier (IMV) Server installer.

2.Run the installer on the system designated as the remote IMV server.

3.Install the third-party IMVs on the remote IMV server and the corresponding IMCs on the client systems.

4.Generate a server certificate for the remote IMV server from a certificate authority. The Subject CN value of the server certificate must contain the actual host name or IP address of the remote IMV server, because that is what PPS verifies against when it connects.

The server certificate and its private key must be combined into a single PKCS#12 file that is encrypted with a password. If you do not have a CA, you can use OpenSSL to create one and then issue the server certificate for the remote IMV server from it.

Configuring a Third-Party IMV Policy

To use Host Checker as a policy enforcement tool for managing endpoints, you must create global Host Checker policies at the system level and then implement the policies at the realm and role levels.

The Custom: Remote IMV option does not appear until you have added a remote IMV server (New Server) and an IMV (New IMV) on the main Host Checker page.

To configure a third-party IMV policy:

1.Select Authentication > Endpoint Security > Host Checker.

2.Under Policies, click New.

3.Enter a name in the Policy Name field and click Continue. (Users see this name on the Host Checker remediation page if you enable custom instructions for this policy.)

4.Under Rule Settings, select Custom: Remote IMV and click Add.

5.In the Add Custom Rule: Remote IMV page:

In the Rule Name field, enter an identifier for the rule.

Under Criteria, select the third-party IMV to associate with this rule.

6.Click Save Changes.

7.Specify how Host Checker must evaluate multiple rules within the policy.

8.(Recommended) Specify remediation options for users whose computers do not meet the requirements specified in the policy.

9.Click Save Changes.

10.Implement the policy at the realm or role level.

Configuring General Host Checker Remediation

To specify remediation actions for a Host Checker policy:

1.Select Authentication > Endpoint Security > Host Checker.

2.Create or enable Host Checker policies.

3.Specify the remediation actions for Host Checker to perform if a computer does not meet the requirements of the current policy:

Enable Custom Instructions—Enter the instructions to display to the user on the Host Checker remediation page. You can use the following HTML tags to format text and to add links to resources such as policy servers or web sites: <i>, <b>, <br>, <font>, and <a href>. For example:

You do not have the latest signature files.

<a href="https://www.company.com">Click here to download the latest signature files.</a>

Kill Processes—On each line, enter the name of a process to kill if the computer does not meet the policy requirements. You can add an optional MD5 checksum of the process executable on the following line. (You cannot use wildcards in the process name.) For example:

keylogger.exe

MD5: 6A7DFAF12C3183B56C44E89B12DBEF56

Delete Files—Enter the names of files to delete if the user’s computer does not meet the policy requirements. (You cannot use wildcards in the file name.) Enter one filename per line. For example:

c:\temp\bad-file.txt

/temp/bad-file.txt

Send reason strings—Select this option to display to users a message (called a reason string), returned by Host Checker or by an IMV, that explains why the client machine does not meet the Host Checker policy requirements. This option applies to predefined rules, to custom rules, and to third-party IMVs that use extensions in the Pulse Secure TNC SDK. For example, an antivirus IMV might display the following reason string:

The AntiVirus Product Version is too low. The age of the Virus Definitions is not acceptable.

4.Click Save Changes.
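The following is an added example, not PPS or Pulse Secure code, that parses the Kill Processes entry format shown above (a process name per line, optionally followed by an `MD5:` line) and decides which processes in a constructed process table it would target. The executable bytes and process table are constructed for the example, and the matching semantics are an assumption: a name-only entry is taken to match every process of that name, while an entry with a checksum is taken to match only a process whose image has that MD5.

```python
"""Hypothetical emulation of the Kill Processes remediation entry format:
one process name per line, optionally followed by a line 'MD5: <hex digest>'.
Example code, not PPS or Pulse Secure code; the process table and executable
bytes below are constructed for the example."""
import hashlib

# Constructed stand-in for the image of a process the policy wants killed.
KNOWN_BAD_IMAGE = b"MZ\x90\x00constructed-keylogger-build-1"
KNOWN_BAD_MD5 = hashlib.md5(KNOWN_BAD_IMAGE).hexdigest().upper()

# The text an administrator would type into the Kill Processes box, with the
# checksum line in the same form as the admin guide's example.
KILL_LIST_TEXT = f"""keylogger.exe
MD5: {KNOWN_BAD_MD5}
cracker.exe
"""

# Constructed process table: (process name, bytes of its executable image).
PROCESS_TABLE = [
    ("keylogger.exe", KNOWN_BAD_IMAGE),
    ("keylogger.exe", b"MZ\x90\x00a-different-build"),
    ("cracker.exe", b"MZ\x90\x00cracker"),
    ("explorer.exe", b"MZ\x90\x00shell"),
]


def parse_kill_list(text):
    """Return [(process_name, md5_hex_or_None)], validating the format as entered."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line[:4].upper() == "MD5:":
            # A checksum line binds to the process name immediately before it.
            if not entries or entries[-1][1] is not None:
                raise ValueError(f"MD5 line without a preceding process name: {line}")
            digest = line[4:].strip().lower()
            if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
                raise ValueError(f"malformed MD5 for {entries[-1][0]}: {digest}")
            entries[-1] = (entries[-1][0], digest)
        else:
            # Wildcards are not accepted in Kill Processes entries.
            if "*" in line or "?" in line:
                raise ValueError(f"wildcards are not allowed in a Kill Processes entry: {line}")
            entries.append((line, None))
    return entries


def select_targets(kill_list, process_table):
    """Names of the processes the entries would kill.

    Assumed semantics for this example: a name-only entry matches every process
    of that name; an entry carrying an MD5 matches only a process whose image
    has that digest, so a renamed or different build is left alone.
    """
    targets = []
    for name, image in process_table:
        for entry_name, entry_md5 in kill_list:
            if name.lower() != entry_name.lower():
                continue
            if entry_md5 is not None and hashlib.md5(image).hexdigest() != entry_md5:
                continue
            targets.append(name)
            break
    return targets
```

Running `select_targets(parse_kill_list(KILL_LIST_TEXT), PROCESS_TABLE)` targets the `keylogger.exe` whose image matches the checksum and `cracker.exe`, but not the second `keylogger.exe` with a different image; a name-only `keylogger.exe` entry would target both.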