Clients are violating their security policy

daveokeeffe
Conversationalist
We use Systems Manager to configure our laptop policy and to alert us when our users are breaking the rules of the policy. Basics of the policy are:

- Screen lock after 15 minutes or less
- Login required
- Disk encryption
- Antivirus running
- Antispyware installed
- Device is not compromised
- Minimum OS version

The alerts sent by the system seem to be wrong for some of our clients. Users will be non-compliant for a few days, then be compliant again. The most common failure points are:

- Login not required
- Password not required for screen saver
- Screen lock delay too long

I've checked these devices myself, and the configuration of these pieces never changes. The system sends policy violation alerts about my own laptop, and I know for a fact that I am complying with the policy.

When I use the Security view on the Systems Manager / Devices page, I am shown the same incorrect policy violation state.

Are there any known issues around this system? Is there a trick to getting it to work correctly?

PhilipDAth
Kind of a big deal

I have issues with the security policy myself (in that I am not happy with how it works).

It is far too lagged in reporting things.

For example, I would love to apply dynamic group policy based on a Windows desktop/notebook being infected. I can detect the condition using security policies, about 4 hours after it happens. And when the machine becomes compliant again you could be waiting another 4 hours.

The security policies need to be far more "dynamic".

Sorry Philip, but your response doesn't really relate to my question at all.

Since posting this, I've been able to get nearly all clients to be compliant. There is one machine that refuses to comply though, and I cannot figure out why.

The non-compliance is on "Login not required". This rule states that the guest account must be disabled, and that all users on the system have a password. The machine definitely complies with that, but Meraki doesn't seem able to see that.

alyssafriesen
Here to help

Just chiming in that I am having the exact issues you are. I don't think it is a lag issue because it continues for days/weeks/forever on my machines.

Thanks for replying alyssafriesen.

I figured out why that one machine couldn't pass the 'Login not required' problem. It was because the Meraki Agent wasn't installed on the machine. The Meraki web UI said it was installed, but the last time Meraki confirmed this with the machine was many, many months ago. Since that time, the machine had been wiped and given to a new user.

I stopped receiving these policy violation emails once I installed the Agent on that one machine.

Then I checked all the other machines, to see what the Meraki Agent last-checked dates were for each machine, and there were a few offenders. Very soon after I viewed the apps list for each machine, I started getting policy violation emails again, this time about the screen lock timeout policy. Up to 10 people were violating the policy, myself included, and I was definitely NOT violating the policy.

Other work took over for a few days, and then I realised I'd stopped receiving the policy violation emails. As of this moment, all machines are compliant with the policy.

Why did Meraki suddenly complain about 10 people's screen timeouts? I don't know, but it got over it.

This feature is really quite badly broken. I imagine it will not be too long before it decides to send violation emails again.

Alyssa, I recommend you double-check that the Meraki Agent is installed, and running, on the devices. Check for the log with `ls /var/log/m_agent.log`, and for the m_agent process with `ps aux | grep m_agent`.
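The same check as a small script, added here as an example and not code from the thread or from Meraki: it looks for the agent log and the agent process the way described above, and additionally flags a log that exists but has not been written for a long time, which is the "dashboard still says installed, but the machine was wiped" situation from this thread. The log path and process name are the ones mentioned above; the four-hour staleness threshold and the `check_agent.sh` name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from Meraki): confirm the Meraki agent is
# present and still checking in on a macOS or Linux host before trusting a
# Systems Manager policy-violation alert about that host.
# Log path and process name follow the thread; MAX_AGE_SECS is an assumed value.

AGENT_LOG="${AGENT_LOG:-/var/log/m_agent.log}"
AGENT_PROC="${AGENT_PROC:-m_agent}"
MAX_AGE_SECS="${MAX_AGE_SECS:-14400}"   # assumed: 4 hours, roughly the reporting lag noted above

# Print a file's modification time as a Unix epoch.
# Tries BSD/macOS stat first, then GNU stat, so the script runs on both.
file_mtime() {
    stat -f %m "$1" 2>/dev/null || stat -c %Y "$1" 2>/dev/null
}

# agent_log_fresh LOG MAX_AGE
# Returns 0 if LOG exists and was written within MAX_AGE seconds,
#         1 if LOG is missing (agent most likely not installed),
#         2 if LOG exists but is stale (installed, but no longer checking in).
agent_log_fresh() {
    _log="$1"
    _max_age="$2"
    [ -f "$_log" ] || return 1
    _age=$(( $(date +%s) - $(file_mtime "$_log") ))
    [ "$_age" -le "$_max_age" ] && return 0
    return 2
}

# agent_in_process_table PS_OUTPUT NAME
# Returns 0 if the supplied process-table text (e.g. the output of `ps aux`)
# lists NAME, ignoring the grep command itself. Takes the text as an argument
# so it can be run against captured output as well as on a live host.
agent_in_process_table() {
    printf '%s\n' "$1" | grep -v 'grep' | grep -q -- "$2"
}

# Run both checks on this host, print one verdict line per check,
# and return 0 only if the agent is installed, fresh and running.
check_agent() {
    _rc=0
    agent_log_fresh "$AGENT_LOG" "$MAX_AGE_SECS" || _rc=$?
    case "$_rc" in
        0) echo "OK: $AGENT_LOG updated within ${MAX_AGE_SECS}s" ;;
        1) echo "FAIL: $AGENT_LOG missing; agent probably not installed (the dashboard may still say it is)" ;;
        *) echo "FAIL: $AGENT_LOG is stale; agent is installed but not checking in" ;;
    esac
    if agent_in_process_table "$(ps aux)" "$AGENT_PROC"; then
        echo "OK: $AGENT_PROC process is running"
    else
        echo "FAIL: $AGENT_PROC process not found"
        return 1
    fi
    return "$_rc"
}

# Usage on a live host (assumed file name): RUN_CHECK=1 sh check_agent.sh
# The guard keeps the live check from running when the file is sourced for testing.
if [ "${RUN_CHECK:-0}" = "1" ]; then
    check_agent
fi
```

The return codes are deliberately distinct so the script can be dropped into a fleet-wide inventory job: a missing log and a stale log are different problems (never installed versus wiped and re-imaged), and both explain a dashboard that reports violations against settings the user has never changed.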

Thanks for the response! 

This is unfortunately even happening on a machine that I just installed the agent on as well as older machines.  I do see everything running correctly and all of the other information that the agent and profile (I have both installed) appears to be right.

rconiv
Getting noticed

Sorry to bring back an old thread, but I wasn't finding anything newer than this. I am not having much luck with finding documentation that talks about the security policies, and what each one is looking for, or to find out what is causing almost all our systems to fail them.

Does screen lock require the screen saver to be set up, or does just the screen turning off, which causes the system to lock and require a password to get back in, work the same? It currently says it is disabled, even though I have a 15-minute timer set up in group policy. I did find some instructions on how to manually configure the screen saver, so I'm guessing that is what has to happen.

Under system manager/configure/tabs, it shows screen lock is at 15 minutes, which is what I have the policy set to for turning off the display. It requires login after that happens, so that is enabled. We have antivirus/firewall also installed.

Is the only way to see what is causing the non-compliance having a subscription to Systems Manager?
