OnGuard Workflow and Application Tokens
04-13-2019 06:28 AM
TAC and I are tweaking our OnGuard configuration to provide a better user experience. We use the Persistent Agent. I'd like to provide a grace period for users to install updates before they are quarantined. I've been thinking about setting a time attribute and doing calculations to track how long a user's device is in the "needs updates" state. The link below seems to imply there is an application token "Checkup" state that says "Client is compliant; however, there is an update available. This can be used to proactively remediate to healthy state". How does one utilize the "Checkup" state? On a related note, I'd like to quarantine the device immediately if the application token is "Infected". To this point, we've only used Healthy or Unhealthy. What sets these application tokens and how does one utilize them?
On a related note, we are currently using the attributes "Health Check Interval" and "Health Check Quiet Period" to provide a grace period. My feeling is that using the application tokens above would be a more real-time and more secure solution. In our test WEBAUTH service, these attributes have been removed.
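As an added illustration (not code from this thread, from Aruba, or from ClearPass itself), the grace-period idea in the question can be modelled as a small policy evaluator: the four application tokens named above are mapped to enforcement actions, a per-device clock starts at the first non-compliant report so "Unhealthy" devices get time to install updates, "Checkup" keeps access but triggers remediation, and "Infected" is isolated immediately. The 48-hour grace period, the device names, the token string "NotAToken" and the sample reports are all constructed for the example; an unrecognised token is treated as non-compliant rather than allowed.

```python
from datetime import datetime, timedelta, timezone

# Application tokens as named in the post. Anything else is treated as
# non-compliant (fail closed) rather than silently allowed.
HEALTHY, CHECKUP, UNHEALTHY, INFECTED = "Healthy", "Checkup", "Unhealthy", "Infected"

# Assumed grace period; the post does not state a value.
DEFAULT_GRACE = timedelta(hours=48)


class PostureTracker:
    """Remembers, per device, when it first reported a non-compliant token,
    so a grace period can be enforced from the token alone (constructed
    example; in ClearPass this clock would have to live in an endpoint
    attribute or similar, which is an assumption, not something the post
    confirms)."""

    def __init__(self, grace=DEFAULT_GRACE):
        self.grace = grace
        self.first_noncompliant = {}  # device id -> datetime of first bad report

    def evaluate(self, device, token, now):
        """Return the enforcement action for one posture report."""
        if token == HEALTHY:
            # Compliant: clear any running grace clock.
            self.first_noncompliant.pop(device, None)
            return "allow"
        if token == CHECKUP:
            # Compliant, but an update is available: keep access and trigger
            # remediation (auto-remediation or a user notice) proactively.
            self.first_noncompliant.pop(device, None)
            return "allow-and-remediate"
        # From here on the device is non-compliant: start the clock if needed.
        started = self.first_noncompliant.setdefault(device, now)
        if token == INFECTED:
            # Malware present: isolate at once, no grace period applies.
            return "quarantine"
        if token == UNHEALTHY:
            if now - started <= self.grace:
                return "allow-grace"  # user still has time to install updates
            return "quarantine"
        # Unknown or missing token: fail closed.
        return "quarantine"


def run(events, grace=DEFAULT_GRACE):
    """Replay (device, token, timestamp) reports in order and return the
    action decided for each report."""
    tracker = PostureTracker(grace)
    return [tracker.evaluate(device, token, ts) for device, token, ts in events]


# Constructed sample reports, one tuple per posture report received.
T0 = datetime(2019, 4, 13, 6, 28, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    ("laptop-1", UNHEALTHY, T0),                          # clock starts
    ("laptop-1", UNHEALTHY, T0 + timedelta(hours=24)),    # still inside grace
    ("laptop-1", UNHEALTHY, T0 + timedelta(hours=49)),    # grace exhausted
    ("laptop-1", HEALTHY,   T0 + timedelta(hours=50)),    # updated, clock cleared
    ("laptop-1", UNHEALTHY, T0 + timedelta(hours=51)),    # new clock, inside grace
    ("laptop-2", CHECKUP,   T0),                          # compliant, update pending
    ("laptop-3", INFECTED,  T0),                          # isolate immediately
    ("laptop-4", "NotAToken", T0),                        # constructed bad token
]

if __name__ == "__main__":
    for (device, token, ts), action in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print(f"{ts.isoformat()} {device:9} {token:10} -> {action}")
```

The point the evaluator makes is that the grace clock belongs to the non-compliant state, not to a polling interval: an "Infected" report bypasses it entirely, a "Healthy" report resets it, and a token the policy does not recognise is quarantined rather than allowed.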
Re: OnGuard Workflow and Application Tokens
04-23-2019 07:46 AM
This page indicates OnGuard uses the OPSWAT OESIS framework. https://www.arubanetworks.com/techdocs/ClearPass/6.7/PolicyManager/index.htm#CPPM_UserGuide/Admin/Onguard_agent_installers.htm
A test file from eicar.org was used to trigger an infection with Windows Defender. OnGuard thinks the system is healthy. See the screenshot below.
Something may not be configured correctly, maybe this isn't a valid test, or maybe OnGuard only checks that things are up-to-date. The research continues.