Profile compliance behavior

The security posture of devices in your organization is enforced by deploying profiles.

Within an organization, different levels of security can be implemented, depending on the overall security requirements. A common set of security policies might be applied to all devices in the organization, at the Master Action site level, while at the department level more restrictive policies might be necessary, depending on the organizational structure and on the criticality of individual devices. Based on the organization's desired security posture, the Security Administrator creates a "Corporate" profile that enforces the minimal set of required security policies that must be common to all devices. At the department level, depending on the required security level and the criticality of the devices, operators can create specific "Department" profiles that enforce more restrictive policies on specific sets of devices. The net effect is that, for each parameter, the device ends up with the most restrictive value among all deployed profiles.

Operationally, profile management is implemented as a two-step process. In the first step, Security Administrators define the security posture of the organization by identifying the policies that must be enforced on the devices. These policies are defined by creating one or more profiles. When an operator creates and saves a profile in a specified site, all computers that are subscribed to that site are checked for relevance against the policies set in the profile. A device that is relevant for that profile is not compliant. If the check finds that the settings already on the device are as restrictive as, or more restrictive than, those in the profile, the device is not relevant.

In the second step, when the profile is deployed to the targets that must comply with the policies, the configurations that are defined in the profile are enforced on all targeted devices. This step is completed by a Fixlet that sets the required profile configurations on the selected targets. If the configuration parameters are changed locally on the target, the configuration is reapplied automatically, unless the parameters set locally on the target are more restrictive than the ones currently enforced by the deployed profile. When the profile is deployed successfully, the status of the profile on the device is Fixed.

Managing multiple profiles on a target - profile layering

Profiles are divided into categories. You can enable individual categories that contain one or more settings that you want to enforce on your targets. On Windows 10 targets, each parameter in the categories that are enabled in the profile is mapped through the WMI infrastructure to the corresponding device setting. On Mac OS X targets, a new OS X profile is created for each enabled category. A maximum of four OS X profiles are created on a Mac device, one for each enforced category in the BigFix profile. You can view OS X profiles from the Profiles graphical user interface available in System Preferences on the device.

Operators can define multiple profiles that enforce one or more categories of settings. When a profile is deployed on a target, each setting in every enforced profile category is evaluated against the corresponding setting on the target. If at least one setting in the profile is more restrictive than the corresponding setting on the target, the target is considered relevant (noncompliant) and the profile is applied. You can deploy multiple profiles on a target, and the evaluation is always completed by comparing the individual settings. The final security configuration (security posture) of the target is the union of all deployed profiles, with the most restrictive value enforced for each setting.

If policies change either centrally or locally, Administrators can stop the deployments of the currently enforced profiles, and reset the profile configurations on all devices in the organization or in a specific department. New profiles can then be deployed on targets. For more information, see Resetting the Profile Management Configuration.

Note:

On Mac OS X devices, if one or more profiles that were not deployed by BigFix Profile Management exist, and you deploy a BigFix profile that sets parameters belonging to the same category as the existing profile, the deployment fails after the "Retry on Failure" counter expires. To solve the problem, you must first remove the existing profile from the device and then redeploy the BigFix profile. For more information about the specific error codes, see Mac OS X Profile Deployment errors.

On Windows 10 devices, if one or more parameters in the profile have more restrictive settings than those currently on the device, the profile is always applied.

Use Case Example - Organization with Windows 10 devices

In this example, a corporation has 30 departments and several thousand Windows 10 devices that are distributed across several geographic locations. The Security Officer establishes the security posture of the entire corporation, which comprises a set of common policies that all devices must comply with, regardless of their department membership. Administrators in each department, based on the devices and the roles of the users, can define specific security settings that are valid only for their department and deploy them locally.

In this example, Windows 10 device Win10_DeptB_SWAdm belongs to Department B in the organization, which is geographically located in London. The device is used by the Software Administrator, in charge of installing the required software on the devices in his/her department. To illustrate the layering behavior, three profiles are created and deployed to the device: a corporate profile, a department profile, and a profile that is specific to Software Administrators in the organization. Profile layering checks each setting in each category, and ensures that the most restrictive setting is always enforced.

The security posture at the corporate level establishes that all passwords in the organization must be at least 8 characters long and must expire after 20 days. Moreover, the use of Cortana is not allowed.

To enforce this posture, the Security Administrator creates a corporate profile with the following settings:
Table 1. ProfileCorp_Win10 - Profile for all Windows 10 devices in the company

| Profile Category  | Setting                                 |
|-------------------|-----------------------------------------|
| Password Settings | Password expires after 20 days          |
|                   | Minimum Password Length is 8 characters |
| Restrictions      | Cortana is disabled                     |

The profile is deployed and applied to all devices in the organization, including Win10_DeptB_SWAdm. When the profile is deployed successfully to the devices, they are compliant.
The Security Administrator defines a profile that must be deployed to all devices used by Software Administrators across the organization, including Win10_DeptB_SWAdm. The profile enforces the following settings:
Table 2. Profile_Corp_SWAdmins - Profile for all devices used by Software Administrators in the corporation

| Profile Category  | Setting                                                                     |
|-------------------|-----------------------------------------------------------------------------|
| Password Settings | Minimum Password Length is 15 characters                                    |
|                   | Device is put on BitLocker Recovery mode after 3 incorrect password attempts |
|                   | Password expires after 10 days                                              |
| Restrictions      | Telemetry Level set to Security                                             |

The Local Security Administrator in London defines a cross-department profile for departments A, B, and C in that location. This Profile has the following settings:
Table 3. Profile_London_DeptABC - Profile for all Windows 10 devices in London

| Profile Category  | Setting                                  |
|-------------------|------------------------------------------|
| Password Settings | Minimum Password Length is 12 characters |
| App Security      | Allow App Store Auto Update is disabled  |
| Restrictions      | Cortana is enabled (default)             |
|                   | Location Service set to OFF              |
|                   | Telemetry Level set to Basic             |

This profile is deployed on all devices belonging to departments A, B, and C in London, including Win10_DeptB_SWAdm.
The resulting security configuration on device Win10_DeptB_SWAdm combines the most restrictive settings from all three profiles, as displayed in the following table.
Table 4. Security configuration on target Win10_DeptB_SWAdm

| Category          | Setting                                                                     | Source profile         |
|-------------------|-----------------------------------------------------------------------------|------------------------|
| Password Settings | Minimum Password Length 15 characters                                       | Profile_Corp_SWAdmins  |
|                   | Password expires after 10 days                                              | Profile_Corp_SWAdmins  |
|                   | Device is put on BitLocker Recovery mode after 3 incorrect password attempts | Profile_Corp_SWAdmins  |
| App Security      | Allow App Store Auto Update is disabled                                     | Profile_London_DeptABC |
| Restrictions      | Cortana is disabled                                                         | ProfileCorp_Win10      |
|                   | Location Service set to OFF                                                 | Profile_London_DeptABC |
|                   | Telemetry Level set to Security                                             | Profile_Corp_SWAdmins  |
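The layering rule from "Managing multiple profiles on a target", worked through on the three profiles of this use case, as an added illustration that is not part of the original documentation or of BigFix itself; the per-setting restrictiveness rules and the ordering of telemetry levels are assumptions made for the model.

```python
# Added model of the layering rule described on this page; it is not BigFix
# code, and the per-setting restrictiveness rules below are assumptions.
from typing import Any, Callable, Dict, Tuple

# Maps a setting's value to a rank; a larger rank means more restrictive.
STRICTNESS: Dict[str, Callable[[Any], float]] = {
    "Minimum Password Length": lambda n: n,             # longer is stricter
    "Password Expires after days": lambda n: -n,        # sooner is stricter
    "BitLocker Recovery after attempts": lambda n: -n,  # fewer attempts is stricter
    "Cortana disabled": lambda b: int(b),
    "App Store Auto Update disabled": lambda b: int(b),
    "Location Service OFF": lambda b: int(b),
    "Telemetry Level": ["Full", "Enhanced", "Basic", "Security"].index,  # assumed order, least to most restrictive
}

def rank(setting: str, value: Any) -> float:
    """Rank a value; a setting not present on the device is least restrictive."""
    return float("-inf") if value is None else STRICTNESS[setting](value)

def is_relevant(profile: Dict[str, Any], device: Dict[str, Any]) -> bool:
    """Relevant (noncompliant) if any profile setting is stricter than the device's."""
    return any(rank(s, v) > rank(s, device.get(s)) for s, v in profile.items())

def merge(profiles: Dict[str, Dict[str, Any]]) -> Dict[str, Tuple[Any, str]]:
    """Per setting, keep the most restrictive value and the profile that supplied it."""
    posture: Dict[str, Tuple[Any, str]] = {}
    for name, settings in profiles.items():
        for s, v in settings.items():
            if s not in posture or rank(s, v) > rank(s, posture[s][0]):
                posture[s] = (v, name)
    return posture

# The three profiles from Tables 1 to 3 of the use case.
PROFILES = {
    "ProfileCorp_Win10": {"Password Expires after days": 20,
                          "Minimum Password Length": 8, "Cortana disabled": True},
    "Profile_Corp_SWAdmins": {"Minimum Password Length": 15,
                              "BitLocker Recovery after attempts": 3,
                              "Password Expires after days": 10,
                              "Telemetry Level": "Security"},
    "Profile_London_DeptABC": {"Minimum Password Length": 12,
                               "App Store Auto Update disabled": True,
                               "Cortana disabled": False,  # enabled (default)
                               "Location Service OFF": True,
                               "Telemetry Level": "Basic"},
}

def device_after_deployment() -> Dict[str, Any]:
    """Device state once the merged posture has been enforced (Table 4)."""
    return {s: v for s, (v, _) in merge(PROFILES).items()}
```

Once the merged posture is on the device, `is_relevant` returns False for every one of the three profiles, which is the "Fixed" state the page describes; a device with weaker local settings is relevant again and the configuration is reapplied.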

Resetting the Profile Management Configuration

In each site where at least one profile exists, a corresponding task for resetting the profile configuration on the device is available for Windows 10 and Mac OS X devices. When you run the task on Windows devices, it removes all parameters of the categories that were enabled by Profile Management, including those parameters that were set manually or by other applications.

On Mac OS X devices, the task erases all profiles that were created by Profile Management (a maximum of four profiles, one for each enforced category, is erased). Run this task in the following situations:
  • Corporate Security policies have changed and you want to enforce new policies on all your devices.
  • You are moving some devices from one department to another, and the new department has different security requirements.
  • You want to enforce less restrictive policies on one or more devices, either temporarily or on a permanent basis.

Select Content > Custom, and type Reset in the search field. A list of available reset tasks for Windows and Mac OS X is displayed. You can also use filters to restrict the search to specific sites or operators. Before you run a reset task, you must stop all open deployments of the profiles that are currently enforced on the targets where you want to reset the profile management parameters.

Depending on the operator login authorizations, you might view more than one Reset task. Deploy the task stored in the Site where the devices you want to reset are subscribed.