Desired Configuration Manager has been renamed in Configuration Manager 2012. It is now simply called Compliance Settings. This article will explore Compliance Settings. Microsoft added a few new features that are worth investigating.
Compliance settings help IT departments maintain control of devices once the device is in an end-user’s hand. It helps to keep “configuration drift” to a minimum. This occurs when an end user gets ahold of a machine and begins to change things. Compliance settings can be used to keep these changes in check, and ensure that the device is still following organizational policies.
Enabling Compliance Settings
The first step is to actually enable Compliance Settings. This is done in the “Client Settings” node of the “Administration” tab of the console. Open the client settings that you want to edit, and in the “General” node check the “Compliance Settings” check-box. This enables the client setting and allows you to configure it.
Now select “Compliance Settings” in the left pane. This will bring up the options, shown below.
We have two options here: “Enable compliance evaluation on clients” and “Enable User Data and Profiles”. The first option allows the actual evaluation of your configure baselines to take place. The second option allows you to manage user data. With these settings, you can enforce folder redirection of profile folders, or enforce roaming profiles.
Set these options as you choose, then click OK to save them. If this is a new set of client settings, they need to be deployed to your clients. Go through the normal process of deploying these settings to a collection, then you are ready to go.
Configuration Item vs. Configuration Baseline vs. User Data and Profiles
Compliance Settings is found under the “Assets and Compliance” tab of the CM 2012 console. There are three nodes under the Compliance Settings tab: Configuration Items, Configuration Baselines, and User Data and Profiles”.
A configuration item is exactly what it says. It is the particular settings that you are checking for. You create these items first, then assign them to a baseline that gets deployed.
A configuration item cannot be deployed to a collection. You must assign the configuration item to a configuration baseline. It is then this baseline that is deployed. A baseline is a pool of configuration items that you assign to a collection. These baselines are collection specific, which means that you can get very granular with how you deploy them. Your finance department and your sales department can have totally different configuration items if you choose.
I recommend setting up a baseline that is the “default” baseline that is applied to all devices. This baseline is your default settings that may include the fact that the firewall is turned on, that anti-virus is installed, and the computer is joined to your domain. From there, you can get more granular based on the department and their needs.
Finally, User Data and Profiles allows the administrator to enforce folder redirection, offline files, and roaming profiles. All of this can also be done in AD (through group policy), but this gives an administrator of a non-AD shop the ability to do this also. In some organizations, the CM 2012 administrator and the AD administrator are different people, possibly in the different departments. This allows those people to also configure this themselves without having to involve a domain admin. You can also be more granular with the CM 2012 settings then you can with AD.
In Depth: Configuration Items
You can create configuration items based on just about anything. It can be OS based, so that if a registry key should be set to one thing in Windows XP but another thing in Windows 7, you just target those items based on the OS.
As you can see, there are a lot of default options to choose from. Microsoft also included “Script” to plug any holes that are not covered by the default options. The trick here is to find out which of these options will give you the information you need. If you are wanting to check that devices have minimum version of a software application, you can probably find that in the registry, or checking the file version of program launcher. If you wanting to ensure that a Windows Firewall is port is open, you would check the registry.
Scripts can be very powerful here. Not only can check for almost anything using a script, but you can also remediate the issue with another script. Say you need ensure that the firewall port for remote management is enabled. You can write a script that tests the port or checks the registry. If that script fails, then the remediation script can run and open the port, ensuring that you can always remotely manage your clients. Scripts can be written in Jscript, PowerShell, or VB.
You can also set up child configuration items. Child items inherit all of the settings from the parent. You can think of this in the same way as NTFS permissions. A child folder will inherit the permissions of the parent, but can have additional permissions either granting or denying access. The same applies to configuration items. You can have an organization-wide security policy that is applied to all devices. Then, you can have a more stringent policy for devices that access personal data, such as HR computers. You can apply the child policy to your HR collection, and be sure that it also gets the organization-wide policies. This process keeps you from having to duplicate work. Without it, you would have to create one policy for the organization then another policy with the same (and more) settings for HR.
In Depth: User Data and Profiles
As stated earlier, User Data and Profiles allows the administrator enforce folder redirection, offline files, and roaming profiles. Because these settings can be collection specific, you force the files for HR to be saved to a network location, while allowing sales (who may be away from your network for long periods of time) to save files locally. This is one advantage to using the settings here instead of in AD. Because these are targeted to collections (and computers can exist in multiple collections), you can be very granular in what devices get these policies. This is not always possible in AD, where a computer object cannot exist in more than one organizational unit.
Folder redirection can be done on any folder in a user’s profile. This means that you can leave My Pictures local, but force My Documents to a network location. Most of the settings are pretty straightforward, but I do encourage you to look at the advanced settings.
The two most important settings here are the middle two. First, I would recommend leaving the second option set to “Yes”. This will move all of the contents of the current folder to the redirected folder. This ensures that anything currently stored locally will be moved to the network. Second, I would set the third option to “Yes”. This will keep the files stored on the network if you ever remove this setting. While I recommend this, you should always analyze what is best for your organization.
Next is offline files. With this, you can manage whether copies of network data is kept offline. This is beneficial for users if they are going on a long trip and they do not have internet/VPN access, or if your organization does not have a VPN. With setting set to “Enabled”, the computer will keep local copies of all network data. This is almost a requirement if you do folder redirection, unless you have an “always-on” VPN solution (such as DirectAccess). Depending on what you redirect, the user can have major problems if they are not connected your network.
The downside of offline files is shared data. Data can be corrupted if it is used by two people and not properly synced. This is outside the scope of this article, but I definitely encourage you to research this before implementing it.
Finally, you can enable roaming profiles. Roaming profiles is where the user’s profile is actually stored on the network, so that the user is presented with their files and settings no matter what computer they log in on. CM 2012 gives the administrator ability to exclude certain folders, and also the ability to only sync data at certain times.
The folder redirection settings and roaming profiles also have primary-user capabilities. This makes it so that these settings only apply to a user’s primary device. This is also a step up from AD, which has no primary user ability.
A Good Place to Start
As with a lot of things in CM 2012, there are far too many settings and customizations that can be made to go through them all in an article post. I can recommend a few places to start.
My default baseline would definitely include configuration items that ensure that the Windows Firewall is turned on. I would also ensure that CM 2012 ports and services are included and enabled appropriately. I also use Windows Remote Management quite a bit in my environment, so I would ensure that ports are open for that.
I use System Center 2012 Endpoint Protection, so that is already in my client settings and cannot be removed. If you do not use EP 2012, I would put that in a configuration item as well.
Finally, ensuring that Windows Update is enabled and the device is at an acceptable patch level is also something that should be in a default baseline.
Configuration Packs
One of the best uses of compliance settings is to ensure regulatory compliance. This is important in financial organizations and healthcare. To assist with this, Microsoft has released several configuration packs to help with HIPPA, SOX, and EUDPD compliance. These packs are out of the scope of this article, but they can be downloaded from the System Center Marketplace. Packs created for SCCM 2007 are compatible with CM 2012.
There are also configuration packs for Microsoft products, such as Exchange, SharePoint, and Lync.
Please note that these packs are intended to get you started, and should always be customized to meet your organization’s needed.
Summary
Compliance Settings are another tool in the management of devices. They ensure that once a device leaves the imaging line, it will still be clean and secure. Configuring these settings also helps to ensure that your organization meets regulatory compliance, while also being a step in keeping private company data safe.