Hello, I am facing error in policy scheduling. When we create the worklets, we leave the execution scheduled, but the execution does not occur. If we perform the execution manually, the policy applies normally, but the scheduling does not occur. In this case, we have two situations.
Situation 1: We created 3 months ago 5 policies to remove specific browsers from Linux machines. The policies work perfectly if executed manually, but if we schedule them, only 1 of them is executing correctly. All are added to the same group and running at alternate times.
Situation 2: We created a policy to add a mandatory software and if we run it manually, it works correctly, but when we schedule the execution the policy does not run. We have already changed it from one group to another, from one machine to another, from one to another.
Are we doing something wrong? Has anyone experienced this?
Hi Fabio,
The Worklet will only run if an endpoint is found to be non-compliant based on the Evaluation code. If you take a look directly at an endpoint it will show either a clock or green icon showing compliance:
Policies can be run manually even if the endpoint is compliant, however it will not run automatically since it does not need to.
Feel free to paste a screenshot of the eval code and I can take a look at it. If you can, add a screenshot of your Required Software policy and we can look at that as well. If a device is compliant with the RS policy it also will not run:
Additionally, if you make a change to a policy, best practice is to ensure a device goes through a scan to check compliance before it runs/does not run due to compliance.
Hello, Mark
I think I understand, but then we have the case I mentioned. We have created some policies for the removal of browsers on Linux machines. All policies are the same, only changing the name of the browser (software). If we analyze the "evaluation code" they are all the same. But when checking the endpoints, only one policy will be executed in the scheduling, and this is true of all endpoints.
Below follows the evaluation code of the policy that is being executed by the schedule, and that of the policy that is not.
I did a scan test on one of the endpoints that is in the group where the policy is added, to check if it would change the status of the execution, but nothing.
Thanks for the screenshots. So in this case, you are saying that the Tor removal policy does not appear to be working, is that correct? The other policies are functioning?
On the contrary, tor is being executed as scheduled, the others are not.
The Tor removal is being executed I believe since ‘tor’ is actually returning multiple results over and over again: the dpkg command is returning things like ‘calculator’, ‘editor’, ‘monitor’ etc…
We specifically do not want the policies to run, which sounds odd; however, if an endpoint is compliant then we are happy. It's a good thing to not see the policies routinely run. It means one of two things: Our configuration is being modified;
OR
Our Evaluation code is not doing what we think it is.
In this case, the search for ‘tor’ is too generic: ‘If we see ‘tor’ then uninstall the Tor browser’.
The next time the Evaluation code scans there are still results for ‘tor’ and it marks the policy as non-compliant.
Another example, if I say ‘match fire, and then uninstall firefox’ I will still be left with these results containing ‘firewire’ or ‘firewall’ and it will fail the eval code and run the uninstaller over and over again until I change my Eval code to only match firefox.
Let me know if that helps.
Here is a closer example to what I believe you ultimately want, I’m no scripting expert by any means but this might get you exactly what you need (if all these items get removed with your uninstall/removal commands):
It made perfect sense.
You mentioned that for good practice recommended performing a new scan when the policy changes.
Would there be any way to scan all the machines in the group that the policy is adding?
The best way is to decrease the ‘Scan Interval’ setting in the groups. Unfortunately devices are not scanned when group membership is changed automatically. I can pass that feedback to our product team to see if we could implement that feature.
Thank you.
Mark, thank you very much for the information. One last confirmation regarding appointments. For mandatory software policies that do not have validation codes, does the policy use the software name and version as validation? Correct?
That's correct. It is case sensitive as well. If a software has been deployed and the device is still showing non-compliant, copy and paste the package name/version from the ‘Software’ section of an individual device into the scope of the policy.