The compliance engine is an automated tool by Workspace ONE UEM powered by AirWatch that ensures all devices abide by your policies. These policies can include basic security settings such as requiring a passcode and having a minimum device lock period.

Compliance Policies in Workspace ONE UEM

For certain platforms, you can also decide to set and enforce certain precautions. These precautions include setting password strength, blocking certain apps, and requiring device check-in intervals to ensure that devices are safe and in-contact with Workspace ONE UEM. Once devices are determined to be out of compliance, the compliance engine warns users to address compliance errors to prevent disciplinary action on the device. For example, the compliance engine can trigger a message to notify the user that their device is out of compliance.

In addition, devices that are not in compliance cannot have device profiles assigned to them and cannot have apps installed. If corrections are not made within the time you specify, the device loses access to the content and functions that you define. The available compliance policies and actions vary by platform.

Dell BIOS Verification for Workspace ONE UEM

Ensure that your Dell Windows Desktop devices remain secure with Dell Trusted Device (formerly, Dell BIOS Verification). This service analyses the BIOS of your Dell devices and reports the status to Workspace ONE UEM so you can act against any compromised devices.

Benefits of Dell Trusted Device

The BIOS plays a part in maintaining overall device health and security. Modern computer systems rely on BIOS firmware to initialize hardware during the boot process and for runtime services that support the operating system and applications. This privileged position within the device architecture makes unauthorized modification of the BIOS firmware a significant threat. The Dell Trusted Device service provides secure BIOS validation using a secure signed-response model. The status of that validation lets you act on compromised devices with the compliance policy engine.

Prepare Your Devices for Dell Trusted Device

To use Dell Trusted Device on your Windows Desktop devices, you must install the Dell Trusted Device service on the device. You must download the latest client from Dell (https://www.dell.com/support/home/product-support/product/trusted-device/drivers). Consider using Software Distribution to install the client on your Dell Windows Desktop devices.

Dell BIOS Verification Statuses

After you install the client onto your devices, you can see the reported status in the Device Details page. The statuses are as follows:
  • Pass - The Dell Trusted Device client is installed on the device and the device is secure.
  • Fail - The Dell Trusted Device client is installed and one of the following issues is present:
    • The Pre-Check event returns a fail result. This result happens when the client detects an invalid binary signature.
    • The BIOS Utility event returns a fail result for the validation test.
    • The BIOS Server Processing event returns a fail result for an invalid signature, invalid exit code, or the payload status is out of sync.
  • Warning - The Dell Trusted Device client is installed and detects an issue. The device might not be secured, so investigate the issue. Causes for a Warning status include the following:
    • No network connection
    • Invalid command-line argument
    • Application is running with insufficient privileges.
    • Internal errors in the client
    • Server responds with an error.
    • Driver issues with the client
    • Unknown results in the BIOS verification
  • If you see a gray warning icon, the Dell Trusted Device client is not installed on the device.

Compromised Device Detection with Health Attestation

In both BYOD and corporate-owned device deployments, it is important to know that devices are healthy when they access corporate resources. The Windows Health Attestation Service receives device boot information from the cloud over secure communications. This information is measured and checked against related data points to ensure that the device booted as intended and is not the victim of security vulnerabilities or threats. Measurements include Secure Boot, Code Integrity, BitLocker, and Boot Manager.

Workspace ONE UEM enables you to configure the Windows Health Attestation service to ensure device compliance. If any of the enabled checks fail, the Workspace ONE UEM compliance policy engine applies security measures based on the configured compliance policy. This functionality allows you to keep your enterprise data secure from compromised devices. Since Workspace ONE UEM pulls the necessary information from the device hardware and not the OS, compromised devices are detected even when the OS kernel is compromised.

Configure the Health Attestation for Windows Desktop Compliance Policies

Keep your devices secured by using Windows Health Attestation Service for compromised device detection. This service allows Workspace ONE UEM to check the device integrity during startup and take corrective actions.

Procedure

  1. Navigate to Groups & Settings > All Settings > Devices & Users > Windows > Windows Desktop > Windows Health Attestation.
  2. (Optional) Select Use Custom Server if you are using a custom on-premises server running Health Attestation. Enter the Server URL.
  3. Configure the Health Attestation settings.
    The settings and their descriptions are as follows:
    • Use Custom Server
      Select to configure a custom server for Health Attestation. This option requires a server running Windows Server 2016 or newer. Enabling this option displays the Server URL field.
    • Server URL
      Enter the URL for your custom Health Attestation server.
    • Secure Boot Disabled
      Enable to flag compromised device status when Secure Boot is disabled on the device.
      Secure Boot forces the system to boot to a factory-trusted state. When Secure Boot is enabled, the core components used to boot the machine must carry cryptographic signatures that the OEM trusts. The UEFI firmware verifies that trust before it allows the machine to start, and Secure Boot prevents startup if it detects any tampered files.
    • Attestation Identity Key (AIK) Not Present
      Enable to flag compromised device status when the AIK is not present on the device.
      When an Attestation Identity Key (AIK) is present on a device, it indicates that the device has an endorsement key (EK) certificate. Such a device can be trusted more than a device that does not have an EK certificate.
    • Data Execution Prevention (DEP) Policy Disabled
      Enable to flag compromised device status when DEP is deactivated on the device.
      The Data Execution Prevention (DEP) policy is a memory protection feature built into the system level of the OS. It prevents code from running out of data pages such as the default heap, stacks, and memory pools. Hardware and software both enforce DEP.
    • BitLocker Disabled
      Enable to flag compromised device status when BitLocker encryption is deactivated on the device.
    • Code Integrity Check Disabled
      Enable to flag compromised device status when the code integrity check is deactivated on the device.
      Code integrity is a feature that validates the integrity of a driver or system file each time it is loaded into memory. Code integrity checks for unsigned drivers or system files before they load into the kernel. The check also scans for users with administrative privileges running system files modified by malicious software.
    • Early Launch Anti-Malware Disabled
      Enable to flag compromised device status when early launch anti-malware is deactivated on the device.
      Early launch anti-malware (ELAM) protects the computers in your network when they start up and before third-party drivers initialize.
    • Code Integrity Version Check
      Enable to flag compromised device status when the code integrity version check fails.
    • Boot Manager Version Check
      Enable to flag compromised device status when the boot manager version check fails.
    • Boot App Security Version Number Check
      Enable to flag compromised device status when the boot app security version number does not meet the entered number.
    • Boot Manager Security Version Number Check
      Enable to flag compromised device status when the boot manager security version number does not meet the entered number.
    • Advanced Settings
      Enable to configure advanced settings in the Software Version Identifiers section.
  4. Select Save.
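When a device is flagged by one of the checks above, an administrator usually wants to see the same signals on the device itself to understand which protection is off. The script below is an added example written for this page; it is not Workspace ONE UEM or Microsoft code and does not talk to the Health Attestation Service. It reads the local Secure Boot, TPM endorsement key, DEP, BitLocker, kernel code integrity and ELAM state with standard Windows cmdlets and registry locations, then applies a policy hashtable whose keys mirror the toggles in the settings table. The function names and hashtable keys are this example's own; the AIK check uses the EK certificate as a proxy, because the page itself ties the AIK to the presence of an EK certificate, and the ELAM check uses the Boot-Start Driver Initialization Policy value as an approximation. It must run in an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example, not Workspace ONE UEM or Microsoft code: collect on the local
# device the signals the Health Attestation settings act on, then evaluate a
# policy of enabled checks the way the settings table describes.
# Function names and hashtable keys are this example's own (assumptions).

function Get-LocalHealthSignals {
    $s = [ordered]@{}

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy-BIOS machines,
    # which also means Secure Boot is not enforcing.
    try   { $s.SecureBootEnabled = [bool](Confirm-SecureBootUEFI) }
    catch { $s.SecureBootEnabled = $false }

    # AIK is not exposed by a cmdlet; the page ties it to an EK certificate,
    # so the TPM endorsement key certificate is used here as the proxy.
    try {
        $ek = Get-TpmEndorsementKeyInfo
        $s.EkCertificatePresent = [bool]($ek.IsPresent -and $ek.ManufacturerCertificates.Count -gt 0)
    } catch { $s.EkCertificatePresent = $false }

    # DEP support policy: 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn, 3 = OptOut.
    $dep = (Get-CimInstance -ClassName Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
    $s.DepEnabled = ($dep -ne 0)

    # BitLocker protection on the OS volume.
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
        $s.BitLockerOn = ($vol.ProtectionStatus -eq 'On')
    } catch { $s.BitLockerOn = $false }

    # Kernel code integrity: the boot entry shows "nointegritychecks Yes"
    # when it has been switched off; no such line means checks are on.
    $bcd = & bcdedit.exe /enum '{current}' 2>$null
    $s.CodeIntegrityEnabled = -not ($bcd -match '^\s*nointegritychecks\s+Yes')

    # ELAM approximation: DriverLoadPolicy 8 ("All") loads every boot-start
    # driver regardless of the ELAM verdict; 1, 3 and 7 keep ELAM filtering.
    # An absent value means the default policy (7) applies.
    $elam = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch' `
                             -Name DriverLoadPolicy -ErrorAction SilentlyContinue
    $s.ElamEnabled = (-not $elam) -or ($elam.DriverLoadPolicy -ne 8)

    return $s
}

# Mirrors the toggles in the settings table: $true = that check is enabled.
$Policy = [ordered]@{
    SecureBootDisabled             = $true
    AikNotPresent                  = $true
    DepPolicyDisabled              = $true
    BitLockerDisabled              = $true
    CodeIntegrityCheckDisabled     = $true
    EarlyLaunchAntiMalwareDisabled = $true
}

function Test-HealthAttestationPolicy {
    param(
        [System.Collections.IDictionary]$Signals,
        [System.Collections.IDictionary]$Policy
    )
    # Each enabled check fires when the corresponding protection is off.
    $map = @{
        SecureBootDisabled             = { -not $Signals.SecureBootEnabled }
        AikNotPresent                  = { -not $Signals.EkCertificatePresent }
        DepPolicyDisabled              = { -not $Signals.DepEnabled }
        BitLockerDisabled              = { -not $Signals.BitLockerOn }
        CodeIntegrityCheckDisabled     = { -not $Signals.CodeIntegrityEnabled }
        EarlyLaunchAntiMalwareDisabled = { -not $Signals.ElamEnabled }
    }
    $flagged = foreach ($check in $Policy.Keys) {
        if ($Policy[$check] -and (& $map[$check])) { $check }
    }
    [pscustomobject]@{
        Compromised   = [bool]$flagged
        FlaggedChecks = @($flagged)
    }
}

$signals = Get-LocalHealthSignals
[pscustomobject]$signals | Format-List
$result = Test-HealthAttestationPolicy -Signals $signals -Policy $Policy
if ($result.Compromised) {
    "This device would be flagged by: $($result.FlaggedChecks -join ', ')"
} else {
    'All enabled Health Attestation checks pass on this device.'
}
```

Set a key in `$Policy` to `$false` to mirror a check you have left disabled in the console; the evaluation then ignores that signal, which is the same behaviour the table describes for an unchecked setting. The local reading is only a troubleshooting aid: the authoritative verdict comes from the measured boot log that the Health Attestation Service evaluates, which this script does not reproduce.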