Compliance Configuration and Extension Attribute

Compliance features are enabled globally for the following ISO-mandated OS hardening configurations. By default, all devices opt in to receiving the following:

      • AUP Banner (Changing on Tues) 
      • 15-minute screen saver
      • Install standard firewall
      • Block UT Guest Wifi
      • Default Scan schedule for Microsoft Defender
      • Install Nessus Agent
      • Receive OS patches when published by EPM Service
      • Receive Application patches by default (method of patching carries) 
      • Be prompted by Nudge to install OS patches

Additional compliance applications: 

  • Install Microsoft Defender
    • The ISO and EPM encourage using MDE as the preferred method of antivirus for macOS. However, since the University is migrating from Amp to Defender, ITSOs are in charge of scoping Defender as it aligns with their migration schedule. Secondarily, Defender is configured with department codes as a part of the payload so that devices can be reported on accurately. Therefore, Defender can't be scoped globally. When EPM onboards each site, we set up the Defender configurations at the site level. Units simply have to scope their devices.


Extension Attributes for Exceptions

  • ISO is the office managing EPM exceptions – If you need an exception, contact ISO via the exception request process.
  • An exception is needed to opt out of all patching; other examples are excluding Nessus and other ISO requirements.
  • Change in configuration – There are EAs for opting out and setting your configuration terms. If EPM isn't managing your patches or other compliance requirements, you assume responsibility for these items as a Site Admin.
  • EAs aren't an exception process. EAs are a workflow to manage exceptions.



How to leverage an extension attribute to except a hardening checklist item: 

If a machine needs to be excluded from one of the Global policies mentioned above, you can use an Extension Attribute to remove the device from scope.

The EPM team has built in scoping logic that adds a machine to a smart group, which is used for the exception framework. To use one of these Extension Attributes, open the inventory record of the machine in question and navigate to the “Extension Attributes” tab in the left column. Here you will find a Boolean option for each standard payload. A null value is treated the same as “No”. Once the option is toggled to “Yes”, the exception takes effect.
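Because a Site Admin who sets one of these EAs to “Yes” assumes responsibility for that hardening item, it is worth being able to audit which devices are excepted from which global policy. The following is an added example (not code from this page or from the EPM team): it reads a constructed set of computer records in the shape of a Jamf Pro Classic API computer response (the page does not mention the API; that shape is an assumption), normalizes each exception EA the way the page describes (null or missing behaves as “No”, only “Yes” excepts), and reports excepted devices per policy. The EA names in EXCEPTION_EAS are placeholders, since the page does not list the actual attribute names; a value that is neither Yes nor No is flagged for review rather than guessed at.

```python
import xml.etree.ElementTree as ET

# Placeholder EA names; the page does not give the real attribute names.
EXCEPTION_EAS = [
    "Exception - Screen Saver",
    "Exception - Firewall",
    "Exception - Nessus Agent",
    "Exception - OS Patching",
]

# Constructed sample records, modeled on the Jamf Pro Classic API
# computer record layout (assumption). Not data from the page.
SAMPLE_RECORDS = """<computers>
  <computer>
    <general><id>101</id><name>lab-mac-01</name></general>
    <extension_attributes>
      <extension_attribute><name>Exception - Screen Saver</name><type>String</type><value>Yes</value></extension_attribute>
      <extension_attribute><name>Exception - Firewall</name><type>String</type><value></value></extension_attribute>
      <extension_attribute><name>Exception - Nessus Agent</name><type>String</type><value>No</value></extension_attribute>
    </extension_attributes>
  </computer>
  <computer>
    <general><id>102</id><name>lab-mac-02</name></general>
    <extension_attributes>
      <extension_attribute><name>Exception - OS Patching</name><type>String</type><value>yes </value></extension_attribute>
      <extension_attribute><name>Exception - Firewall</name><type>String</type><value>maybe</value></extension_attribute>
    </extension_attributes>
  </computer>
</computers>
"""


def normalize_ea(value):
    """Collapse an EA value to 'Yes', 'No', or 'INVALID'.

    The page states that a null value is treated the same as 'No', so None
    (attribute absent) and an empty string both normalize to 'No'. Ignoring
    case and surrounding whitespace is an added assumption. Any other value
    is flagged: it does not match the smart-group criterion, so the device
    stays in scope for the global policy, and someone should look at it.
    """
    if value is None:
        return "No"
    v = value.strip().lower()
    if v == "yes":
        return "Yes"
    if v in ("", "no"):
        return "No"
    return "INVALID"


def audit_exceptions(xml_text):
    """Return {ea_name: {"excepted": [...], "invalid": [...]}} for every
    exception EA, listing device names so a Site Admin can see exactly
    which machines have opted out of which global hardening item."""
    root = ET.fromstring(xml_text)
    report = {ea: {"excepted": [], "invalid": []} for ea in EXCEPTION_EAS}
    for computer in root.iter("computer"):
        name = computer.findtext("general/name", default="<unnamed>")
        # An EA that is not present on the record is the same as a null value.
        values = {
            ea.findtext("name"): ea.findtext("value")
            for ea in computer.iter("extension_attribute")
        }
        for ea_name in EXCEPTION_EAS:
            state = normalize_ea(values.get(ea_name))
            if state == "Yes":
                report[ea_name]["excepted"].append(name)
            elif state == "INVALID":
                report[ea_name]["invalid"].append(name)
    return report


if __name__ == "__main__":
    for ea_name, buckets in audit_exceptions(SAMPLE_RECORDS).items():
        print(f"{ea_name}: excepted={buckets['excepted']} "
              f"needs_review={buckets['invalid']}")
```

Run against a real export, the "needs_review" bucket is the one to watch: a value such as "maybe" or "true" never matches the smart-group criterion, so the admin may believe a device is excepted while it continues to receive the global policy.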
