Regarding the Host Checker Global Options setting Client-side process, login inactivity timeout, we recommend that you specify an interval to control the timeout in the following situations:
Host Checker Global Options
At a minimum, we recommend enabling general remediation actions such as Custom Instructions or Send reason strings for any policy an endpoint may fail. For example, the user may then see a remediation page that contains custom instructions, a link to resources, and reason strings:
Your computer's security is unsatisfactory.
Your computer does not meet the following security requirements. Please follow the instructions below to fix these problems. When you are done click Try Again.
1. Symantec
Instructions: Click here to download the latest virus signature files. You can also contact the helpdesk at XXX-XXX-XXXX.
Reasons: Symantec Endpoint Protection 12.1.4013.4013 does not comply with policy. Compliance requires latest virus definitions.
If you do not enable Custom Instructions or Send reason strings for a policy that fails, Host Checker does not display the remediation page. In this situation, users will not know why they were denied access to the PCS appliance, and they will not be given resources to help them bring their endpoint into compliance with the Host Checker policy. For example, the user will observe only a message similar to the following:
You do not have permission to login. Please contact your administrator.
This may create unnecessary calls to the help desk.
Documentation
We recommend that you provide a document to the appropriate support or help desk groups which lists the following:
- Define exactly what your Host Checker policy checks for. You can create a variety of Host Checker policies that check for antivirus software, firewalls, malware, spyware, and specific operating systems from a wide variety of vendors. You can also create checks for ports, processes, files, registry keys, and the NetBIOS name, MAC address, or certificate of the client machine.
- If you are using Boolean expressions in either the Host Checker policy or your role mapping rules, then we recommend that you document exactly what is required in order to pass the endpoint check and map to a user role.
- After you have configured all of the rules for a Host Checker policy, you can specify how to enforce them by choosing one of the following options: All of the rules, Any of the rules, or Custom. For Custom requirements, you specify a custom expression using the Boolean operators AND and OR, and you can group and nest conditions using parentheses. For example, the following custom requirement passes when either the Antivirus rule or the Corp_Asset rule passes:
Antivirus OR Corp_Asset
You can also write a custom expression for the role mapping rule to evaluate Host Checker’s status using the hostCheckerPolicy variable.
For example, you may have a role mapping rule that maps users to the Full Access role only if they pass both the Norton and Sygate Host Checker policies and cacheCleanerStatus equals 1, as defined in the following Boolean expression:
hostCheckerPolicy = ('Norton' and 'Sygate') and cacheCleanerStatus = 1
- A list of the logs and screenshots required if the help desk cannot resolve the issue and escalation to Pulse Secure is required. Please refer to KB28146 - [Host Checker] Endpoint Security Assessment Plug-in (ESAP) Diagnostic Tool for PCS 7.2 / PPS 4.2 and above on Windows Platform, and to KB12905 - [Host Checker] The required logs for a Pulse Secure support case if Host Checker fails to detect a supported Anti-Virus or firewall product, for the logs required when a pre-defined check is failing.
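As an added worked example (not from the original article and not Pulse Secure's own code), the following Python evaluator models the "All of the rules" / "Any of the rules" / Custom enforcement choice and the AND/OR/parentheses custom expression syntax described above. Given an expression it enumerates the minimal combinations of passing rules that satisfy it, and given an endpoint's rule results it reports which additional rules would be enough to pass, which is exactly the information the help desk document should list. The rule and policy names (Antivirus, Corp_Asset, Norton, Sygate) are taken from the page's own examples; the endpoint results are constructed. It assumes AND binds tighter than OR, as in most expression languages, and does not model NOT or the `cacheCleanerStatus = 1` comparison from the role mapping example; confirm the precedence against your appliance in the lab before relying on it in documentation.

```python
"""Offline evaluator for Host Checker-style custom requirement expressions (added example).

Rule names are bare identifiers (Antivirus, Corp_Asset) or quoted strings ('Norton');
AND/OR are case-insensitive; AND binds tighter than OR (assumption); parentheses group.
NOT is not modelled (assumption: the page only mentions AND, OR and parentheses).
"""
import itertools
import re

_TOKEN = re.compile(
    r"(?P<lp>\()|(?P<rp>\))"
    r"|'(?P<q1>[^']*)'"
    r'|"(?P<q2>[^"]*)"'
    r"|(?P<id>[A-Za-z_][A-Za-z0-9_]*)"
)


def tokenize(expr):
    """Split an expression into (kind, text) tokens; kinds are LP, RP, AND, OR, NAME."""
    tokens, pos = [], 0
    while pos < len(expr):
        if expr[pos].isspace():
            pos += 1
            continue
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected character {expr[pos]!r} at offset {pos}")
        if m.group("lp"):
            tokens.append(("LP", "("))
        elif m.group("rp"):
            tokens.append(("RP", ")"))
        elif m.group("q1") is not None or m.group("q2") is not None:
            tokens.append(("NAME", m.group("q1") if m.group("q1") is not None else m.group("q2")))
        elif m.group("id").upper() in ("AND", "OR"):
            tokens.append((m.group("id").upper(), m.group("id")))
        else:
            tokens.append(("NAME", m.group("id")))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive-descent parser: expr := term (OR term)* ; term := factor (AND factor)* ;
    factor := '(' expr ')' | NAME. Produces nested tuples ("AND"/"OR", left, right) or ("NAME", rule)."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i][0] if self.i < len(self.toks) else None

    def take(self, kind):
        if self.peek() != kind:
            raise ValueError(f"expected {kind} at token {self.i}, got {self.peek()}")
        tok = self.toks[self.i]
        self.i += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.toks[self.i][1]!r} after expression")
        return node

    def expr(self):
        node = self.term()
        while self.peek() == "OR":
            self.take("OR")
            node = ("OR", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek() == "AND":
            self.take("AND")
            node = ("AND", node, self.factor())
        return node

    def factor(self):
        if self.peek() == "LP":
            self.take("LP")
            node = self.expr()
            self.take("RP")
            return node
        return ("NAME", self.take("NAME")[1])


def parse(expr):
    return _Parser(tokenize(expr)).parse()


def evaluate(node, passing):
    """True if the expression is satisfied when exactly the rules in `passing` pass."""
    if node[0] == "NAME":
        return node[1] in passing
    op, left, right = node
    if op == "AND":
        return evaluate(left, passing) and evaluate(right, passing)
    return evaluate(left, passing) or evaluate(right, passing)


def rule_names(node):
    if node[0] == "NAME":
        return {node[1]}
    return rule_names(node[1]) | rule_names(node[2])


def policy_passes(enforce, rule_results, custom_expr=None):
    """Apply the 'All of the rules' / 'Any of the rules' / 'Custom' enforcement choice
    to a {rule_name: passed} mapping for one endpoint."""
    if enforce == "all":
        return all(rule_results.values())
    if enforce == "any":
        return any(rule_results.values())
    if enforce == "custom":
        passing = {name for name, ok in rule_results.items() if ok}
        return evaluate(parse(custom_expr), passing)
    raise ValueError(f"unknown enforcement mode {enforce!r}")


def minimal_passing_sets(expr):
    """Every minimal combination of passing rules that satisfies expr, as sorted lists."""
    tree = parse(expr)
    rules = sorted(rule_names(tree))
    found = []
    for size in range(1, len(rules) + 1):
        for combo in itertools.combinations(rules, size):
            candidate = set(combo)
            if any(prev <= candidate for prev in found):
                continue  # a smaller set already satisfies the expression
            if evaluate(tree, candidate):
                found.append(candidate)
    return [sorted(s) for s in found]


def remediation_options(expr, passing):
    """For an endpoint whose passing rules are `passing`, the extra rules that would be
    enough to pass, one list per minimal passing set (empty if it already passes)."""
    if evaluate(parse(expr), set(passing)):
        return []
    return [sorted(set(s) - set(passing)) for s in minimal_passing_sets(expr)]


if __name__ == "__main__":
    # Constructed endpoint: the Norton rule passes, Sygate and Corp_Asset fail.
    endpoint = {"Norton": True, "Sygate": False, "Corp_Asset": False}
    expr = "('Norton' and 'Sygate') or Corp_Asset"
    print("minimal passing sets:", minimal_passing_sets(expr))
    print("endpoint passes:", policy_passes("custom", endpoint, expr))
    print("fix one of:", remediation_options(expr, {n for n, ok in endpoint.items() if ok}))
```

Run it directly to see the minimal passing sets for the page's expressions; the remediation_options output is the list a help desk agent needs ("get Sygate compliant, or mark the machine as a corporate asset") instead of the bare "You do not have permission to login" message.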
Please check the following documents for changes to Host Checker support, known issues, and limitations prior to upgrading your Pulse Connect Secure device:
Pulse Secure aims to release a new ESAP software package every one to two months. We recommend that you check the following documentation prior to upgrading your ESAP release:
Whenever possible, test and qualify Host Checker policies in your lab before implementing new policies or updating existing ones. These checks should be tested on a machine built from your standard corporate image.