Governance Policies | v8+


Like Dynamic Groups, Certero Governance Policies are a powerful reporting tool which allow you to perform reporting over and above what you can achieve by filtering on data grid columns. You can create simple or complex reporting logic, spanning all of the properties of inventory items and often the properties of related items of a different type.

Governance Policies allow you to define what success looks like (for a given problem), quantify non-compliance and identify compliant and non-compliant items. Some policy use cases are:

  • Ensure that all of my AD users have the Employee ID field populated.

  • Make sure the Windows Defender service is running across the desktop fleet.

  • Ensure that all of my Azure virtual machines are correctly tagged.

  • Make sure important software is being rolled out or updated; and/or that illegal software is not.

If you can identify a problem using Certero inventory, then it’s likely that a policy can be used to define success, call out the exceptions, minimise the risks, and help ensure you have the governance, training, and procedures in place to avoid the problem.

Governance Policies use Filters to define the reporting logic. The filters are constructed using a powerful but intuitive, graphical Filter Builder. Filters are saveable and reusable between policies. A policy has a Policy Filter where you define what success looks like and an optional Data Filter where you can reduce the pool of items being evaluated; for example, a policy which checks that users or computers comply with certain conditions, and where those conditions are country-specific, could have a Data Filter which scopes the policy to a single country.

Policies are found in the Governance > Policies menu where you’ll see the policy overview screen:

Each policy tile shows the title, success bar and description:

Choosing New Policy on the policy overview screen allows you to build a new policy. Clicking on an existing tile opens the policy details page which contains mini grids of the compliant and non-compliant items. The mini grid Details button will take you to the full data grid for the items where you can, for example, export an Excel report of non-compliant items to be investigated.

The Edit button on the policy details page opens the policy edit screen where you can edit, save, and delete a policy. You can set the policy title and description. The circled controls in the following image will open the Filter Builder for the Data and Policy Filters. The informational icons to the right show you the number of Blocks in the filter. Blocks are graphical units you use to create your filters and there are three types: Saved Filters, Conditions and Groups.

Policy Construction

Let’s create a policy to ensure that all of our users have the Employee ID attribute set in AD.

  1. Go to Governance > Policies

  2. Choose New Policy

  3. Choose the data type we are going to manage, in this case Active Directory Users

  4. On the policy edit screen, provide a meaningful name and description

  5. Open the Filter Builder for the Policy Filter

  6. Click the Plus button. This is used to add a Condition, Group or Saved Filter block

  7. Add a condition

  8. Click on the Property drop-down

  9. Type id into the property search field and choose User Details > Employee ID

  10. Change the operator to Is not blank and then choose the green tick to add the condition to the filter

This is the result:

Close the Filter Builder and you’ll immediately see your results in the compliant and non-compliant mini grids. The grids update as you edit so that you can validate your logic while editing.

(Note that the Compliant and Non-Compliant mini grids no longer appear side by side in the current Certero version)

Note: In the image above, we see service accounts in the non-compliant list. We don’t care about configuration of these accounts, so let’s exclude them from the policy. The place to do that is in the Data Filter, which is where we can scope the pool of items being evaluated by the policy. Open the Data Filter builder:

Add the following condition to the Data Filter and note the use of the Exclude slider. With this Data Filter, we’re telling the policy that we only want to track compliance for AD users that do not have a Display Name which starts with svc, i.e., which are not service accounts. Using the Data Filter, we’ve refined the scope of the policy.

Now taking a look at the non-compliant users, we no longer see service accounts, but we’ve realised there are admin and generic accounts that we want to exclude, because we don’t need to track configuration of those either:

We could add more conditions to the Data Filter, but instead, we’ll make a Saved Filter which identifies our service, admin and generic accounts that we'll maintain in a single place and re-use in any policy that we want to scope on real, human users only.

First, clear the criteria in the Data Filter that we're going to replace and enhance with a Saved Filter, and save the policy:

To create our Saved Filter, go to Governance > Filters

Create a new filter, set the title and description, and choose the Filter Builder button

Add conditions to identify the generic, admin and service accounts. In this case, AD users where the display name ends with admin or starts with reception, svc or callcenter

Close the Filter Builder. The result successfully identifies our non-real AD users

Save the filter. We now have a Saved Filter which we can use in other policies:

Go back and edit the Data Filter of the AD User Config policy

Find the Saved Filter in the drop-list and choose the green tick to add it to the Data Filter

Remember to set the slider to Exclude, because we want to exclude the generic accounts etc. from the scope of the AD User Config policy:

Close the Data Filter builder and check the policy results. We have:

  1. A Policy Filter which checks that Active Directory Users have Employee ID set.

  2. A Data Filter which limits the scope of the policy to real, human users only.

  3. Zero non-compliant users. Everyone has an Active Directory Employee ID assigned.

(Note that the Compliant and Non-Compliant mini grids no longer appear side by side in the current Certero version)

We’re 100 percent compliant, for now. If non-compliant AD users exist in the future, the policy will detect them, and the success bar will show less than 100 percent. If we add the policy to a dashboard, we have even greater visibility:

Let’s make our policy more powerful by also ensuring users have a valid Department assigned in AD. We could add all our valid departments as conditions in the Policy Filter, like the following image, where:

  1. We’ve added a Group block and put the department conditions in that because:

  2. We need to match ANY department, and

  3. We need to match both the Employee ID condition AND ANY of the department conditions. This is what groups are for: using different ANY/ALL settings in the same filter.

Realistically, we wouldn’t add all our departments to the Policy Filter. We’d create a Saved Filter where we could centrally manage all our department names and then reference the Saved Filter in any required policies, like the following image where the yellow block is the Saved Filter. We’re checking that AD users have the Employee ID set AND have a valid department assigned:

It’s sometimes not advisable to check several different things in the same policy, because the non-compliant list will not directly tell you which criteria the items failed to meet; but remember that you can launch a full data grid from the non-compliant mini grid, inspect the non-compliant items in more detail, and export them to Excel the usual way.

Additional Information

  • You can clone policies by choosing Copy on the policy edit screen

  • You can drag conditions between groups

  • From the policy detail screen, you can export policies to a JSON file

  • On the policy overview screen, you can import previously exported policies from a JSON file

Things To Remember

The construction of policy logic can initially seem complex, and there can be several ways of achieving the required result. There are two key things to remember which will make your policy journey easier.

Firstly, Certero Governance Policies are designed to track success. Where possible, define what success looks like in the policy and use it to track that.


Secondly, remember that a filter can only match items and property values that actually exist in the inventory; a condition written to match an absence can produce what look like false positives if it is not configured correctly. You may need to match the criteria which are the opposite of success and set the Exclude slider option. For example, a policy to ensure 7-Zip is never installed on computers will need to match computers with 7-Zip installed with the Exclude option set, as per the following image. In this way, the policy matches all the computers with 7-Zip, then discards those matching computers and tracks all the other computers as compliant. If we asked the filter to find computers without 7-Zip, it would match every computer, because every computer will have software on it that’s not 7-Zip.
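The following is an added example, not Certero's code: a small Python model of how a policy's Data Filter and Policy Filter evaluate Condition and Group blocks. It covers both the Group with mixed ALL/ANY settings (Employee ID AND any valid department) from the section above and the 7-Zip Exclude point just made, using constructed user and computer records; the property names, block functions and ANY-over-related-items rule are assumptions made for the model.

```python
# Added example (not Certero's code): a toy model of Data Filter / Policy Filter
# evaluation with Condition and Group blocks and the Exclude slider; data is constructed.

def cond(prop, test, exclude=False):
    """Condition block: a list-valued property (related items) matches if ANY value passes."""
    def matches(item):
        vals = item.get(prop, "")
        hit = any(test(v) for v in (vals if isinstance(vals, list) else [vals]))
        return hit != exclude          # the Exclude slider inverts the match
    return matches

def group(blocks, mode="all", exclude=False):
    """Group block: 'all' needs every block to match, 'any' needs at least one."""
    def matches(item):
        results = [b(item) for b in blocks]
        return (all(results) if mode == "all" else any(results)) != exclude
    return matches

def evaluate(items, data_filter, policy_filter):
    """Scope the pool with the Data Filter, then split it with the Policy Filter."""
    pool = [i for i in items if data_filter is None or data_filter(i)]
    ok = [i["name"] for i in pool if policy_filter(i)]
    return ok, [i["name"] for i in pool if i["name"] not in ok]

USERS = [  # constructed AD user records
    {"name": "alice", "employee_id": "1001", "department": "Finance"},
    {"name": "bob", "employee_id": "", "department": "IT"},
    {"name": "carol", "employee_id": "1003", "department": "Skunkworks"},
    {"name": "svc_backup", "employee_id": "", "department": ""},
]
COMPUTERS = [  # constructed computers; "software" is the related-item list
    {"name": "pc1", "software": ["Chrome", "7-Zip"]},
    {"name": "pc2", "software": ["Chrome", "Office"]},
]
# Data Filter excludes service accounts; Policy Filter = Employee ID set AND
# department in the valid list (inner group set to ANY).
real_users = cond("name", lambda v: v.startswith("svc"), exclude=True)
valid_dept = group([cond("department", lambda v, d=d: v == d)
                    for d in ("Finance", "IT", "HR")], mode="any")
user_policy = group([cond("employee_id", lambda v: v != ""), valid_dept])
# "7-Zip never installed": the naive filter matches every computer, since each
# has some software that is not 7-Zip; matching 7-Zip with Exclude is correct.
naive_7zip = cond("software", lambda v: v != "7-Zip")
exclude_7zip = cond("software", lambda v: v == "7-Zip", exclude=True)

def user_results():
    return evaluate(USERS, real_users, user_policy)

def seven_zip_results(policy):
    return evaluate(COMPUTERS, None, policy)
```

With the naive 7-Zip condition, pc1 is reported compliant despite having 7-Zip installed; with the Exclude form, it is correctly reported non-compliant.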

Example Policies and Filters

Example 1: A policy to ensure Windows Defender is running on desktop computers.

Data Filter

Policy Filter

Example 2: A filter to ensure vendor AD accounts have an expiry date set and that the date is no more than one year in the future. You would also use a Data Filter to scope the policy on vendor accounts only.

Example 3: A policy to check that computers with Chrome installed have version 79.x.

Data Filter

Policy Filter

Example 4: A policy to ensure that disabled staff AD accounts are correctly marked as terminated in AD.

Data Filter

Policy Filter

Example 5: A filter to ensure all C drives are protected with BitLocker.

Example 6: A filter to ensure all C drives across the Windows fleet have more than 5 GB free.

Example 7: A filter to ensure Azure VMs have a cost center tag populated AND an environment tag containing a valid value.

Thanks for reading!