Host checker policy evaluate vs enforce

John.Corbin_
Contributor

I am trying to set up a policy that will check if you have a company-issued machine cert on your client. I do not want the policy to deny access if you don't have a company-issued machine cert. When I enable the policy and only set it to evaluate, I get prompted during testing to install the missing certificate. I do not want non-company assets to get this option. Can anyone point me in the right direction for this?

zanyterp_
Respected Contributor

Re: Host checker policy evaluate vs enforce

Evaluate: Check the posture, record result, and inform user of the reason for failure (if there are any required policies listed); but access is granted. Evaluation must happen on the realm.

Enforce: Check the posture, record the result, and deny access if the user fails; a message will be presented with why they failed (if reason strings are enabled) for the reason of failure. Enforcement can be on the realm or the role.

How many realms are you using? (2 would be best to reduce the likelihood of users getting a message for needing to install the certificate.)

John.Corbin_
Contributor

Re: Host checker policy evaluate vs enforce

This is our test cluster, so it has a lot of clutter on it. We have 10 realms on it, but not all of them are in use.