The Compliance Checker is a program that you can use to view and, optionally, fix problems that might be causing a computer to fall out of compliance. When you run the program, a splash screen is displayed.
While the splash screen is displayed, the program checks the computer for all of the attributes that define a Stanford security-compliant device. If it finds something that may cause problems (either with the computer's compliance status or with the ability of the computer to become compliant), it records the details and attempts to correct it. Once all of the checks are done, the summary screen is displayed.
In the following example, the computer is compliant but the program determined that the encryption recovery key has not been escrowed in the Stanford infrastructure. This means that if you forget your encryption password and you have not recorded it locally, you will not be able to retrieve the key from the MyDevices website. You might be permanently locked out of your computer.
In the next example, although the primary disk (C: drive) is encrypted, there is another drive that is not encrypted. If this were a Mac, this situation would cause the device to become non-compliant. Since this is a Windows computer, it is only a warning. The requirement to encrypt all drives does not currently apply to Windows computers, but this exemption will eventually be rescinded.
In the following example, the program discovered that the BigFix service (which is used for compliance monitoring) was not running. It then started the service. If there is a serious problem with the BigFix installation, this might only be a temporary fix. After the BigFix service reports that the computer is compliant, the computer is granted access to the Stanford network. However, if the BigFix service fails again, the computer may again fall out of compliance. If this occurs, further investigation and repairs may become necessary (for example, a removal and re-install of BigFix).
In addition to displaying problems that were found, the Compliance Checker fixes any of those problems that can be fixed. If a fix is successful, the Compliance Checker adds the item to a list of items that were fixed. To see the list of fixed items, on the View menu, click Items That Were Repaired.
Items automatically repaired
To see a list of all of the items that the Compliance Checker can repair, on the Help menu, click What will be fixed?
- Answer File Found
  - This file is used by the compliance applications (enrollment and encryption) to direct run-time behavior. Occasionally, this file can get corrupted or locked, which may cause those applications to either fail or act in unpredictable ways. If the file is found, the Compliance Checker will attempt to unlock and delete it.
- A compliance enforcement flag was not found.
  - Security setting enforcement (BigFix only) is accomplished by setting a flag on the computer that enables this enforcement. If this is not done, and a setting is changed to a value that is out of compliance with the security standard, the computer could fall out of compliance. If the flag is not found, the Compliance Checker will create it.
- Encryption Recovery Key not escrowed.
  - If the disk encryption key has not been saved to the Stanford infrastructure, and the user has not explicitly chosen to avoid saving the key, the Compliance Checker will offer to escrow the recovery key.
- VLRE Service was Stopped
  - The VLRE service is the compliance monitoring alternative to BigFix. It will not make any changes to the computer, but will report compliance status to MyDevices. If it is found to be in an unresponsive state, an attempt will be made to enable the service.
- Bigfix Service was Stopped
  - If BigFix is installed, and it is found to be in an unresponsive state, an attempt will be made to enable the service.
The File menu contains three actions on Windows: temporary file cleanup, enrollment.txt changes, and reporting. Only two items are available on Mac: enrollment.txt changes and reporting.
Cleanup temporary files (Windows only)
Temporary files on a Windows computer can increase in number and size over time. These are not permanent files like documents or programs; they are only needed for a short period of time. If the growth of temporary files remains unchecked, it can reduce free disk space to a critical amount. Log files that are maintained by Windows system functions can grow too large and impact performance. These files can cause problems with installed software and with Windows itself. For example, Windows Update can become unresponsive if temporary files get out of hand. Since Windows Update is the primary way that your computer is kept safe from security flaws in the operating system, this situation can allow hackers to compromise your computer. Cleaning up temporary files is an important thing to do periodically.
This function deletes unnecessary temporary files but does not affect important temporary files like the browser cache and cookies. However, be aware that this function removes the Windows Update history list. It will not harm updates that have already been applied or will be applied in the future, but it does mean that the list of updates shown in Windows Update "Update history" may be lost.
Depending on the number and size of the temporary files on the computer, this function can take a significant amount of time to complete. When it does complete, you should reboot the computer if you have been experiencing problems that may be related to the build-up of temporary files.
Create new enrollment.txt file
Computers that are allowed to access the Stanford infrastructure must be marked with certain attributes. Occasionally, the enrollment application may be unable to mark the computer properly (create the enrollment.txt file). This can happen if there are technical issues (drivers, missing DLLs, etc.) that prevent the enrollment app from functioning properly. The simplest solution to this problem is to choose one of the enrollment options from the File menu. This allows you to create a new enrollment.txt file and save it to your computer. If you select this menu item, a dialog box asking you if you want to continue is displayed.
Since the enrollment process requires that the end-user answer the enrollment questions (access to high risk data can only be answered by the individual who knows), creating an enrollment.txt file on behalf of the user should be strictly limited to those technical support individuals who will take personal responsibility for the accuracy of the data. Currently, this functionality is reserved for members of the Computer Resource Center.
Next, the screen to create the enrollment.txt file is displayed.
You can answer the required questions on behalf of the user of the computer, save the answers to a file (network drive or USB drive), then copy the file to the proper directory on the user's computer:
- Windows: C:\ProgramData\Stanford
- Mac: /Library/Application Support/Stanford
If the results of the report are confusing or you cannot identify the nature of the compliance issue from the Compliance Checker, you can generate an extremely verbose technical report, save it to a file, and mail that file to a third party (CRC, ISO, etc.) for review. By default, the file is saved to the desktop and is named "ComplianceReport.txt."