Potential use cases

The results of evaluation can be used by access control software to observe the compliance state of the endpoint, by diagnostic software to observe the failure state of particular components, or by startup scripts to verify any aspect of the system computable within the Tivoli BigFix inspection framework. Compliance might be determined based on detecting that certain conditions do or do not exist on the endpoint. Examples include:

  • Detecting if spyware is installed or running. This use might take the form of a compliance policy that a particular spyware detection program is installed, running, and up-to-date, or that a set of executables is not installed.
  • Detecting if a virus scanner is installed, running and properly configured.
  • Detecting if a firewall is installed, running and properly configured. This use might take the form of a compliance policy that requires the installation of a specific firewall.
  • Detecting that network shares are turned off. This use might take the form of requiring that no network shares be defined on the endpoint for the endpoint to be in compliance.
  • Detecting that wireless networks are disabled. This use might take the form of requiring that wireless networks be turned off during corporate LAN access.
  • Detecting the patch level of the endpoint. The API allows you to check whether there are any critical patches that require installation.

This is an example compliance expression that returns true when there are no critical patches that are relevant on the endpoint:

number of relevant fixlets whose (value of header "x-fixlet-source-severity" of it 
	as lowercase = "critical") of sites = 0

The description and comment fields of the compliance expression item can be used to provide content for your custom application. This technique can help reduce the need to update your application executables when requirements change. For example, you might mark certain compliance expression items with comments like "Compliant if true" or "Quarantine if true." Then you can program your application to act on the results of evaluating the expressions together with the comments that are returned.
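The following sketch shows one way an application could act on such comments. It is an added example, not code from the product or its API. The `ItemResult` shape, the item names, and the fail-closed handling of evaluation errors, false "Compliant if true" results and unrecognized comments are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Verdict(Enum):
    COMPLIANT = "compliant"
    QUARANTINE = "quarantine"


@dataclass(frozen=True)
class ItemResult:
    """One evaluated compliance expression item (hypothetical shape)."""
    name: str               # label chosen by the application
    comment: str            # text of the item's comment field
    value: Optional[bool]   # evaluation result; None if evaluation failed


def item_verdict(item: ItemResult) -> Verdict:
    """Apply the directive stored in the comment field to one result."""
    # Tolerate case, surrounding whitespace and a trailing period.
    directive = item.comment.strip().rstrip(".").strip().lower()
    if item.value is None:
        return Verdict.QUARANTINE          # assumption: fail closed on errors
    if directive == "compliant if true":
        return Verdict.COMPLIANT if item.value else Verdict.QUARANTINE
    if directive == "quarantine if true":
        return Verdict.QUARANTINE if item.value else Verdict.COMPLIANT
    return Verdict.QUARANTINE              # assumption: unknown directive fails closed


def endpoint_verdict(items: List[ItemResult]) -> Tuple[Verdict, List[str]]:
    """Combine item verdicts; any failing item quarantines the endpoint."""
    failing = [i.name for i in items if item_verdict(i) is Verdict.QUARANTINE]
    if not items or failing:
        return Verdict.QUARANTINE, failing
    return Verdict.COMPLIANT, failing


# Constructed sample results, not output from a real endpoint.
SAMPLE = [
    ItemResult("no-critical-patches", "Compliant if true", True),
    ItemResult("network-shares-defined", "Quarantine if true.", False),
    ItemResult("wireless-enabled", "quarantine if true", True),
    ItemResult("firewall-running", "Compliant if true", None),
    ItemResult("av-configured", "Alert if true", True),
]

if __name__ == "__main__":
    verdict, failing = endpoint_verdict(SAMPLE)
    print(verdict.value, failing)
```

Because the directive lives in the comment field, changing an item from "Compliant if true" to "Quarantine if true" changes the decision without rebuilding the application.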

Possible applications include configurable watchdog software that looks for certain conditions and can then disable, limit, or enable the following functions:

  • Network shares
  • Wireless networks
  • Network access