How Do Users Know if Their Systems are Compliant?
By default, end users are not given any information
about policy decisions that were made as a result of HIP-enabled
security rule enforcement. However, you can enable this functionality by
configuring HIP notification messages to display when a particular
HIP profile is matched and/or not matched.
The decision as to when to display a message (that is, whether
to display it when the user’s configuration matches a HIP profile
in the policy or when it doesn’t match it) depends largely on your
policy and what a HIP match (or non-match) means for the user. That
is, does a match mean they are granted full access to your network
resources? Or does it mean they have limited access due to a non-compliance
issue?
For example, consider the following scenarios:
You create a HIP profile that matches if the required
corporate antivirus and anti-spyware software packages are
not installed.
In this case, you might want to create a HIP notification message
for users who match the HIP profile and tell them that they need
to install the software (and, optionally, provide a link to the
file share where they can access the installer for the corresponding
software).
You create a HIP profile that matches if those same applications
are installed.
In this case, you might want to create the message for users who
do not match the profile, and direct them to the location of the
install package.