Can I whitelist or exempt a device?

Making exceptions is, unfortunately, a normal part of IT and security operations. And while it may be considered a last-resort, there should still be an elegant way of handling it. With this in mind, we’ve created a straightforward policy exemption mechanism for devices.

Additionally, because exempt devices can potentially create security holes in your network, we’ve made it easy to audit exemption events, find exempt devices, and reverse the exemption.

While in an exempt state, devices will respond to the registry API and REST API v2 as if they were compliant. Despite this, all compliance issues will continue to be reported in the device details and API detailed responses.

Exempting devices from MetaAccess policy

There are 3 options to exempt devices from MetaAccess policy:

Option 1:

  1. Log into MetaAccess console

  2. Navigate to the Inventory > Devices page

  3. Select the devices by clicking the check-box next to it or by clicking on the device entry

  4. Click on the ‘Actions’ button in the top-right

  5. Select 'Exempt' to exempt the device from all issues or critical issues only

images/download/attachments/36836003/image2017-9-27_15-37-32.png


Option 2:

  1. Log into MetaAccess console

  2. Navigate to the Settings > Global Settings

  3. Select the 'Device Compliance' tab

  4. Upload a list of devices you want to exempt (a template is provided there)

  5. Hit SAVE

images/download/attachments/36836003/image2017-9-27_15-39-45.png

Option 3:

The Devices Action API can be used for programmatically managing device exemption state.


Reversing an exemption

  1. Log into MetaAccess console

  2. Navigate to the Inventory > Devices tab

  3. Select the device by clicking the check-box next to it or by clicking on the device entry

  4. Click on the ‘Actions’ button in the top-right

images/download/attachments/36836003/exempt.PNG

5. Select 'Unexempt' to unexempt the device from all issues or critical issues only

Finding exempt devices

In the Devices list view, an exempted device will be highlighted with a images/download/attachments/36836003/image2017-4-11_17-41-38.png symbol. Filters can also be used to show only exempted devices.

Audit log to track exemptions

MetaAccess allows multiple administrators to manage a single account, so it’s important that administrators can track actions taken by each other. To this point, exemption actions have been added to the Administrator Events section of the event log (Event Logs >> Administrator Events).

Any actions taken to exempt or unexempt a device will appear in this log, along with the name of the logged-in administrator who performed the action. For better visibility, two new filters are provided as well.

This article was last updated on 2017-09-27
EA