A client compliancy system is used to gate access to a protected network, such that only clients that are in compliance with a policy are allowed access to the protected network. Clients that are not in compliance are typically assigned to a quarantine network and provided with some remediation mechanism that should allow them to become compliant. Determination of a client's compliance can be done on the client itself, external to the client, or in a combination of these.
Endpoint compliance solutions help customers manage client security by ensuring that all clients are using current signatures, components, patches, and security policy. However, the endpoint compliance solution itself requires management. In particular, the “manager” (e.g., administrator/IT) must define and configure the required compliance policies. This configuration process is ongoing and difficult, particularly as more client security products are deployed, and as those products are updated. In addition, if the manager allows administrative privileges to a user, then the manager has very little control over what arbitrary or unknown applications the user can or cannot run on the endpoint. Being too restrictive results in over-management or in a situation where the user is not able to perform his task, both such results being unacceptable. Another problem is the impracticality associated with presetting an application list (both known good/bad and unknown) on an endpoint. In particular, it is difficult at best to anticipate what applications will and will not be required at a given endpoint in the future (particularly with regard to new and/or improved applications released after the preset date).
What is needed, therefore, are techniques for effective endpoint management.