Uploading proof of completion
Janine Sutter
In case the Secfix Agent does not recognize that one of the security requirements has been applied, users want to demonstrate compliance with the security requirements (e.g. PW Manager) and would like to have the option to upload proof. For example, they could provide a screenshot showing that the necessary configurations are in place.
Use case:
A company with strict BYOD policies allows employees to use personal devices but does not require installing an agent. To verify compliance, employees can manually confirm security settings (e.g. PW manager) and upload screenshots as evidence. This ensures compliance verification without needing automated detection.
Created by Elżbieta Żurakowska
Ghada Shebl
Merged in a post:
Upload evidence of device compliance
Abraham Aranguren
Some of our employees are not using the Secfix Agent. We would like them to be able to manually upload evidence of device compliance into Secfix. It would also be great if there were monthly reminders about that to employees.
Grigory Emelianov
Abraham Aranguren thanks for this feedback! I just have a few questions:
- Which OS systems are relevant here?
- Is it company devices or their own?
- Do you think they would install more famous MDM solutions like Kandji or MS Intune instead if you'd implement something like that? I could imagine there is generally less interest in any monitoring system given the nature of your business.
Abraham Aranguren
Grigory Emelianov Linux, Mac and Windows are relevant. We have a BYOD policy so we cannot enforce MDM, everybody is on their own equipment, hence the reluctance to run the Secfix binary by infosec people, thanks!
Grigory Emelianov
Hi, we were recently considering this feature but we found a few potential UX issues in the workflow:
- Without the Secfix agent, if they want to upload evidence about device compliance (password manager, encryption, etc.), employees will need to enter at least 1. device name, 2. operating system version and 3. serial number of the device correctly. The serial number is critical here because there is some logic behind it. Would you trust your employees to provide the correct serial number? Or would you upload this for every employee as admin?
Also, currently the Computers page shows only real monitoring data synced from the devices. If we add manually monitored devices there, you'll lose your single source of truth for device monitoring in case data provided by employees is not accurate. Hence, would you like us to add the manually added devices there (accept risk of lower accuracy) or did you expect only the computer automated checks to consider this data and not the computers page?