[CAEP] device management change is not captured in the existing events #131

Open
@appsdesh

In the world of device management, the device management signal is very important. It does not directly map to the device compliance status.

Device compliance status could be the result of evaluating the compliance policy (output of a policy decision engine). In certain cases, device management status may be needed to evaluate policies (input to the policy decision engine).

Given that a managed device may or may not be compliant, and that this information is important in continuous access evaluation, I am proposing the following change to the device compliance CAEP event:

Option 1 - Management status via new keys

  1. Mark existing current_status and previous_status as optional to avoid mandating compliance status
  2. Add 2 additional keys, current_management_status and previous_management_status, as OPTIONAL fields to communicate current and previous management status.

Pros -

  1. Transmitter is able to combine compliance and management changes in the same event, helpful at scale.

Cons -

  1. Increased event size in the case when both compliance and management status are conveyed

Option 2 - Extend the values of existing keys

  1. Allow new values in the current_status and previous_status keys:
     * managed
     * not-managed

Pros -

  1. No size increase for the event, reusing the keys
  2. Transmitter is able to combine compliance and management changes in the same event, helpful at scale.

Cons -

  1. May not be able to represent management change and compliance change together, due to key reuse

Option 3 - A new event called device management change

Define a new event, device management change, to solely communicate device management changes. This new event will have the current_status and previous_status keys and the values defined in Option 2.

Pros -

  1. Cleaner separation of two constructs

Cons -

  1. A new event to fire and consume for Tx/Rx pair
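
The following is an added example, not part of the issue or of the CAEP specification: a receiver-side parser for the Option 1 payload, in which both status pairs are optional and may arrive in the same event. The event-type URI and the compliant/not-compliant values are the existing CAEP ones; the function name, the rule that a pair must be complete, and the rule that at least one pair must be present are assumptions.

```python
# Added example: receiver-side parsing of the Option 1 payload shape.
# Key names and managed/not-managed come from the issue; the validation
# rules are assumptions, not text from the CAEP specification.
DEVICE_COMPLIANCE_CHANGE = (
    "https://schemas.openid.net/secevent/caep/event-type/device-compliance-change"
)
# signal -> (current key, previous key, allowed values)
PAIRS = {
    "compliance": ("current_status", "previous_status",
                   ("compliant", "not-compliant")),
    "management": ("current_management_status", "previous_management_status",
                   ("managed", "not-managed")),
}


def parse_option1(events):
    """Return {signal: (previous, current)} for each pair present.

    Raises ValueError for a half-present pair, an unknown value, or an
    event carrying neither pair (assumed invalid: it conveys no change).
    """
    claims = events.get(DEVICE_COMPLIANCE_CHANGE)
    if not isinstance(claims, dict):
        raise ValueError("no device-compliance-change event present")
    changes = {}
    for signal, (cur_key, prev_key, allowed) in PAIRS.items():
        cur, prev = claims.get(cur_key), claims.get(prev_key)
        if cur is None and prev is None:
            continue  # each pair is OPTIONAL under Option 1
        if cur is None or prev is None:
            raise ValueError(f"{signal}: {cur_key}/{prev_key} must appear together")
        if cur not in allowed or prev not in allowed:
            raise ValueError(f"{signal}: unexpected value {prev!r} -> {cur!r}")
        changes[signal] = (prev, cur)
    if not changes:
        raise ValueError("neither compliance nor management status present")
    return changes


# Constructed samples (not captured traffic): the "events" claim of a SET.
SAMPLE_COMBINED = {DEVICE_COMPLIANCE_CHANGE: {
    "current_status": "not-compliant", "previous_status": "compliant",
    "current_management_status": "not-managed",
    "previous_management_status": "managed",
}}
SAMPLE_MGMT_ONLY = {DEVICE_COMPLIANCE_CHANGE: {
    "current_management_status": "managed",
    "previous_management_status": "not-managed",
}}
```

A receiver that rejects unknown keys or still requires current_status would drop SAMPLE_MGMT_ONLY, which is the compatibility cost of making the existing keys optional.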
