Within Kolide, you’ve defined many policies and requirements that govern what must be true about a device for it to be allowed to move through authentication. These policies include Checks, registration eligibility requirements, device trust levels, authentication modes, and more.

If only some authentication requests processed by 1Password Device Trust are successful, your users may be experiencing a device posture outage. You may be able to mitigate the impact of this type of outage by changing your configured requirements to allow devices to proceed though authentication if appropriate data cannot be collected or reported to the server.

Building internal policies regarding what risks you’re willing to accept in the case of certain types of outages is an excellent way to prepare for contingencies. The most impactful policy to consider when building rollback strategies for device posture outages is your Checks policy.

If an Outage Impacts Checks

If Checks are not finalizing, updating, or reporting, this could cause some users to become “stuck” during authentication and be unable to proceed even though they’re in a compliant state.

Step 1: Preserve the Checks’ Intended Remediation Strategy

To mitigate this, first use the Check tagging capability provided by Kolide to create a record of the affected Check’s intended remediation strategy. This may take a few minutes as you configure your account, but it preserves long-term and cross-team awareness of the plan.

Some common tags include:

• “Warn then block”
  • “Block after 5”
  • “Block after 7”
• “Delay before warning”
• “Block immediately”
• “Notify only”
• “Report only”

You can also take screenshots of your settings, or find them in the Audit Log.

Step 2: Update the Checks to a Non-Blocking Remediation Strategy

After you’ve recorded your current settings, update the remediation strategy for all relevant Checks to a non-blocking strategy like Report Only for the duration of the outage. Reinstate your policies when the service has stabilized.

If you didn’t create a record of your Checks’ intended state, you can always reconstitute Checks from the Audit Log in Settings > Audit.