1E is always listening to its customers, so it’s absolutely awesome to see the new Nomad Baseline Wizard released in Nomad v6.3. This wizard enables administrators to define a global standard configuration for all Nomad clients and uses the built-in Compliance Settings feature of ConfigMgr.
What are “Compliance Settings”?
Compliance Settings – a feature of ConfigMgr – let you manage the configuration and compliance of servers and workstations. A configuration baseline includes one or more configuration items, which contain the specific settings you want to evaluate to determine compliance. ConfigMgr already includes out-of-the-box reports that can show you clients with non-compliant settings, which is great for showing “configuration drift” (e.g. someone or something altering settings on a computer away from the corporate standard).
Furthermore, if a setting does not comply with the value(s) configured in the configuration items (such as a registry key/value), then a compliance rule can remediate (read: enforce) that setting (and change the registry key to the correct value).
You can find further information on compliance settings here.
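The following PowerShell is an added example, not code from 1E or ConfigMgr, showing the evaluate-then-remediate logic that a registry compliance rule applies. The function name, the scratch key under HKCU and the values are constructed for the demo; they are not Nomad's real registry location or defaults.

```powershell
# Added example: evaluate-then-remediate logic of a registry compliance rule.
# The key path and all values are constructed; they are not Nomad's real location or defaults.
function Test-RegistryBaseline {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]    $Path,
        [Parameter(Mandatory)] [hashtable] $Expected,
        [switch] $Remediate
    )
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $want = $Expected[$name]
        # A missing key or value is reported as drift, not raised as an error
        $item = Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
        $have = if ($null -ne $item) { $item.$name } else { $null }
        # Compare type as well as content so "1" (string) does not pass for 1 (DWORD)
        $compliant = ($null -ne $have) -and
                     ($have.GetType() -eq $want.GetType()) -and
                     ($have -eq $want)
        $fixed = $false
        if (-not $compliant -and $Remediate) {
            if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
            # Remove first so a wrong-typed value is recreated with the right type
            Remove-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
            $type = if ($want -is [int]) { 'DWord' } else { 'String' }
            New-ItemProperty -Path $Path -Name $name -Value $want -PropertyType $type | Out-Null
            $fixed = $true
        }
        [pscustomobject]@{
            Setting   = $name; Expected = $want; Actual = $have
            Compliant = $compliant; Remediated = $fixed
        }
    }
}

# Demo against a constructed scratch key with one drifted and one missing value
$demoKey  = 'HKCU:\Software\ExampleBaselineDemo'                 # constructed key
$baseline = @{ P2PEnabled = 1; SigsFolder = 'C:\ExampleSigs' }   # constructed values
New-Item -Path $demoKey -Force | Out-Null
New-ItemProperty -Path $demoKey -Name P2PEnabled -Value 0 -PropertyType DWord | Out-Null

Test-RegistryBaseline -Path $demoKey -Expected $baseline              # report drift only
Test-RegistryBaseline -Path $demoKey -Expected $baseline -Remediate   # enforce the baseline
Test-RegistryBaseline -Path $demoKey -Expected $baseline              # re-evaluate after the fix
Remove-Item -Path $demoKey -Recurse
```

In ConfigMgr the comparison is performed by the configuration item's compliance rule, and the “Remediate noncompliant rules when supported” deployment option plays the role of `-Remediate` here.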
How do “Compliance Settings” help Nomad?
The compliance settings feature of ConfigMgr allows you to centrally control and enforce Nomad registry settings on all Nomad clients, so you can be assured that all your Nomad clients have the correct values, hence guaranteeing correct Nomad operations.
While we’re on the subject, a concern that sometimes arises is that some Nomad registry setting changes require the Nomad service to be restarted. This restart happens automatically when Nomad senses that a configuration value has changed, so there really is nothing to worry about.
Introducing the Nomad Baseline Wizard
The Nomad Baseline Wizard is a new feature introduced in Nomad v6.3. It automates the creation of the configuration items and groups them into a single compliance baseline (for deployment to all your Nomad clients).
The wizard is launched by clicking the “Create Nomad Baseline” icon in the “Assets and Compliance” view of the ConfigMgr Console, as shown below:
You have probably already created an MST transform file when you originally deployed the Nomad client, so you can import your existing Nomad MST transform file (recommended), or configure the registry entries manually.
Select the option to “Configure settings using MSI Transform” and specify your MSI and MST file locations:
The wizard will read your Nomad MSI/MST files and display the registry settings. You can also add additional registry settings to your configuration baseline.
You can also enable or disable the Nomad Client Health Checks, as shown below:
When you have configured your settings, the wizard will create a “Nomad – Client Settings” configuration baseline and “Nomad Registry Settings” configuration item.
Now you need to deploy this baseline to your Nomad clients. Right-click the Nomad – Client Settings baseline and select Deploy.
- Make sure you have selected the correct baseline.
- Enable the “Remediate noncompliant rules when supported” option, so that the settings contained in this baseline are enforced (and changed to the correct settings on non-compliant computers).
- Specify a device collection to target this configuration baseline at.
- Finally, specify the schedule to check for – and enforce – the configuration baseline.
Your client computers will download this compliance baseline as they check in with their Management Point for new policies, and eventually perform the evaluation of the baseline.
You can view the compliance summary by viewing the configuration baseline and/or the deployment.
The following screenshot shows that we have deployed the baseline to 170 devices and 100% are now compliant.
You can also right-click the deployment and select “View Status” to view a more in-depth report that shows devices grouped into compliant, non-compliant, and error columns.
Now that you have created a compliance baseline for your Nomad clients, it would be a good idea to create another for your DPs (because some of those Nomad settings may be different to those of the client computers – such as PermittedLSZShares, SigsFolder and even P2PEnabled).
For further information on the Nomad Baseline Wizard, please view the online documentation here.