I run non-compliance reports twice daily, 12 hours apart. They report on compliance of the McAfee agent version, VSE, Engine and DAT versions. This will only run for systems that have been in contact over the previous 24 hours.
I'm running into an issue where things like training machines, backup machines that are not online frequently, people coming back from long weekends or vacations, etc. will show up on the non-compliant list because they had not yet updated and reported back to ePO before the report ran. This goes to our Helpdesk, who then open tickets for our IT staff to investigate. The problem is that in a lot of cases, the machine will be up to date by the time they get to it.
What I would like to do is to run this same report, but only have it show machines that have been out of date for more than 1 day. That way I'm filtering out the systems that are simply online for the first time in a while. I spent a few hours looking at building a query to do this, but I can't find a way to get that working the way I want it. Has anyone done this?
I thought about creating a task that tags the systems on day 1, then running a task each day against the machines with that tag to re-check the versions, then clearing those tags if they are then compliant. Seems a bit over-complicated for something that may be easier to do in a simple query. If anyone can help I'd really appreciate it.
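The "tag on day 1, re-check, clear when compliant" idea above can be expressed as a small stateful filter run alongside the scheduled report. The following is an added example, not code from the original post and not an ePO feature: it assumes each report run has been exported as a set of (hostname, compliant) results, keeps the first time each host was seen non-compliant (the "tag") in a JSON file between runs, and only emits hosts that have stayed non-compliant for more than one day. Hostnames, timestamps and the state-file name are constructed for the example.

```python
"""Report only hosts that have been non-compliant for more than one day.

Added example (not from the original post, not part of McAfee ePO).
Assumes each report run yields {hostname: compliant_bool} for the hosts
that checked in during that run; hosts that did not check in keep their
existing tag until they are next seen compliant.
"""
import json
from datetime import datetime, timedelta
from pathlib import Path

GRACE = timedelta(days=1)          # how long a host may stay non-compliant before we report it
STATE_FILE = Path("noncompliance_tags.json")  # assumed location, persisted between runs


def update_state(state, snapshot, now):
    """Apply one report run to the tag state.

    state:    {host: datetime first seen non-compliant}
    snapshot: {host: True if compliant in this run, False otherwise}
    Compliant hosts lose their tag; newly non-compliant hosts are tagged
    with the current run time; already-tagged hosts keep their original time.
    """
    new_state = dict(state)
    for host, compliant in snapshot.items():
        if compliant:
            new_state.pop(host, None)         # clear the tag once the host is up to date
        else:
            new_state.setdefault(host, now)   # tag on first sighting only
    return new_state


def to_report(state, now):
    """Hosts whose tag is older than GRACE, i.e. non-compliant for more than a day."""
    return sorted(host for host, first_seen in state.items() if now - first_seen > GRACE)


def load_state(path=STATE_FILE):
    """Read the persisted tags (ISO timestamps) or start empty."""
    if not path.exists():
        return {}
    return {h: datetime.fromisoformat(t) for h, t in json.loads(path.read_text()).items()}


def save_state(state, path=STATE_FILE):
    """Persist tags as ISO timestamps so the next run can pick them up."""
    path.write_text(json.dumps({h: t.isoformat() for h, t in state.items()}, indent=2))


def simulate(runs):
    """Run a sequence of (timestamp, snapshot) report runs in memory.

    Returns a list of (timestamp, reported_hosts) so the behaviour can be
    checked without touching the state file.
    """
    state, results = {}, []
    for ts, snapshot in runs:
        state = update_state(state, snapshot, ts)
        results.append((ts, to_report(state, ts)))
    return results


# Constructed sample: two runs per day, 12 hours apart, like the poster's schedule.
SAMPLE_RUNS = [
    (datetime(2024, 1, 1, 8), {"lab01": False, "bkp02": False, "ws03": True}),
    (datetime(2024, 1, 1, 20), {"lab01": True, "bkp02": False}),   # lab01 updated itself
    (datetime(2024, 1, 2, 8), {"bkp02": False, "ws03": False}),    # ws03 newly out of date
    (datetime(2024, 1, 2, 20), {"bkp02": False, "ws03": False}),   # bkp02 now >24h old
]

if __name__ == "__main__":
    # Stand-alone run over the constructed sample; a real deployment would
    # instead call load_state(), update_state(..., datetime.now()), to_report()
    # and save_state() once per scheduled report.
    for ts, hosts in simulate(SAMPLE_RUNS):
        print(ts.isoformat(), "report:", hosts)
```

In the sample, lab01 is never reported because it was compliant again by the second run, and bkp02 only appears in the fourth run, once its tag is older than 24 hours; a host that is merely slow to check in after a long weekend therefore never reaches the Helpdesk unless it stays out of date across a full day.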
Where do I set the criteria? What I am looking to "flag" are systems that have any out-of-date product or definitions, whether it's the agent, HIPS, VSE, engine, etc. I don't see anywhere in the automatic response filters to set that. I see that the default is the non-compliance event ID 16000. What feeds ePO the criteria that will generate that event?