MDM Compliance Improvement

Complete
Global System Administrator & Senior Desktop Lead January 2024

Overview

At Infoblox, administered global MDM infrastructure across Intune and Jamf for 2,800+ endpoints, building automated compliance verification and remediation to close persistent gaps in security posture.

Problem

Device compliance sat at 82%. Critical security controls — FileVault encryption, the BloxOne Endpoint network proxy, System Integrity Protection (SIP), and CrowdStrike Falcon — were not consistently enabled, active, or licensed across the fleet, and there was no automated way to catch or fix drift.

Approach

Wrote scripts to verify and remediate each control on every managed device: confirming FileVault was enabled, the BloxOne Endpoint proxy was configured and running, SIP was active, and Falcon was installed, running, and properly licensed. Non-compliant devices were automatically corrected rather than just flagged.

Architecture

Verification scripts run against each device via Jamf and Intune, checking FileVault status, BloxOne Endpoint proxy configuration, SIP state, and Falcon install/license/activity status. Devices that fail a check are remediated automatically, re-applying configuration or reinstalling the agent as needed.

Outcome

Raised MDM compliance from 82% to 98% across 2,800+ endpoints, standardizing endpoint governance and closing the manual-review gap that had let devices drift out of compliance.

Lessons Learned

Compliance checks only matter if they close the loop — verifying a control and fixing it in the same pass eliminates the backlog that a report-only dashboard leaves behind.