AppsConfiguration ManagerGolden Configurations

Use compliance plans

Add-on product: Configuration Manager extends Itential Platform with configuration compliance and validation capabilities. It requires Itential Platform as a prerequisite. View platform overview

Compliance plans schedule and manage comprehensive compliance reporting across multiple Golden Configurations. Use them to maintain regular compliance checks and generate audit reports.

What are compliance plans?

Compliance plans orchestrate compliance checks across multiple Golden Configurations, device groups, and schedules. They provide centralized management for enterprise-wide compliance programs and generate consolidated reports for audit and analysis.

How compliance plans work

Compliance plans follow this process:

1

Define scope

Select Golden Configurations and device groups to check

2

Set schedule

Configure when compliance checks should run

3

Execute checks

Run compliance across all defined scopes automatically

4

Generate reports

Compile results into comprehensive compliance reports

5

Distribute results

Send reports to stakeholders and archive for audit

Create a compliance plan

To create a new compliance plan:

1

Open the create dialog

Click Create (+) in Configuration Manager

2

Select compliance plan

Choose Compliance Plan from the dropdown

3

Configure basic settings

  • Enter a plan name
  • Add a description
  • Set the plan owner
4

Create

Click Create to open the compliance plan editor

Configure compliance plan scope

Define what the plan should check.

Add Golden Configurations

To include Golden Configurations in the plan:

1

Open the Scope tab

Navigate to the Scope section

2

Add Golden Configurations

Click Add Golden Configuration

3

Select configurations

Choose one or more Golden Configurations

4

Specify nodes

  • Select specific nodes, or
  • Include entire tree
5

Save selections

Click Save to add to the plan

Add device groups

To include device groups:

1

Open the Groups section

Navigate to device groups in the Scope tab

2

Add groups

Click Add Device Group

3

Select groups

Choose one or more device groups

4

Save selections

Click Save to add to the plan

Scope example:

Compliance Plan: Enterprise Network Compliance
Scope:
  - Golden Config: Campus Switches (all nodes)
  - Golden Config: Data Center Switches (production node only)
  - Golden Config: Firewall Policy (all nodes)
  - Device Group: Branch Office Devices
  - Device Group: Core Network Devices

Set compliance plan schedule

Configure when compliance checks run.

Schedule options

Schedule TypeWhen to Use
DailyRegular compliance monitoring
WeeklyComprehensive weekend checks
MonthlyMonthly audit reports
QuarterlyRegulatory compliance periods
On-demandAd-hoc compliance verification

Configure schedule

To set the plan schedule:

1

Open the Schedule tab

Navigate to scheduling configuration

2

Select frequency

Choose daily, weekly, monthly, or custom

3

Set time

Define when checks should run (consider maintenance windows)

4

Configure options

  • Set timezone
  • Define retry behavior
  • Set timeout limits
5

Save schedule

Click Save to apply scheduling

Schedule examples:

Daily monitoring:

Frequency: Daily
Time: 2:00 AM local time
Days: Monday through Sunday
Retry: 2 attempts if failure

Weekly audit:

Frequency: Weekly
Day: Sunday
Time: 1:00 AM local time
Retry: 3 attempts if failure
Timeout: 4 hours

Configure compliance reports

Define how compliance results are reported.

Report settings

To configure reports:

1

Open the Reports tab

Navigate to report configuration

2

Select report format

Choose PDF, CSV, JSON, or HTML

3

Configure content

  • Summary statistics
  • Detailed device results
  • Configuration diffs
  • Trend analysis
4

Set retention

Define how long reports are stored

5

Save settings

Click Save to apply report configuration

Report content options

Content TypeDescription
Executive summaryHigh-level compliance statistics
Device detailsPer-device compliance status
Configuration diffsSpecific configuration differences
Trend analysisCompliance changes over time
Exception listDevices with approved deviations

Distribute reports

To configure report distribution:

1

Open the Distribution section

Navigate to report distribution settings

2

Add recipients

Enter email addresses for report recipients

3

Configure delivery

  • Set delivery time (immediate or scheduled)
  • Define format preferences per recipient
  • Set notification preferences
4

Add integrations

Configure integration with ticketing or monitoring systems

5

Save distribution

Click Save to apply settings

Run compliance plans

Manual execution

To run a compliance plan immediately:

1

Open the compliance plan

Navigate to the plan in Configuration Manager

2

Run now

Click Run Now in the plan toolbar

3

Monitor progress

View real-time execution status

4

Access results

View or download reports when complete

Scheduled execution

Compliance plans run automatically based on their schedule:

  • Plan starts at scheduled time
  • Compliance checks execute for all scoped items
  • Reports generate upon completion
  • Distribution occurs based on settings
  • Results archive for audit purposes

View compliance plan results

Access plan reports

To view compliance plan results:

1

Open the compliance plan

Navigate to the plan in Configuration Manager

2

Open the Results tab

Click the Results tab

3

Select a report

Choose a report from the execution history

4

Review results

View summary and detailed compliance data

Understand report data

Compliance plan reports include:

Summary metrics:

  • Total devices checked
  • Compliant device count
  • Non-compliant device count
  • Compliance percentage
  • Comparison to previous runs

Detailed results:

  • Per-device compliance status
  • Configuration differences
  • Golden configuration alignment
  • Remediation recommendations

Trend data:

  • Compliance percentage over time
  • Recurring non-compliance issues
  • Improvement or degradation trends
  • Device-specific compliance history

Manage compliance exceptions

Some devices may have approved deviations from Golden Configurations.

Document exceptions

To add an exception:

1

Open the Exceptions section

Navigate to exceptions in the compliance plan

2

Add exception

Click Add Exception

3

Define exception

  • Select device or device group
  • Specify golden configuration node
  • Describe the approved deviation
  • Set expiration date (if temporary)
  • Add approval documentation
4

Save exception

Click Save to document the exception

Review exceptions

Periodically review documented exceptions:

1

Open the Exceptions tab

View all current exceptions

2

Check expiration dates

Identify expired or expiring exceptions

3

Validate necessity

Confirm exceptions are still required

4

Update or remove

Renew, modify, or remove exceptions as needed

Best practices

Plan scope strategically:

  • Group related Golden Configurations together
  • Align plans with audit requirements
  • Consider network segmentation
  • Balance scope size with execution time

Schedule appropriately:

  • Run during maintenance windows
  • Avoid peak usage times
  • Stagger large plans across time periods
  • Consider device impact and load

Manage reports effectively:

  • Customize reports for different audiences
  • Archive reports for audit requirements
  • Automate report distribution
  • Set appropriate retention periods

Handle exceptions properly:

  • Require approval for all exceptions
  • Document business justification
  • Set expiration dates for temporary exceptions
  • Review exceptions regularly
  • Update golden configs when exceptions become standard

Monitor plan health:

  • Track plan execution success rates
  • Review execution duration trends
  • Monitor for recurring failures
  • Adjust scope or schedule as needed

Example: Enterprise compliance plan

Plan: Monthly Security Compliance Audit

Scope:

  • Golden Config: Firewall Security Policy (all nodes)
  • Golden Config: Switch Security Settings (all nodes)
  • Golden Config: Router Security Baseline (all nodes)
  • Device Group: Production Network
  • Device Group: DMZ Devices

Schedule:

  • Frequency: Monthly
  • Day: First Sunday of each month
  • Time: 12:00 AM EST
  • Retry: 3 attempts
  • Timeout: 6 hours

Reports:

  • Format: PDF (executive) + CSV (detailed)
  • Content: Summary, device details, diffs, trends
  • Distribution:
    • CISO: Executive summary PDF
    • Network team: Detailed CSV
    • Security team: Full PDF report
    • Audit team: Archive all formats

Exceptions:

  • Lab devices: Development configurations approved
  • Legacy systems: EOL devices with documented risks
  • Review cycle: Quarterly

Troubleshoot compliance plans

Plan execution fails

If a compliance plan doesn’t complete:

  • Check golden configuration validity
  • Verify device connectivity
  • Review execution logs for errors
  • Confirm adequate execution timeout
  • Check for scheduler issues

Reports not generated

If reports don’t appear:

  • Verify plan completed successfully
  • Check report format configuration
  • Review storage capacity
  • Confirm report generation settings
  • Check for template errors

Distribution fails

If reports don’t reach recipients:

  • Verify email addresses
  • Check email server configuration
  • Review distribution logs
  • Confirm integration settings
  • Test with manual distribution

Next steps

Dynamic compliance

Automate remediation workflows

Golden configurations

Create and manage baselines

Build workflows

Integrate compliance with orchestration