
How to Run RMM-Based Compliance Audits Across macOS, Linux, and Windows

by Lauren Ballejos, IT Editorial Expert

🔑 Key Points

  • RMM-based compliance audits ensure regulatory and security alignment with frameworks like GDPR, HIPAA, and SOC 2, as well as internal IT policies.
  • Cross-platform auditing with RMM tools allows IT teams and MSPs to automate compliance checks across Windows, macOS, and Linux endpoints.
  • Essential audit focus areas include patch management, encryption (BitLocker, FileVault, LUKS), firewall/antivirus status, user permissions, and system hardening.
  • Standardized audit logging and reporting provide consistent, secure data outputs for compliance validation and external audit readiness.
  • Automation and remediation through RMM platforms reduce IT workload by continuously monitoring, enforcing policies, and addressing compliance gaps.

This guide explains how to implement RMM-based compliance audits across Windows, macOS, and Linux endpoints using remote monitoring and management (RMM) tools. This is a vital task for internal IT teams and managed service providers (MSPs) who need to meet regulatory obligations such as GDPR, HIPAA, and SOC 2, as well as comply with their own internal security and data protection requirements.

What is an IT compliance audit?

A compliance audit is the systematic documentation and evaluation of your IT infrastructure and organizational processes to confirm that they conform to legal requirements or internal security policies. This can include assessing data handling and protection measures, staff behavior, cybersecurity protections, and whether operating system and software updates are being correctly applied.

How to perform a compliance audit

Compliance auditing should be a multi-stage, regular process. It must include checking the configuration of servers, networking, and cloud infrastructure, as well as the condition of the individual endpoints, such as workstations, laptops, and mobile devices provided to end-users.

Automation is critical for this process to be both continuous and efficient: scripting and RMM tools can be combined to collect the key metrics you require to confirm compliance, without requiring disruptive manual intervention, especially where devices are located off-site.

Key areas to cover in your audit data collection include:

  • OS and software patch compliance
  • Encryption and backup status
  • Firewall and antivirus configuration
  • User accounts and permission levels
  • Local policy enforcement and system hardening measures

It is important to understand that it is your responsibility to ensure that your compliance auditing mechanism covers the legally required metrics and reporting requirements that apply to your organization, users, and customers. Even when using out-of-the-box compliance reporting solutions, it’s up to you to confirm that they are appropriate for your business’s unique legal and operating conditions.

What you need to perform remote compliance audits for multiple devices

Windows, macOS, and Linux systems include scripting functionality that can be used to collect information for compliance audits. Once this information is generated client side using PowerShell or Bash scripts, it can be collected and centrally monitored, managed, and reported using an RMM platform.

To accomplish this, you’ll need:

  • An RMM platform with support for Windows, macOS, and Linux agents
  • Admin-level privileges on all managed endpoints
  • Scripting capability for Bash on macOS and Linux, or PowerShell for Windows 10 and Windows 11 (or, optionally, the command prompt for legacy systems)
  • Familiarity with applicable compliance frameworks or internal benchmarks
  • Access to log files, configuration files, and the Registry on Windows devices

The following script examples provide a framework that demonstrates how PowerShell and Bash scripting can be used to generate audit data across platforms and enforce policies, and how RMM solutions can be integrated to centrally collect, store, validate, and report on that data.

Using PowerShell to Audit Windows Compliance settings

The PowerShell snippets below show how several key pieces of compliance data can be collected.

Collecting Windows Update and patch compliance data with Get-HotFix:

Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5

Collecting BitLocker encryption status with Get-BitLockerVolume:

Get-BitLockerVolume | Select-Object MountPoint, ProtectionStatus

Using Get-LocalGroupMember for User and group enumeration:

Get-LocalGroupMember -Group "Administrators"

Collecting Firewall and Defender antivirus status with Get-MpComputerStatus:

Get-MpComputerStatus | Select-Object AMServiceEnabled, AntispywareEnabled, RealTimeProtectionEnabled

The output of these commands can then be logged to a standardized file or to the Windows Event Viewer for later collection by your RMM software.

Using CMD for lightweight audits on legacy Windows PCs

While PowerShell is preferred as the modern scripting and automation solution for Windows 10 and Windows 11, in some cases batch scripts and the command prompt may be needed to monitor legacy systems for compliance.

Check that the C: drive is encrypted with BitLocker:

manage-bde -status C:

Get last patch date:

systeminfo | findstr /C:"Hotfix(s)"

Output firewall status:

netsh advfirewall show allprofiles

These provide only a lightweight solution, while PowerShell offers the ability to collect a wider range of more detailed data.

Using Registry to validate Windows compliance settings

Some compliance data will be stored in the Windows Registry, for example, information that can be used to determine the status of third-party antivirus, or system configuration values such as whether UAC is enabled, or the correct password policies are set. These checks can be included in other PowerShell scripts.

Confirm UAC enforcement using the Windows Registry by checking that the registry key located at:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

contains the value:

"EnableLUA"=dword:00000001

System configuration can also be found in the Windows Registry, for example, password requirements are located at the key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

You can check the values located there, such as maximum password age:

"MaximumPasswordAge"=dword:0000001E

Using Group Policy to ensure baseline compliance on Windows

Group Policy can be used to enforce settings for both compliance and auditing. For example, password policies can be set using the settings located at Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy.

BitLocker can be enforced using the settings at Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption, while audit logging can be enforced by configuring the settings in Computer Configuration > Advanced Audit Policy Configuration.

Using Bash scripts to audit Linux and macOS systems

Bash scripts can be used to collect compliance audit data from Linux systems using common system tools, as shown in these examples.

Check for last system update:

lastupdate=$(stat -c %y /var/lib/apt/periodic/update-success-stamp)

echo "Last APT update: $lastupdate"

Confirm firewall (UFW) is active:

ufw status | grep -i '^Status: active'

Audit sudo users:

grep '^sudo:' /etc/group

Confirm encryption status (LUKS):

lsblk -o NAME,FSTYPE | grep -i luks

Collecting compliance auditing data from macOS devices

Bash scripts can also be used to automate the collection of system information from devices running macOS for later collection and parsing by your RMM platform.

Check firewall status:

/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate

Check FileVault (disk encryption) status:

fdesetup status

List logged-in users with admin privileges:

dscl . -read /Groups/admin GroupMembership

Centralized logging and output collection

Each audit script should output logs that can be parsed by your RMM platform or exported for compliance reporting.

This can be achieved in Windows using the Start-Transcript command:

Start-Transcript -Path "C:\Audit\audit_log.txt" -Append

Or, on Linux/macOS:

exec > /var/log/rmm_compliance_audit.log 2>&1

These examples write to audit_log.txt on Windows and rmm_compliance_audit.log on Linux/macOS. Before writing your audit data, you should convert it to a consistent format that is supported by your RMM platform.

Troubleshooting compliance audit scripts and reporting

The common problems encountered when performing automated remote compliance audits include missing outputs, where scripts fail due to insufficient permissions to either read or write data, and false negatives due to outdated or invalid script conditions. These can be mitigated by regularly reviewing your scripts and by ensuring that errors are raised on failure.

If you deploy legacy systems, ensure that they either have fallback commands or separate scripts for handling edge cases. For example, some machine control systems use obsolete operating systems that may need to be omitted from broader script deployment enforcement policies, and instead use their own unique script.

Inconsistent formats can be rectified by ensuring all scripts export in a standardized format and structure, defined by your scripts rather than the tools they call to collect data. For example, take the output of PowerShell or Bash commands and parse it into an internally consistent format that can be read by your RMM.

Additional considerations when designing and implementing your RMM-based compliance audits

When designing your compliance auditing system and deciding on what metrics to collect, you should make sure that they fully cover all the requirements detailed in the legal frameworks that cover your business and its users. This can include things like encrypting personal data, and implementing role-based access.

Scripts should follow best practices, using exit codes and logging to confirm that they have fully executed and raising alerts if not, so that all data is confirmed. Script output should be normalized across platforms to ensure that there are no gaps and to streamline consolidated reporting.
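The following Bash sketch is an added example, not code from this article's original text or from NinjaOne's script library. It shows one way to apply the exit-code and normalization practices described above and in the troubleshooting section; the record format check|status|detail, the exit codes 0/1/2, and the function names are assumptions chosen for illustration.

```bash
#!/usr/bin/env bash
# Added example. Record format (an assumption): check|status|detail
#   PASS = compliant, FAIL = non-compliant, ERROR = the check could not run.
record() { printf '%s|%s|%s\n' "$1" "$2" "$3"; }

# Turn one tool's exit code and output into a record. A non-zero exit (tool
# missing, no permission) is ERROR, never a silent PASS or FAIL.
classify() {  # usage: classify <check> <compliant-glob> <exit-code> <output>
  local check="$1" pass_glob="$2" rc="$3" out="$4"
  if [ "$rc" -ne 0 ]; then record "$check" ERROR "exit code $rc"; return 0; fi
  case "$out" in
    $pass_glob) record "$check" PASS "matched: $pass_glob" ;;
    *)          record "$check" FAIL "no match: $pass_glob" ;;
  esac
}

run_check() {  # usage: run_check <check> <compliant-glob> <command> [args...]
  local check="$1" pass_glob="$2" out rc=0
  shift 2
  out=$("$@" 2>&1) || rc=$?
  classify "$check" "$pass_glob" "$rc" "$out"
}

# Exit code for the RMM: 0 = all PASS, 1 = any FAIL, 2 = any ERROR or bad record.
audit_exit_code() {  # reads records on stdin
  local code=0 check status detail
  while IFS='|' read -r check status detail; do
    case "$status" in
      PASS) ;;
      FAIL) [ "$code" -eq 2 ] || code=1 ;;
      *)    code=2 ;;
    esac
  done
  return "$code"
}

if [ "${1:-}" = "--run" ]; then
  # Globs are anchored: "Status: inactive" also contains the word "active".
  records=$(
    case "$(uname -s)" in
      (Darwin) run_check disk_encryption 'FileVault is On.*' fdesetup status ;;
      (*)      run_check firewall 'Status: active*' ufw status
               run_check disk_encryption '*crypto_LUKS*' lsblk -o NAME,FSTYPE ;;
    esac
  )
  printf '%s\n' "$records"
  printf '%s\n' "$records" | audit_exit_code
  exit $?
fi
```

Run with --run as root on the endpoint; an RMM can alert on exit code 2 separately from exit code 1, so a check that could not run is not mistaken for a compliant or non-compliant device.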

It is critical that all reporting mechanisms and data are secured: scripts may have access to sensitive information as part of the auditing process, and logs may also include this data. Part of auditing should be auditing these monitoring systems themselves to ensure they are also compliant and follow data protection requirements.

How NinjaOne helps you stay compliant without increasing your IT team’s workload

Leveraging the reporting and alerting functionality of your RMM helps you keep your organization compliant with the ever-increasing risk businesses face from non-compliance with data protection and privacy laws.

NinjaOne provides cross-platform RMM and mobile device management (MDM) as part of its IT administration and MSP platform, which includes robust auditing capabilities. With NinjaOne, you can store and deploy PowerShell, command prompt, and Bash scripts and target Windows, Linux, and macOS endpoints granularly.

The collection of compliance data can be enforced and automated, and used in unified dashboards and scheduled reports. Automatic remediation can be implemented, and issues that cannot be resolved can be escalated with custom alerts, so that administrators can respond to compliance breaches immediately.

Quick-Start Guide

Here are some key compliance-related features:
Compliance Audit Capabilities:
1. Cross-Platform Support
  • Supports auditing across Windows, macOS, and Linux devices
  • Offers multiple audit scripts for different operating systems
2. Specific Audit Scripts:
  • Firewall Status Audit (Windows, macOS)
  • Security-related audits:
      • Audit UAC Level (Windows)
      • Check for unsigned drivers
      • Audit PowerShell version
      • Secure Boot key vulnerability checks
3. Vulnerability Management
  • Vulnerability Importer feature allows importing CSV files from various security tools
  • Centralized dashboard for tracking vulnerabilities across different platforms
  • Supports tools like Tenable, Qualys, Rapid7, and CrowdStrike
4. Patch Management
  • Automated patch approval and management
  • Configurable patch policies for different severity levels
  • Cross-platform patch scanning and remediation
5. Security Compliance Features
  • Remote device actions
  • Device health monitoring
  • Custom script capabilities for specific compliance checks
The platform provides a comprehensive approach to compliance auditing, allowing IT teams to maintain security standards across diverse operating system environments.

FAQs

An IT compliance audit is a structured review of IT systems and processes to verify adherence to regulations like GDPR, HIPAA, and SOC 2, along with internal security policies.

RMM tools automate audit data collection, reporting, and remediation across distributed Windows, macOS, and Linux endpoints, reducing manual effort and improving accuracy.

Modern RMM platforms support compliance audits on Windows 10/11, legacy Windows (via CMD scripts), macOS, and Linux distributions using PowerShell and Bash scripts.

Key audit checks include:

  • OS and software patch compliance
  • Disk encryption (BitLocker, FileVault, LUKS)
  • Firewall and antivirus status
  • User permissions and account groups
  • Policy enforcement and system hardening

Legacy systems can be audited using CMD or batch scripts for lightweight checks (patch dates, BitLocker status, firewall). However, PowerShell offers deeper compliance insights.

Audit outputs may contain sensitive data. Best practices include encrypting logs, restricting access to reporting systems, and auditing audit mechanisms themselves for compliance.

Yes. RMM solutions such as NinjaOne can automatically apply missing patches, enforce encryption, or trigger alerts when compliance gaps are detected.
