Capabilities & Technical Summary
Product Overview
Compliance-focused endpoint management built on NinjaOne (FedRAMP)
Enforces and monitors security controls on endpoints
Supports Windows, macOS, and Linux devices, including user endpoints and servers
Designed to support federal compliance frameworks such as CMMC
Device Management
Agent-based enrollment via Secureframe Federal MDM installer
Includes a best-effort removal of the legacy Secureframe Agent (FleetDM / Orbit) during enrollment, performed only when Secureframe ownership is confirmed to avoid impacting customer-managed installations
Centralized device visibility, including:
device status
software inventory
antivirus status
overall security and compliance posture
Device lifecycle actions
Delete
Removes the device from management
Performs best-effort cleanup of Secureframe-applied configurations
Wipe
Performs a best-effort device lockout or destructive action for lost or stolen devices
Removes the device from management
Wipe behavior varies by operating system and relies on native system capabilities:
Windows: removes access to user accounts and system resources, and restricts device usability
macOS: attempts device lockout or data protection actions using native system capabilities
Linux: removes user data access and system access where possible
Security Controls
Password
Enforces strong password policies across supported platforms, including minimum length, complexity, and account lockout protections.
On Windows, a full set of password controls is enforced, including expiration, history, and lockout policies.
On macOS and Linux, password complexity is enforced, while some advanced controls (such as password history and certain reset requirements) depend on operating system capabilities and may not be fully enforceable.
Automatic Login
Detects and disables automatic login to ensure users must authenticate before accessing the device.
Screen Lock
Enforces automatic screen locking after a period of inactivity and requires authentication to regain access.
Firewall
Ensures that the device firewall is enabled and properly configured using the operating system’s native firewall capabilities.
Disk Encryption
Validates that disk encryption is enabled to protect data at rest.
On supported platforms, Secureframe can assist with enabling encryption where possible.
In some cases, encryption may require user interaction or device setup changes and cannot be fully enforced remotely.
Antivirus & Malware Protection
Validates the presence and status of endpoint protection.
On Windows, built-in protections are leveraged to ensure real-time protection, threat detection, and up-to-date signatures.
On macOS and Linux, protection depends on native system capabilities or existing security tools.
Secureframe also evaluates integrated device data to confirm whether active protection is present.
Warning Banner
Enforces a pre-login warning banner to inform users about authorized use and monitoring requirements.
Remote Access Restrictions
Detects and restricts remote administrative access pathways to reduce unauthorized access risk.
Removable Media Restrictions
Supports controls to reduce the risk of data exfiltration via removable media.
On Windows, both access restrictions and anti-malware scanning for removable media are supported.
On macOS and Linux, enforcement of removable media restrictions is limited due to operating system capabilities.
Application Execution Control
Validates and enforces application execution controls using native platform capabilities.
Some advanced protections may be monitored but not fully enforceable, depending on the operating system.
Audit Logging
Ensures that system audit logging is enabled and configured to capture security-relevant activity.
Where supported, logging configuration is enforced; in other cases, Secureframe validates that logging is active and sufficient for monitoring and compliance purposes.
Software & Patch Visibility
Provides visibility into installed software and system update status.
Compliance signals are derived from device and system data, including whether critical updates are missing and what software is installed on each device.
Cleanup, Wipe, and Supplemental Detection
Supports operational actions and additional detection capabilities:
Cleanup: removes Secureframe-applied configurations during device offboarding
Wipe: performs best-effort device lockout or data destruction for lost or stolen devices
Supplemental detection: identifies security-relevant activity and limited device context to support monitoring and investigations
Monitoring & Detection
Provides visibility into security-relevant activity across endpoints.
Windows:
Uses native event logging with near real-time monitoring of selected security events
macOS & Linux:
Use periodic monitoring of system activity to identify relevant events
Detected activity includes:
privileged commands
authentication events
security or configuration changes
Secureframe correlates this activity with device and system information to provide broader visibility into endpoint security posture.
Supports alerting through Secureframe based on detected events
Compliance Coverage
Aligned with federal compliance frameworks such as CMMC
Compliance state is derived from:
device and system information
integrated data such as antivirus status, software inventory, update status, and device metadata
Each control follows one of two common models:
Enforced controls: validated, remediated where possible, and re-verified
Monitored controls: evaluated based on available system and device information
Platform Behavior
All platforms perform regular compliance checks and apply remediation where supported.
Windows
Supports near real-time security event monitoring
Provides the broadest enforcement coverage across controls
Some controls may be monitoring-only (e.g., disk encryption is validated but not automatically enabled)
macOS
Supports enforcement for key controls such as screen lock, firewall, password complexity, and automatic login disablement
Some controls are partially enforceable due to operating system limitations (e.g., certain protections cannot be enabled remotely, disk encryption may require user interaction)
Linux
Supports enforcement for selected controls such as screen lock, firewall, password complexity, audit logging, and application control
Some controls require manual remediation or external tooling (e.g., full disk encryption, antivirus)
Cross-platform behavior
Compliance is evaluated consistently across platforms, even though implementation differs
Each operating system relies on its native capabilities for enforcement and monitoring
Control behavior may vary depending on OS limitations and available features
Data Collected
Secureframe Federal MDM collects and processes the following types of data:
Device metadata (e.g., operating system, serial number, enrollment date, last check-in)
Security posture (e.g., firewall status, encryption, antivirus, screen lock, password policy, audit logging, remote access status)
Operational data (e.g., system update status)
Software inventory (installed applications on the device)
Compliance state based on device and system information
Security and audit event data
Limited user-related signals (e.g., detected email addresses from local system sources)
Operational Model
Security policies are applied per operating system
Devices are continuously evaluated for compliance
Non-compliant configurations are remediated where supported
Device actions include:
compliance checks
enforcement
cleanup during offboarding
wipe actions for lost or stolen devices
Legacy Secureframe Agent removal is performed during enrollment when ownership is confirmed
Cleanup actions are best-effort and remove Secureframe-applied configurations without weakening the core security posture
Wipe actions are best-effort and vary by operating system
Monitoring mechanisms capture security-relevant activity and additional device context
Compliance and security posture are evaluated using a combination of:
device and system information
detected activity and events
