Create Your First Monitoring Check
Phase 4 — Monitoring & Policies · OpenFrame Onboarding
A monitoring check is a policy — an osquery query that each device passes or fails. Let's build one end to end. We'll use a simple, useful example: confirm Windows machines are on at least Windows 10.
Before you start
- You need an Admin role.
- The devices you want to check should have the Fleet/osquery agent installed and online (check the device's Agents tab if unsure). A device without the agent can't be evaluated.
- A little osquery SQL helps, but you can copy the example below and adjust. The Osquery Documentation link in the editor lists every table you can query.
Create the policy
- Go to Monitoring → Policies → Add Policy.
- Name — give it something scannable, e.g. Windows version.
- Description — say what it checks in plain language, e.g. Validate that version is at least 10. Your future self (and teammates) will thank you.
- Query — write the osquery SQL that defines passing. The trick: a device passes if the query returns a row, and fails if it returns nothing. So write the query to match only compliant devices.

For our example:

```sql
SELECT major FROM os_version WHERE major >= 10
```

A device on Windows 10 or newer returns a row (passes); an older one returns nothing (fails).
Test before you save
Click Test Policy to run the query against real devices first. This is the step that saves you from rolling out a check with a typo or a wrong table name. Confirm it returns what you expect, and fix the SQL if it doesn't.
Write checks as "what good looks like." Because returning a row = pass, your query should describe the compliant state. "Encryption is on," "OS is current," "the right agent is installed." If you accidentally write it to match the bad state, every healthy device will show as failing.
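The row-equals-pass rule and the inverted-query mistake, simulated offline as an added example (not OpenFrame or Fleet code): Python's sqlite3 stands in for osquery's os_version table, and the device names and values are constructed. The platform-scoped variant goes beyond the page's query; it assumes os_version reports platform as 'windows' on Windows hosts, so a non-Windows device assigned by mistake no longer passes on its own version number.

```python
import sqlite3

# Constructed sample fleet: one os_version row per device (not real data).
FLEET = {
    "win10-laptop": {"platform": "windows", "major": 10},
    "win81-kiosk": {"platform": "windows", "major": 6},
    "macos-14": {"platform": "darwin", "major": 14},
}

# The query from this page: matches the compliant state.
PAGE_QUERY = "SELECT major FROM os_version WHERE major >= 10"
# The mistake described above: the query matches the bad state instead.
INVERTED_QUERY = "SELECT major FROM os_version WHERE major < 10"
# Added variation (assumption, not from the page): also require Windows.
SCOPED_QUERY = (
    "SELECT major FROM os_version "
    "WHERE platform = 'windows' AND major >= 10"
)


def evaluate(query, facts):
    """Return 'PASSING' if the query yields at least one row, else 'FAILING'."""
    db = sqlite3.connect(":memory:")
    try:
        # Stand-in for osquery's os_version table, reduced to two columns.
        db.execute("CREATE TABLE os_version (platform TEXT, major INTEGER)")
        db.execute(
            "INSERT INTO os_version VALUES (?, ?)",
            (facts["platform"], facts["major"]),
        )
        rows = db.execute(query).fetchall()
    finally:
        db.close()
    return "PASSING" if rows else "FAILING"


def run_policy(query, fleet=FLEET):
    """Evaluate one policy query against every device in the fleet."""
    return {name: evaluate(query, facts) for name, facts in fleet.items()}


if __name__ == "__main__":
    for label, query in [
        ("page query", PAGE_QUERY),
        ("inverted", INVERTED_QUERY),
        ("windows-scoped", SCOPED_QUERY),
    ]:
        print(f"{label:15} {run_policy(query)}")
```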
Assign devices
Scroll to the Devices section and choose which machines this policy runs against. You can pick individual devices, filter by Device Tags, or Add All Devices. This is covered in full in Assign Devices to a Monitoring Policy — for your first check, add a couple of test devices you know the answer for.
Save and read the results
Click Save Policy. OpenFrame distributes the check to the assigned devices, and as each one reports back you'll see:
- On the policy's detail page, a Devices table with PASSING / FAILING per device.
- On the Policies list, the policy's aggregate Status — COMPLIANT when every assigned device passes.
- In the dashboard tiles, the Compliance Rate and Failed Policies counts update.
Results aren't instant — the agent has to run the check on its next cycle, so give it a little time and refresh.
Editing later
Open the policy and click Edit to change the name, description, query, or device assignment. Test Policy is available here too, so you can iterate safely.
Quick checklist
- Named the policy and wrote a clear description
- Wrote the query so a compliant device returns a row
- Used Test Policy to confirm it behaves
- Assigned a few known devices
- Saved, then confirmed PASSING/FAILING came back as expected
What's next
That's a compliance check. For the data-collection side — pulling info on a schedule rather than judging pass/fail — see Create a Monitoring Query. To target checks at the right machines in bulk, see Assign Devices to a Monitoring Policy.
Based on OpenFrame v0.9.19. Screens and defaults may shift between releases — when in doubt, what's in your console wins.
