Monitoring is how you catch problems before your clients call you. In OpenFrame it lives under Monitoring in the left nav, and it has two tools that look similar but do different jobs: Policies and Queries. This guide explains the concepts so the next four guides make sense.
Both are built on osquery — the open-source agent that lets you ask a device questions in plain SQL. If a device is enrolled in Fleet (the OpenFrame agent installs this), you can query it.
Policies vs. Queries — the key distinction
- A Policy is a compliance check. It's an osquery query written so that each device either passes or fails it. "Is the OS at least Windows 10?" "Is disk encryption on?" Each assigned device gets a PASSING or FAILING result, and the policy rolls up to COMPLIANT or not.
- A Query is data collection. It runs on a schedule and pulls back information for visibility — hostname, CPU, memory, uptime — without any pass/fail judgment. Think reporting, not enforcement.
Rule of thumb: if you want a yes/no answer about whether a device meets a standard, that's a Policy. If you just want to gather data on a cadence, that's a Query.
What's in a policy
Open Monitoring → Policies and click any policy to see its anatomy:
- Name and Description — what it checks, in plain language (e.g. "Validate that version is at least 10").
- Query — the osquery SQL that defines pass/fail, e.g. SELECT major FROM os_version WHERE major >= 10. A device that returns a row passes; no row means it fails.
- Severity — shown on the list (e.g. Low), with a Critical flag on the detail page. This is how you gauge how much a failure matters.
- Status — the aggregate result: COMPLIANT when all assigned devices pass.
- Devices — the machines the policy runs against, each showing PASSING or FAILING.
- Author — who created it.
Reading the Policies dashboard
The top of the Policies tab gives you the health summary at a glance:
- Total Policies — how many checks you've defined.
- Compliance Rate — e.g. 4/4 (100%) — how many are fully compliant.
- Failed Policies — the count that has at least one failing device. This is the number to watch.
- Updated — when the data last refreshed.
The list below shows each policy with its Severity, Platform, and Status so you can scan for trouble fast.
How it fits together
- You write a policy (a check) or a query (a data pull) as osquery SQL.
- You assign it to devices (individually, or filtered by tag — see Assign Devices to a Monitoring Policy).
- The osquery agent on each device runs it and reports back.
- Policies show PASSING/FAILING per device; queries return collected data.
- Failures surface as non-compliant policies you can triage (see Understanding Alerts).
Prerequisite: monitoring needs the Fleet/osquery agent on the device. If a device shows "Fleet agent is not installed," it can't be checked or queried until the agent is healthy — see the Phase 2 install guides and the device's Agents tab.
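The row/no-row rule and the COMPLIANT roll-up described above can be tried offline. This is an added example, not OpenFrame or Fleet code: it uses in-memory SQLite tables as stand-ins for each device's osquery tables, and the device names, hardware values, helper functions and the NON-COMPLIANT label are assumptions made for the illustration.

```python
import sqlite3

# Policy SQL quoted on the page: a returned row means PASSING, no row means FAILING.
POLICY_SQL = "SELECT major FROM os_version WHERE major >= 10"
# A Query only collects data (columns follow osquery's system_info table).
QUERY_SQL = "SELECT hostname, cpu_brand, physical_memory FROM system_info"

# Constructed sample fleet: the facts each device's agent would expose.
DEVICES = {
    "ws-01": {"os_major": 10, "cpu_brand": "Example CPU A", "physical_memory": 17179869184},
    "ws-02": {"os_major": 10, "cpu_brand": "Example CPU A", "physical_memory": 8589934592},
    "legacy-01": {"os_major": 6, "cpu_brand": "Example CPU B", "physical_memory": 4294967296},
}

def device_db(name, facts):
    """Build an in-memory SQLite stand-in for one device's osquery tables."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE os_version (major INTEGER)")
    db.execute("INSERT INTO os_version VALUES (?)", (facts["os_major"],))
    db.execute("CREATE TABLE system_info (hostname TEXT, cpu_brand TEXT, physical_memory INTEGER)")
    db.execute("INSERT INTO system_info VALUES (?, ?, ?)",
               (name, facts["cpu_brand"], facts["physical_memory"]))
    return db

def run_policy(sql, devices):
    """Per-device result: PASSING if the policy SQL returns any row, else FAILING."""
    return {name: "PASSING" if device_db(name, facts).execute(sql).fetchone() else "FAILING"
            for name, facts in devices.items()}

def policy_status(results):
    """Roll-up: COMPLIANT only when every assigned device passes."""
    return "COMPLIANT" if all(r == "PASSING" for r in results.values()) else "NON-COMPLIANT"

def run_query(sql, devices):
    """Data collection: return each device's rows with no pass/fail judgment."""
    return {name: device_db(name, facts).execute(sql).fetchall()
            for name, facts in devices.items()}

if __name__ == "__main__":
    results = run_policy(POLICY_SQL, DEVICES)
    for name, verdict in results.items():
        print(f"{name}: {verdict}")
    print("Policy status:", policy_status(results))
    for name, rows in run_query(QUERY_SQL, DEVICES).items():
        print(name, rows)
```

The policy returns no row for legacy-01, so that single device is enough to move the whole policy out of COMPLIANT, while the query still returns its inventory row like any other device.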
What's next
Now that the concepts are clear, build one: Create Your First Monitoring Check walks through making a policy end to end. Then Create a Monitoring Query covers the data-collection side.
Based on OpenFrame v0.9.19. Screens and defaults may shift between releases — when in doubt, what's in your console wins.
