--- title: "The Zero-Touch IT Audit: Automating Device Posture and Policy Evidence" slug: the-zero-touch-it-audit-automating-device-posture-and-policy-evidence date: 2026-02-26 author: Roopendra Talekar categories: [Guides] excerpt: "Stop chasing manual screenshots for SOC 2 audits. Learn how to use Unified APIs to automate device posture checks, policy verification, and evidence collection." tldr: "Manual evidence gathering is the bottleneck of every compliance audit. This guide details how to use Unified MDM, Knowledge Base, and File Storage APIs to programmatically verify device encryption, policy freshness, and file permissions, transforming GRC from a checklist into a continuous monitoring engine." canonical: https://truto.one/blog/the-zero-touch-it-audit-automating-device-posture-and-policy-evidence/ --- # The Zero-Touch IT Audit: Automating Device Posture and Policy Evidence The most painful week in a Compliance Officer's life isn't the audit itself—it's the "evidence gathering" sprint that precedes it. Specifically, it's the week where they chase the IT Manager to prove that 500 remote laptops have encrypted hard drives, and then harass the Engineering Lead to screenshot the "Information Security Policy" in Confluence to prove it was updated in the last year. For GRC (Governance, Risk, and Compliance) platforms, this manual toil is the single biggest barrier to adoption. If your platform requires customers to manually upload CSV exports from Jamf or drag-and-drop PDFs from Google Drive, you aren't automating compliance; you're just digitizing the checklist. The holy grail is **Zero-Touch Compliance**: a system where the evidence—device health, policy versions, and pentest reports—is programmatically pulled, normalized, and mapped to controls without human intervention. Here is how you can architect a continuous compliance observer using Unified APIs to automate the three pillars of IT auditing: Endpoint Security, Policy Distribution, and Evidence Centralization. ## Pillar 1: Automating Endpoint Security Evidence **The Problem:** Auditors demand proof of "Common Criteria 6.1 (Logical Access Security)." In practical terms, this means proving every employee device has: 1. Disk encryption enabled (FileVault/BitLocker). 2. A screen lock timer set to < 15 minutes. 3. The latest OS patches installed. In a homogeneous environment, this is easy. But most modern companies are a mess of MacBooks managed by **Jamf**, Windows laptops on **Intune**, and a few rogue Linux machines on **Kandji** or **JumpCloud** (often part of the [long tail of identity](https://truto.one/blog/the-long-tail-of-identity-why-your-grc-platform-needs-coverage-beyond-the-top-5-idps/) that auditors scrutinize). Building direct integrations for each of these requires learning completely different API paradigms (Graph API vs. classic REST vs. SOAP). **The Solution:** Use a Unified MDM API to abstract the fleet. Instead of writing three different scrapers, you query a single `Devices` endpoint. Truto’s [Unified MDM API](https://truto.one/blog/launching-the-unified-mdm-api-integrate-iru-ninjaone-and-more/) normalizes the response, giving you a standardized view of the fleet's compliance posture. Here is what that looks like in practice: ```typescript // Fetch all devices across Jamf, Intune, and Kandji const response = await fetch( "https://api.truto.one/unified/mdm/devices?integrated_account_id=acc_123", { headers: { Authorization: `Bearer ${TRUTO_API_KEY}` } } ); const devices = response.result; // Programmatically verify compliance controls const nonCompliantDevices = devices.filter(device => { const isEncrypted = device.compliance_status?.disk_encryption === true; const isOsCurrent = device.os_version >= MIN_REQUIRED_VERSION; return !isEncrypted || !isOsCurrent; }); if (nonCompliantDevices.length > 0) { triggerAlert("SOC 2 Control Failure: Unencrypted devices detected", nonCompliantDevices); } ``` ### The Normalization Challenge The hardest part isn't fetching the data; it's interpreting it. * **Intune** might report compliance as a complex object: `{ "complianceState": "compliant" }`. * **Jamf** might bury it in a detailed inventory report: `{ "general": { "remote_management": { "managed": true } } }`. A unified API handles this mapping layer. When you request the `Devices` resource, the response includes normalized fields for `serial_number`, `model`, `os_version`, and `assigned_user`—a critical data point for [automating employee compliance](https://truto.one/blog/automating-the-employee-compliance-lifecycle-from-offer-letter-to-offboarding/). This allows your GRC platform to build a "Fleet Health" dashboard that updates in real-time, replacing the stale CSV export that usually sits in an auditor's inbox. ## Pillar 2: Verifying Policy Distribution **The Problem:** Writing a security policy is easy. Proving that it exists, is accessible to staff, and has been updated recently is hard. Auditors often ask for a screenshot of the Confluence page history to verify the "Last Updated" date. **The Solution:** Treat policy documentation as code using the Unified Knowledge Base API. Your GRC platform should be able to link a specific Control (e.g., "Data Classification Policy") to a specific live document in the customer's wiki (Notion, Confluence, Slab). By polling the `Pages` endpoint, you can automatically verify the freshness of the policy: ```json // GET /unified/knowledge-base/pages/page_xyz { "id": "page_xyz", "title": "Information Security Policy 2024", "created_at": "2023-01-15T08:00:00Z", "updated_at": "2024-02-10T14:30:00Z", // <--- The evidence "url": "https://acme.notion.site/InfoSec-Policy", "authors": [ { "id": "user_123", "name": "Jane Doe (CISO)" } ] } ``` If `updated_at` is older than 365 days, your platform can automatically flag the control as "At Risk" and notify the compliance owner. This moves the workflow from *"panic before the audit"* to *"continuous governance."* > [!TIP] > **Pro Tip:** Use the `PageContent` endpoint to go deeper. You can programmatically scan the body of the policy for required keywords (e.g., "GDPR", "Data Retention") to ensure the content meets minimum standards, effectively linting your company policies. ## Pillar 3: Centralizing Artifacts **The Problem:** Compliance is 50% technical controls and 50% paperwork. Vendor agreements, penetration test reports, and disaster recovery plans are scattered across Google Drive, SharePoint, Box, and Dropbox. During an audit, the "Evidence Collection" folder becomes a dumping ground of duplicate PDFs. Worse, sensitive documents (like raw pentest findings) are often emailed around, violating the very security principles you're trying to uphold. **The Solution:** Index evidence in place using the Unified File Storage API. Instead of asking customers to upload files *into* your GRC tool (creating a stale copy), use the `DriveItems` resource to link directly to the source of truth. 1. **Search & Link:** Allow users to search their corporate Google Drive or SharePoint directly from your UI to find the "2024 Pentest Report." 2. **Monitor Permissions:** Use the `Permissions` endpoint to verify that the "Sensitive HR Data" folder is actually restricted to the HR group. ```typescript // Check who has access to the sensitive evidence folder const permissions = await fetch( `https://api.truto.one/unified/file-storage/drive-items/${folderId}/permissions` ); const publicAccess = permissions.result.find(p => p.type === 'anyone' || p.role === 'writer' ); if (publicAccess) { // Automatically fail the "Access Control" check flagControlFailure("Public access detected on sensitive evidence folder"); } ``` This approach transforms your GRC platform from a passive file repository into an active security monitor that watches for Data Loss Prevention (DLP) risks in real-time. ## The Reality Check: Trade-offs and Gotchas While Unified APIs dramatically simplify the architecture, engineers should be aware of the constraints when building these automations. ### 1. The Definition of "Active" MDM providers have different thresholds for what constitutes an "active" device. Intune might keep a device record for 90 days after it last checked in; Jamf might keep it indefinitely until manually deleted. If you blindly trust the device list, you might flag a laptop as non-compliant when it's actually been sitting in a closet for six months. **Best Practice:** Filter devices based on `last_check_in_at` timestamps to exclude ghosts. ### 2. Rate Limits are Real Polling the entire fleet of 5,000 devices every 5 minutes will get you rate-limited by the underlying provider (especially smaller MDM players). Truto handles [pagination and rate limit backoff](https://truto.one/blog/declarative-pagination-system-in-truto-unified-real-time-api/), but you should design your sync frequency thoughtfully. A daily sync is usually sufficient for compliance evidence. ### 3. Permission Scopes To verify file permissions or read policy documents, your OAuth app needs `read` access to the customer's storage or knowledge base. This can be a friction point during onboarding. Be transparent about why you need these scopes—specifically, that you are reading metadata (dates, authors, permissions) rather than ingesting the entire corporate archive. ## Moving Beyond Screenshots The future of GRC is not a better checklist; it's an automated observer that lives in the background. By integrating with the systems where work actually happens—the MDM for devices, the Wiki for policies, and the Cloud Drive for artifacts—you remove the friction that makes audits painful. Your customers hired you to reduce their risk, not to give them more homework. Stop asking for screenshots—whether for device health or [SDLC evidence](https://truto.one/blog/automating-sdlc-evidence-how-grc-platforms-can-stop-chasing-engineers-for-screenshots/).