Without scheduled integrity checking enabled, SecureCloud
evaluates a machine image instance once, against the policy rules for
the device in question. If the instance meets the criteria of the
device policy rules, SecureCloud permits the instance to access
the device. If the instance fails to meet the criteria specified
by the device policy rules, SecureCloud denies device access
to the requesting instance. In both cases, SecureCloud
evaluates the instance only once during the instance session: if
a denied instance later comes into compliance with the device policy
rules, it does not get another opportunity to request the device
key.

With scheduled integrity checking enabled in a device policy,
SecureCloud works with the Integrity Check Module (ICM) of the Runtime
Agent to evaluate an instance repeatedly throughout the instance
session. Therefore, if SecureCloud revokes an encryption key, you
have an opportunity to bring the instance back into compliance with the policy
rules and receive the encryption key again. Moreover, before SecureCloud
revokes the encryption key of an offending instance, a grace period
can be provided during which the key is not yet revoked and you are
warned that the instance is in violation of the device policy
rules.
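The two modes described above, modelled as a small state machine. This is an added illustration, not SecureCloud's own code; the class and field names (DevicePolicy, InstanceSession, grace_checks) are assumptions chosen for the example, and the grace period is counted in consecutive failed checks rather than wall-clock time.

```python
"""Model of one-time versus scheduled integrity checking (added example,
not SecureCloud code). Names below are assumptions for illustration."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class KeyState(Enum):
    GRANTED = "granted"   # instance holds the device encryption key
    WARNED = "warned"     # violation seen, key kept during the grace period
    REVOKED = "revoked"   # key withdrawn until compliance is restored
    DENIED = "denied"     # failed the one-time check; no further chance


@dataclass
class DevicePolicy:
    scheduled_checks: bool  # False: evaluate once per session (assumed name)
    grace_checks: int = 0   # failing checks tolerated before revocation (assumed)


@dataclass
class InstanceSession:
    policy: DevicePolicy
    state: Optional[KeyState] = None
    failures: int = 0
    history: List[KeyState] = field(default_factory=list)

    def check(self, compliant: bool) -> KeyState:
        """Apply one integrity-check result and return the resulting key state."""
        if not self.policy.scheduled_checks:
            # One-shot evaluation: only the first check of the session counts;
            # later compliance (or non-compliance) changes nothing.
            if self.state is None:
                self.state = KeyState.GRANTED if compliant else KeyState.DENIED
        elif compliant:
            # With scheduled checks, renewed compliance restores the key.
            self.failures = 0
            self.state = KeyState.GRANTED
        else:
            self.failures += 1
            # Warn while inside the grace period, revoke once it is exhausted.
            within_grace = self.failures <= self.policy.grace_checks
            self.state = KeyState.WARNED if within_grace else KeyState.REVOKED
        self.history.append(self.state)
        return self.state


def run(policy: DevicePolicy, results: List[bool]) -> List[KeyState]:
    """Feed a sequence of check outcomes through one session; return its history."""
    session = InstanceSession(policy)
    for compliant in results:
        session.check(compliant)
    return session.history
```

With scheduled checks and a grace period of one check, the sequence compliant, violating, violating, compliant yields granted, warned, revoked, granted; without scheduled checks, an instance that fails its single check stays denied however it behaves afterwards.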