1. Start Kaspersky Security Center Administration Console.
2. Expand the Administration Server <Server name> node.
3. In the console tree, click Managed devices.
4. Select the administration group that contains the required client computer.
5. In the workspace, select the Policies tab and click New policy.

   The New Policy Wizard opens.

6. Follow the steps of the New Policy Wizard to create a policy.

1. Start Kaspersky Security Center Administration Console.
2. Expand the Administration Server <Server name> node.
3. In the console tree, click Policies.
4. In the workspace, click New policy.

   The New Policy Wizard opens.

5. Follow the steps of the New Policy Wizard to create a policy.

In the Select the application for which you want to create a group policy window, in the list of applications, select Kaspersky Endpoint Security 11 for Mac.

1. In the Enter a group policy name window, in the Name field, specify the name of the policy that you are creating. The name can't contain the following symbols: “ * < : > ? \ |.
2. Select the Use policy settings for an earlier version of the application checkbox if you want to import the settings from an existing Kaspersky Endpoint Security policy to a new policy.

In the Protection window, configure the following settings if necessary:

• Configure protection settings for the operating system on the client computer.
• Configure Trusted zone.

  You can create a list of objects that Kaspersky Endpoint Security does not scan or monitor.

• Configure Trusted applications.

  You can create a list of applications whose network activity will not be monitored by Kaspersky Endpoint Security.

• Select types of objects to be detected.
• Disable or enable the start of scheduled tasks when the computer is running on battery power.

In the File Threat Protection window, do the following if necessary:

• Enable or disable File Threat Protection.

  By default, File Threat Protection is enabled.

• Select a security level.

  By default, the security level recommended by Kaspersky is selected.

• Configure File Threat Protection settings.
• Select the action to be performed upon detecting a malicious object.

In the Web Threat Protection window, do the following if necessary:

• Enable or disable Web Threat Protection.

  By default, Web Threat Protection is enabled.

• Select a security level.

  By default, the security level recommended by Kaspersky is selected.

• Configure Web Threat Protection settings.
• Select the action to be performed upon detecting a malicious object in web traffic.

In the Network Threat Protection window, do the following if necessary:

• Enable or disable Network Threat Protection.

  By default, Network Threat Protection is enabled.

• Configure Network Threat Protection settings.

In the Update window, do the following if necessary:

• Enable or disable updating of application modules.
• Specify update sources.

In the KSN window, do the following if necessary:

• Read the full text of the Kaspersky Security Network Statement by clicking the KSN Statement button.
• View information about KSN infrastructure provided by Kaspersky Security Center.
• Enable or disable the use of Kaspersky Security Network.
• Enable or disable extended KSN mode.
• Enable or disable the use of a KSN proxy.
• Enable or disable the use of Kaspersky servers when the KSN proxy is unavailable.

Note: Use of Kaspersky Security Network and a KSN proxy on remote computers is available only if Kaspersky Security Center Administration Server is used as the proxy server. For detailed information about Administration Server properties, see the Kaspersky Security Center help.

When Global KSN infrastructure is used by Kaspersky Security Center and you choose to participate in Kaspersky Security Network in policy settings, Kaspersky Endpoint Security statistics from client computers to which the policy is applied are automatically sent to Kaspersky to enhance protection of these computers.

Note: Kaspersky doesn't receive, process, or store any personal data without your explicit consent.

When Private KSN infrastructure is used by Kaspersky Security Center and you choose to participate in Kaspersky Security Network in policy settings, Kaspersky Endpoint Security doesn't send statistics from client computers to which the policy is applied to Kaspersky.

After a policy is deleted or made inactive, KSN settings on a client computer return to the initial state.

In the User Interaction window, configure the Kaspersky Endpoint Security settings for interaction with the user of the client computer if necessary.

In the Network window, do the following if necessary:

• Configure the connection to a proxy server.
• Enable or disable scanning of inbound and outbound HTTPS traffic.
• Configure monitored ports.

  You can create a list of ports that are monitored by Kaspersky Endpoint Security.

In the Reports and Backup window, do the following if necessary:

• Configure settings for generating and storing reports.
• Configure settings for storing objects in Backup.

In the FileVault Disk Encryption window, do the following if necessary:

• Enable or disable FileVault disk encryption management for the user's startup disk.

  By default, FileVault disk encryption management is disabled.

• Choose the Encrypt disk option, if you want to encrypt the user's startup disk when the policy is applied to a client computer.

If the Enable FileVault disk encryption management checkbox is unselected, users with administrator rights can encrypt and decrypt their Mac startup disks from System Preferences.

If the Enable FileVault disk encryption management checkbox and the Encrypt disk option are selected, users with administrator rights can't decrypt the startup disk of their Mac from System Preferences.

If the Enable FileVault disk encryption management checkbox and the Decrypt disk option are selected, users with administrator rights can't encrypt the startup disk of their Mac from System Preferences.

In the Web Control window, do the following if necessary:

• Enable or disable Web Control.

  Note: If you enable Web Control to block access to dangerous web resources, Kaspersky Endpoint Security displays the Web Control is enabled notification in Protection Center on the remote computer.
  Kaspersky Endpoint Security displays notifications when the user accesses web resources blocked by Web Control on the remote computer if the Check secure connections (HTTPS) checkbox is selected in the Network window of the New policy Wizard.

• Add a new rule for Web Control by clicking Add.

  You can enter a rule name, choose whether the rule is active, specify a rule area by creating a list of specific web addresses or selecting website categories, and select an action that Kaspersky Endpoint Security performs when a user accesses a website included in this rule.

• Edit, delete, or organize created rules in the list.

The order in which the rules are sorted determines the priority of their application by Kaspersky Endpoint Security.

In the Target group window, click Browse to select an administration group to which you want to apply the policy.

In the Create the group policy for the application window, do the following:

1. Select the status that will be assigned to the policy:
   • Active policy: the policy is applied to the selected administration group.
   • Inactive policy: the policy is not applied.
   • Out-of-office policy: the policy is applied to the selected administration group when the computers are disconnected from the corporate network.

   Note: You can create multiple policies for an application in an administration group, but only one of them can be active.

   For detailed information about policy statuses, see the Kaspersky Security Center help.

2. Select the Open policy properties immediately after they are created checkbox if you want to review the policy settings after the policy is created.
3. Click Finish to close the New Policy Wizard.

   The policy that you have created appears on the Policies tab in the workspace of the relevant administration group. The policy is applied to client computers after their first synchronization with Administration Server.