Managing policies

A policy is a collection of application settings that are defined for an administration group. You can configure multiple policies with different values for one application. An application can run under different settings for different administration groups. Each administration group can have its own policy for an application.

Policy settings are sent to client computers by Network Agent during synchronization. By default, the Administration Server performs synchronization immediately after policy settings are changed. UDP port 15000 on the client computer is used for synchronization. Administration Server performs synchronization every 15 minutes. If synchronization fails after policy settings were changed, the next synchronization attempt will be performed according to the configured schedule.

Active and inactive policy

A policy is intended for a group of managed computers and can be active or inactive. The settings of an active policy are saved on client computers during synchronization. You cannot simultaneously apply multiple policies to one computer, therefore only one policy may be active in each group.

You can create an unlimited number of inactive policies. An inactive policy does not affect application settings on computers in the network. Inactive policies are intended as preparations for emergency situations, such as a virus attack. If there is an attack via flash drives, you can activate a policy that blocks access to flash drives. In this case, the active policy automatically becomes inactive.

Out-of-office policy

An out-of-office policy is activated when a computer leaves the organization network perimeter.

Hierarchy of policies

Each policy setting has the dc_lock_locked_dark attribute, which indicates if this setting can be modified in the child policies or in the local application settings. Child policy is a policy for nested hierarchy levels, that is a policy for nested administration groups and slave Administration Servers. The dc_lock_locked_dark attribute is enabled only if inheritance of parent policy settings is enabled in the child policy. Policies for out-of-office users do not affect other policies through the hierarchy of administration groups.

KES11_Lock_Shem

Hierarchy of policies

Creating a policy

To create a policy:

  1. In the main window of Web Console, select DevicesPolicies and policy profiles.
  2. Click the Add button.

    The Policy Wizard starts.

  3. Select Kaspersky Endpoint Security and click Next.
  4. Please read and accept the terms of the Kaspersky Security Network (KSN) Statement and click Next.
  5. On the General tab, you can perform the following actions:
    • Change the policy name.
    • Select the policy status:
      • Active. After the next synchronization, the policy will be used as the active policy on the computer.
      • Inactive. Backup policy. If necessary, an inactive policy can be switched to active status.
      • Out-of-office. The policy is activated when a computer leaves the organization network perimeter.
    • Configure the inheritance of settings:
      • Inherit settings from parent policy. If this toggle button is switched on, the policy setting values are inherited from the top-level policy. Policy settings cannot be edited if dc_lock_locked_dark is set for the parent policy.
      • Force inheritance of settings in child policies. If the toggle button is on, the values of the policy settings are propagated to the child policies. In the child policy settings the Inherit settings from parent policy check box is automatically selected. Child policy settings are inherited from the parent policy, except for the settings marked with dc_lock_unlocked_dark. Child policy settings cannot be edited if dc_lock_locked_dark is set for the parent policy.
  6. On the Application settings tab, you can configure the Kaspersky Endpoint Security policy settings.
  7. Click the Save button.

As a result, Kaspersky Endpoint Security settings will be configured on client computers during the next synchronization.

Page top