You can use policies to apply identical Kaspersky Endpoint Security settings to all client computers within an administration group.
You can locally change the values of settings specified by a policy for individual computers in an administration group using Kaspersky Endpoint Security. You can locally change only those settings whose modification is not prohibited by the policy.
The ability to change application settings on the client computer is determined by the status of the “lock” on these settings in the policy properties:
A closed “lock” () means the following:
Kaspersky Security Center blocks changes to settings that this lock relates to from the Kaspersky Endpoint Security interface on client computers. On all client computers, Kaspersky Endpoint Security uses the same values of these settings, i.e. the values that are defined in the policy properties.
Kaspersky Security Center blocks changes to the settings that this lock relates to, in the properties of the policies for nested administration groups and slave Administration Servers that have the Inherit settings from parent policy function enabled. The values of these settings that are defined in top level policy properties are used.
An open “lock” () means the following:
Kaspersky Security Center allows changes to settings that this lock relates to from the Kaspersky Endpoint Security interface on client computers. On each client computer, Kaspersky Endpoint Security operates according to the local values of these settings if the component is enabled.
Kaspersky Security Center allows changes to the settings that this lock relates to, in the properties of the policies for nested administration groups and slave Administration Servers that have the Inherit settings from parent policy function enabled. The values of these settings do not depend on what is specified in the top level policy properties.
After the policy is applied for the first time, local application settings change in accordance with the policy settings.
The rights to access policy settings (read, write, execute) are specified for each user who has access to the Kaspersky Security Center Administration Server and separately for each functional scope of Kaspersky Endpoint Security. To configure the rights to access policy settings, go to the Security section of the properties window of the Kaspersky Security Center Administration Server.
The following functional scopes of Kaspersky Endpoint Security are singled out:
Essential Threat Protection. The functional scope includes the File Threat Protection, Mail Threat Protection, Web Threat Protection, Network Threat Protection, Firewall, and Scan Task components.
Application Control. The functional scope includes the Application Control component.
Device Control. The functional scope includes the Device Control component.
Encryption. The functional scope includes the Full Disk Encryption and File Level Encryption components.
Trusted zone. The functional scope includes the Trusted Zone.
Web Control. The functional scope includes the Web Control component.
Advanced Threat Protection. The functional scope includes KSN settings and the Behavior Detection, Exploit Prevention, Host Intrusion Prevention, and Remediation Engine components.
Basic functionality. This functional scope includes general application settings that are not specified for other functional scopes, including: licensing, inventory tasks, application database and module update tasks, Self-Defense, advanced application settings, reports and storages, password protection and application interface settings.
You can perform the following operations with a policy:
Create a policy.
Edit policy settings.
If the user account under which you accessed the Administration Server does not have rights to edit settings of certain functional scopes, the settings of these functional scopes are not available for editing.
Delete a policy.
Change policy status.
For information on using policies that are not related to interaction with Kaspersky Endpoint Security, refer to Kaspersky Security Center Help.