Managing policies

You can use policies to apply identical Kaspersky Endpoint Security settings to all client computers within an administration group.

You can locally change the values of settings specified by a policy for individual computers in an administration group using Kaspersky Endpoint Security. You can locally change only those settings whose modification is not prohibited by the policy.

The ability to change application settings on the client computer is determined by the status of the “lock” on these settings in the policy properties:

• A closed “lock” () means the following:
  • Kaspersky Security Center blocks changes to settings that this lock relates to from the Kaspersky Endpoint Security interface on client computers. On all client computers, Kaspersky Endpoint Security uses the same values of these settings, i.e. the values that are defined in the policy properties.
  • Kaspersky Security Center blocks changes to the settings that this lock relates to, in the properties of the policies for nested administration groups and slave Administration Servers that have the Inherit settings from parent policy function enabled. The values of these settings that are defined in top level policy properties are used.
• An open “lock” () means the following:
  • Kaspersky Security Center allows changes to settings that this lock relates to from the Kaspersky Endpoint Security interface on client computers. On each client computer, Kaspersky Endpoint Security operates according to the local values of these settings if the component is enabled.
  • Kaspersky Security Center allows changes to the settings that this lock relates to, in the properties of the policies for nested administration groups and slave Administration Servers that have the Inherit settings from parent policy function enabled. The values of these settings do not depend on what is specified in the top level policy properties.

After the policy is applied for the first time, local application settings change in accordance with the policy settings.

The rights to access policy settings (read, write, execute) are specified for each user who has access to the Kaspersky Security Center Administration Server and separately for each functional scope of Kaspersky Endpoint Security. To configure the rights to access policy settings, go to the Security section of the properties window of the Kaspersky Security Center Administration Server.

The following functional scopes of Kaspersky Endpoint Security are singled out:

• Essential Threat Protection. The functional scope includes the File Threat Protection, Mail Threat Protection, Web Threat Protection, Network Threat Protection, Firewall, and Scan Task components.
• Application Control. The functional scope includes the Application Control component.
• Device Control. The functional scope includes the Device Control component.
• Encryption. The functional scope includes the Full Disk Encryption and File Level Encryption components.
• Trusted zone. The functional scope includes the Trusted Zone.
• Web Control. The functional scope includes the Web Control component.
• Advanced Threat Protection. The functional scope includes KSN settings and the Behavior Detection, Exploit Prevention, Host Intrusion Prevention, and Remediation Engine components.

Basic functionality. This functional scope includes general application settings that are not specified for other functional scopes, including: licensing, inventory tasks, application database and module update tasks, Self-Defense, advanced application settings, reports and storages, password protection and application interface settings.

Creating a policy

To create a policy:

1. Open the Kaspersky Security Center Administration Console.
2. Do one of the following:
   • Select the Managed devices folder in the Administration Console tree if you want to create a policy for all computers managed by Kaspersky Security Center.
   • In the Managed devices folder in the Administration Console tree, select the folder with the name of the administration group to which the relevant client computers belong.
3. In the workspace, select the Policies tab.
4. Do one of the following:
   • Click the New policy button.
   • Right-click to open the context menu and select Create Policy.

   The Policy Wizard starts.

5. Follow the instructions of the Policy Wizard.

As a result, Kaspersky Endpoint Security settings will be configured on client computers during the next synchronization. You can view information about the policy that is being applied to the computer in the Kaspersky Endpoint Security interface by clicking the Support button on the main screen (for example, the policy name). To do so, in the settings of the Network Agent policy, you need to enable the receipt of extended policy data. For more details about a Network Agent policy, please refer to the Kaspersky Security Center Help.

Editing policy settings

To edit policy settings:

1. Open the Kaspersky Security Center Administration Console.
2. In the Managed devices folder of the Administration Console tree, open the folder with the name of the relevant administration group for which you want to edit policy settings.
3. In the workspace, select the Policies tab.
4. Select the necessary policy.
5. Open the Properties: <Policy name> window by using one of the following methods:
   • In the context menu of the policy, select Properties.
   • Click the Configure policy link located in the right part of the Administration Console workspace.

   Kaspersky Endpoint Security policy settings include component settings and application settings. The Advanced Threat Protection, Essential Threat Protection and Security Controls sections of the Properties: <Policy name> window contain the settings of the protection and control components, the Data Encryption section contains settings for full disk encryption, file level encryption, and encryption of removable drives, the Endpoint Sensor section contains the settings of the Endpoint Sensor component, the Local tasks section contains the settings of local and group tasks, and the General Settings section contains the application settings.

   The settings of data encryption and control components in policy settings are displayed if the corresponding check boxes are selected in the Interface settings window of Kaspersky Security Center. By default, these check boxes are selected.

6. Edit the policy settings.
7. Save your changes.

Security level indicator in the policy properties window

The security level indicator is displayed in the top part of the Properties: <Policy name> window. The indicator can take one of the following values:

• High protection level. The indicator takes this value and turns green if all components from the following categories are enabled:
  • Critical. This category includes the following components:
    • File Threat Protection.
    • Behavior Detection.
    • Exploit Prevention.
    • Remediation Engine.
  • Important. This category includes the following components:
    • Kaspersky Security Network.
    • Web Threat Protection.
    • Mail Threat Protection.
    • Host Intrusion Prevention.
• Medium protection level. The indicator takes this value and turns yellow if one of the important components is disabled.
• Low protection level. The indicator takes this value and turns red in one of the following cases:
  • One or multiple critical components are disabled.
  • Two ore more important components are disabled.

If the indicator is displayed with Medium protection level or Low protection level, the Learn more link, which opens the Recommended protection components window, is available to the right of the indicator. In this window, you can enable any of the recommended protection components.