Creating a policy profile activation rule

Expand all | Collapse all

To create a policy profile activation rule:

1. In the console tree, select the administration group for which you have to create a policy profile activation rule.
2. In the workspace of the group, select the Policies tab.
3. Select a policy and switch to the policy properties window using the context menu.
4. Select the Policy profiles section in the policy properties window.
5. Select the policy profile for which you need to create an activation rule, and click the Properties button.

   The policy profile properties window opens.

   If the list of policy profiles is empty, you can create a policy profile.

6. Select the Activation rules section, and click the Add button.

   The New policy profile activation rule wizard starts.

7. In the Policy profile activation rules window, select the check boxes next to the conditions that must affect activation of the policy profile that you are creating:
   • General rules for policy profile activation

     Select this check box to set up policy profile activation rules on the device depending on the status of the device offline mode, rule for connection to Administration Server, and tags assigned to the device.

   • Rules for Active Directory usage

     Select this check box to set up rules for policy profile activation on the device depending on the presence of the device in an Active Directory organizational unit (OU), or on membership of the device (or its owner) in an Active Directory security group.

   • Rules for a specific device owner

     Select this check box to set up rules for policy profile activation on the device depending on the device owner.

   • Rules for hardware specifications

     Select this check box to set up rules for policy profile activation on the device depending on the memory volume and the number of logical processors.

   The number of additional pages of the wizard depends on the settings that you select at the first step. You can modify policy profile activation rules later.

8. In the General conditions window, specify the following settings:
   • In the Device is offline field, in the drop-down list specify the condition for device presence on the network:
     • Yes

       The device is in an external network, which means that the Administration Server is not available.

     • No

       The device is on the network, so the Administration Server is available.

     • No value is selected

       The criterion will not be applied.

   • In the The device is in the specified network location box, use the drop-down lists to set up the policy profile activation if the Administration Server connection rule is executed / not executed on this device:
     • Executed / Not executed

       Condition of policy profile activation (whether the rule is executed or not).

     • Rule name

       Network location description of the device for connection to the Administration Server, whose conditions must be met (or must not be met) for activation of the policy profile.

       A network location description of devices for connection to an Administration Server can be created or configured in a Network Agent switching rule.

   The General conditions window is displayed if the General rules for policy profile activation check box is selected.

9. In the Conditions using tags window, specify the following settings:
   • Tag list

     In the list of tags, specify the rule for device inclusion in the policy profile by selecting the check boxes next to the relevant tags.

     You can add new tags to the list by entering them in the field over the list and clicking the Add button.

     The policy profile includes devices with descriptions containing all the selected tags. If check boxes are cleared, the criterion is not applied. By default, these check boxes are cleared.

   • Apply to devices without the specified tags

     Enable this option if you have to invert your selection of tags.

     If this option is enabled, the policy profile includes devices with descriptions that contain none of the selected tags. If this option is disabled, the criterion is not applied.

     By default, this option is disabled.

   The Conditions using tags window is displayed if the General rules for policy profile activation check box is selected.

10. In the Conditions using Active Directory window, specify the following settings:
    • Device owner's membership in Active Directory security group

      If this option is enabled, the policy profile is activated on the device whose owner is a member of the specified security group. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

    • Device membership in Active Directory security group

      If this option is enabled, the policy profile is activated on the device. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

    • Device allocation in Active Directory organizational unit

      If this option is enabled, the policy profile is activated on the device which is included in the specified Active Directory organizational unit (OU). If this option is disabled, the profile activation criterion is not applied.

      By default, this option is disabled.

    The Conditions using Active Directory window is displayed if the Rules for Active Directory usage check box is selected.

11. In the Conditions using the device owner window, specify the following settings:
    • Device owner

      Enable this option to configure and enable the rule for profile activation on the device according to its owner. In the drop-down list under the check box, you can select a criterion for the profile activation:

      • The device belongs to the specified owner ("=" sign).
      • The device does not belong to the specified owner ("#" sign).

        If this option is enabled, the profile is activated on the device in accordance with the criterion configured. You can specify the device owner when the option is enabled. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

    • The device owner is included in an internal security group

      Enable this option to configure and enable the rule of profile activation on the device by the owner's membership in an internal security group of Kaspersky Security Center. In the drop-down list under the check box, you can select a criterion for the profile activation:

      • The device owner is a member of the specified security group ("=" sign).
      • The device owner is not a member of the specified security group ("#" sign).

        If this option is enabled, the profile is activated on the device in accordance with the criterion configured. You can specify a security group of Kaspersky Security Center. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

    • Activate policy profile by specific role of device owner

      Select this option to configure and enable the rule of profile activation on the device depending on the owner's role. Add the role manually from the list of existing roles.

      If this option is enabled, the profile is activated on the device in accordance with the criterion configured.

    The Conditions using the device owner window is displayed if the Rules for a specific device owner check box is selected.

12. In the Conditions using equipment specifications window, specify the following settings:
    • RAM size, in MB

      Enable this option to configure and enable the rule of profile activation on the device by the RAM volume available on that device. In the drop-down list under the check box, you can select a criterion for the profile activation:

      • The device RAM size is less than the specified value ("<" sign).
      • The device RAM size is greater than the specified value (">" sign).

      If this option is enabled, the profile is activated on the device in accordance with the criterion configured. You can specify the RAM volume on the device. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

    • Number of logical processors

      Enable this option to configure and enable the rule of profile activation on the device by the number of logical processors on that device. In the drop-down list under the check box, you can select a criterion for the profile activation:

      • The number of logical processors on the device is less than or equal to the specified value ("<" sign).
      • The number of logical processors on the device is greater than or equal to the specified value (">" sign).

      If this option is enabled, the profile is activated on the device in accordance with the criterion configured. You can specify the number of logical processors on the device. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

    The Conditions using equipment specifications window is displayed if the Rules for hardware specifications check box is selected.

13. In the Name of policy profile activation rule window, in the Rule name field, specify a name for the rule.

The profile will be saved. The profile will be activated on the device when activation rules are triggered.

Policy profile activation rules created for the profile are displayed in the policy profile properties in the Activation rules section. You can modify or remove any policy profile activation rule.

Multiple activation rules can be triggered simultaneously.

See also: Policy setup and propagation: Device-centric approach

Page top