Conditions for a device moving rule
When you create or copy a rule to move client devices to administration groups, on the Rule conditions tab you set conditions for moving the devices. To determine which devices to move, you can use the following criteria:
- Tags assigned to client devices.
- Network parameters. For example, you can move devices with IP addresses from a specified range.
- Managed applications installed on client devices, for instance, Network Agent or Administration Server.
- Whether the client devices are virtual machines.
- Information about the Active Directory organizational unit (OU) with the client devices.
- Information about a cloud segment with the client devices.
The sections below describe how to specify this information in a device moving rule.
If you specify several conditions in the rule, they are combined with the logical AND operator, so a device must meet all of them at the same time. Options that you do not select and fields that you leave blank are not applied as conditions.
Tags tab
On this tab, you can configure a device moving rule based on device tags that were previously added to the descriptions of client devices. To do this, select the required tags. Also, you can enable the following options:
- Apply to devices without the specified tags
If this option is enabled, all devices with the specified tags are excluded from a device moving rule. If this option is disabled, the device moving rule applies to devices with all the selected tags.
By default, this option is disabled.
- Apply if at least one specified tag matches
If this option is enabled, a device moving rule applies to client devices with at least one of the selected tags. If this option is disabled, the device moving rule applies to devices with all the selected tags.
By default, this option is disabled.
Network tab
On this tab, you can specify the network data of devices that a device moving rule considers:
- Device name on the Windows network
Windows network name (NetBIOS name) of the device, or the IPv4 or IPv6 address.
- Windows domain
A device moving rule applies to all devices included in the specified Windows domain.
- DNS name of the device
DNS domain name of the client device that you want to move. Fill this field if your network includes a DNS server.
If case sensitive collation is set for the database that you use for Kaspersky Security Center, keep case when you specify a device DNS name. Otherwise, the device moving rule will not work.
- DNS domain
A device moving rule applies to all devices included in the specified main DNS suffix. Fill this field if your network includes a DNS server.
- IP range
If this option is enabled, you can enter the initial and final IP addresses of the IP range in which the relevant devices must be included.
By default, this option is disabled.
- IP address for connection to Administration Server
If this option is enabled, you can set the IP addresses by which client devices are connected to Administration Server. To do this, specify the IP range that includes all necessary IP addresses.
By default, this option is disabled.
- Connection profile changed
Select one of the following values:
- Yes. A device moving rule only applies to client devices with a changed connection profile.
- No. The device moving rule only applies to the client devices whose connection profile has not changed.
- No value is selected. The condition does not apply.
- Managed by a different Administration Server
Select one of the following values:
- Yes. A device moving rule only applies to client devices managed by other Administration Servers. These Servers are different from the Server on which you configure the device moving rule.
- No. The device moving rule only applies to client devices managed by the current Administration Server.
- No value is selected. The condition does not apply.
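The matching behavior described above (conditions combined with AND, unset conditions ignored, the two tag options, and the IP range) can be modelled to preview which devices a rule would catch before it is enabled. This is an added illustration, not Kaspersky Security Center code or its API: the Device and MoveRule classes, their field names, and the sample inventory are constructed, and treating "Apply to devices without the specified tags" as a plain negation of the tag match is an assumption.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Optional

@dataclass
class Device:                           # constructed inventory record, not a KSC object
    name: str
    ip: str
    tags: set = field(default_factory=set)
    agent_installed: bool = False

@dataclass
class MoveRule:                         # hypothetical field names mirroring the tab options
    tags: set = field(default_factory=set)
    without_tags: bool = False          # "Apply to devices without the specified tags"
    any_tag: bool = False               # "Apply if at least one specified tag matches"
    ip_range: Optional[tuple] = None    # (first, last); None means the option is disabled
    agent_installed: Optional[bool] = None  # None means "No value is selected"

def tag_condition(rule, dev):
    if not rule.tags:
        return True                     # nothing selected: the condition does not apply
    hit = bool(rule.tags & dev.tags) if rule.any_tag else rule.tags <= dev.tags
    # Assumption: the "without the specified tags" option negates the base match.
    return not hit if rule.without_tags else hit

def ip_condition(rule, dev):
    if rule.ip_range is None:
        return True
    first, last = (ip_address(a) for a in rule.ip_range)
    return first <= ip_address(dev.ip) <= last

def agent_condition(rule, dev):
    return rule.agent_installed is None or rule.agent_installed == dev.agent_installed

def matches(rule, dev):
    # Every configured condition must hold at the same time (logical AND).
    return all(c(rule, dev) for c in (tag_condition, ip_condition, agent_condition))

def preview(rule, devices):
    """Return the names of devices the rule would move, for review before enabling it."""
    return [d.name for d in devices if matches(rule, d)]

# Constructed sample inventory
DEVICES = [
    Device("ws-01", "10.0.5.20", {"finance", "laptop"}, True),
    Device("ws-02", "10.0.5.77", {"finance"}, True),
    Device("srv-01", "10.0.9.4", {"server"}, True),
    Device("kiosk-01", "10.0.5.200", set(), False),
]
```

Comparing the preview for a rule with and without the "at least one tag" option shows how much wider the match becomes, which matters because the target administration group determines the policies a device receives.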
Applications tab
On this tab, you can configure a device moving rule based on the managed applications and operating systems installed on client devices:
- Network Agent is installed
Select one of the following values:
- Yes. A device moving rule only applies to client devices with Network Agent installed.
- No. The device moving rule only applies to client devices on which Network Agent is not installed.
- No value is selected. The condition does not apply.
- Applications
Specify what managed applications should be installed on client devices, so a device moving rule applies to these devices. For example, you can select Kaspersky Security Center 14.2 Network Agent or Kaspersky Security Center 14.2 Administration Server.
If you do not select any managed application, the condition does not apply.
- Operating system version
You can filter client devices based on the operating system version. For this purpose, specify operating systems that should be installed on the client devices. As a result, a device moving rule applies to the client devices with the selected operating systems.
If you do not enable this option, the condition does not apply. By default, the option is disabled.
- Operating system bit size
You can filter client devices by the operating system bit sizes. In the Operating system bit size field, you can select one of the following values:
To check the operating system bit size of the client devices:
- In the main menu, go to the Devices → Managed devices section.
- Click the Columns settings button on the right.
- Select the Operating system bit size option, and then click the Save button.
After that, the operating system bit size is displayed for every managed device.
- Operating system service pack version
In this field, you can specify the package version of the operating system (in the X.Y format), which will determine how the moving rule is applied to the device. By default, no version value is specified.
- User certificate
Select one of the following values:
- Installed. A device moving rule only applies to mobile devices with a mobile certificate.
- Not installed. The device moving rule only applies to mobile devices without a mobile certificate.
- No value is selected. The condition does not apply.
- Operating system build
This setting is applicable to Windows operating systems only.
You can specify whether the selected operating system must have an equal, earlier, or later build number. You can also configure a device moving rule for all build numbers except the specified one.
- Operating system release number
This setting is applicable to Windows operating systems only.
You can specify whether the selected operating system must have an equal, earlier, or later release number. You can also configure a device moving rule for all release numbers except the specified one.
Virtual machines tab
On this tab, you can configure a device moving rule according to whether client devices are virtual machines or part of a virtual desktop infrastructure (VDI):
- This is a virtual machine
In the drop-down list, you can select one of the following:
- N/A. The condition does not apply.
- No. Move devices that are not virtual machines.
- Yes. Move devices that are virtual machines.
- Virtual machine type
- Part of Virtual Desktop Infrastructure
In the drop-down list, you can select one of the following:
- N/A. The condition does not apply.
- No. Move devices that are not part of VDI.
- Yes. Move devices that are part of VDI.
Active Directory tab
On this tab, you can specify that devices included in the Active Directory OU must be moved. You can also move devices from all child OUs of the specified Active Directory OU:
- Device is in an Active Directory organizational unit
If this option is enabled, a device moving rule applies to devices from the Active Directory organizational unit specified in the list under the option.
By default, this option is disabled.
- Include child organizational units
If this option is enabled, the selection includes devices from all child organizational units of the specified Active Directory organizational unit.
By default, this option is disabled.
- Move devices from child units to corresponding subgroups
- Create subgroups corresponding to containers of newly detected devices
- Delete subgroups that are not present in Active Directory
- This device is a member of an Active Directory group
If this option is enabled, a device moving rule applies to devices from the Active Directory group specified in the list under the option.
By default, this option is disabled.
Cloud segments tab
On this tab, you can specify that devices belonging to specific cloud segments must be moved:
- Device is in a cloud segment
If you select this option, a device moving rule applies to the client devices that belong to a cloud segment. You can select the required cloud segment up to a subnet in the list under the option.
By default, the option is disabled.
- Include child objects
If you select this option, a device moving rule applies not only to the selected cloud segment, but also to the child objects of this segment.
By default, the option is disabled.
- Move devices from nested objects to corresponding subgroups
- Create subgroups corresponding to containers of newly detected devices
- Delete subgroups for which no match is found in the cloud segments
- Device discovered by using the API
In the drop-down list, you can select whether a device is detected by API tools:
- AWS. The device is discovered by using the AWS API, that is, the device is definitely in the AWS cloud environment.
- Azure. The device is discovered by using the Azure API, that is, the device is definitely in the Azure cloud environment.
- Google Cloud. The device is discovered by using the Google API, that is, the device is definitely in the Google Cloud environment.
- No. The device cannot be detected by using the AWS, Azure, or Google API, that is, it is either outside the cloud environment or it is in the cloud environment but it cannot be detected by using an API.
- No value. This condition does not apply.