Creating a policy

To create a policy:

1. In the main window of the Web Console, select Devices → Policies and policy profiles.

   The list of policies opens.

2. Select the administration group containing client devices to which the policy should be applied. To do so, click the link in the Current path field in the upper part of the window and select an administration group in the window that opens.

   The list displays only the policies configured for the selected administration group.

3. Click Add.

   The Policy Wizard starts.

4. In the drop-down list, select Kaspersky Endpoint Security 12.0 for Linux.

   Proceed to the next step of the wizard.

5. Decide whether you want to use Kaspersky Security Network. Carefully read the Kaspersky Security Network Statement and do one of the following:
   • If you agree with all the terms and conditions of the Statement and want the application to use Kaspersky Security Network, select I confirm that I have fully read, understand, and accept the terms and conditions of Kaspersky Security Network Statement.
   • If you do not want to use Kaspersky Security Network, select I do not accept the terms and conditions of the Kaspersky Security Network Statement and confirm your decision in the window that opens.

   Refusal to use Kaspersky Security Network does not interrupt the policy creation process. At any time, you can enable or disable use of Kaspersky Security Network or change the KSN mode for managed devices in the policy settings.

   Proceed to the next step of the wizard.

6. Specify the Kaspersky Endpoint Security usage mode:
   • Standalone mode – the application is used to protect devices running Linux operating systems.
   • Light Agent mode for protecting virtual environments – as part of the Kaspersky Security for Virtualization Light Agent solution, the application is used to protect virtual machines running Linux guest operating systems.
7. If you are using the application in Light Agent mode to protect virtual environments, configure the SVM discovery settings:
   1. Select the method that Light Agents use to discover SVMs available for connection.
      • Use the Integration Server

        If this option is selected, Light Agent connects to Integration Server to get a list of SVMs available for connection and their details.

      • Use a custom list of SVM addresses

        If this option is selected, you can specify a list of SVMs that Light Agents managed by this policy can connect to. Light agents will only connect to SVMs specified in the list.

      If you select the Use a custom list of SVM addresses option, the Light Agent is using the advanced SVM selection algorithm, and large infrastructure protection mode is enabled on an SVM (for more information, see the Kaspersky Security for Virtualization Light Agent Help), then connecting a Light Agent to this SVM is only possible if the SVM path is ignored. In the SVM selection algorithm section, you need to set the SVM path setting to Ignore SVM path. If any other value is set, Light Agents will not be able to connect to the SVM.

   2. If you select Integration Server, the wizard displays the current settings for connecting Light Agents to the Integration Server: address and port for connecting. If necessary, specify new connection settings:
      1. Click the Configure button and specify new connection settings in the window that opens:
         • Address

           IP address in IPv4 format or fully qualified domain name (FQDN) of the device on which the Integration Server is installed.

           If a NetBIOS name, "localhost", or 127.0.0.1 is specified as the address, the connection to the Integration Server fails with an error.

         • Port

           Port for connecting to the Integration Server.

           Port 7271 is used by default.

      2. Click the Check button.
      3. The web plug-in checks the SSL certificate received from the Integration Server. If the certificate contains an error or is not trusted, a corresponding message is displayed in the Connection to the Integration Server window.

         You can view information about the certificate received from the Integration Server by clicking on the View the received certificate line. If you encounter problems with an SSL certificate, we recommend to make sure that the data transmission channel you are using is secure.

         To save the received certificate and continue connecting to the Integration Server, in the Select an action block, select the Ignore option.

      4. Specify the password of the Integration Server administrator (password of the admin account) and click the Test button.

         The New Policy Wizard connects to the Integration Server. If the connection fails, an error message appears in the window. If the connection succeeds, the Connection to the Integration Server window closes, and the Connection to the Integration Server field of the New Policy Wizard window shows the Connected status.

   3. If you select a manually defined list of SVM addresses, the window displays a list of SVMs that Light Agents managed by this policy can connect to. To add an SVM to the list, click the Add button and in the window that opens specify the IP address in IPv4 format or the fully qualified domain name (FQDN) of the SVM. You can enter multiple IP addresses or FQDNs of SVMs on a new line.

      Specify only fully qualified domain names (FQDNs) that map to a single IP address. Using a fully qualified domain name that corresponds to multiple IP addresses can lead to errors in the application.

      You can delete addresses selected in the list by clicking the Delete button.

   Proceed to the next step of the wizard.

8. The General tab of the new policy settings window opens. Specify a name for the new policy.

   You can also configure the following policy settings:

   • Policy status:
     • Active. The policy that is currently applied to the device. If this option is selected, this policy becomes active on the device upon the next device synchronization with the Administration Server. This option is selected by default.
     • Inactive. The policy that is not currently applied to the device. If this option is selected, the policy becomes inactive but remains in the Policies folder. You can activate the inactive policy later.
     • Out-of-office. Policy that becomes active when the device leaves the corporate network. If this option is selected, the policy becomes active when the device leaves the organization network.
   • Policy settings inheritance:
     • Inherit settings from parent policy. If this option is enabled, the policy settings values are inherited from the upper-level group policy and, therefore, are locked. The check toggle button is switched on by default.
     • Enforce settings inheritance for child policies If this option is enabled, the settings values of the child policies are locked. The toggle button is switched off by default.

   For general information about the policy settings, refer to Kaspersky Security Center documentation.

9. On the Application settings tab, you can modify the policy settings.
10. Click Save.

The created policy will be displayed in the list of policies. You can change the policy settings later. For general information about managing policies, refer to Kaspersky Security Center documentation.