Kaspersky Security Center policies

A policy is a set of Kaspersky Endpoint Security settings that are applied to all client devices included in the administration group.

Multiple policies with different values of the settings can be configured for a single application. However, there can be only one active policy at a time for an application within an administration group. When you create a new policy, all other policies within an administration group become inactive. You can change the policy status later.

Policies have a hierarchy, similarly to administration groups. By default, a child policy inherits the settings from the parent policy. A child policy is a policy of a nested hierarchy level, that is, a policy for nested administration groups and secondary Administration Servers. You can enable inheritance of the settings from the parent policy.

You can locally modify the values of the settings specified by the policy for individual devices within the administration group, if modification of these settings is not prohibited by the policy.

Each policy setting has a "lock" attribute that indicates whether child policy settings and local application settings can be modified. The "lock" status of a setting within policy properties determines whether or not an application setting on a client device can be edited:

• When a setting is "locked" (), you cannot edit its value locally or in the policies of the nested hierarchy level. The setting value specified by the policy is used for all client devices within the administration group and nested groups.
• When a setting is "unlocked" (), you can edit its value locally or in the policies of the nested hierarchy level. If setting values are specified locally or in policy properties of a nested hierarchy level for client devices within an administration group, the setting value specified in the policy properties is not applied.

In the web plug-in and in the MMC plug-in, the number of parameters with "locks" is different. The web plug-in includes "locks" that are not present in the MMC plug-in.

For some exclusion lists, you can enable the merging of list items. To merge list itms, you need to do the following:

• In the properties of the child policy, on the General tab, enable the Inherit settings from parent policy setting.
• In the properties of the parent policy, click the padlock () icon to "lock" it.
• In the properties of the parent policy, enable the merging of settings by selecting the Merge inherited values check box. If the check box is selected, items in the list of the parent policy of Kaspersky Security Center are displayed in child policies, and items can be added to the list of child policies. If the check box is cleared, the list items are not merged when inheriting policy settings.

You cannot delete or modify inherited list items in a child policy. Exclusion list items that have been merged when inherited can be deleted or modified only in the parent policy. List items can be added, modified, or removed at lower levels. Thus, you can configure a list of exclusions in the parent policy, which will be applied to all child policies, and you can also add more exclusions to the list in the child policy.

A policy profile may contain settings that differ from the "base" policy settings and apply to client devices when the configured conditions (activation rules) are met. Using policy profiles allows you to flexibly configure application settings for different devices. You can create and configure profiles in the Policy profiles section of the policy properties.

Profile settings that are locked with a "padlock" override policy settings. That is, if the profile setting locked with a "padlock" is different from the policy setting, the application applies the setting from the profile. However, lists of settings are merged, supplementing each other. That is, if the settings in the list from the profile are missing from the "basic" policy, they are added to the resulting list of settings.

Some lists are not merged. If this happens, the settings from the profile override the settings of the "base" policy:

• Exclusions by process in the File Threat Protection and Behavior Detection components
• Protection scopes in the File Threat Protection and Anti-Cryptor components
• Monitoring scopes in the System Integrity Monitoring component
• List of rules (in the Application Control rules window) in the Application Control component
• List of rules in Web Control
• Process memory exclusions in application settings
• Trusted domains in network settings
• Trusted root certificates in network settings
• Monitored ports in network settings
• List of SVM addresses in SVM discovery settings

After the policy is applied for the first time, the application settings change in accordance with the policy settings.

If the application is not running when the policy is deleted, after application is started, this policy continues to be applied on the device and the application continues to operate with the settings specified by this policy.

For more information about policies and policy profiles, as well as the settings inheritance mechanism, see the Kaspersky Security Center Help.

Page top