About the policy profile
Dec 4, 2023
A policy profile is a named collection of policy settings that is activated on a client device (computer or mobile device) when the device satisfies specified activation rules. Activating a profile modifies the policy settings that were active on the device before the profile was activated: those settings take the values specified in the profile.
Policy profiles are necessary when devices within a single administration group must run under different policy settings. For example, policy settings may have to be modified for only some devices in an administration group. In this case, you can configure policy profiles for that policy, which lets you change policy settings for selected devices in the administration group. For example, the policy prohibits running any GPS navigation software on all devices in the Users administration group. GPS navigation software is necessary on only one device in the Users administration group: the device owned by the user employed as a courier. You can simply tag that device "Courier" and configure a policy profile that allows GPS navigation software to run only on devices tagged "Courier", while preserving all the remaining policy settings. Then, if a device tagged "Courier" appears in the Users administration group, it will be allowed to run GPS navigation software. Running GPS navigation software will still be prohibited on other devices in the Users administration group unless they are tagged "Courier", too.
Profiles are only supported by the following policies:
- Policies of Kaspersky Endpoint Security for Windows
- Policies of Kaspersky Endpoint Security for Mac
- Policies of the Kaspersky Mobile Device Management plug-in ranging from version 10 Service Pack 1 to version 10 Service Pack 3 Maintenance Release 1
- Policies of the Kaspersky Device Management for iOS plug-in
- Policies of Kaspersky Security for Virtualization 5.1 Light Agent for Windows
- Policies of Kaspersky Security for Virtualization 5.1 Light Agent for Linux
Policy profiles simplify the management of the client devices that the policies apply to:
- The policy profile settings may differ from the policy settings.
- You do not have to maintain and manually apply several instances of a single policy that differ only by a few settings.
- You do not have to allocate a separate policy for out-of-office users.
- You can export and import policy profiles, as well as create new policy profiles based on existing ones.
- A single policy can have multiple active policy profiles. Only profiles that meet the activation rules effective on the device will be applied to that device.
- Profiles are subject to the policy hierarchy. An inherited policy includes all profiles of the higher-level policy.
Priorities of profiles
Profiles that have been created for a policy are sorted in descending order of priority. For example, if profile X is higher in the list of profiles than profile Y, then X has a higher priority than Y. Multiple profiles can be applied to a single device simultaneously. If the values of a setting differ between the applied profiles, the value from the highest-priority profile is applied on the device.
Profile activation rules
A policy profile is activated on a client device when an activation rule is triggered. Activation rules are a set of conditions that, when met, start the policy profile on a device. An activation rule can contain the following conditions:
- Network Agent on a client device connects to the Administration Server that has a specified set of connection settings, such as Administration Server address, port number, and so forth.
- The client device is offline.
- The client device has been assigned specified tags.
- The client device is located in a specified Active Directory® organizational unit, either explicitly (the device is directly in that unit) or implicitly (the device is in a unit nested at any level within the specified unit); or the device or its owner is a member of an Active Directory security group.
- The client device belongs to a specified owner, or the owner of the device is included in an internal security group of Kaspersky Security Center.
- The owner of the client device has been assigned a specified role.
Policies in the hierarchy of administration groups
If you create a policy in a lower-level administration group, the new policy inherits all profiles of the active policy from the higher-level group. Profiles with identical names are merged. Policy profiles from the higher-level group have the higher priority. For example, in administration group A, policy P(A) has profiles X1, X2, and X3 (in descending order of priority). In administration group B, a subgroup of group A, policy P(B) has been created with profiles X2, X4, and X5. Policy P(B) is then merged with policy P(A), so that the list of profiles in policy P(B) becomes: X1, X2, X3, X4, X5 (in descending order of priority). The priority of profile X2 depends on the initial state of X2 in policy P(B) and X2 in policy P(A). After policy P(B) is created, policy P(A) is no longer displayed in subgroup B.
The active policy is recalculated every time Network Agent starts, offline mode is enabled or disabled, or the list of tags assigned to the client device is edited. For example, if the RAM size of a device has been increased, that change in turn activates the policy profile that applies to devices with a large RAM size.
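The priority rules, the activation conditions, and the merge of a parent policy's profiles into a child policy described above can be hard to reason about when several profiles match one device at once. The following model, added here as an illustration and not code from Kaspersky Security Center, simulates that behaviour on constructed sample data: it reproduces the P(A)/P(B) example (X1, X2, X3 merged with X2, X4, X5) and the courier scenario. Where the page leaves a detail unspecified, the code states its assumption in a comment: that the conditions inside one activation rule are combined with AND, and that a same-named profile keeps the parent's position and activation rule while the child's setting values override the parent's within that profile. The setting names, tags, roles, and organizational-unit paths are invented for the example.

```python
from dataclasses import dataclass, field, replace


@dataclass
class Device:
    """Device attributes that activation rules can test (constructed sample data)."""
    tags: set = field(default_factory=set)
    offline: bool = False
    ad_unit_path: tuple = ()              # nested OU path, e.g. ("Corp", "Sales", "West")
    owner_roles: set = field(default_factory=set)


@dataclass
class Profile:
    """A named set of setting overrides plus its activation rule.
    Only a subset of the documented condition types is modelled, and the
    conditions are assumed to be combined with AND (the page does not say)."""
    name: str
    settings: dict
    required_tags: set = field(default_factory=set)   # device must carry all of these
    require_offline: bool = False                     # device must be offline
    ad_unit: tuple = ()                               # device must be in or under this OU
    owner_roles: set = field(default_factory=set)     # owner must hold any of these

    def is_active(self, device: Device) -> bool:
        if self.required_tags and not self.required_tags <= device.tags:
            return False
        if self.require_offline and not device.offline:
            return False
        # Implicit membership: the device's OU path starts with the rule's OU path.
        if self.ad_unit and device.ad_unit_path[:len(self.ad_unit)] != self.ad_unit:
            return False
        if self.owner_roles and not (self.owner_roles & device.owner_roles):
            return False
        return True


def merge_profiles(parent: list, child: list) -> list:
    """Build the child policy's profile list: the parent's profiles come first
    (higher priority), same-named profiles are merged, and the child's own
    profiles follow in their original order.
    Assumption: a merged profile keeps the parent's position and activation
    rule, and the child's setting values override the parent's within it."""
    child_by_name = {p.name: p for p in child}
    merged = []
    for p in parent:
        c = child_by_name.pop(p.name, None)
        if c is None:
            merged.append(p)
        else:
            merged.append(replace(p, settings={**p.settings, **c.settings}))
    merged.extend(p for p in child if p.name in child_by_name)
    return merged


def effective_settings(policy: dict, profiles: list, device: Device):
    """Return (settings, active_profile_names). Active profiles are applied from
    lowest to highest priority, so the highest-priority active profile has the
    final word on every setting it defines; settings no profile touches keep
    the policy's own value."""
    result = dict(policy)
    active = [p for p in profiles if p.is_active(device)]
    for p in reversed(active):
        result.update(p.settings)
    return result, [p.name for p in active]


# Constructed sample: policy values plus P(A) with X1..X3 and P(B) with X2, X4, X5.
POLICY = {"gps_software": "blocked", "update_interval_min": 60}
PARENT_PROFILES = [
    Profile("X1", {"update_interval_min": 15}, required_tags={"Laptop"}, require_offline=True),
    Profile("X2", {"gps_software": "allowed"}, required_tags={"Courier"}),
    Profile("X3", {"update_interval_min": 120}, ad_unit=("Corp", "Sales")),
]
CHILD_PROFILES = [
    Profile("X2", {"update_interval_min": 30}, required_tags={"Courier"}),
    Profile("X4", {"gps_software": "audit"}, owner_roles={"Field"}),
    Profile("X5", {"update_interval_min": 240}, require_offline=True),
]


def resolve(device: Device):
    """Effective settings for a device in the child administration group B."""
    return effective_settings(POLICY, merge_profiles(PARENT_PROFILES, CHILD_PROFILES), device)


if __name__ == "__main__":
    courier = Device(tags={"Courier"}, offline=True,
                     ad_unit_path=("Corp", "Sales", "West"), owner_roles={"Field"})
    print(resolve(courier))
```

For the courier device, X2, X3, X4 and X5 are all active at once; X2 sits highest in the merged list, so its values for both settings win even though X3 and X5 also set the update interval and X4 also sets the GPS setting. A device in the Sales unit without the "Courier" tag is matched only by X3, X4 and X5, and X3 beats X5 on the update interval, while a device matched by no profile keeps the policy's own values.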
Properties and restrictions of policy profiles
Profiles have the following properties:
- Profiles of an inactive policy have no impact on client devices.
- If a policy is set to the Out-of-office policy status, profiles of the policy will also be applied when a device is disconnected from the corporate network.
- Profiles do not support static analysis of access to executable files.
- A policy profile cannot contain any settings of event notifications.
- If UDP port 15000 is used for connecting a device to Administration Server, the corresponding policy profile is activated within one minute after you assign a tag to the device.
- You can use rules for Network Agent connection to the Administration Server when you create policy profile activation rules.