Policy setup and propagation: User-centric approach
Oct 23, 2023
This section describes the scenario of user-centric approach to the centralized configuration of Kaspersky applications installed on the managed devices. When you complete this scenario, the applications will be configured on all of the managed devices in accordance with the application policies and policy profiles that you define.
You might also want to consider device-centric security management as an alternative or additional option to the user-centric approach. Learn more about two management approaches.
The scenario of user-centric management of Kaspersky applications consists of the following steps:
- Configuring application policies
Configure settings for Kaspersky applications installed on the managed devices by creating a policy for each application. The set of policies will be propagated to the client devices.
When you configure the protection of your network in quick start wizard, Kaspersky Security Center Cloud Console creates the default policy for Kaspersky Endpoint Security. If you completed the configuration process by using this wizard, you do not have to create a new policy for this application. Proceed to the manual setup of Kaspersky Endpoint Security policy.
If you have a hierarchical structure of several administration groups, the child administration groups inherit the policies from the primary Administration Server by default. You can force the inheritance by the child groups to prohibit any modifications of the settings configured in the upstream policy. If you want only part of the settings to be forcibly inherited, you can lock them in the upstream policy. The remaining unlocked settings will be available for modification in the downstream policies. The created hierarchy of policies will allow you to effectively manage devices in the administration groups.
How-to instructions: Creating a policy
- Specifying owners of the devices
Assign the managed devices to the corresponding users.
How-to instructions: Assigning a user as a device owner
- Defining user roles typical for your enterprise
Think about different kinds of work that the employees of your enterprise typically perform. You must divide all employees in accordance with their roles. For example, you can divide them by departments, professions, or positions. After that you will need to create a user role for each group. Keep in mind that each user role will have its own policy profile containing application settings specific for this role.
- Creating user roles
Create and configure a user role for each group of employees that you defined at the previous step or use the predefined user roles. The user roles will contain set of rights of access to the application features.
How-to instructions: Creating a user role
- Defining the scope of each user role
For each of the created user roles, define users and/or security groups and administration groups. Settings associated with a user role apply only to devices that belong to users who have this role, and only if these devices belong to groups associated with this role, including child groups.
How-to instructions: Editing the scope of a user role
- Creating policy profiles
Create a policy profile for each user role in your enterprise. The policy profiles define which settings will be applied to the applications installed on users' devices depending on the role of each user.
How-to instructions: Creating a policy profile
- Associating policy profiles with the user roles
Associate the created policy profiles with the user roles. After that: the policy profile becomes active for a user that has the specified role. The settings configured in the policy profile will be applied to the Kaspersky applications installed on the user's devices.
How-to instructions: Associating policy profiles with roles
- Propagating policies and policy profiles to the managed devices
Kaspersky Security Center Cloud Console automatically synchronizes the Administration Server with the managed devices several times per hour. During the synchronization, the new or changed policies and policy profiles are propagated to the managed devices. You can circumvent auto-synchronization and run the synchronization manually by using the Force synchronization command. When synchronization is complete, the policies and policy profiles are delivered and applied to the installed Kaspersky applications.
You can check whether the policies and policy profiles were delivered to a device. Kaspersky Security Center Cloud Console specifies the delivery date and time in the properties of the device.
How-to instructions: Forced synchronization
When the user-centric scenario is complete, the Kaspersky applications are configured according to the settings specified and propagated through the hierarchy of policies and policy profiles.
For a new user, you will have to create a new account, assign the user one of the created user roles, and assign the devices to the user. The configured application policies and policy profiles will be automatically applied to the devices of this user.