Assigning policies

Endpoints are initially assigned with the default policy. Once you have defined the necessary policies in the Policies page, you can assign them to endpoints.

Assign policies

You can assign policies in two ways:

  • Device-based assignment, meaning that you manually select the target endpoints to which you assign the policies. These policies are also known as device policies.

  • Rule-based assignment, meaning that a policy is assigned to a managed endpoint if the network settings on the endpoint match the given conditions of an existing assignment rule.

Note

You can assign only policies created by you. To assign a policy created by another user, you have to clone it first in the Policies page.

Assigning device policies

In GravityZone, you can assign policies in multiple ways:

  • Assign the policy directly to the target.

  • Assign the policy of the parent group through inheritance.

  • Force policy inheritance to the target.

By default, each endpoint or group of endpoints inherits the policy of the parent group. If you change the policy of the parent group, all descendants are affected, except those with an enforced policy.

To assign a device policy:

  1. Go to the Network page.

  2. Select the target endpoints. You can select one or several endpoints or groups of endpoints.

  3. Click the Assign Policy button at the upper side of the table, or select the Assign Policy option from the contextual menu.

    The Policy Assignment page is displayed.

  4. Check the table with target endpoints. For each endpoint, you can view:

    • The assigned policy.

    • The parent group from which the target inherits the policy, where applicable.

      If the group is enforcing the policy, you can click its name to view the Policy Assignment page with this group as target.

    • The enforcement status.

      This status shows whether the target is forcing policy inheritance or is forced to inherit the policy.

      Notice the targets with an enforced policy (Is forced status). Their policies cannot be replaced. In such a case, a warning message is displayed.

  5. In case of warning, click the Exclude these targets link to continue.

  6. Choose one of the available options to assign the policy:

    • Assign the following policy template – to appoint a specific policy directly to the target endpoints.

    • Inherit from above – to use the policy of the parent group.

  7. If you chose to assign a policy template:

    1. Select the policy from the drop-down list.

    2. Select Force policy inheritance to child groups to achieve the following:

      • Assign the policy to all descendants of the target groups, with no exception.

      • Prevent changing it from elsewhere lower in the hierarchy.

      A new table displays recursively all affected endpoints and groups of endpoints, together with the policies that will be replaced.

  8. Click Finish to save and apply changes. Otherwise, click Back or Cancel to return to the previous page.

When finished, policies are pushed to target endpoints immediately. Settings should be applied on endpoints in less than a minute (provided they are online). If an endpoint is not online, settings will be applied as soon as it gets back online.

To check if the policy was successfully assigned:

  1. In the Network page, click the name of the endpoint you are interested in. Control Center will display the Information window.

  2. Check the Policy section to view the status of the current policy. It must show Applied.

Another method to check the assignment status is from the policy details:

  1. Go to the Policies page.

  2. Find the policy you assigned.

    In the Active/Applied/Pending column, you can view the number of endpoints for each of the three statuses.

  3. Click any number to view the list of endpoints with the respective status in the Network page.

Assigning rule-based policies

The Policies > Assignment Rules page enables you to define assignment rules for policies, for a specific location. For example, you can apply more restrictive firewall rules if the user connects to the internet from outside the company or you can define different frequencies for on-demand tasks when outside the company.

This is what you need to know about assignment rules:

  • Endpoints can have only one active policy at a time.

  • A policy applied through a rule will overwrite the device policy set on the endpoint.

  • If none of the assignment rules is applicable, then the device policy is applied.

  • Rules are ordered and processed by priority, with 1 being the highest. You may have several rules for the same target.

    In such a case, the first rule that matches the active connection settings on the target endpoint applies.

Important

Make sure you consider sensitive settings such as exclusions, communication or proxy details when creating rules.

As a best practice, use policy inheritance so that the critical settings of the device policy are also kept in the policy used by assignment rules.

To create a new rule:

  1. Go to the Assignment Rules page.

  2. Click the Add button at the upper side of the table.

  3. Select Location Rule.

  4. Configure the rule settings as needed.

  5. Click Save to save the changes and apply the rule to target endpoints of the policy.

To change the settings of an existing rule:

  1. In the Assignment Rules page, find the rule you are looking for and click its name to edit it.

  2. Configure the rule settings as needed.

  3. Click Save to apply the changes and close the window. To leave the window without saving changes, click Cancel.

If you no longer want to use a rule, select the rule and click the Delete button at the upper side of the table. Click Yes to confirm your action.

To make sure the latest information is being displayed, click the Refresh button at the upper side of the table.

Configuring location rules

A location is a network segment identified by one or several network settings, such as a specific gateway, a specific DNS server used to resolve URLs, or a subset of IP addresses. For example, you can define locations such as the company’s LAN, the server farm or a department.

In the rule configuration window, follow these steps:

  1. Enter a descriptive name and a description for the rule you want to create.

  2. Set the priority of the rule. The rules are ordered by priority, with the first rule having the highest priority. The same priority cannot be assigned to more than one rule.

  3. Select the policy for which you create the assignment rule.

  4. Define the locations to which the rule applies.

    1. Select the type of the network settings from the menu at the upper side of the Locations table. These are the available types (Type – Value):

      • IP/network prefix – Specific IP addresses in a network or sub-networks. For sub-networks, use the CIDR format.

        For example: 10.10.0.12 or 10.10.0.0/16

      • WINS server address – IP address of the WINS server.

        Important

        This option does not apply on Linux and Mac systems.

      • DNS server address – IP address of the DNS server.

      • DHCP connection DNS suffix – DNS name without the hostname for a specific DHCP connection.

        For example: hq.company.biz

      • Endpoint can resolve host – Hostname.

        For example: fileserv.company.biz

      • Network type – Wireless/Ethernet. When choosing Wireless, you can also add the network SSID.

        Important

        This option does not apply on Linux and Mac systems.

      • Hostname – Hostname.

        For example: cmp.bitdefender.com

        Important

        You can also use wildcards. The asterisk (*) substitutes for zero or more characters and the question mark (?) substitutes for exactly one character. Examples:

        *.bitdefender.com

        cmp.bitdefend??.com

    2. Enter the value for the selected type. Where applicable, you can enter multiple values in the dedicated field, separated by semicolon (;) and without additional spaces. For example, when you enter 10.10.0.0/16;192.168.0.0/24, the rule applies to target endpoints with the IPs matching ANY of these sub-networks.

      Warning

      You can use only one network setting type per location rule. For example, if you added a location using the IP/network prefix, you cannot use this setting again in the same rule.

    3. Click the Add button at the right side of the table.

    The network settings on endpoints must match ALL provided locations, for the rule to apply to them. For example, to identify the office LAN network you can enter the gateway, network type and DNS; furthermore, if you add a sub-network, you identify a department within the company’s LAN.

    Click the Value field to edit the existing criteria and then press Enter to save changes.

    To remove a location, select it and click the Delete button.

  5. You may want to exclude certain locations from the rule. To create an exclusion, define the locations to be excepted from the rule:

    1. Select the Exclusions check box under the Locations table.

    2. Select the type of the network settings from the menu at the upper side of the Exclusions table. You have the same options as in the Location table.

    3. Enter the value for the selected type. You can enter multiple values in the dedicated field, separated by semicolon (;) and without additional spaces.

    4. Click the Add button at the right side of the table.

    The network settings on endpoints must match ALL conditions provided in the Exclusions table, for the exclusion to apply.

    Click the Value field to edit the existing criteria and then press Enter to save changes.

    To remove an exclusion, click the Delete button at the right side of the table.

  6. Click Save to save the assignment rule and apply it.

    Once created, the location rule automatically applies to all target endpoints that are managed.

Configuring user rules

Important

  • You can create user rules only if an Active Directory integration is available.

  • You can define user rules only for Active Directory users and groups. Rules based on Active Directory groups are not supported on Linux systems.

In the rule configuration window, follow these steps:

  1. Enter a descriptive name and a description for the rule you want to create.

  2. Set the priority. The rules are ordered by priority, with the first rule having the highest priority. The same priority cannot be assigned to more than one rule.

  3. Select the policy for which you create the assignment rule.

  4. In the Targets section, select the users and security groups you want the policy rule to apply to. You can view your selection in the table on the right.

  5. Click Save.

    Once created, the user-aware rule applies to managed target endpoints at user login.