Policy Management
Key Terms
• Cabinet – The highest-level container in a folder tree. A policy cannot be assigned to a cabinet.
• Folder – Organizational structure within a cabinet
• Policy – A group of defined settings assigned to endpoints
• Policy Object – A single setting group within a policy
• View – Filter used to display/control machines based on specific criteria (OS, IP range, applications installed, etc.)

Key Terms (continued)
• Compliance – Determines whether settings applied to an endpoint are equal to the settings defined within the applied policies
• Manual Override – Changing a setting within a module directly where that setting is defined within an assigned policy
• Combining Policy Objects – When defined in more than one policy, these objects are all added to the endpoint
• Conflicting Policy Objects – When defined in more than one policy, rules dictate which setting “wins”
Policy Management: Systems Management Tool
Systems Management Tool
• The Systems Management tab provides a setup wizard which enables admins to quickly configure and apply machine management policies for a specific organization. Once configured, these policies are assigned to each machine managed on behalf of that organization.
• Machine Groups inherit settings of their parent organization. Therefore, to configure all clients within a single organization to use the same settings, you need only define the settings at the highest level for that organization.
• Customize settings for machine groups within an organization by completing the wizard for the individual group(s).

Systems Management Tool
If you choose to enable Workstation Patch and Update Management, you must define a credential and password.

Systems Management Tool
Click Finish to commit the changes.

Systems Management Tool
• Once the wizard completes, the content will be downloaded (if not already present) from Kaseya to the VSA.
• Installs pre-defined content. To differentiate Content Pack Views from ones created by VSA admins, all Kaseya-provided View content has a prefix of “zz[SYS]”.

Systems Management Tool
• Managed Monitor Set content is visible within the System cabinet on the Monitor > Monitor Sets page.

Systems Management Tool
• Managed Agent Procedure content is visible within the System cabinet on the Agent Procedure > Schedule/Create page.

Systems Management Tool
• Managed Policy content is visible within the System cabinet on the Policy Management > Policies page.

Systems Management Tool
• Content within the System cabinet should not be edited
• To customize System content, copy the policy, monitor set, or agent procedure to a Private or Shared folder
• Apply a policy based on customized System content to an individual machine or group to take precedence over the System content
Policy Management: Creating Policies
Creating and Managing Policies
• Create a manageable folder structure – by function or by client/org
• Create Views specific to policy
• Specific machine types (i.e., by OS, by application, server v. workstation, etc.)
• Any changes to Views may impact endpoints – ensure Views are edited accurately
• Creating Policy-specific Views can help minimize accidental changes to Views in use by Policy
• Example: ExchangeServer Policy-ExchangeServer
• Policy Mgmt > Policies > Add Policy
• Select and configure desired policy objects
• Select View to define which endpoint should receive the policy

Creating and Managing Policies - Save v. Save and Apply
• Save: Saves the changes to the policy. Policies are in a pending state. No changes are applied to endpoints.
• A policy that is saved but NOT applied will appear with a yellow scroll icon on the Policies page.
• A policy that has no View associated will appear with a red scroll icon on the Organization/Machine Group page.
• Save and Apply: Saves changes to the policy and applies the changes to the endpoints
• Apply Now: Apply the changes to all affected endpoints immediately. Can cause some performance issues, depending on overall workload of server.
• Allow scheduler to apply: Changes will be applied at next deployment interval
Policy Management: Policy Precedence
Policy Precedence – Who Wins?
• Multiple policies can be assigned to a single endpoint
• Some policy objects will be combined and some will conflict
• Rules determine which policy will “win” when there is a conflict

Policy Precedence - Combine
Which policy objects combine?
• Monitor Sets
• Agent Procedures
• Event Log Alerts
• Distribute Files
When more than one policy is applied to a machine, and each policy defines the above objects, the endpoint will receive ALL of the defined combinable objects.

Policy Precedence - Combine Example
PolicyA defines two Agent Procedures. PolicyB defines different Procedures. PolicyA and PolicyB are assigned to the same endpoint, workstation1.

Policy Precedence - Combine Example (continued)
• When the policies are applied to workstation1, all four Procedures are assigned.
• Note: If the same procedure is scheduled in both policies, each with different schedules, policy precedence rules will determine which procedure schedule will be applied to the endpoint
• For combinable objects, Policy Mgmt will use the same logic as the module. If the module allows the same object to be assigned multiple times to the same endpoint, all settings will be passed to the endpoint. If the module allows only ONE setting per machine for the selected object, policy precedence rules will be followed.

Policy Precedence - Conflict
• Remaining Policy Objects conflict
• When a conflict exists, the winning object is determined based on precedence. The more closely the policy is assigned to the machine level, the more precedence the policy has.
• Possible layers are: Global, Org, Parent Group, Child Group (including nested child groups), Machine

Policy Precedence - Conflict
• A policy assigned at the Global level will apply to all endpoints
• A policy applied at the Org level will apply to all endpoints within the org. Any conflicting Global objects will be overwritten with the settings in policies applied at the Org level
• A policy applied at the Parent Group level will apply to all endpoints in the group. Any conflicting objects applied at the Global or Org level will be overwritten with settings in the policies applied at the Group level
• Child-group policies will overwrite any conflicts from global, org, or parent group policies
• Policies assigned directly to an endpoint will win over conflicting settings at the higher levels.
Handling Conflicts
[Table: columns Global, Org, Group, Machine, and Effective Settings; policy objects shown: Credential, Agent Menu, Log History, Working Directory, File Source, LAN Cache, Patch Reboot Action, Remote Control]
Policies Assignment Rules
• Multiple policies can be assigned to any organization or machine group or machine.
• A machine with multiple policies assigned to it has conflicting policies when both specify the same policy type.
• Multiple policies are not in conflict if different policy types are specified.
• The following policy types combine with each other so that no conflicts occur.
• Event log alerts, distribute files, monitor sets, and agent procedures.
• Policies are assigned by organization/machine group using the Organizations/Machine Groups page.
• Policies assigned to a lower level in an organization hierarchy have precedence over policies assigned to a higher level in the same organization hierarchy.
• Unless a lower level policy conflicts with it, policies assigned to a level apply to all lower levels.
• When multiple policies are assigned to the same organization or machine group, the assigned policies have precedence in the order listed.
• Policies can be assigned by machine using the Machines page.
• Policies assigned by machine have precedence over all policies assigned to that machine by organization/machine group.
• Policies assigned by machine have precedence in the order listed.
• All policy assignments can be overridden by changing agent settings manually throughout the VSA.
• Manual changes have precedence over all policy assignments.
• A policy can be associated with a view definition in the Policies page.
• When a machine is assigned to a policy by organization or by machine group, an associated view filters the machines associated with a policy. If a machine is not a member of the view definition, then the policy will not be propagated to that machine.
• When a machine is assigned to a policy by machine, then the view associated with a policy is ignored and the policy will be propagated to that machine.
• Associating a policy with a view does not, by itself, assign a policy to any machine.
• The order of precedence for views depends on the policies they are associated with.
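
The assignment rules above, worked through on one endpoint. This Python model is an added example, not Kaseya VSA code: the layer names, `effective_settings`, and the sample policies are constructed for illustration, and it assumes a view on a Global assignment filters the same way as one on an org or group assignment.

```python
# Added illustration: a simplified model of the precedence rules above,
# not Kaseya VSA code. Names and sample data are constructed.
LAYER_RANK = {"global": 0, "org": 1, "parent_group": 2, "child_group": 3, "machine": 4}
COMBINABLE = {"monitor_sets", "agent_procedures", "event_log_alerts", "distribute_files"}

def effective_settings(machine, assignments, manual_overrides=None):
    """Each assignment: layer, order (0 = top of list), policy, view, objects."""
    applicable = [
        a for a in assignments
        # A view filters org/group assignments (global is treated the same way
        # here, an assumption); a policy assigned by machine ignores its view.
        if a["layer"] == "machine" or a["view"] is None or a["view"](machine)
    ]
    # Strongest first: layer closest to the machine, then highest in the list.
    applicable.sort(key=lambda a: (-LAYER_RANK[a["layer"]], a["order"]))
    effective = {}
    for a in applicable:
        for obj, value in a["objects"].items():
            if obj in COMBINABLE:  # combinable types accumulate from every policy
                entry = effective.setdefault(obj, {"value": [], "source": []})
                entry["value"] += [v for v in value if v not in entry["value"]]
                entry["source"].append(a["policy"])
            elif obj not in effective:  # conflicting types: strongest policy wins
                effective[obj] = {"value": value, "source": a["policy"]}
    # Manual changes have precedence over all policy assignments.
    for obj, value in (manual_overrides or {}).items():
        effective[obj] = {"value": value, "source": "manual override"}
    return effective

def is_server(m):
    return m["role"] == "server"

ASSIGNMENTS = [  # constructed sample assignments
    {"layer": "org", "order": 0, "policy": "OrgBaseline", "view": None,
     "objects": {"credential": "org-default", "remote_control": "ask-user",
                 "monitor_sets": ["disk-space"]}},
    {"layer": "org", "order": 1, "policy": "OrgLegacy", "view": None,
     "objects": {"remote_control": "silent"}},
    {"layer": "child_group", "order": 0, "policy": "ServerHardening",
     "view": is_server, "objects": {"remote_control": "deny"}},
    {"layer": "machine", "order": 0, "policy": "Kiosk", "view": is_server,
     "objects": {"agent_menu": "hidden", "monitor_sets": ["cpu"]}},
]
WORKSTATION1 = {"name": "workstation1", "role": "workstation"}
SERVER1 = {"name": "server1", "role": "server"}

if __name__ == "__main__":
    for obj, entry in sorted(effective_settings(WORKSTATION1, ASSIGNMENTS).items()):
        print(obj, entry)
```

Each result carries the policy it came from, which is the information needed when reviewing why an endpoint ended up with a weaker setting than the baseline intended.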
Assigning Policies by Org/Group
• Assign policies to organizations or groups by dragging individual policies or folders to the org
• When assigning folders, all policies within the folder will be assigned
Drag folder from Policy list… …to an organization

“Higher” v. “Lower” precedence
• Order the policies/folders based on the precedence you want applied. The higher in the list, the higher the precedence.
Precedence determines which policy “wins” when a conflict is present.
If a policy in the Global Policies folder conflicts with a policy in the Windows Workstation… folder, precedence rules dictate the settings in the Global Policies folder will “win” because it appears higher in the assignment list.

“Higher” v. “Lower” precedence - Ordering Policies
• Drag/Drop assigned items to re-order the list. The lower in the list, the lesser the precedence.
With the reordering, all policies within the Windows Workstation… folder will take precedence over policies in the Global Policies folder.

Applying Policies to Machines
• Policy > Machines allows you to assign a policy to an endpoint directly
• When a policy is assigned directly to an endpoint, View settings are ignored
• Precedence rules apply
• Policies assigned directly to endpoint will take precedence over policies applied at the group, org, or global level
• Machine-assigned policies can be ordered to determine precedence

Use this field to filter by policy name
Or select the policy from the cabinet/folder tree
Policies are listed in order of precedence. The higher in the list, the higher the precedence.

Matrix Detail - What exactly is applied?
Hover over policy icon to reveal the matrix detail

Matrix Detail - Machine Effective Policy Settings
Policy Object name, enabled on the Policies page Policy Name Setting Actual Configuration

Unassigning Policies
• Change View settings
• Remove from Org/Machine Group
• Remove from endpoint
• Disable Systems Management Tool
• Unassigning policies does not remove the setting from the endpoint. It only disables the centralized management of settings by policy
• To remove the settings from the endpoint, visit the individual Module pages and manually clear settings.
Policy Management: Settings
Policy Management > Settings
• Deployment Interval: Frequency to apply policy settings to endpoints after changes/edits to policies
• Changes to endpoints based on VIEW membership occur via a backend process that runs once per hour
• Compliance Check: Frequency of verification of settings assigned to endpoints as compared to settings defined by applied policies. Manual overrides are detected during compliance checks.
Policy Management: New Features in 6.3
Organization Credentials
• Audit > Manage Credentials
• Define a credential for all machines within the selected organization
• Created by Systems Management tool (if Patch function enabled) or can be manually defined by an admin
• Policy can leverage this credential
• Allows admin to use single policy with Agent Credential object defined for multiple organizations/clients

Using Organization Credentials
• Enable the policy object Credential
• Check “Use organization defaults”
• The credential defined in Audit > Manage Credentials will be used
• This policy can be shared by multiple orgs
• At this time, Policy is the only function that leverages the org credential

New 6.3 Policy Functions
• Support for add-on modules such as KAM, KAV, KES, KDPM
• LAN Cache assignment
• LAN Cache must be created on host machine via Agent > LAN Cache
• LAN Cache Assignment is separate from File Source. LAN Cache can be used as the patch file source, but assigning only the LAN cache policy object will NOT configure the Patch File Source object.
• Remote Control Session Terminate messages

New 6.3 Policy Functions
• Agent Procedure schedule can be edited
• “Exclude Time” is no longer enabled by default in scheduler
• Patch schedules will combine if one policy defines Scan schedule and second policy defines Update schedule
• Effective Machine Policy Settings
• Audit and Patch schedules can be set to “None” to prevent schedule settings from two policies from merging
New Policy Object Functions - Merging Schedules
• PolicyA defines Scan schedule.
• PolicyB defines Update schedule.
• If both policies are applied to a single endpoint, the endpoint will combine these two functions

New Policy Object Functions - Merging Schedules
• To prevent this combining, set the blank schedule to “None”.
• When PolicyA and PolicyB are assigned to the endpoint, the Scan schedule will be left undefined (provided the policy defined above is the “winning” policy).
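
The difference between a blank schedule and one set to “None” decides whether an endpoint is scanned at all, so it is worth checking per endpoint. This Python model is an added example, not VSA code: the function names, schedule strings, and the policy named PolicyB-none are constructed, and it assumes each schedule field is resolved separately in precedence order.

```python
# Added illustration: models the schedule merge described above; not VSA code.
# Policy names, schedules and endpoints are constructed sample data.
FIELDS = ("scan", "update")

def effective_patch_schedule(policies):
    """policies: strongest first. A field absent from a policy is blank and
    falls through; the string "None" stops the search and leaves it undefined."""
    result = {}
    for field in FIELDS:
        result[field] = {"schedule": None, "source": None}
        for p in policies:
            if field not in p["patch"]:
                continue  # blank: a weaker policy may still supply this field
            value = p["patch"][field]
            result[field] = {"schedule": None if value == "None" else value,
                             "source": p["name"]}
            break
    return result

def undefined_schedules(endpoints):
    """Report (endpoint, field, reason) for every schedule left undefined."""
    findings = []
    for name, policies in sorted(endpoints.items()):
        for field, entry in effective_patch_schedule(policies).items():
            if entry["schedule"] is None:
                reason = (f'set to "None" by {entry["source"]}' if entry["source"]
                          else "not defined by any policy")
                findings.append((name, field, reason))
    return findings

POLICY_A = {"name": "PolicyA", "patch": {"scan": "daily 02:00"}}
POLICY_B = {"name": "PolicyB", "patch": {"update": "weekly Sun 03:00"}}
POLICY_B_NONE = {"name": "PolicyB-none",
                 "patch": {"scan": "None", "update": "weekly Sun 03:00"}}
ENDPOINTS = {
    "workstation1": [POLICY_B, POLICY_A],        # blank scan: schedules merge
    "workstation2": [POLICY_B_NONE, POLICY_A],   # "None" wins: scan undefined
    "workstation3": [POLICY_A],                  # no policy defines update
}

if __name__ == "__main__":
    for finding in undefined_schedules(ENDPOINTS):
        print(finding)
```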
Additional New Features - Sharing Policy Content
• Cabinet contents can be shared with variable rights
Right Click on Folder, then click “Share”

Additional New Features - Sharing Policy Content
• When share permissions are granted on a folder, all contents of the folder inherit the permissions of the parent folder
• Permissions can only be granted at folder levels
• Contents of the System Cabinets are visible to Master admins only (for SaaS customers, the equivalent is “System” role)