Policy setup and propagation: Device-centric approach
This section provides a scenario for a device-centric approach to the centralized configuration of Kaspersky applications installed on managed devices. When you complete this scenario, the applications will be configured on all of the managed devices in accordance with the application policies and policy profiles that you define.
You might also want to consider user-centric security management as an alternative or additional option to the device-centric approach.
Process
The scenario of device-centric management of Kaspersky applications consists of the following steps:
- Configuring application policies
Configure settings for Kaspersky applications installed on the managed devices by creating a policy for each application. The set of policies will be propagated to the client devices.
When you configure the protection of your network in quick start wizard, Kaspersky Security Center Cloud Console creates the default policy for Kaspersky Endpoint Security for Windows. If you completed the configuration process by using this wizard, you do not have to create a new policy for this application. Proceed to the manual setup of Kaspersky Endpoint Security policy.
If you have a hierarchical structure of several administration groups, the child administration groups inherit the policies from the primary Administration Server by default. You can force the inheritance by the child groups to prohibit any modifications of the settings configured in the upstream policy. If you want only part of the settings to be forcibly inherited, you can lock them in the upstream policy. The remaining unlocked settings will be available for modification in the downstream policies. The created hierarchy of policies will allow you to effectively manage devices in the administration groups.
How-to instructions: Creating a policy
- Creating policy profiles (optional)
If you want devices within a single administration group to run under different policy settings, create policy profiles for those devices. A policy profile is a named subset of policy settings. This subset is distributed on target devices together with the policy, supplementing it under a specific condition called the profile activation condition. Profiles only contain settings that differ from the "basic" policy, which is active on the managed device.
By using profile activation conditions, you can apply different policy profiles, for example, to the devices located in a specific unit or security group of Active Directory, having a specific hardware configuration, or marked with specific tags. Use tags to filter devices that meet specific criteria. For example, you can create a tag called Windows, mark all devices running Windows operating system with this tag, and then specify this tag as an activation condition for a policy profile. As a result, Kaspersky applications installed on all devices running Windows will be managed by their own policy profile.
How-to instructions:
- Propagating policies and policy profiles to the managed devices
Kaspersky Security Center Cloud Console automatically synchronizes the Administration Server with the managed devices several times per hour. During the synchronization, the new or changed policies and policy profiles are propagated to the managed devices. You can circumvent auto-synchronization and run the synchronization manually by using the Force synchronization command. When synchronization is complete, the policies and policy profiles are delivered and applied to the installed Kaspersky applications.
You can check whether the policies and policy profiles were delivered to a device. Kaspersky Security Center Cloud Console specifies the delivery date and time in the properties of the device.
How-to instructions: Forced synchronization
Results
When the device-centric scenario is complete, the Kaspersky applications are configured according to the settings specified and propagated through the hierarchy of policies.
The configured application policies and policy profiles will be applied automatically to the new devices added to the administration groups.