This module will provide information on the purpose of policies, along with how to create and edit
policy objects in the policy catalog. Students will be able to manage policy configuration and
assignment and validate policy inheritance.
A policy is a collection of settings that relate to the configuration of each product that can be
managed with ePO. It determines how a product behaves on managed systems and keeps the managed
security software configured and performing as intended; for example, if end users disable
anti-virus scanning, you can set a policy that re-enables scanning at the policy enforcement interval
(five minutes by default).
Some policy settings are the same as the settings configured in the interface of the product installed
on the managed system. Other policy settings are the primary interface for configuring the product or
component.
ePO lets you configure policy settings for all products and systems from a central location, known
as the Policy Catalog. From the Policy Catalog you can view, create, duplicate, delete, and rename
policies. You can also import and export policies from here, and view policy assignments.
The Policy Catalog is accessed by clicking the Policy Catalog icon on the navigation bar or Menu >
Policy > Policy Catalog.
After the product extension has been checked in, policies can be created for that product regardless
of whether it has been deployed to client machines yet. Creating and assigning policy before product
installation ensures that products behave as expected immediately upon installation, rather than
waiting for policy to be applied after installation.
You can create a new policy from the Policy Catalog by clicking the button at the top left-hand side of
the Policy Catalog page labeled New Policy. This allows you to base the new policy on a duplicate of
an existing policy object. Policies created here are by default not assigned to any groups or systems.
When you create a policy here, you are adding a custom policy to the Policy Catalog. You can create
policies before or after a product is deployed.
In addition to specifying how the policy obtains its initial configuration, you must specify the name.
After the policy is created, you can change inheritance and any configuration contained within the
policy.
To create a new policy:
1. Click Menu on the navigation bar. Select Policy Catalog within the Policy section.
2. Select the Product and Category from the drop-down lists. All created policies for the selected
category appear in the details pane.
3. Click Actions > New Policy. The Create New Policy dialog appears.
4. Select the policy you want to duplicate from the Create a policy based on this existing policy
drop-down list. Type a name for the new policy and click OK. The Policy Settings wizard opens.
5. Edit the policy settings on each tab, as needed.
6. Click Save.
Duplicating Policies
You can create a new policy from the Policy Catalog by copying an existing policy and modifying its
configuration. Clicking the Duplicate link provided for any policy on the Policy Catalog page creates a
copy of the policy object. After naming the object, you can edit the policy settings for the new policy
object to meet your requirements by clicking on the policy name, which brings you to the Edit page.
Editing Policies
Policies can be edited in two locations. One location is in the Policy Catalog where you can click on
the blue hyperlink of the policy name. Policies can also be edited by clicking the hyperlink name of
the policy in the System Tree. This will open the policy viewing or policy editing dialog depending on
the policy and the rights of the user accessing it.
All policy objects other than the McAfee Default policy objects may be edited, again by clicking the
hyperlink of the policy name. The policy viewing and editing screen can be opened from the Policy
Catalog tab or from any node within the ePO System Tree where the policy is assigned. When
validating policy assignment, it is best to find the machine in question in the System Tree and go to
its Assigned Policies tab. This shows you for certain which policies should be applied to the
machine.
Some policies may be read-only if you do not have permission to change them. The McAfee Default
policies are always read-only and can only be duplicated. The Policy Edit page indicates if the
policy you are viewing is read-only.
To rename a policy:
1. Click the Policy Catalog icon on the navigation bar. The Policy Catalog page opens.
2. Select the Product and Category from the drop-down lists. All created policies for the
selected category appear in the details pane.
3. Locate the desired policy, then click Rename in the desired policy's row. The Rename Policy
dialog appears.
4. Type a new name for the existing policy, then click OK.
When you delete a policy, all groups and systems where it is currently applied inherit the policy of
their parent group. Before deleting a policy, review the groups and systems where it is assigned. If
you don't want a group or system to inherit the policy from its parent group, assign a different policy
first. If you delete a policy that is applied to the My Organization group, the McAfee Default policy of
that category is assigned. To delete a policy:
1. From the Policy Catalog page, select the Product and Category from the drop-down lists. The
created policies for the selected category appear in the details pane.
2. Locate the desired policy, then click Delete in the policy's row.
3. Click OK, when prompted.
Sharing policies among multiple ePO servers no longer requires you to export and import your
policies to each server. Use the Policy Sharing feature to share policies among all ePO servers in your
environment.
Policy sharing allows the administrator to designate policies that are developed on one server to be
transmitted to other servers for implementation. In earlier versions of ePO, sharing was possible only
by exporting a policy from the source server and importing it to the target servers one at a time.
The process has been simplified and automated. Now the administrator needs only to:
1. Create a policy and share it, either while creating it or afterwards (Policy Catalog icon in the
navigation bar). The McAfee Default policy cannot be shared.
2. On the host ePO server, add the other ePO servers as registered servers and enable Policy
Sharing for each (Configuration > Registered Servers). The connection test should be successful.
You can add any number of registered servers to a host server.
3. Schedule a server task to distribute the shared policies (Automation > Server Tasks). Unless this
task runs, the policy is not shared with the registered servers.
Admins can update policies used by multiple ePO servers on demand or on a schedule. Read-only
copies of the designated policies are pushed to the other ePO servers. Once pushed out, policy
assignment must be handled on each local ePO server, but subsequent policy updates can be pushed
out across the company from the host server.
Use these tasks to move policies between servers. To do this, you must export the policy to an XML
file from the Policy Catalog page of the source server, then import it to the Policy Catalog page on the
target server.
Exporting a Single Policy
Use this task to export a policy to an XML file. Use this file to import the policy to another ePO server,
or to keep as a backup of the policy.
1. Click the Policy Catalog icon on the navigation bar. The Policy Catalog page opens.
2. Select the Product and Category from the drop-down lists. All created policies for the
selected category appear in the details pane.
3. Locate the desired policy, then click Export next to the policy. The Download File page
appears. Right-click the link to download and save the file.
4. Name the policy XML file, and save it. If you plan to import this file into a different ePO server,
ensure that this location is accessible to the target ePO server.
Exporting All Policies
Use this task to export all policies of a product to an XML file. Use this file to import the policy to
another ePO server, or to keep as a backup of the policies.
1. From the Policy Catalog page, select the Product and Category. The policies created for the
selected category appear in the details pane. Click Export next to Product policies. The
Download File page appears.
2. Right-click the link to download and save the file.
3. Name the policy XML file and save it. If you plan to import this file into a different ePO server,
ensure that this location is accessible to the target ePO server.
2013 McAfee, Inc. All Rights Reserved.
Importing Policies
Use this task to import a policy XML file. Regardless of whether you exported a single policy or all
named policies, the import procedure is the same.
1. Click the Policy Catalog icon on the navigation bar. The Policy Catalog page opens.
2. Click Import next to Product policies.
3. Browse to and select the desired policy XML file, then click OK.
4. Select the policies you want to import and click OK. The policies are added to the Policy
Catalog.
NOTE: During policy import, if a policy with the same name already exists, ePO flags it in red and
the Conflict column shows Yes.
Policy ownership ensures that no one can modify or delete a policy except the policy's owner or a
Global Administrator. Any user with appropriate permissions can assign any policy from the Policy
Catalog page, but only the owner or a Global Administrator can edit it.
All policies for products and features to which the user has permissions are available from the Policy
Catalog page. To prevent users from editing each other's policies, each policy is assigned an owner:
the user who created it.
If a user assigns a policy that they do not own to managed systems, be aware that if the owner of that
named policy modifies it, all systems where the policy is assigned receive those modifications.
Therefore, if you wish to use a policy owned by a different user, McAfee recommends that you first
duplicate the policy, then assign the duplicate to the desired locations. This gives you ownership of
the assigned policy.
NOTE: You can specify multiple non-global administrator users as owners of a single policy.
Assigning a policy is the allocation of a specific named policy at a specific node within the ePO
System Tree. A policy may be assigned to any node within the ePO System Tree: the System Tree root
itself, a group, or an individual system.
Use this task to assign a policy to a specific group of the System Tree. You can assign policies before or
after a product is deployed.
1. Go to Systems > System Tree > Assigned Policies, then select the desired Product. Each
assigned policy per category appears in the details pane.
2. Locate the desired policy category, then click Edit Assignment. The Policy Assignment page
appears.
3. If the policy is inherited, select Break inheritance and assign the policy and settings below
next to Inherited from.
4. Select the desired policy from the Assigned policy drop-down list. From this location, you can
also edit the selected policy's settings, or create a new policy.
5. Choose whether to lock policy inheritance. Locking policy inheritance prevents any systems
that inherit this policy from having another one assigned in its place.
6. Click Save.
ePolicy Orchestrator allows customers to assign policies to unique groups or to individual users
through the use of Policy Assignment Rules. This feature enables policy assignment based on the
Active Directory groups that users belong to, instead of the system they are using. You can include
individual users, groups, and Organizational Units (OUs) in a rule. You can also exclude specific users
from a rule.
Policy assignment rules give you the ability to create user-specific policy assignments. These
assignments are enforced at the target system when a user logs on. On a managed system, the agent
keeps a record of the users who log on to the network. The policy assignments you create for each
user are pushed down to the system they log on to, and are cached during each agent-server
communication. The agent applies the policies that you have assigned to each user.
NOTE: When a user logs on to a managed system for the first time, there can be a slight delay while
the agent contacts its assigned server for the policy assignments specific to this user. During this time,
the user has access only to that functionality allowed by the default machine policy, which typically is
your most secure policy.
Policy assignments rules reduce the overhead of managing numerous policies for individual users,
while maintaining more generic policies across your System Tree. For example, you can create a policy
assignment rule that is enforced for all users in your engineering group. You can then create another
policy assignment rule for members of your IT department so they can log on to any computer in the
engineering network with the access rights they need to troubleshoot problems on a specific system
in that network. This level of granularity in policy assignment limits the instances of broken
inheritance in the System Tree needed to accommodate the policy settings that particular users
require to perform special functions.
Policy assignment rules can be prioritized to simplify maintenance of policy assignment management.
A rule with a higher priority is enforced before rules with a lower priority. Where rules overlap, the
outcome can be that the settings of the lower-priority rule are overridden.
To perform these actions:
1. Go to Menu > Policy > Policy Assignment Rules.
2. Select the action to perform from the Actions menu or the Actions column.
By default, the priority for new policy assignment rules is assigned sequentially based on the number
of existing rules. You can edit the priority of this and any rule by clicking Edit Priority on the Policy
Assignment Rules page.
For example, consider a user who is included in two policy assignment rules, rules A and B. Rule A has
priority level 1 and allows included users unrestricted access to internet content. Rule B has priority
level 2 and heavily restricts the same user's access to internet content. In this scenario, rule A is
enforced because it has the higher priority. As a result, the user has unrestricted access to internet
content.
NOTE: The priority of rules is not considered for products with multi-slot policies, such as HostIPS.
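A worked example of the priority logic above, written for this page (it is not ePO code): a small Python model of user-based assignment rules with include and exclude lists, sequential priorities, and the rule A / rule B scenario from the text. Rule names, users, groups, OUs and policy names are invented; the multi-slot behaviour is modelled from the note above as every matching rule contributing its policy rather than one winner.

```python
"""Toy resolver for ePO policy assignment rules (user-based assignment).

Hypothetical code added for this page to show how rule priority, inclusion
and exclusion interact; it is not McAfee/ePO code. Rule, user, group, OU and
policy names are made up.
"""
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class User:
    name: str
    groups: Set[str] = field(default_factory=set)  # AD groups the user belongs to
    ou: str = ""                                    # AD organizational unit


@dataclass
class Rule:
    name: str
    priority: int                                   # 1 = highest priority
    policy: str                                     # policy this rule assigns
    include_users: Set[str] = field(default_factory=set)
    include_groups: Set[str] = field(default_factory=set)
    include_ous: Set[str] = field(default_factory=set)
    exclude_users: Set[str] = field(default_factory=set)

    def applies_to(self, user: User) -> bool:
        """Excluded users never match, whatever their group or OU membership."""
        if user.name in self.exclude_users:
            return False
        return (user.name in self.include_users
                or bool(user.groups & self.include_groups)
                or user.ou in self.include_ous)


class RuleSet:
    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def add(self, rule: Rule) -> Rule:
        """New rules get the next sequential priority, as on the Policy Assignment Rules page."""
        rule.priority = len(self.rules) + 1
        self.rules.append(rule)
        return rule

    def edit_priority(self, name: str, new_priority: int) -> None:
        """Move one rule and renumber the rest so priorities stay 1..n without gaps."""
        rule = next(r for r in self.rules if r.name == name)
        ordered = [r for r in sorted(self.rules, key=lambda r: r.priority) if r is not rule]
        ordered.insert(new_priority - 1, rule)
        for i, r in enumerate(ordered, start=1):
            r.priority = i

    def resolve(self, user: User, machine_policy: str) -> str:
        """Single-slot product: the highest-priority matching rule wins. With no
        match the user keeps the machine policy (also what applies before the
        agent has fetched user-specific assignments)."""
        matching = [r for r in self.rules if r.applies_to(user)]
        if not matching:
            return machine_policy
        return min(matching, key=lambda r: r.priority).policy

    def resolve_multi_slot(self, user: User) -> List[str]:
        """Multi-slot product (e.g. Host IPS): priority is not considered,
        every matching rule contributes its policy."""
        return sorted(r.policy for r in self.rules if r.applies_to(user))


def demo() -> dict:
    rules = RuleSet()
    rules.add(Rule("Rule A", 0, "Web - Unrestricted", include_groups={"Engineering"}))
    rules.add(Rule("Rule B", 0, "Web - Restricted", include_ous={"OU=Contractors"}))
    rules.add(Rule("Rule C", 0, "Web - IT Troubleshooting", include_groups={"IT"}))

    alice = User("alice", groups={"Engineering"}, ou="OU=Contractors")  # in A and B
    bob = User("bob", groups={"IT", "Engineering"})                      # in A and C
    carol = User("carol", ou="OU=Sales")                                  # in no rule

    out = {
        "alice_A_over_B": rules.resolve(alice, "Web - Machine Default"),
        "carol_machine_policy": rules.resolve(carol, "Web - Machine Default"),
    }
    rules.rules[0].exclude_users.add("alice")          # exclude alice from rule A
    out["alice_excluded_from_A"] = rules.resolve(alice, "Web - Machine Default")
    rules.edit_priority("Rule C", 1)                   # IT rule now beats the engineering rule
    out["bob_after_reprioritise"] = rules.resolve(bob, "Web - Machine Default")
    out["priorities"] = [(r.name, r.priority) for r in sorted(rules.rules, key=lambda r: r.priority)]
    out["bob_multi_slot"] = rules.resolve_multi_slot(bob)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints each scenario: alice gets rule A's policy until she is excluded from it, carol falls back to the machine policy, and raising rule C to priority 1 changes what bob receives even though rule A still matches him.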
Policy enforcement status is an inherited property that is independent from policy assignment. Policy
enforcement status is inherited from the System Tree root (My Organization) unless inheritance is
turned off. If a policy is not enforced it will not be implemented by the McAfee Agent. This means
that although the managed system has received the policy assigned to it, the policy will not be
applied on the system.
By default, all policies have an Enforcement status of Enforcing when they are assigned.
NOTE: If policy enforcement is turned off, systems in the specified group do not receive updated
sitelists during an agent-server communication. As a result, managed systems in the group might not
function as expected. For example, you might configure managed systems to communicate with
Agent Handler A, but with policy enforcement turned off, the managed systems do not receive the
new sitelist with this information, so they report to a different Agent Handler listed in an expired
sitelist.
Use this task to view assignments where policy enforcement, per policy category, is disabled.
1. Click the Policy Catalog icon on the navigation bar.
2. Select the desired Product and Category. All created policies for the selected category appear
in the details pane.
3. Click the link next to Product enforcement status, which indicates the number of assignments
where enforcement is disabled, if any. The Enforcement for <policy name> page appears.
4. Click any item in the list to go to its Assigned Policies page.
In the Policy Catalog page, you can view assignments, per policy, where it is applied - but not where it
is enforced.
Policy enforcement locking prevents other users from changing policy assignment settings in the
group where locking took place, and in any subgroups.
Where policies are viewed for a specific node anywhere within the System Tree, the Inherited by
column shows either that all sub-groups inherit this policy (All inherit) or how many nodes do not
inherit it (for example, 2 don't inherit).
If at least one sub-group does not inherit, the Inherited by column entry is a blue hyperlink that
lets you view where the policy is not inherited (showing where inheritance is broken).
Inheritance can be reset in two ways (both shown in the slide above):
Either by clicking the text reading X don't inherit,
OR
1. Click Menu from the navigation bar to go to the Menu page.
2. Click System Tree within the Systems section.
3. Select Assigned Policies. All assigned policies, organized by product, appear in the details pane.
4. The desired policy row, under Broken Inheritance, displays the number of groups and systems
where this policy's inheritance is broken.
NOTE: This is the number of groups or systems where the policy inheritance is broken, not the
number of systems that do not inherit the policy. For example, if only one group does not inherit the
policy, this is represented by 1 doesn't inherit, regardless of the number of systems within the group.
5. Click the link indicating the number of child groups or systems that have broken inheritance. The
View broken inheritance page displays a list of the names of these groups and systems.
6. To reset the inheritance of any of these, select the checkbox next to the name, then click Actions
and select Reset Inheritance.
You can also click the Edit Assignment blue hyperlink and then select the don't inherit hyperlink,
which reveals the View broken inheritance window. This corresponds to the lower graphic above and
shows where policy inheritance is broken and where it can be reset.
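To tie together assignment, broken and locked inheritance, enforcement status and the effect of deleting a policy, here is a small Python model added for this page (hypothetical code, not ePO's own). It follows the rules stated in this module: the nearest explicit assignment up the tree wins, My Organization falls back to the McAfee Default policy, "X don't inherit" counts a group once however many systems it holds, enforcement status is inherited separately from assignment, and a lock above a node blocks assignment below it. Group, system, category and policy names are made up.

```python
"""Toy model of ePO System Tree policy assignment, inheritance, locking,
enforcement status and policy deletion. Hypothetical code added for this
page; it follows the rules the module describes and is not McAfee/ePO code.
Group, system and policy names are made up."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

MCAFEE_DEFAULT = "McAfee Default"  # read-only fallback policy of every category


@dataclass
class Node:
    name: str
    parent: Optional["Node"] = None
    is_system: bool = False
    children: List["Node"] = field(default_factory=list)
    assigned: Dict[str, str] = field(default_factory=dict)  # category -> policy; present = inheritance broken here
    locked: Set[str] = field(default_factory=set)           # categories whose inheritance is locked at this node
    enforcing: Optional[bool] = None                        # None = inherit enforcement status from parent


class SystemTree:
    def __init__(self) -> None:
        self.root = Node("My Organization", enforcing=True)
        self.nodes: Dict[str, Node] = {self.root.name: self.root}

    def add(self, name: str, parent: str, is_system: bool = False) -> None:
        node = Node(name, parent=self.nodes[parent], is_system=is_system)
        node.parent.children.append(node)
        self.nodes[name] = node

    def effective_policy(self, name: str, category: str) -> str:
        """Nearest explicit assignment walking up the tree; McAfee Default if none."""
        node = self.nodes[name]
        while node is not None:
            if category in node.assigned:
                return node.assigned[category]
            node = node.parent
        return MCAFEE_DEFAULT

    def assign(self, name: str, category: str, policy: str) -> None:
        """Break inheritance and assign; refused if any ancestor locked this category."""
        node = self.nodes[name]
        anc = node.parent
        while anc is not None:
            if category in anc.locked:
                raise PermissionError(f"{category} inheritance locked at {anc.name}")
            anc = anc.parent
        node.assigned[category] = policy

    def lock_inheritance(self, name: str, category: str) -> None:
        self.nodes[name].locked.add(category)

    def reset_inheritance(self, name: str, category: str) -> None:
        self.nodes[name].assigned.pop(category, None)

    def broken_inheritance(self, name: str, category: str) -> List[str]:
        """What 'X don't inherit' lists: descendants with their own assignment.
        A group counts once, however many systems it contains."""
        found, stack = [], list(self.nodes[name].children)
        while stack:
            n = stack.pop()
            if category in n.assigned:
                found.append(n.name)
            stack.extend(n.children)
        return sorted(found)

    def delete_policy(self, policy: str) -> None:
        """Nodes using the policy fall back to their parent's policy; at
        My Organization the McAfee Default policy of the category is assigned."""
        for node in self.nodes.values():
            for category in [c for c, p in node.assigned.items() if p == policy]:
                if node is self.root:
                    node.assigned[category] = MCAFEE_DEFAULT
                else:
                    del node.assigned[category]

    def set_enforcement(self, name: str, enforcing: Optional[bool]) -> None:
        self.nodes[name].enforcing = enforcing

    def agent_view(self, name: str, category: str) -> Tuple[str, bool]:
        """(policy the agent receives, whether the agent will actually apply it)."""
        node = self.nodes[name]
        while node.enforcing is None:  # enforcement status is inherited independently of assignment
            node = node.parent
        return self.effective_policy(name, category), node.enforcing


def demo() -> dict:
    t = SystemTree()
    t.add("Engineering", "My Organization")
    t.add("Lab", "Engineering")
    t.add("eng-ws-01", "Lab", is_system=True)
    t.add("eng-ws-02", "Engineering", is_system=True)
    t.add("Finance", "My Organization")
    t.add("fin-ws-01", "Finance", is_system=True)

    cat = "On-Access Scan"
    t.assign("My Organization", cat, "Corp Baseline")
    t.assign("Engineering", cat, "Eng Relaxed")
    t.assign("fin-ws-01", cat, "Finance Strict")
    t.set_enforcement("Lab", False)  # Lab still receives policy, but the agent does not apply it

    out = {
        "ws01_before": t.agent_view("eng-ws-01", cat),
        "ws02_before": t.agent_view("eng-ws-02", cat),
        "broken_at_root": t.broken_inheritance("My Organization", cat),
        "broken_at_engineering": t.broken_inheritance("Engineering", cat),
    }
    t.reset_inheritance("fin-ws-01", cat)              # fin-ws-01 inherits from Finance again
    out["fin01_after_reset"] = t.effective_policy("fin-ws-01", cat)
    t.delete_policy("Eng Relaxed")                     # Engineering now inherits Corp Baseline
    out["ws02_after_delete"] = t.effective_policy("eng-ws-02", cat)
    t.delete_policy("Corp Baseline")                   # root falls back to McAfee Default
    out["root_after_delete"] = t.effective_policy("My Organization", cat)
    t.lock_inheritance("Finance", cat)
    try:
        t.assign("fin-ws-01", cat, "Something Else")
        out["lock_blocked"] = False
    except PermissionError:
        out["lock_blocked"] = True
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The Lab system is the case worth noticing: it receives the Engineering policy but its agent will not apply it, which is exactly the "received but not enforced" situation the enforcement status section warns about and which the Policy Catalog's assignment view does not reveal.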
Use these tasks to copy and paste policy assignments from one group or system to another. This is an
easy way to share multiple assignments between groups and systems from different portions of the
System Tree.
To copy policy assignments:
1. Click the System Tree icon on the navigation bar.
2. Select Assigned Policies, then select the desired group in the System Tree.
3. In the details pane, highlight the desired policy category to copy, and then click Actions > Copy
Assignments.
To paste policy assignments to a group:
1. Click the System Tree icon on the navigation bar.
2. Select Assigned Policies, then select the desired group in the System Tree.
3. In the details pane, click Actions > Paste Assignments.
If the group already has policies assigned for some categories, the Override Policy Assignments page
appears.
Policies are delivered and enforced when the agent communicates with the ePO server or an Agent
Handler at the configured agent-to-server communication interval (ASCI), which defaults to 60
minutes, and are re-applied locally at every policy enforcement interval. Sending an Agent Wake-Up
call from the ePO server also causes policies to be updated and enforced on the client when the agent
calls in.
Also, if the client end user has access to the McAfee Agent Status Monitor (controlled by policy), they
can use the Check New Policies button to initiate communication with the server or Agent Handler
to collect and enforce policy changes.
When you reconfigure policy settings, the new settings are delivered to, and enforced on, the
managed systems at the next agent-to-server communication. The frequency of this communication
is determined by the Agent-to-server communication interval (ASCI) setting on the General tab of
the McAfee Agent policy pages, or by the McAfee Agent Wakeup client task schedule (depending on
how you implement agent-server communication). This interval is set to once every 60 minutes
by default.
Once the policy settings are in effect on the managed system, the agent continues to enforce them
locally at a regular interval. This enforcement interval is determined by the Policy enforcement
interval setting on the General tab of the McAfee Agent policy pages, and is set to every five minutes
by default.
In short, policy settings for McAfee products are re-applied at each policy enforcement interval, and
updated at each agent-to-server communication if the policy settings have changed.
To view, or to view and edit policies, you must have the appropriate permissions. Global
Administrators always have permission to view and change policy settings, but other administrators
may need permissions set.
As you add new extensions to the ePO server by installing new point-products, you will have new
permission sets that control the access to the policies for those products. They will install with no
permissions by default for users other than the Global Administrator.
When troubleshooting policy update or enforcement issues, the agent log files contain the actions
triggered or taken by the McAfee Agent.
Agent_<system_name>.log - Generated on client systems when the server deploys an agent to them.
This file contains details related to:
Agent-to-Server communication
Policy enforcement
Other Agent tasks
To troubleshoot incremental policy update issues from the server-side, do the following.
1. Create the DWORD registry value SAVEAGENTPOLICY = 1 in:
HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR
This setting will cause the ePO server to save agent policy files to the db\debug folder to see what the
ePO server is sending to the client machine as policy.
2. Restart all ePolicy Orchestrator services.
The ePolicy Orchestrator server creates the file
<AGENTGUID>_<TIMESTAMP>_SERVER.XML in the <INSTALLATION PATH>\DB\DEBUG folder,
which contains a copy of the content that the server deployed.
NOTE: The DB\DEBUG subfolder does not exist by default and should be created.
NOTE: This setting will produce a lot of files and impact the performance, so it should be turned off
as soon as the debugging is complete.