Defining Endpoint Security Policies

In This Section: Policy Rule Base Concepts Working With Rules Working with Virtual Groups

Policy Rule Base Concepts

To manage the Security Policies for Endpoint Security, use the Policy tab of the SmartEndpoint console.

The Policy tab contains the Policy Management Toolbar and the Policy Rule Base.

The Policy Rule Base contains a policy for each of the Endpoint Security components (formerly known as a Blades). These policies enforce protections on endpoint computers.

The policy for each component is made up of rules. This shows some example of rules in the Policy tab:

Each rule applies to a specific component, and to a specific part of the organization. Each rule has a set of actions.

The policy for each component has a default rule that applies to the entire organization.

You can change the default rules, and add rules that apply to specific parts of the organization. You cannot delete the default rule.

Columns of a Policy Rule Base

These are the columns in a policy rule:

Column	Description
No.	Rule Number
Name	Rule Name
Applies To	The part of the organization (the entity) to which the rule applies
Actions	The configurations that apply to the Endpoint Security component
Comment Modified On Version	Informational fields. Right-click a column to select the fields to show. You can also show: Created On Deployed In Modified By

The Policy Toolbar

The Policy tab contains the Policy Toolbar and the Policy Rule Base.

This is the Policy Toolbar:

To do this	Click this
Add and delete rules
Save, refresh and install policy changes
Show only the actions that are different than the default rule for that component
Change the order of the rules for the component. Re-order the rules to define the assignment priority of rules for a specific component
Search for text and highlight it in the Endpoint Security policy
Show the policy for a specific part of the organization

User and Computer Rules

One user may have multiple computers. Some computers may have multiple users.

One user with multiple computers:		One computer with multiple users:

The policies for some Endpoint Security components are enforced for each user. Other policies are enforced for each computer.

• User Rules are independent of computer the user is connected to. However, you can override user rules using Virtual Groups for computers.
• Computer Rules are independent of the user who is logged on to the computer.

Connected, Disconnected and Restricted Rules

Endpoint Security can enforce policy rules on computers and users based on their connection and compliance state.

When you create a policy rule, you select the connection and compliance states for which the rule is enforced. You can define rules with these states:

• Connected state rule is enforced when a compliant endpoint computer has a connection to the Endpoint Security Management Server. This is the default rule for a component policy. It applies if there is no rule for the Disconnected or Restricted states of the component. All components have a Connected Rule.
• Disconnected state rule is enforced when an endpoint computer is not connected to the Endpoint Security Management Server. For example, you can enforce a more restrictive policy if users are working from home and are not protected by organizational resources. You can define a Disconnected policy for only some of the Endpoint Security components.
• Restricted state rule is enforced when an endpoint computer is not in compliance with the enterprise security requirements. In this state, you usually choose to prevent users from accessing some, if not all, network resources. You can define a Restricted policy for only some of the Endpoint Security components.

Rule Types for Each Endpoint Security component

The table shows if the policy for each Endpoint Security component is enforced for each user or for each computer (the Rule Type).

The table also shows that you can define a Connected policy for all components. For some components you can also define Disconnected and Restricted policies.

Note - Deployment Rules are defined for computers, not for users.

	Component	Rule Type	Connected	Disconnected	Restricted
	Full Disk Encryption	Computer
	Media Encryption & Port Protection	User
	OneCheck User Settings	User
	Capsule Docs	User
	Anti-Malware	User
	SandBlast Agent Anti-Ransomware, Behavioral Guard and Forensics	Computer
	SandBlast Agent Anti-Bot	User
	SandBlast Agent Threat Extraction, Emulation and Anti-Exploit	User
	Compliance	User
	URL Filtering	Computer
	Firewall	User
	Access Zones	User
	Application Control	User
	Client Settings	User

Rule Entities

When you configure a rule, you specify the entities that the rule Applies To.

These are some of the entities you can specify:

• Entire Organization (the root of the organization folders)
• OUs
• Network IP ranges
• AD Groups
• Virtual Groups
• Users (for User Policies only)
• Computers (for Computer Policies only)

Protection for Servers

These components can be installed on supported servers in the same way that they are installed on workstations:

• Anti-Malware
• Firewall
• Compliance

  Important - Application Control is not supported on all versions of Windows Server. Do not deploy this component on clients that run operating systems that are not supported. You can also disable it in the policy. To disable components on operating systems that are not supported: Configure a rule that disables the unsupported component. Install the policy on all clients that run operating systems that do not support the component.

If you install Anti-Malware and Firewall policies on servers, it is best for the policies to be machine-based and not user-based. In machine-based policy, the policies assigned to the machine have priority over the policies assigned to users who connect to the machine.

To enforce machine-based policies, we strongly recommend that you put all servers in a server virtual group.

For supported servers, see the Release Notes for your Endpoint Security client version.