
Working With Rules

The policy for each Endpoint Security component is made up of rules.

Each component has a default rule that applies to the Entire Organization. You can change the default rule for the component, but you cannot delete it.

For each component, you can add rules that apply to specific parts (entities) of the organization.

Creating a Rule

For each component, you can add one or more rules that apply to specific parts (entities) of the organization.

The new rule is added to the bottom of the policy of the component.

To create a rule:

  1. Select an existing rule.
  2. In the Policy toolbar, click Create a Rule.

    The Create Rule Wizard opens.

  3. On the Select Enforcement state page, select Add Rule for and select a state: Connected, Disconnected or Restricted.
  4. Click Next.
  5. On the Select Entities page, select those OUs, groups or individuals that this rule applies to.

    To search for an entity: Type text in the field.

    You can add multiple entities.

  6. Click Next.
  7. On the Change Rule Actions page, right-click the applicable actions and configure the action.

    Select from a pre-defined action. To create your own, select Edit Shared Action.

  8. Click Next.
  9. On the Edit rule Name and comment page, enter a descriptive Name and optionally Comment.
  10. Click Finish.
  11. In the Policy Management Toolbar, click Install to install the policy on Endpoint Security clients.

The Order in Which the Client Applies the Rules

If there is more than one rule for an Endpoint Security component, the Endpoint Security client evaluates the rules in the "more rule(s)" section from top to bottom and applies the first rule whose entities include the user or computer. The default rule for the Entire Organization applies only when no rule in the "more rule(s)" section matches. A user or computer therefore gets exactly one rule per component, and when the user or computer belongs to more than one entity, the order of the rules decides which one.

Best Practice - Put rules for specified users or computers in the "more rule(s)" section above rules for the groups and containers they are members of. Otherwise the group or container rule matches first and the user-specific rule never applies to that user.

Example

Read the comments in the rules.

Default rule (Firewall)
  Name: Default Firewall settings for the entire organization
  Applies to: Entire Organization
  Comment: This rule applies to users who do not belong to the OUs "Europe" or "US", and do not belong to the AD group "Managers".

2 more rules
  1. Name: Firewall rule for Europe and US
     Applies to: Europe (\Directories\example.test.com\Example), US (\Directories\example.test.com\Example)
     Comment: This rule applies to users who belong to the OU "Europe" or the OU "US".
  2. Name: Firewall rule for managers
     Applies to: Managers (\Directories\example.test.com\Example)
     Comment: This rule applies to users in the AD group "Managers" who do not belong to the OUs "Europe" or "US".

Changing the Order in Which the Client Applies the Rules

When there is more than one rule in the "more rule(s)" section, you can change the order in which the Client applies the rules.

To change the order in which the client applies the rules:

  1. In the "more rule(s)" section, select a rule.
  2. In the Policy Toolbar, use the Move Up and Move Down buttons to change the position of the rule.
  3. Click Save rule.

Example

This is how the Endpoint Security client applies the rules after you change order of the rules in the previous example policy.

Read the comments in the rules.

Default rule (Firewall)
  Name: Default Firewall settings for the entire organization
  Applies to: Entire Organization
  Comment: This rule applies to users who do not belong to the OUs "Europe" or "US", and do not belong to the AD group "Managers".

2 more rules
  1. Name: Firewall rule for managers
     Applies to: Managers (\Directories\example.test.com\E...)
     Comment: This rule applies to users in the AD group "Managers".
  2. Name: Firewall rule for Europe and US
     Applies to: Europe (\Directories\example.test.com\Example), US (\Directories\example.test.com\Example)
     Comment: This rule applies to users who belong to the OU "Europe" or the OU "US" and who are not in the AD group "Managers".
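The two example policies above, as an added example that is not Check Point code: a small Python model of first-match rule evaluation for one component. It runs the page's Firewall rules in both orders for a few constructed users, including a manager who sits in the Europe OU, to show which rule the client would apply to each, and adds a check for the best practice in the previous section (a rule for a named user or computer placed below an OU or group rule is shadowed for members of that OU or group). The user names, OU names, action names and directory path are constructed for the example; the first-match model is an assumption based on the rule comments the page gives.

```python
# Added example (not Check Point code): a model of how an Endpoint Security
# client picks one rule per component, used to show why rule order matters.
# Entity names, action names and the directory path are constructed.
from dataclasses import dataclass

DIRECTORY = "\\Directories\\example.test.com\\Example"  # constructed path


@dataclass(frozen=True)
class Entity:
    kind: str  # "user", "computer", "group" or "ou"
    name: str


@dataclass(frozen=True)
class Rule:
    name: str
    applies_to: frozenset  # empty frozenset = Entire Organization (the default rule)
    action: str            # the component action the rule assigns (constructed names)


@dataclass(frozen=True)
class Subject:
    """A user as the client sees it: the account, its OU and its AD groups."""
    user: str
    ous: frozenset
    groups: frozenset

    def entities(self) -> frozenset:
        return frozenset(
            {Entity("user", self.user)}
            | {Entity("ou", ou) for ou in self.ous}
            | {Entity("group", g) for g in self.groups}
        )


def effective_rule(default: Rule, more_rules: list, subject: Subject) -> Rule:
    """First match, top to bottom, through the 'more rule(s)' section;
    the default rule applies only when nothing above it matched (assumption)."""
    mine = subject.entities()
    for rule in more_rules:
        if rule.applies_to & mine:
            return rule
    return default


def misordered_rules(more_rules: list) -> list:
    """Best-practice check (heuristic, assumption): a rule for a named user or
    computer placed below a rule for an OU or group is shadowed for every such
    user or computer that is also a member of that OU or group."""
    flagged = []
    seen_container_rule = False
    for rule in more_rules:
        kinds = {e.kind for e in rule.applies_to}
        if kinds & {"ou", "group"}:
            seen_container_rule = True
        elif seen_container_rule and kinds & {"user", "computer"}:
            flagged.append(rule.name)
    return flagged


# The page's example Firewall policy.
DEFAULT = Rule("Default Firewall settings for the entire organization",
               frozenset(), "Default Firewall profile")
EU_US = Rule("Firewall rule for Europe and US",
             frozenset({Entity("ou", "Europe"), Entity("ou", "US")}),
             "Regional Firewall profile")
MANAGERS = Rule("Firewall rule for managers",
                frozenset({Entity("group", "Managers")}),
                "Managers Firewall profile")
# A rule for one named user, used for the best-practice check (constructed).
ALICE_ONLY = Rule("Firewall rule for alice",
                  frozenset({Entity("user", "alice")}), "Alice Firewall profile")

# Constructed users. alice is the interesting case: Europe OU and Managers group.
SUBJECTS = [
    Subject("alice", frozenset({"Europe"}), frozenset({"Managers"})),
    Subject("bob", frozenset({"US"}), frozenset()),
    Subject("carol", frozenset({"Sales"}), frozenset({"Managers"})),
    Subject("dave", frozenset({"Sales"}), frozenset()),
]


def who_gets_what(more_rules: list) -> dict:
    """Map each constructed user to the name of the rule the client would apply."""
    return {s.user: effective_rule(DEFAULT, more_rules, s).name for s in SUBJECTS}


if __name__ == "__main__":
    for label, order in (("before reorder", [EU_US, MANAGERS]),
                         ("after reorder", [MANAGERS, EU_US])):
        print(label)
        for user, rule in who_gets_what(order).items():
            print(f"  {user:6} -> {rule}")
    print("shadowed:", misordered_rules([MANAGERS, EU_US, ALICE_ONLY]))
```

Only alice changes rule when the order changes; bob, carol and dave are matched by exactly one rule (or by none, which is the default rule), so their result is the same in both orders. That is the property to verify before installing a reordered policy: list the users who belong to more than one entity named in the "more rule(s)" section, because those are the only ones whose effective rule the reorder can change.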

Editing a Rule

You can modify a rule in the Policy tab. You can change the name and comment of the rule, the entities the rule applies to, and the actions of the rule.

To edit name or comment of a rule:

Double-click the text in the name or comment of the rule, and modify it.

To add an entity to a rule:

  1. In the Applies To column of the rule, click Add Assignment.
  2. Select the entity from the organizational tree.

To remove an entity from a rule:

In the Applies To column of the rule, select the entity and click Remove

To edit an action of a rule:

See Editing a Shared Action below. If you edit an action that is used in more than one rule (a shared action), the change applies everywhere that the action is used.

Editing a Shared Action

You can edit an action in these ways:

Edit a Shared Action

A Policy action can be used in more than one rule. That is why it is called a Shared Action.

Important - If you edit a shared action, the change applies everywhere the action is used. For example, if you change an action that is used in rule A and in rule B, the change happens in both rules.

 

Clone an Action

If an action is used in more than one rule and you want to change the action in one rule and not the others, clone the action. Then use the cloned action in that rule and change the settings of the cloned action. You can use the cloned action in more than one rule. Custom actions show below the predefined actions.

 

Use a Predefined Action

Many actions have more than one predefined setting. You can easily change the action by selecting a different predefined setting.

 

Best Practice - Do not change predefined actions. If you want to change a setting, create a custom action.

To edit a rule action:

  1. In the Policy rule, click the action.
  2. Edit the action in one of these ways:
    • Edit Shared Action to edit the properties of the action. Changes affect all the rules that use the action.
    • Clone Action to create a custom action.
    • Select a different predefined action.

To find out where an action is used:

  1. In the Policy rule, click the action.
  2. Click Edit Shared Action.
  3. In the Description section, look for the Wide Impact icon.
  4. Click the Used in N rules link to see where the action is used.

What Happens when you Delete an Entity

If an entity is deleted - for example, an Active Directory group, user or computer - and there is a rule for the deleted entity, the rule no longer has a valid entity to apply to. You can restore the rule by assigning it new entities.

To restore a rule with a deleted entity:

  1. Right-click the rule and select Restore Rule.
  2. Select new entities for the rule.

Saving and Installing Policy Changes on Clients

When you create or modify a rule, you have to save it and install it before it becomes available to the Endpoint Security clients.

This lets you save changes to the Policy without immediately affecting users. It also lets you deploy the Policy at the most convenient time, for example, at night.

The policy becomes available for endpoints to download on the next heartbeat or the next time the user logs in.

Changes to Virtual Groups

If you make changes to an object that is related to Virtual Groups, the changes are enforced immediately. For example, if you move an object into a virtual group, the rules for that group apply to the object immediately. However, if you change a policy that is assigned to a virtual group, the changes to the policy only apply after you install policies.

To save a rule:

In the Policy toolbar, click Save rule.

To install the Policy on Endpoint Security clients:

In the Policy Management Toolbar, click Install.

Showing the Policy that Applies to a User or Computer

By default, the Policy tab shows default rules that apply to Entire Organization, and other rules that apply to other entities.

You can filter the view in the Policy tab and show the Policy for a specific part of the organization.

To show the Policy for a specific part of the organization:

In the Policy tab, in the Show for area of the toolbar, type the name of a user, computer, OU, or other entity.

If you show the Policy for a specific user, you can select the associated computer.

You cannot edit the policy while the list is filtered.

To restore the default view and show the entire Policy, click Clear.

Direct Assignment of Rules to Users and Computers

You can assign rules to an entity. This is called Direct Assignment. You can also see which rules are assigned to an entity.

To assign a rule to an entity:

  1. Open the Users and Computers tab.
  2. In the All Organization Folders area, search for the entity.
  3. In the Blades area, select a component.
  4. In the Rule area, review the rule that is assigned to the entity for this component.
  5. To change the rule specifically for the entity, click Edit rule.
  6. In the Edit Specific Rule page, select Differentiate <name of entity>.
  7. Click Next.
  8. In the Change rule action settings page, select the actions you want to change, and change the settings.
  9. Click Next.
  10. In the Enter rule name and comment page, add the details.
  11. Click Finish.
  12. Click Save.

Review the rule that is assigned to the entity for this component. Notice that Inherited From shows Direct Assignment. In the Policy tab, you can see the new component rule for the entity.

To remove direct assignment from an entity:

  1. Open the Users and Computers tab.
  2. In the All Organization Folders area, search for the entity.
  3. In the Blades area, select a component.
  4. In the Rule area, review the rule that is assigned to the entity for this component. Inherited From shows Direct Assignment.
  5. Click Remove Direct Assignment.
  6. Click Yes.

Review the rule that is assigned to the entity for this component. Notice that Inherited From shows Entire Organization. In the Policy tab, the component rule for the entity has been deleted.