Print Download PDF Send Feedback

Previous

Next

Working with Virtual Groups

You can assign Policy rules to groups.

Groups can contain users and computers.

For each Endpoint Security component, only one rule can be assigned to a user or computer. Therefore, if a user belongs to more than one group, with a different rules assigned to each group, the Endpoint Security Management Server applies the first rule that matches the user or computer.

Active Directory Groups and Virtual Groups

You can use these types of groups in SmartEndpoint:

Virtual Groups work like Active Directory groups. You can:

Why Use Virtual Groups

You may want to use Virtual Groups if you are:

Prerequisites for Using virtual groups

Important - To manage users with a virtual group, you must do one of these steps:

  • Use Full Disk Encryption and enable User Acquisition.
  • Import objects into Endpoint Security with the Active Directory Scanner. Afterwards you can move them between virtual groups manually.

 

Predefined Virtual Groups

Users and computers with Endpoint Agent installed are automatically assigned to these predefined virtual groups:

The users and computers can be added to another virtual group, or removed from a virtual group and added to another virtual group.

If you add objects to a virtual group with an installation package, the objects are not automatically put into these virtual groups. You must do so manually.

Managing Virtual Groups

Work with virtual groups in the Virtual Group branch of the Users and Computers tree.

When you create a new virtual group, you set the group type, which you cannot change. Changes to a virtual group are saved automatically and installed immediately on the Endpoint Security clients.

Assign the Virtual Groups in a Policy rule, as for any other entity.

To create a new virtual group:

  1. In the Users and Computers tree, click Global Actions > New Virtual Group.
  2. In the New Virtual Group window:
    • Enter a name for the group.
    • Optional: Enter a Comment.
    • Select Virtual Group or Computer Group.
  3. Click Next.
  4. In the Select Entities window, select the members of the group.
  5. Click Finish.

To add computers and users from Active Directory to a Virtual Group:

  1. Right-click an OU on the Directories branch of the Users and Computers tree.
  2. Select Add content to Virtual Group.
  3. Select a Virtual Group and click OK.

    All users and computers in the specified OU are added to the Virtual Group.

    If select one of the default Virtual Groups, only those users and computers applicable to that group are added. For example, if you select the All Laptops Virtual Group, only laptops computers and their users are added to the group.

To copy a user or computer to another virtual group:

  1. Right-click the user, computer or Active Directory group.
  2. Select Add to Virtual Group.
  3. Select the destination virtual group.

The source object becomes a member of the destination group while remaining a member of the source group.

To remove a user or computer from a virtual group:

  1. Right-click the user or computer.
  2. Select Remove from Virtual Group.

Using a Computer Group in a User-Based Policy

You can assign a rule to a Virtual Group, as you can for any other entity.

This example shows how to use a Computer Group in the Media Encryption & Port Protection Policy, which is user-based.

Best Practice - In a component policy that is user-based, put computer group rules above user rules in the "more rule(s)" section

Read the comments in the rules.

No

Name

Applies to

Comment

 -

Media Encryption & Port Protection

 

 

 

Default Media Encryption & Port Protection settings for the entire organization

Entire Organization

This rule applies to all users that are not logged into computers in "Media Encryption computer Group"

 

-

1 more rule

 

 

1

Media Encryption & Port Protection Rule for "Media Encryption computer Group"

Media Encryption computer Group

\Virtual Groups

Media Encryption & Port Protection policy rules normally apply to users, regardless of which endpoint computer they use. However, this rule applies to computers in "Media Encryption Computer Group" regardless of which users are logged in to the computer.

 

Example Deployment Rules for Virtual Groups

You can deploy Endpoint Security components to Endpoint Security clients according to Virtual Groups.

This example shows Software Deployment Rules that specify the components to be deployed to the All Laptops and All Desktops Virtual Groups.

Read the comments in the rules.

No

Name

Applies to

Actions

Comment

 -

Software Deployment

 

 

 

 

Default Deployment

Entire Organization

Do Not install

Default Software Deployment settings for the entire organization

 

-

2 more rules

 

 

 

1

Deployment to Desktops

All Desktops

\Virtual Groups

Endpoint Client Version 80.88.4122

Selected blades

 

 

2

Deployment to laptops

All Laptops

\Virtual Groups

Endpoint Client Version 80.88.4122

Selected blades

Same as desktop plus Full Disk Encryption and Endpoint Security VPN

Monitoring Virtual Groups

Virtual Groups show in Reporting reports like other objects. You can create for monitoring and other purposes. Endpoints can be members of more than one group.

For example, if you want to do a test of a new Endpoint Security upgrade, you can create a Virtual Group that contains only those endpoints included in the test. Then you can create a report for the deployment and activity of these endpoints.

To see activity for virtual group objects:

  1. Go to the Reporting tab and select Software Deployment from the tree.
  2. Click the ... button in the Endpoint List section of the Software Deployment Status pane.
  3. Select Virtual Groups and then the select the virtual group that you want to see.