Virtual Groups in Policy Rules
You can use these types of groups in SmartEndpoint (the Check Point GUI application that connects to the Endpoint Security Management Server to manage your Endpoint Security environment: deploying, monitoring and configuring Endpoint Security clients and policies):
- Active Directory group - These are synchronized automatically from Active Directory using the Directory Scanner (a component of the Endpoint Security Management Server that scans the defined Active Directory and copies the existing Active Directory structure to the server database). You cannot modify an Active Directory group.
- Virtual group - Create these in SmartEndpoint or use one of the predefined virtual groups. There are two types of virtual group:
  - Virtual Group - Can contain users and computers.
  - Computer Group - Can contain only computers.
Virtual Groups work like Active Directory groups. You can:
- Create groups and then add users and computers to the groups automatically or manually.
- Assign policies to virtual groups or users.
- Put users and computers into more than one group.
- Select which policies have priority for endpoints that belong to more than one virtual group.
You can use Virtual Groups with Active Directory for added flexibility or as an alternative to Active Directory.
Members of Active Directory OUs or groups can also be members of Virtual Groups.
Important - You can use virtual groups to manage computers and servers in all environments. To manage users with a virtual group, you must do one of these steps:
For each Endpoint Security component, only one rule (a set of traffic parameters and other conditions in a Rule Base that cause specified actions to be taken for a communication session) can be assigned to a user or computer. Therefore, if a user belongs to more than one group, with a different rule assigned to each group, the Endpoint Security Management Server (the Security Management Server that manages your Endpoint Security environment, including Endpoint Security policy management and databases, and that communicates with endpoint clients to update their components, policies and protection data) applies the first rule that matches the user or computer.
Why Use Virtual Groups
You may want to use Virtual Groups if you are:
- Using Active Directory but do not want to use it for Endpoint Security. For example:
  - Different administrators manage the Active Directory and Endpoint Security.
  - Your Endpoint Security requirements are more complex than the Active Directory groups. For example, you want different groups for laptop and desktop computers.
- Using a non-Active Directory LDAP tool.
- Working without LDAP.
- Creating computer-based policies for Endpoint Security components that normally support only user-based policies.
Prerequisites for Using Virtual Groups
Important - To manage users with a virtual group, you must do one of these steps:
Types of Virtual Groups
There are two types of virtual groups:
- Virtual Group - Can contain users and computers.
- Computer Group - Only contains computers. Computers in this group have computer-based policies if there is a policy assigned to the group. The priority of the policies is based on the sequence of rules in the Policy Rule Base (all rules configured in a given Security Policy; synonym: Rulebase).
For example, Media Encryption & Port Protection (a component on Endpoint Security Windows clients that protects data stored on the computers by encrypting removable media devices and allowing tight control over computers' ports such as USB and Bluetooth; acronym: MEPP) policy rules normally apply to users, regardless of which endpoint computer they use. However, if a Media Encryption & Port Protection rule is applied to a Computer Group, that rule can be effective before a rule that applies to a user. This is true if the Computer Group rule is above the user's rule in the Policy Rule Base.
If you add objects to a virtual group with an installation package, the objects are not automatically put into these virtual groups. You must do so manually. See Adding Objects with an Installation Package.
Predefined Virtual Groups
Users and computers with Endpoint Agent installed are automatically assigned to these predefined virtual groups:
- All Laptops
- All Desktops
- All Servers
- All Mac OS X Desktops
- All Mac OS X Laptops
- All Windows Desktops
- All Windows Laptops
- Capsule Docs external users - Users that are not part of the organization's Active Directory but are registered on the Endpoint Security Management Server (the dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain; synonym: Single-Domain Security Management Server) as an external user. See Working with External Users. These are typically users who are not part of the organization, but must be able to view documents which originated in the organization.
- Capsule Docs internal users - Users that are part of the organization's Active Directory.
The users and computers can be added to another virtual group, or removed from a virtual group and added to another virtual group.
If you add objects to a virtual group with an installation package, the objects are not automatically put into these virtual groups. You must do so manually. See Adding Objects with an Installation Package.
Managing Virtual Groups
Work with virtual groups in the Virtual Group branch of the Users and Computers tree.
When you create a new virtual group, you set the group type, which you cannot change. Changes to a virtual group are saved automatically and installed immediately on the Endpoint Security clients.
- A user or a computer can belong to multiple virtual groups.
- Only computers can be added to Computer virtual groups.
- You can copy users and computers to other virtual groups.
- You can remove users and computers from a virtual group.
- You can copy Active Directory users, computers and members of Active Directory groups to a virtual group.
Assign the Virtual Groups in a Policy rule, as for any other entity.
To create a new virtual group:
- In the Users and Computers tree, click Global Actions > New Virtual Group.
- In the New Virtual Group window:
  - Enter a name for the group.
  - Optional: Enter a Comment.
  - Select Virtual Group or Computer Group.
- Click Next.
- In the Select Entities window, select the members of the group.
- Click Finish.
To add computers and users from Active Directory to a Virtual Group:
- Right-click an OU on the Directories branch of the Users and Computers tree.
- Select Add content to Virtual Group.
- Select a Virtual Group and click OK.
All users and computers in the specified OU are added to the Virtual Group.
If you select one of the default Virtual Groups, only those users and computers applicable to that group are added. For example, if you select the All Laptops Virtual Group, only laptop computers and their users are added to the group.
To copy a user or computer to another virtual group:
- Right-click the user, computer or Active Directory group.
- Select Add to Virtual Group.
- Select the destination virtual group.
The source object becomes a member of the destination group while remaining a member of the source group.
To remove a user or computer from a virtual group:
- Right-click the user or computer.
- Select Remove from Virtual Group.
Using a Computer Group in a User-Based Policy
You can assign a rule to a Virtual Group, as you can for any other entity.
This example shows how to use a Computer Group in the Media Encryption & Port Protection Policy, which is user-based.
Best Practice - In a component policy that is user-based, put computer group rules above user rules in the "more rule(s)" section.
Read the comments in the rules.
| No | Name | Applies to | Comment |
|---|---|---|---|
| - | Media Encryption & Port Protection | | |
| | Default Media Encryption & Port Protection settings for the entire organization | Entire Organization | This rule applies to all users that are not logged into computers in "Media Encryption computer Group" |
| - | 1 more rule | | |
| 1 | Media Encryption & Port Protection Rule for "Media Encryption computer Group" | Media Encryption computer Group \Virtual Groups | Media Encryption & Port Protection policy rules normally apply to users, regardless of which endpoint computer they use. However, this rule applies to computers in "Media Encryption Computer Group" regardless of which users are logged in to the computer. |
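The rule-ordering behaviour described above (one rule per component, the first matching rule in Rule Base order wins, so a Computer Group rule placed above a user rule takes precedence for anyone logged in to that computer) also governs the Software Deployment rules in the next section. The following Python model is an added example, not Check Point code or a SmartEndpoint API: the Endpoint and Rule classes, the "Finance Users" group, the rule names and the action strings are all constructed for the illustration.

```python
"""Model of first-match evaluation of an Endpoint Security Rule Base.

Added illustration only, not Check Point code or an API: the Endpoint and
Rule classes, the group names, the rule names and the action strings are
all constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    """One session: the computer, the logged-in user, and the virtual
    groups each belongs to (an object may be in several groups)."""
    computer: str
    user: str
    computer_groups: frozenset = frozenset()
    user_groups: frozenset = frozenset()


@dataclass(frozen=True)
class Rule:
    """One rule in a component's Policy Rule Base. 'applies_to' is a group
    name or 'Entire Organization'; scope 'computer' marks a Computer Group
    rule, scope 'user' a rule that applies to users."""
    name: str
    applies_to: str
    action: str
    scope: str = "user"


def rule_matches(rule, ep):
    """A rule matches when the session's computer (Computer Group rule) or
    user (user rule) is a member of the rule's group; the organization-wide
    default rule matches everything."""
    if rule.applies_to == "Entire Organization":
        return True
    if rule.scope == "computer":
        return rule.applies_to in ep.computer_groups
    return rule.applies_to in ep.user_groups


def effective_rule(rule_base, ep):
    """Return the first matching rule in Rule Base order. Only one rule per
    component is applied, so the position of a rule is its priority."""
    for rule in rule_base:
        if rule_matches(rule, ep):
            return rule
    raise LookupError("no rule matched; the Rule Base needs a default rule")


# Constructed Media Encryption & Port Protection Rule Base: the Computer Group
# rule is above the user rule, as the best practice recommends, and the
# organization-wide default is last.
MEPP_RULES = (
    Rule("MEPP rule for Media Encryption computer Group",
         "Media Encryption computer Group", "block_removable_media",
         scope="computer"),
    Rule("MEPP rule for Finance Users", "Finance Users",
         "encrypt_removable_media"),
    Rule("Default MEPP settings", "Entire Organization",
         "allow_removable_media"),
)


def demo():
    """Evaluate one user in two situations, then with the rules reordered."""
    # Finance user logged in to a computer that is in the Computer Group.
    on_shared_pc = Endpoint(
        "PC-017", "alice",
        computer_groups=frozenset({"Media Encryption computer Group"}),
        user_groups=frozenset({"Finance Users"}))
    # Same user on a laptop that is not in the Computer Group.
    on_laptop = Endpoint("LT-042", "alice",
                         user_groups=frozenset({"Finance Users"}))
    # Same Rule Base with the Computer Group rule moved below the user rule:
    # the user rule now matches first on the shared PC.
    user_rule_first = (MEPP_RULES[1], MEPP_RULES[0], MEPP_RULES[2])
    return (effective_rule(MEPP_RULES, on_shared_pc).action,
            effective_rule(MEPP_RULES, on_laptop).action,
            effective_rule(user_rule_first, on_shared_pc).action)


if __name__ == "__main__":
    for label, action in zip(("shared PC", "laptop", "shared PC, reordered"),
                             demo()):
        print(f"{label}: {action}")
```

Running the script shows the same user getting the Computer Group action on the shared PC and the user-group action on the laptop, and that moving the Computer Group rule below the user rule silently changes the outcome on the shared PC; a Rule Base without a trailing organization-wide default leaves some sessions unmatched, which the model reports as an error rather than falling through.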
Example Deployment Rules for Virtual Groups
You can deploy Endpoint Security components to Endpoint Security clients according to Virtual Groups.
This example shows Software Deployment Rules that specify the components to be deployed to the All Laptops and All Desktops Virtual Groups.
Read the comments in the rules.
| No | Name | Applies to | Actions | Comment |
|---|---|---|---|---|
| - | Software Deployment | | | |
| | Default Deployment | Entire Organization | Do Not install | Default Software Deployment settings for the entire organization |
| - | 2 more rules | | | |
| 1 | Deployment to Desktops | All Desktops \Virtual Groups | Endpoint Client Version 80.88.4122 Selected blades | |
| 2 | Deployment to laptops | All Laptops \Virtual Groups | Endpoint Client Version 80.88.4122 Selected blades | Same as desktop plus Full Disk Encryption and Endpoint Security VPN |
Adding Objects with an Installation Package
When you distribute a new Endpoint Security client installation package, you can assign users and computers to a destination group. Computers and users that use this package are automatically assigned to the group when they connect to the server for the first time.
For example, an MSP that services 5 organizations can export 5 installation packages to divide endpoints into 5 different groups. Users who install the package designated for Group A are automatically put in Group A. Users who install the package designated for Group B are automatically put in Group B.
To configure a virtual group destination for an installation package:
- In the Users and Computers tab, create a virtual group.
- In the Deployment tab, click Packages for Export.
- Select a package and change the rule settings to Export to the new virtual group.
  Change other rule settings as necessary. If you are upgrading from version R73 or earlier, make sure that you configure the legacy version passwords.
- Right-click the package and select Export Package from the option menu.
- In the Export Package window, select the platform type and 32-bit or 64-bit.
- Define the path to the directory that the package is saved to.
- Click OK.
The package downloads to the specified location.
Monitoring Virtual Groups
Virtual Groups show in Reporting reports like other objects. You can create virtual groups for monitoring and other purposes. Endpoints can be members of more than one group.
For example, if you want to do a test of a new Endpoint Security upgrade, you can create a Virtual Group that contains only those endpoints included in the test. Then you can create a report for the deployment and activity of these endpoints.
To see activity for virtual group objects:
- Go to the Reporting tab and select Software Deployment from the tree.
- Click the ... button in the Endpoint List section of the Software Deployment Status pane.
- Select Virtual Groups and then select the virtual group that you want to see.