sanjay mehta 6 Posted April 25, 2017 Share Posted April 25, 2017 (edited) a laptop in the network that is connected to eras, has the policies applied and settings locked. USB & browsing restrictions apply. this user carries the laptop when he moves for a out of station posting. the requirement here is for a standalone system & there is no way to connect to their eras in internal network at headoffice. here all default settings would be preferred. no USB or browsing restrictions required. so the agent is uninstalled. but to his dismay, he realizes that the settings are still locked by eras, and he cannot change the same. he calls the headoffice. but since there is no way he can connect to eras on the headoffice network directly, the settings cannot be "unmanaged". in v5, there used to be just a pw required to unlock the settings & then revert to default. importing a config file could be an option, which will change the settings, but what i realize is that still the previously locked settings continue to remain unmanageable for the user. can eset consider giving an offline tool or some kind of password to restore an eset installation to default settings or effectively "unmanage" ? this is a cause for temporary distress at the user end. Edited April 25, 2017 by sanjay mehta added more feedback on the issue Link to comment Share on other sites More sharing options...
ESET Staff MichalJ 434 Posted April 25, 2017 ESET Staff Share Posted April 25, 2017 In 6.5 there is the possibility to enter "override mode", where the settings are temporarily unlocked for a limited time period. You can also apply different policies for "in house" and "outside" scenarios, using dynamic group template tight to connected network. Isn't it an option for you? Link to comment Share on other sites More sharing options...
hungtt 1 Posted April 25, 2017 Share Posted April 25, 2017 4 minutes ago, MichalJ said: In 6.5 there is the possibility to enter "override mode", where the settings are temporarily unlocked for a limited time period. You can also apply different policies for "in house" and "outside" scenarios, using dynamic group template tight to connected network. Isn't it an option for you? Hi MichaIJ, If ERA server is use IP local at company, when users out of company how to policy "in house" can push from ERA server ? Option "override mode" not help full because user can use this on company to drop all policy. Link to comment Share on other sites More sharing options...
sanjay mehta 6 Posted April 25, 2017 Author Share Posted April 25, 2017 4 hours ago, MichalJ said: In 6.5 there is the possibility to enter "override mode", where the settings are temporarily unlocked for a limited time period. You can also apply different policies for "in house" and "outside" scenarios, using dynamic group template tight to connected network. Isn't it an option for you? reply by hungtt answers yr queries. the need is to revert to default settings for an installation, without having to uninstall & reinstall the sw. this shd be possible without the presence of agent (which has been uninstalled already) & access to eras. an offline tool or a password to revert status to standalone or "unmanaged" can do the job. Link to comment Share on other sites More sharing options...
ESET Staff MichalJ 434 Posted April 25, 2017 ESET Staff Share Posted April 25, 2017 @hungtt You can pre-configure the agent, to enforce a policy in case of a membership in the dynamic group (internal network) on top of the master policy, which would be applied when the computer is not in the dynamic group. When dynamic group conditions are not met, the standard settings will be applied (features disabled, internet allowed). You need to define all the things in advance, as it is true, when computer is outside the network, ERA won´t have access to it (if you for example won´t have an alternative ERA proxy, that will be "internet facing", located somewhere in the DMZ. @sanjay We are planning to change the behavior, that when ERA agent is removed, Endpoint will "unlock" its settings. This is evaluate for the next major release of ERA / ENdpoints in Q4 (I can´t confirm that it will happen for sure, but it is in the backlog for this version). However, if the computer is not permanently removed from the management, this is not the way it should be done. Rather you should use various policy profiles, for different locations, as suggested in the point above. Link to comment Share on other sites More sharing options...
bbahes 29 Posted April 25, 2017 Share Posted April 25, 2017 10 hours ago, MichalJ said: In 6.5 there is the possibility to enter "override mode", where the settings are temporarily unlocked for a limited time period. You can also apply different policies for "in house" and "outside" scenarios, using dynamic group template tight to connected network. Isn't it an option for you? Does this rely on firewall zones? Link to comment Share on other sites More sharing options...
sanjay mehta 6 Posted April 26, 2017 Author Share Posted April 26, 2017 9 hours ago, MichalJ said: @hungtt You can pre-configure the agent, to enforce a policy in case of a membership in the dynamic group (internal network) on top of the master policy, which would be applied when the computer is not in the dynamic group. When dynamic group conditions are not met, the standard settings will be applied (features disabled, internet allowed). You need to define all the things in advance, as it is true, when computer is outside the network, ERA won´t have access to it (if you for example won´t have an alternative ERA proxy, that will be "internet facing", located somewhere in the DMZ. @sanjay We are planning to change the behavior, that when ERA agent is removed, Endpoint will "unlock" its settings. This is evaluate for the next major release of ERA / ENdpoints in Q4 (I can´t confirm that it will happen for sure, but it is in the backlog for this version). However, if the computer is not permanently removed from the management, this is not the way it should be done. Rather you should use various policy profiles, for different locations, as suggested in the point above. enforcing a policy dynamically is not an option, because the user leaves the network for good & is not going to return immediately. one cannot apply restrictions for connected computers & remove the restrictions if they are not connected. would it not be dangerous ? my discussion is limited to computer that is removed permanently from the network. agree that removing the agent must unblock all the settings. seems logical. that is how it should be. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,070 Posted April 26, 2017 Administrators Share Posted April 26, 2017 17 minutes ago, sanjay mehta said: enforcing a policy dynamically is not an option, because the user leaves the network for good & is not going to return immediately. one cannot apply restrictions for connected computers & remove the restrictions if they are not connected. would it not be dangerous ? Conditions for dynamic group membership are evaluated by agent, ie. regardless of whether the ERA Server is accessible or not. Link to comment Share on other sites More sharing options...
sanjay mehta 6 Posted April 26, 2017 Author Share Posted April 26, 2017 2 minutes ago, Marcos said: Conditions for dynamic group membership are evaluated by agent, ie. regardless of whether the ERA Server is accessible or not. need to understand this in more details before it sinks in . shall revert in some time. Link to comment Share on other sites More sharing options...
Recommended Posts