Exclude clients from a policy that applies to all clients


Solved by Ufoto

Hi,

We have three clients (by clients I mean laptops) who are in the IT department. The three laptops are inside of an AD group called "NB". The "NB" group also has every other laptop from various departments in our company, including our three. If I apply a stricter policy where the recognized threat would be auto-deleted and want a softer policy for us in IT, and our three laptops WITHOUT MOVING them to a new "IT" OU - how would I accomplish this?

Is there an option to EXCLUDE a couple of clients from the policy? I did not find it.

Cheers


Hi Admindt,

Yes, you can use the policy inheritance logic to achieve that. Since the most specific policy always takes precedence, you can assign your strict policy at the group level, and then assign the more loose policy to these specific devices. Since the latter will be more specific it will take precedence over the group assignment.

Just make sure that the conflicting settings are enabled by clicking on the blue dot next to the setting. Don't use the yellow lightning for the restrictive policy as this will prevent inheritance breaking. 

I hope this helps. 

Best Regards,


Hi Ufoto,

thank you for your answer.

Just want to confirm something, "Just make sure that the conflicting settings are enabled by clicking on the blue dot next to the setting. Don't use the yellow lightning for the restrictive policy as this will prevent inheritance breaking. "

So the software policy which would be used for all Windows clients has the blue dot on most of the settings, let's call it a "Strict policy". The "soft policy" for us in IT has lightning on most of the settings, and it is applied only to the "IT Department" group which I created in the console and there are our three machines. Is this ok?

Cheers


Hi Admindt,

Yes, this will do fine. If the "IT Department" group is a sub-group of the Windows clients one, you don't even need to enable the lightning. The blue dot should be sufficient. You need to make sure that you do that for all settings that should be different, because if no blue dot or lightning is enabled, the configuration of these settings will be inherited from Windows clients.

Regards,

Really? So the lightning does not even have to be enabled - this is great, but like you said it will be inherited - it is a bit harder to grasp the concept, at least for me, because I am afraid that one setting of the stricter policy will overwrite our softer policy. However, this cannot happen, because they don't exist in the same groups. But if I would, let's say theoretically, apply both policies to "all", then I am thinking that the forced lightning options would be needed, because the two policies clash.

This is what it looks like, I have a strict policy for "NB", "WKS" because there are all of our machines.

Struktur.JPG

  • Solution

You shouldn't be assigning two conflicting policies at the same level - especially the 'All' group. Indeed, if one of the policies has the lightning enabled, these settings will take precedence over the other policy; however, they will be enforced to all systems in your organization.

Looking at your structure, indeed the policy assigned to '_SYS' will affect all sub-groups except "NB", "WKS" where you said that you assigned the strict policy. Since this assignment is more specific, inheritance will be broken and the changed settings will take precedence. 

Regarding the 'IT Department' group, as far as I can see it is not a sub-group of '_SYS' so it is not related to it in any way. Systems located in the 'IT Department' group will inherit policies only from 'All'.

Regards,
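
The precedence rules described in the answers above, written as a small model (an added example, not part of the original thread and not the product's own code). It assumes policies merge from the least to the most specific assignment and that a setting flagged with the lightning cannot be replaced further down, as the posts state; the group tree follows the thread, while the setting names and values are constructed.

```python
APPLY, FORCE = "apply", "force"  # blue dot / yellow lightning, as named in the thread

# Constructed group tree (child -> parent), following the structure discussed above.
PARENT = {"All": None, "_SYS": "All", "NB": "_SYS", "WKS": "_SYS",
          "IT Department": "All"}

def chain(group):
    """Groups from the root down to `group` (least to most specific)."""
    path = []
    while group is not None:
        path.append(group)
        group = PARENT[group]
    return path[::-1]

def resolve(group, group_policies, device_policy=None):
    """Return {setting: (value, source)} for a device in `group`.

    Policies are merged from least to most specific; a later value replaces
    an earlier one unless the earlier one was flagged FORCE.
    """
    layers = [(g, group_policies[g]) for g in chain(group) if g in group_policies]
    if device_policy is not None:
        layers.append(("device", device_policy))
    result, locked = {}, set()
    for source, policy in layers:
        for setting, (value, flag) in policy.items():
            if setting in locked:
                continue  # an ancestor forced this setting
            result[setting] = (value, source)
            if flag == FORCE:
                locked.add(setting)
    return result

# Constructed policies; the setting names and values are hypothetical.
STRICT = {"on_detection": ("delete", APPLY), "scan_removable": ("on", APPLY)}
STRICT_FORCED = {k: (v, FORCE) for k, (v, _) in STRICT.items()}
SOFT = {"on_detection": ("ask", APPLY)}  # scan_removable left unflagged

def demo():
    soft_wins = resolve("NB", {"NB": STRICT}, SOFT)
    forced = resolve("NB", {"NB": STRICT_FORCED}, SOFT)
    separate = resolve("IT Department", {"NB": STRICT, "IT Department": SOFT})
    return soft_wins, forced, separate

if __name__ == "__main__":
    for label, r in zip(("apply", "force", "separate group"), demo()):
        print(label, r)
```

The second result shows why the lightning on the strict policy defeats the exception, and the first shows that any setting the softer policy leaves unflagged is still taken from the strict one.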
