Exclude clients from a policy that applies to all clients

[admindt 1]

Hi,

we have three clients (by clients I mean laptops) who are in IT department. The three laptops are inside of a AD group called "NB". The "NB" group also has every other laptop from various departments in our company including our three. If I apply a stricter policy where the recognized threat would be auto-deleted and want a softer policy for us in IT, and our three laptops WITHOUT MOVING them to a new "IT" OU - how would I accomplish this?

Is there an option to EXCLUDE couple of clients from the policy? I did not find it.

Cheers

[Ufoto 14]

Hi Admindt,

Yes, you can use the policy inheritance logic to achieve that. Since the most specific policy always takes precedence, you can assign your strict policy at the group level, and then assign the more loose policy to these specific devices. Since the latter will be more specific it will take precedence over the group assignment.

Just make sure that the conflicting settings are enabled by clicking on the blue dot next to the setting. Don't use the yellow lightning for the restrictive policy as this will prevent inheritance breaking. 

I hope this helps. 

Best Regards,

Edited March 22, 2022 by Ufoto

[admindt 1]

Hi Ufoto,

thank you for your answer.

Just want to confirm something, "Just make sure that the conflicting settings are enabled by clicking on the blue dot next to the setting. Don't use the yellow lightning for the restrictive policy as this will prevent inheritance breaking. "

So the software policy which would be used for all windows clients has the blue dot on most of the settings, lets called it a "Strict policy". The "soft policy" for us in IT has lighting on most of the settings, and it is applied only to the "IT Department" group which I created in the console and there are our three machines. Is this ok? 

Cheers

[Ufoto 14]

Hi Admindt,

Yes, this will do fine. If the "IT Department" group is a sub-group of the windows clients one, you don't even need to enable the lightning. The blue dot should be sufficient. You need to make sure that you do that for all settings that should be different. As if no blue dot, or lightning is enabled, the configuration of these settings will be inherited from windows clients.

Regards,

 

 

[admindt 1]

Really? So the lightning does not even have to be enabled - this is great, but like you said it will be inherited - it is a bit harder to grasp the concept, at least for me because I am afraid that one settings of the stricter policy will overwrite our softer policy. However this cannot happen, because they don't exist in the same groups. But if I would, lets say theoretically, apply both policies to "all" then I am thinking that the forced lighting options would be needed, because the two policy clash.

This is how it looks like, I have a strict policy for "NB", "WKS" because there are all of our machines.

 

[Ufoto 14]

You shouldn't be assigning two conflicting policies as the same level - especially the 'All' group. Indeed, if one of the policies has the lightning enabled these setting will take precedence over the other policy ,however they will be enforced to all systems in your organization. 

Looking at your structure, indeed the policy assigned to '_SYS' will affect all sub-groups except "NB", "WKS" where you said that you assigned the strict policy. Since this assignment is more specific, inheritance will be broken and the changed settings will take precedence. 

Regarding the 'IT Department' group, as far as I can see it is not a sub-group of '_SYS' so it is not related to it in any way. Systems located in the 'IT Department' group will inherit policies only from 'All'.

Regards,

[admindt 1]

Thank you, I now understand what and how I need to apply the policies.

Have a great day!

[Ufoto 14]

I am glad to help, I hope you have a great day too!