Custom policies with ERA 6 are locked on the client side?

[mstormo 0]

We just switched over to ERA 6 + Endpoint Security 6.x, and I'm having some issues with the new Policy Manager.

 

I simply want to set up a configuration default which is reasonable for our company, but still allow end-clients to modify their settings.

The problem is, if I create my own policy, tweak the settings, then apply it to the Static Group "All", the configuration is applied, but those settings are also turned to "Read-Only" on the client side.

 

How do I make the ERA apply policies on clients without turning the setting read-only? The built-in policies don't seem to make their settings Read-Only?

 

Unfortunately

    hxxp://help.eset.com/test/era_admin/6/en-US/index.html?admin_pol_policies_wizard.htm

    hxxp://help.eset.com/test/era_admin/6/en-US/index.html?amin_pol_assign_policy_to_group.htm

    hxxp://help.eset.com/test/era_admin/6/en-US/index.html?admin_pol_flags.htm

don't mention anything about Read-Only settings.

 

Any ideas?

 

I need to set Trusted Zones, Excluded Paths, a few firewall rules without locking it all down.

 

 

Thanks!

 

-- 

.marius

[Marcos 5,082]

To achieve this, don't set the said settings in the policy.

[b.kaiser 0]

To achieve this, don't set the said settings in the policy.

 

But if I don't set the setting how do I preconfigured a network in trusted zone?

[mstormo 0]

To achieve this, don't set the said settings in the policy.

 

Well, the point is to set the particular settings as a convenience to our employees (such as allowed ports for a lot of the tools we use internally, Synergy for example, exclude certain paths from scanning, Visual Studio paths, source and binary paths on developer machines etc) so they don't all have to do it themselves when we roll it out using the Agent. But, as they are all Administrators and we trust their judgement, we still want these settings to be editable, as they may have their own special needs.

 

So "don't set the said settings" is a bit of a "cop out" in my opinion. If I don't set the setting in the policy (to avoid the padlock), I will have to either instruct all the employees how to apply the various settings themselves, or do it myself X number of times..

 

Surely there must be a way to apply a setting without restricting it?

[jimwillsher 65]

A policy is a policy - you are telling the software which policies you want to be applied. Even if they were editable by the user, the next time the agent contacted ERA they would be reapplied.

I don't think you can achieve what you are aiming for.

Jim

[Marcos 5,082]

An administrator should get a list of all requirements from users (e.g. a list of ports that they need to have open) and add all the settings to the policy that is applied. As for excluding files from scanning, we don't recommend it as every exclusion creates a potential security hole. So use exclusions with care and only in cases when there are actual issues. Even then I'd strongly suggest contacting customer care, troubleshooting the issue with them and using exclusions only as an interim solution unless they recommend using them as a permanent workaround.

[frapetti 1]

I was also surprised to see it's read-only. Then what's the difference between apply an force?

I wanted to make the firewall recognize our internal networks as trusted, exclude them from IDS, etc, but that seems to limit what the users can set on the firewall.

Edited January 2, 2017 by frapetti

[Marcos 5,082]

"Apply" will apply a particular setting while "Force" will override "Apply" if set by another policy.