mstormo 0 Posted July 31, 2015 Share Posted July 31, 2015 We just switched over to ERA 6 + Endpoint Security 6.x, and I'm having some issues with the new Policy Manager. I simply want to set up a configuration default which is reasonable for our company, but still allow end-clients to modify their settings. The problem is, if I create my own policy, tweak the settings, then apply it to the Static Group "All", the configuration is applied, but those settings are also turned to "Read-Only" on the client side. How do I make the ERA apply policies on clients without turning the setting read-only? The built-in policies don't seem to make their settings Read-Only? Unfortunately hxxp://help.eset.com/test/era_admin/6/en-US/index.html?admin_pol_policies_wizard.htm hxxp://help.eset.com/test/era_admin/6/en-US/index.html?amin_pol_assign_policy_to_group.htm hxxp://help.eset.com/test/era_admin/6/en-US/index.html?admin_pol_flags.htm don't mention anything about Read-Only settings. Any ideas? I need to set Trusted Zones, Excluded Paths, a few firewall rules without locking it all down. Thanks! -- .marius Link to comment Share on other sites More sharing options...
Administrators Marcos 5,235 Posted August 2, 2015 Administrators Share Posted August 2, 2015 To achieve this, don't set the said settings in the policy. Link to comment Share on other sites More sharing options...
b.kaiser 0 Posted August 2, 2015 Share Posted August 2, 2015 To achieve this, don't set the said settings in the policy. But if I don't set the setting how do I preconfigured a network in trusted zone? Link to comment Share on other sites More sharing options...
mstormo 0 Posted August 2, 2015 Author Share Posted August 2, 2015 To achieve this, don't set the said settings in the policy. Well, the point is to set the particular settings as a convenience to our employees (such as allowed ports for a lot of the tools we use internally, Synergy for example, exclude certain paths from scanning, Visual Studio paths, source and binary paths on developer machines etc) so they don't all have to do it themselves when we roll it out using the Agent. But, as they are all Administrators and we trust their judgement, we still want these settings to be editable, as they may have their own special needs. So "don't set the said settings" is a bit of a "cop out" in my opinion. If I don't set the setting in the policy (to avoid the padlock), I will have to either instruct all the employees how to apply the various settings themselves, or do it myself X number of times.. Surely there must be a way to apply a setting without restricting it? Link to comment Share on other sites More sharing options...
jimwillsher 65 Posted August 3, 2015 Share Posted August 3, 2015 A policy is a policy - you are telling the software which policies you want to be applied. Even if they were editable by the user, the next time the agent contacted ERA they would be reapplied. I don't think you can achieve what you are aiming for. Jim Link to comment Share on other sites More sharing options...
Administrators Marcos 5,235 Posted August 3, 2015 Administrators Share Posted August 3, 2015 An administrator should get a list of all requirements from users (e.g. a list of ports that they need to have open) and add all the settings to the policy that is applied. As for excluding files from scanning, we don't recommend it as every exclusion creates a potential security hole. So use exclusions with care and only in cases when there are actual issues. Even then I'd strongly suggest contacting customer care, troubleshooting the issue with them and using exclusions only as an interim solution unless they recommend using them as a permanent workaround. Link to comment Share on other sites More sharing options...
frapetti 2 Posted January 2, 2017 Share Posted January 2, 2017 (edited) I was also surprised to see it's read-only. Then what's the difference between apply an force? I wanted to make the firewall recognize our internal networks as trusted, exclude them from IDS, etc, but that seems to limit what the users can set on the firewall. Edited January 2, 2017 by frapetti Link to comment Share on other sites More sharing options...
Administrators Marcos 5,235 Posted January 2, 2017 Administrators Share Posted January 2, 2017 "Apply" will apply a particular setting while "Force" will override "Apply" if set by another policy. Link to comment Share on other sites More sharing options...
Recommended Posts