Jump to content

ERA 6.4 applied policy behaviour


Go to solution Solved by MichalJ,

Recommended Posts

Testing ERA 6.4 Virtual appliance with EES 6.4 on Windows 10 x64.

 

I had strange situation with policies I applied on static group. I've made contact to local ESET support and we where able to solve situation but we don't know is that by design or bug.

So, here goes.

 

I have made static group and applied policy to that group. I've made installer that moves client in that group.

 

After making few changes in policy and confirming it's been applied to client I've deleted policy and created second policy with same name but different settings.

 

These settings applied also. However after deleting third time policy and creating third policy with same name and settings that where in original policy, client was left with settings of second deleted policy.

 

Even with force or apply I was unable to change settings on client.

 

I also deleted policy and client still had settings from second deleted policy.

 

With local ESET support we tried to create new policy with different name and finally client got settings from new policy. However I had to Apply all settings that where set in second deleted policy.

 

 

My question is, does client hold last policy settings even if I delete it and apply no policy to his group?

 

 

Regards!

 

 

 

 

Link to comment
Share on other sites

  • ESET Staff
  • Solution

Basically, policy behavior works as follows:

  1. You configure a setting in ERA policy (choose "apply" / "force" flag next to it) - there is no difference between apply / force, except the one, that when you have different overwriting policies, the policy lover in the hierarchy could not overwrite a value, which is set with "force". So the value will be kept from the policy higher in the hierarchy. Please check the documentation about this behavior:
    1. hxxp://help.eset.com/era_admin/64/en-US/index.html?admin_pol_flags.htm
    2. hxxp://help.eset.com/era_admin/64/en-US/index.html?admin_pol_how_policies_are_applied.htm 
  2. When you remove the policy, setting remains set on the client (it won´t revert to the default value), unless it is overwritten by a different policy (!) So in this case, it might happen, that the policy number "3" have not set the same set of settings, so the values from the policy number "2" were kept, unless they were overwritten by the policy number "3".

So yes, when you remove the policy, settings will be kept, until they are overwritten with a different policy. The difference is, that they are no longer "enforced". So ideally, you should have a "default" policy for each client type set on the "all" group, meaning that if a client for example moves from some dynamic group, the original (desired) settings would be restored.

It is described here: hxxp://help.eset.com/era_admin/64/en-US/index.html?admin_pol.htm

Edited by MichalJ
Link to comment
Share on other sites

Basically, policy behavior works as follows:

  1. You configure a setting in ERA policy (choose "apply" / "force" flag next to it) - there is no difference between apply / force, except the one, that when you have different overwriting policies, the policy lover in the hierarchy could not overwrite a value, which is set with "force". So the value will be kept from the policy higher in the hierarchy. Please check the documentation about this behavior:
    1. hxxp://help.eset.com/era_admin/64/en-US/index.html?admin_pol_flags.htm
    2. hxxp://help.eset.com/era_admin/64/en-US/index.html?admin_pol_how_policies_are_applied.htm 
  2. When you remove the policy, setting remains set on the client (it won´t revert to the default value), unless it is overwritten by a different policy (!) So in this case, it might happen, that the policy number "3" have not set the same set of settings, so the values from the policy number "2" were kept, unless they were overwritten by the policy number "3".

So yes, when you remove the policy, settings will be kept, until they are overwritten with a different policy. The difference is, that they are no longer "enforced". So ideally, you should have a "default" policy for each client type set on the "all" group, meaning that if a client for example moves from some dynamic group, the original (desired) settings would be restored.

It is described here: hxxp://help.eset.com/era_admin/64/en-US/index.html?admin_pol.htm

 

Thanks for answer!

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...