ccastbr
Level 10
Message 1 of 5

Strategies for ENS/ENSL policy separate assignment Windows/Linux


We have Windows Servers, Windows Workstations, and Red Hat Enterprise Linux systems. To maintain separate policies for the operating systems, and because our system tree structure does not separate Linux and Windows, but separates by site and function, we have assigned policies by system tag generated by OS.

What is the common way to do this? Is it correct that Policy assignments by tag are honored over policy assignments by system tree? To temporarily modify a policy for a single system, does a second policy assignment rule overrule the first? What is the best way to accomplish that? (For example - for testing, to swap out an options policy on a single system or group of systems, change system's tag?)

We do not use ENS FW on Linux. Exclusion files and paths are different for Windows and Linux.

Thank you

4 Replies
chealey
McAfee Employee
Message 2 of 5

Re: Strategies for ENS/ENSL policy separate assignment Windows/Linux


Hi @ccastbr 

Many thanks for posting on the Community.

It's a very good idea indeed to have separate policies for ENS Windows and ENSL machines. Of course many roads lead to Rome, but using Policy Assignment Rules is a good way of applying the specific policies, unless you are using separate OUs within the System Tree.

You are correct, Rule assignments take priority over system tree assignments and you can always check which policy is effective on the machine, by selecting the machine within the system tree > actions > view effective policy.

If you needed to temporarily modify the policy applied to that machine, then yes it becomes a little more tricky. I'd probably say the easiest way would then be to set a specific tag which has a rule with a higher priority.


ccastbr
Level 10
Message 3 of 5

Re: Strategies for ENS/ENSL policy separate assignment Windows/Linux


Thank you

When you say: "If you needed to temporarily modify the policy applied to that machine, then yes it becomes a little more tricky. I'd probably say the easiest way would then be to set a specific tag which has a rule with a higher priority."

How do you set a rule with a higher priority? For instance, if I apply a tag of "TEST-No-OAS" and an option policy that disables on access scanning is applied, how would that be made to be a higher priority?

 

chealey
McAfee Employee
Message 4 of 5

Re: Strategies for ENS/ENSL policy separate assignment Windows/Linux


If you look within the Rule Assignment Rules, you'll see they are numbered. This is the order in which they take priority. So if you created a temporary policy/rule, you'd need to ensure that this rule is higher in the list than the original one. Otherwise the original policy & rule will take precedence.

Hope that makes sense.


ccastbr
Level 10
Message 5 of 5

Re: Strategies for ENS/ENSL policy separate assignment Windows/Linux


Perfect. I did not realize that. Thank you.
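The precedence discussed in this thread, as an added example that is not part of any post and is not McAfee/ePO code: a simplified model in which numbered assignment rules are checked in list order, the first rule whose tag is on the system wins, and the System Tree assignment applies only when no rule matches. Host names, policy names and the inventory are constructed; only the "TEST-No-OAS" tag comes from the thread. The last function lists systems still governed by a temporary test rule, which is the check to run once testing is over.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: int   # position in the numbered rule list; 1 is evaluated first
    tag: str        # tag the rule matches on
    policy: str     # policy the rule assigns (hypothetical names)

def winning_rule(tags, rules):
    """First rule in list order whose tag is on the system, or None."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.tag in tags:
            return rule
    return None

def effective_policy(tags, rules, tree_policy):
    """Rule assignment wins over the System Tree assignment when a rule matches."""
    rule = winning_rule(tags, rules)
    return rule.policy if rule else tree_policy

def on_test_policy(inventory, rules, test_tags):
    """Systems whose effective policy comes from a temporary test rule."""
    return sorted(name for name, tags in inventory.items()
                  if (r := winning_rule(tags, rules)) and r.tag in test_tags)

# Constructed inventory: system name -> tags applied to it.
INVENTORY = {
    "win-srv-01": {"Windows"},
    "win-wks-07": {"Windows", "TEST-No-OAS"},
    "rhel-app-03": {"Linux"},
    "appliance-01": set(),            # no tag: falls back to the System Tree
}
TREE_POLICY = "Default-Options"

# Test rule listed below the OS rules: the original OS rule takes precedence.
TEST_BELOW = [Rule(1, "Windows", "ENS-Windows-Options"),
              Rule(2, "Linux", "ENSL-Options"),
              Rule(3, "TEST-No-OAS", "Test-OAS-Disabled")]
# Test rule moved to the top of the list: it now overrides the OS rule.
TEST_ABOVE = [Rule(1, "TEST-No-OAS", "Test-OAS-Disabled"),
              Rule(2, "Windows", "ENS-Windows-Options"),
              Rule(3, "Linux", "ENSL-Options")]

if __name__ == "__main__":
    for label, rules in (("test rule below", TEST_BELOW), ("test rule above", TEST_ABOVE)):
        for name, tags in sorted(INVENTORY.items()):
            print(label, name, effective_policy(tags, rules, TREE_POLICY))
        print(label, "still on test policy:", on_test_policy(INVENTORY, rules, {"TEST-No-OAS"}))
```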
