cancel
Showing results for 
Search instead for 
Did you mean: 

Multiple EPO Policy Application based on Tag

Hello,

We've been just installing 4.6.6 internally for a new network and are trying to make things as automated as possible.  We've got Tags/Policies setup to determine OS eg "Microsoft Server 2008 R2", "Microsoft Windows 8", "Microsoft SQL Server 2008 R2" and if its a VM or not "VMWare Tools" (checks on MAC address).

I had been hoping to assign mutiple tags & associated policies to a client but I've been told that the policies will only apply the top priority one.

For example

ServerABC is runnign Server 2008 R2, SQL Server 2008 R2 and is a virtual machine in my development network.

So lets take exclusions,

"Microsoft Server 2008 R2" excludes C:\Windows\*.*

"Microsoft SQL Server 2008 R2" excludes E:\Databases\*.* F:\Logs\*.*

"VMWare Tools" excludes C:\Program Files\VMWare\*.*

I wanted to some way have the resulting policy on the ServerABC to have a merged copy of the exclusions applied to "Microsoft Server 2008 R2", "Microsoft SQL Server 2008 R2" and "VMWare Tools"

i.e an exclusion list of -

C:\Windows\*.*

E:\Databases\*.*

F:\Logs\*.*

C:\Program Files\VMWare\*.*

But I've been told that only 1 category can be applied at one time, so in this instance my exclusions would only show C:\Windows\*.* as it was the higest priority.  Is there any way to do what I want to achieve which is essentially have a Policy based on Product so that if I need to change an exclusion for a certain product I only have to change it in one place rather than multiple policies?

I hope this makes sense to anyone reading it.

Any help much appreciated.

Best Regards,

Peter

9 Replies
Highlighted
rackroyd
Level 16
Report Inappropriate Content
Message 2 of 10

Re: Multiple EPO Policy Application based on Tag

You can only apply one policy of the same type to a machine at a time, so policy 'merging' like this is not possible - sorry.

You would need to make a policy object with all the exclusions you want and then maybe you can use tagging to assign that to appropriate machines.

Re: Multiple EPO Policy Application based on Tag

Thats disappointing, I'd assumed such a simple feature would have been included by default.  So essentially you need to make a policy object for each unique combination?

Would love this to be raised as a feature request!!

rackroyd
Level 16
Report Inappropriate Content
Message 4 of 10

Re: Multiple EPO Policy Application based on Tag

I'm afraid sometimes what appears simple to design is not in fact so simple to code.

Please feel free to log a feature request, anyone can do so through the McAfee PER process.

Steps on how to do log a PER are detailed in McAfee support article: KB60021 - How to submit a Product Enhancement Request (PER)

Re: Multiple EPO Policy Application based on Tag

Let me point out a couple of things just in case...

This exclusion ("c:\Windows\*.*") has two issues with it:

1. The syntax is wrong. It should stop at the last slash ("C:\Windows\").

2. This is insanely dangerous. Viruses love to live in the Windows and System 32 directory. You should never ever exclude them.

Re: Multiple EPO Policy Application based on Tag

Thanks Peter, these were just for illustrative purposes to try and keep things simple to get my point across.  I'd never consider excluding these folders!

Reliable Contributor andrep1
Reliable Contributor
Report Inappropriate Content
Message 7 of 10

Re: Multiple EPO Policy Application based on Tag

So simple, so obvious and yet missing for VSE.  This is my biggest beef with the product, specially considering it is supported in many other products from McAfee

A product enhancement request form is the way to go.

https://kc.mcafee.com/corporate/index?page=content&id=KB60021

Re: Multiple EPO Policy Application based on Tag

Yep, I (wrongly) assumed it was a standard implementation.  Totally gutted would massively reduce administration (for us at least).

2 PER's already raised.

1) Allow multiple policies to be applied (merged)

2) Inventory locally installed software and have a field called "Locally Installed Software" so you can create a tag based on this field.

pboedges
Level 10
Report Inappropriate Content
Message 9 of 10

Re: Multiple EPO Policy Application based on Tag

You should look into McAfee Risk Advisor, with it you get the Application Inventory Agent which performs a complete software inventory of a system.  You can then create a query with your filter on a specific piece of software, and through a Server Task run the query and apply a tag based on your requirements.  You can also apply policy within the same Server task based on your query.

on 12/3/13 3:29:52 PM GMT-05:00

Re: Multiple EPO Policy Application based on Tag

Nice one thanks, could be a good work around for my 2nd PER!  Still really need the 1st one implemented before the combination of the two will really start to reduce the admin work!!

More McAfee Tools to Help You

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community