Performance impact of Policy Assignment Rules vs Tree Assignment

I recall from attending FOCUS/M-POWER a few years ago that some large companies who try to maintain a single ePO server for all their endpoints mentioned that one of the things they had to do to achieve the stability that they had on the server was reduce their usage of Policy Assignment Rules, as every client check-in would cause ePO to re-visit the policy assignment rule list and evaluate it, while a direct assignment in the tree would not cause the same issue.

After a discussion with my workers, they indicated this might not be the case as ePO has already evaluated this and applied it accordingly.

So to summarize my question:  is there a measurable impact seen from using a policy assignment rule versus using direct assignment?  If we have numerous policy assignment rules, would that cause noticeable impact on ePO/its database?

1 Solution

Accepted Solutions
Reliable Contributor User91972758
Message 4 of 6

Re: Performance impact of Policy Assignment Rules vs Tree Assignment

From what I've understood, it's user preference. I haven't heard of issues with using PARs versus Tree Assignment. As Dave mentioned, the company would have to be very large, and probably have to have a large selection of PARs to parse through.

Tree assignment has been my primary method of sorting my environment; the only downside I've faced is trying to mimic policies across Dev and Production systems. It seems this is something that can be fixed from the start by exporting the policy and creating a group afterwards and then importing the copied policy.

Personally, the use of tree assignment is nice because you have a one-stop shop to tell what's applied and can easily tell where inheritance is broken and are able to edit it based off the system tree. With PARs I find it a bit tricky to dictate which PAR affects which systems until you dig deeper into the PAR itself.

5 Replies
Reliable Contributor Daveb3d
Message 2 of 6

Re: Performance impact of Policy Assignment Rules vs Tree Assignment

I don't believe so.  I suspect you would need a very large number of systems to really see significant impact.  

Re: Performance impact of Policy Assignment Rules vs Tree Assignment

Do you know roughly when a threshold might be reached for that impact?  We've got about 15k systems with a multitude of products installed on them and our previous 5.3 server had about 77 rules, while the new 5.10 server has 49.  My coworker wants to do PARs for all the individual server applications that require exclusions, rather than break them out in the tree.

Re: Performance impact of Policy Assignment Rules vs Tree Assignment

Why create policies for each application? If the application has a specific enough exception, then why not merge the exceptions into one policy that applies to all servers? We are going through this now to reduce the complexity in the environment. We will have two server policies, one for the majority of servers, which will be assigned via the System Tree. The second policy will be for applications that require a broad exception that we don't want on every server.

Re: Performance impact of Policy Assignment Rules vs Tree Assignment

Hey mtravis,

This is because McAfee's general guidance on OAS exclusions is to have as few as possible in each policy, as it has to iterate through the list each time in memory while scanning the drive and a larger list of exclusions means longer scanning times for everything.  We have a large composite policy right now, which I fear is causing some of the performance worries from the business.  Following McAfee best practices and catering policies to certain groups (while drastically reducing the overall number of exclusions across the board) would hopefully relieve some of their concerns and improve performance.

The only problem with tree assignment is it might cause a sprawling System Tree setup.  My coworker is in direct opposition to that idea, as the previous server was a sprawling mess.  In regards to recognizing what's applied, thankfully 5.9/5.10 has the Applied Policies tab, as well as good old View Assigned Policies.
