Let us know briefly about Policy Assignment rules in E-Policy Orchestrator 4.5
From the ePO 4.5 product guide:
A policy is a collection of settings that you create, configure, then enforce. Policies ensure that the managed security software products are configured and perform accordingly.
Some policy settings are the same as the settings you configure in the interface of the product installed on the managed system. Other policy settings are the primary interface for configuring the product or component. The ePolicy Orchestrator console allows you to configure policy settings for all products and systems from a central location.
Policy settings for most products are grouped by category. Each policy category refers to a specific subset of policy settings. Policies are created by category. In the Policy Catalog page, policies are displayed by product and category. When you open an existing policy or create a new policy, the policy settings are organized across tabs.
Where policies are displayed
To see all of the policies that have been created per policy category, click Menu | Policy | Policy Catalog, then select a Product and Category from the drop-down lists. On the Policy Catalog page, users can see only policies of the products to which they have permissions.
To see which policies, per product, are applied to a specific group of the System Tree, click Menu | Systems | System Tree | Assigned Policies page, select a group, then select a Product from the drop-down list.
NOTE: A McAfee Default policy exists for each category. You cannot delete, edit, export or rename these policies, but you can copy them and edit the copy.
How policy enforcement is set
For each managed product or component, choose whether the agent enforces all or none of its policy selections for that product or component. From the Assigned Policies page, choose whether to enforce policies for products or components on the selected group.
In the Policy Catalog page, you can view policy assignments, where they are applied, and if they are enforced. You can also lock policy enforcement to prevent changes to enforcement below the locked node.
NOTE: If policy enforcement is turned off, systems in the specified group do not receive updated sitelists during an agent-server communication. As a result, managed systems in the group might not function as expected. For example, you might configure managed systems to communicate with Agent Handler A, but with policy enforcement turned off, the managed systems won't receive the new sitelist with this information, so they report to a different Agent Handler listed in an expired sitelist.
When policies are enforced
When you reconfigure policy settings, the new settings are delivered to, and enforced on, the managed systems at the next agent-server communication. The frequency of this communication is determined by the Agent-to-server-communication interval (ASCI) settings on the General tab of the McAfee Agent policy pages, or the McAfee Agent Wakeup client task schedule (depending on how you implement agent-server communication). This interval is set to occur once every 60 minutes by default.
Once the policy settings are in effect on the managed system, the agent continues to enforce policy settings locally at a regular interval. This enforcement interval is determined by the Policy enforcement interval setting on the General tab of the McAfee Agent policy pages. This interval is set to occur every five minutes by default.
Policy settings for McAfee products are enforced immediately at the policy enforcement interval, and at each agent-server communication if policy settings have changed.
Policy enforcement is a local occurrence and doesn't affect any traffic. I don't know that there is a limit, but it is not recommended to have it spread out too far. The purpose of that is to ensure policies remain enforced on a system. For larger environments, the default is 60 minutes, and for smaller it is 5 minutes. It is all determined by your needs on how long you want it to not enforce if policies are modified locally for any reason or services are temporarily turned off for antivirus.