As some users essentially are loose cannons, and manage to get every system they touch infected by something, I would like to tag the systems these users log on to, so that I can apply a different policy to them.
Is this doable somehow?
I have a tag that is set if the system has found an infection in the last 7 days, but it is not enough, as I want to prevent the infection in the first place (using HIPS).
You can define a tag where the criteria are based on the user account and set the tag to be evaluated on every ASCI. Furthermore, you can define a policy assignment rule to apply policies based on a tag (Menu | Policy | Policy Assignment Rules); however, there is a flaw in this, which is that it could take up to two hours for the client to actually enforce the new policy when the user logs on.
So when a new user logs in, you have no idea where they are on the ASCI cycle, which defaults to once an hour. If the agent just completed an ASCI right before the user logged in, then it could take up to one hour for a new ASCI, which would communicate the currently logged-on user account to ePO. Then the tag criteria would run; however, because the tag was not applied when the property set was sent up to ePO (because the property that instructed ePO to apply the tag was just sent up), the client would not actually get the policy based on the tag until the next ASCI after that, which means the policy you wish to set could take up to two hours after the user logs on until it gets applied. This may be fine if the logged-on user is relatively stable, but the other side of this is that if a different user logs on to that same machine, it could then take up to two hours before THAT user gets the new policies.
The real solution here is user-based policies; however, currently only Site Advisor Enterprise utilizes that feature in ePO. I would encourage you to submit a PER to have other point products (for you it sounds like HIPS) include this functionality in their next release.
Message was edited by: jstanley on 11/22/11 9:37:44 AM CST
If I understand you correctly, using the method you outline will require us to keep track of these user names and set up the tag accordingly? That would quickly become quite complex in a larger environment...
What I am trying to achieve is to automate this and have ePO do it for me.
In an ideal world, it would look something like this:
Detect that a system has had a high number of virus detections (no problem, this I know how to do)
Apply a different set of policies to it that raises the protection level (no problem here either; tag the system and then assign certain policies)
Have this set of policies follow the USER, so that every system that user logs on to gets the elevated protection policies. (only possible for SAE?)