5 Replies Latest reply on Mar 26, 2009 12:41 PM by jawuk

    Easy way to apply policy assignment across many groups (in one go)

      Hi there,


      I have just designed a new EPO structure for a client which has over 300 geographical sites; each site has a desktop and a laptop group. If I want to apply, say, a Desktop/Laptop General On Access Scan Policy to all the Desktop and Laptop groups, it makes for a laborious process. Is there a quick way to apply this policy to, in effect, 600 groups all in one go?


      regards

      J
        • 1. RE: Easy way to apply policy assignment across many groups (in one go)
          jmaxwell
          Which version of ePO ?

          Can't you just set it at Directory level and enable propagation?

          Jim
          • 2. RE: Easy way to apply policy assignment across many groups (in one go)
            This is EPO 4.0

            No, this is not appropriate in this case. We have 300 individual sites, as you see below, but with like 15 "major" sites, which are high-bandwidth links.

            We have

            My Organisation
            |
            |
            Major Site Name 01
            | |
            | |
            | |
            | Branch Site 0182
            | | |
            | | Desktops
            | | Laptops
            | |
            | |
            | |
            | Branch Site 0183
            | |
            | Desktops
            | Laptops
            |
            |
            |
            Major Site Name 02
            | |
            | |
            | |
            | Branch Site 0128
            | | |
            | | Desktops
            | | Laptops
            | |
            | |
            | |
            | Branch Site 0129
            | |
            | Desktops
            | Laptops



            We need to link a Desktop/Laptop specific Policy to each Desktop and Laptop Group


            regards

            J





            • 3. RE: Easy way to apply policy assignment across many groups (in one go)
              Going by your diagram, you seem to have created the major sites on the same level as 'my organisation'. Ideally, 'my organisation' should have been the only top-level site. All other sites should be created 1 level below this.

              The above is my personal opinion.

              Back to your case: if possible, you may want to follow my suggestions and thus be able to set your desired policy right from 'my organisation' and enable the downlines to inherit it.

              Hope this offers some light.
              • 4. RE: Easy way to apply policy assignment across many groups (in one go)
                jmaxwell
                Yes - just restructure it logically - what benefits did you think you were getting from this design structure ?

                Just move all your "top level" sites into the My Organisation Site - may need to recreate them as Groups....

                Jim
                • 5. RE: Easy way to apply policy assignment across many groups (in one go)
                  Hi there

                  Thanks for your replies, guys. To be honest, the diagram didn't really come out as I thought it would, but I guess it gives you an idea.

                  The reason it is designed this way is that desktops and laptops, distinctly, will receive different policies based on their computer type, but as such, these computers will be at different sites, so they need to be at a level lower than the site they are at.

                  I have designed it with this logic in mind:


                  Logical Network Segment Location >>>>>>Site Name>>>>>System Type >>>>>>System Role



                  This is down to a number of reasons and to allow for granular policy assignment across the wide range of McAfee products the client is going to use. Each of the Logical Network Segments are higher-bandwidth sites, so branch sites underneath will all inherit the McAfee Agent policy for the repository... they all inherit this. Each Logical Network Segment site has a different EPO Agent policy. Admittedly that is not strictly necessary either, but there are other benefits, such as being able to enable tasks affecting different sites only, and scheduling scans or updates to happen at specific times distinct from other sites. Also, going forward, delegation of security permissions within EPO and only giving access to specific areas in the system tree makes more sense, such as access to the PCI environment.

                  There are also certain policies that may affect workstations at individual sites (the sites are pretty much departments), so it is easier to assign a policy to a whole site than to individual workstations, which is just messy.


                  On the top level, there is also Data Center, DMZ and PCI environment. Underneath that they have the types of server, and then the roles of the server, with policies applied to those subgroups based on the server role.



                  Now, back to the desktops and laptops. Basically there is a Desktop and a separate Laptop group under each branch site (there are 300), with a varying amount off each Logical Network Segment Site. Where possible, policies which will affect all workstations in the environment can and WILL inherit from higher levels, such as the On Access Email Scan Policy. But for HIPS there is a policy which tells the contents of the group which modules of HIPS are turned on or not: on laptops, the firewall module will be turned ON; on the desktops, it will be turned off. Thus, we need two separate policies, and thus the separate policy will need to be assigned to two different groups, desktops and laptops... hence the position I am in.

                  J
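
The inheritance problem described in the last post, as an added example that is not part of the original thread and does not call any ePO interface: a nested dict models the System Tree from the diagram (assumed here to sit under My Organisation), and the functions plan the per-group assignments and audit that every Desktops/Laptops group resolves to the intended HIPS policy. All function and policy names are hypothetical.

```python
# Illustrative model only: a nested dict stands in for the System Tree.
# Nothing here talks to ePO; tree layout and policy names are assumptions.
TREE = {
    "My Organisation": {
        "Major Site Name 01": {
            "Branch Site 0182": {"Desktops": {}, "Laptops": {}},
            "Branch Site 0183": {"Desktops": {}, "Laptops": {}},
        },
        "Major Site Name 02": {
            "Branch Site 0128": {"Desktops": {}, "Laptops": {}},
            "Branch Site 0129": {"Desktops": {}, "Laptops": {}},
        },
    }
}

# The policy that must differ by system type (HIPS firewall module on/off).
BY_TYPE = {"Desktops": "HIPS firewall OFF", "Laptops": "HIPS firewall ON"}

def walk(tree, prefix=()):
    """Yield every group path in the tree, parents before children."""
    for name, children in tree.items():
        path = prefix + (name,)
        yield path
        yield from walk(children, path)

def plan_assignments(tree, by_type):
    """Explicit assignments needed: one per group named after a system type."""
    return {p: by_type[p[-1]] for p in walk(tree) if p[-1] in by_type}

def effective(path, assignments, default="inherited default"):
    """Resolve a policy as inheritance does: nearest assigned ancestor wins."""
    for depth in range(len(path), 0, -1):
        if path[:depth] in assignments:
            return assignments[path[:depth]]
    return default

def audit(tree, assignments, by_type):
    """Return type groups whose effective policy is not the expected one."""
    return [p for p in walk(tree)
            if p[-1] in by_type and effective(p, assignments) != by_type[p[-1]]]

if __name__ == "__main__":
    plan = plan_assignments(TREE, BY_TYPE)
    print(len(plan), "explicit assignments; drift:", audit(TREE, plan, BY_TYPE))
    # A single assignment at the root leaves every Desktops group wrong.
    root_only = {("My Organisation",): "HIPS firewall ON"}
    print("root-only drift:", len(audit(TREE, root_only, BY_TYPE)))
```

Run against an exported group list, the same audit flags any Desktops or Laptops group that was missed or later had its assignment changed.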