4 Replies Latest reply on May 19, 2010 12:30 PM by eobiont

    Can you assign policy based on a tag?

      I know you can assign client tasks based on tags, but can you also assign policy based on tags?  This would really make things easier for me as I redesign my DAT rollouts in the aftermath of the 5958 DAT debacle.  I'm on ePO 4.5 patch 1 and agent 4.5.  Any help would be appreciated.

        • 1. Re: Can you assign policy based on a tag?
          ProfessorMadman

          Hi Tbol,

          This is most certainly possible; however, bear in mind that if you have multiple systems with a tag, it will break policy inheritance on your System Tree and you may run into situations where policy control becomes too broken to coherently administer. You can always use the Reset Policy Inheritance options or the methods described in my reply here to solve these issues.

           

          Anyway, to do this, you would make use of a Server Task (under the Automation menu):

          Use the "Run Query" Server Task to find systems (using a Table Query you create beforehand) with the Tag you're looking for (in the Filtering criteria). Then use the sub-action Assign Policy on these systems. You can stagger the subtasks to assign multiple policies to the systems. There are also options to reset policy inheritance to revert back to the parent policy.

          I've used this method quite successfully using Automatic Responses, 2 Queries, 2 Server Tasks and custom VSE policies (for OA and Access Protection). The Automatic Response kicks off Server Task one, which finds systems where a specific threat has been detected in x number of hours; ePO then assigns a more stringent VSE scan policy and AP rules on these systems and wakes them up in order for them to retrieve the newly assigned policy. Server Task 2 executes on a regular schedule, and the associated second query finds systems where the threat has not been detected in the x number of hours and resets the VSE policy back to the parent group, reverting to the de facto scan policy for the organisation. Automatic outbreak control waxed!

          Another useful technique is to assign policies for specific server roles onto those systems using Tags, i.e. if your organisation has a naming convention for systems, you can create tags for Database Servers, AD Servers, Citrix, etc. and assign specific policies for products (like VSE with best-practice exclusions for these apps) using this method.

          Hope this helps!

          Regards,

          Jaco

          • 2. Re: Can you assign policy based on a tag?

            Or you could download the latest DAT to the Eval Branch and just deploy it to a group of test systems, test first and then deploy to the rest of your environment. For more details check here

            https://kc.mcafee.com/corporate/index?page=content&id=PD22628

            • 3. Re: Can you assign policy based on a tag?

              Thanks for both responses so far.  I'm pretty much doing the same thing that the KB article describes.  What I'm trying to automate is the second step where you assign the agent policy to update from the Evaluation branch instead of the Current branch.  I don't have all the machines in the same system tree (and don't want them that way) so I had to assign the policy one machine at a time.  I'm looking for a more automated way to accomplish this going forward and I think I've found it with Server Tasks.  I had forgotten you can use them for assigning policy based on a query.  Thanks for the reminder!

              • 4. Re: Can you assign policy based on a tag?
                eobiont

                Applying policies using tags is great for the application of policies, but you run into trouble when the tag is removed - it doesn't remove the policy.

                You would need to be pretty careful about how this was set up. In practice, ePO is pretty terrible at functioning when you have multiple McAfee products and need to have a mix of policies and you have tens of thousands of clients. The idea of assigning policies to each machine is kind of stupid. Really, McAfee needs to look at the model Microsoft is using for Group Policy and adopt some sort of scheme like that.

                The idea of running a task to assign policies by tags, right now, is the best McAfee has to offer. It is a pretty poor implementation.
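The two-task pattern Jaco describes (a query-driven task that assigns the policy to tagged systems, and a second scheduled task that resets inheritance when the condition goes away) is also the answer to eobiont's caveat that removing a tag does not remove the policy: something has to reconcile in both directions. The script below, written for this page and not taken from the thread or from McAfee, shows that reconciliation as a small job you could run on a schedule. The planning logic is pure and runs offline against constructed sample records; the ePO client wrapper is an assumption modelled on the ePO 4.6+ remote-command style (`/remote/<command>?:output=json`, basic auth, responses prefixed with `OK:`), which ePO 4.5 as discussed here does not have. The column names `EPOComputerProperties.ComputerName` and `EPOLeafNode.Tags`, the `policy.assignToSystem` parameters, the tag name `DATEval` and the policy identifiers are all assumptions or placeholders, not values verified against a server.

```python
"""Tag-driven policy reconciliation for ePO (added example; not from the thread).

Assumptions (not established by the thread, which is about ePO 4.5):
  * Remote commands follow the ePO 4.6+ URL form /remote/<command>?:output=json
    over basic auth and return a body beginning with "OK:" followed by JSON.
  * system.find returns records with "EPOComputerProperties.ComputerName"
    and "EPOLeafNode.Tags" (comma-separated tag names).
  * policy.assignToSystem accepts names, productId, typeId, objectId, resetInheritance.
  * TAG and POLICY below are placeholders.
"""
import base64
import json
import ssl
import urllib.parse
import urllib.request

TAG = "DATEval"  # placeholder tag: "update from the Evaluation branch"
POLICY = {"productId": "EPOAGENTMETA", "typeId": "EPOAgentPolicy", "objectId": "9"}  # placeholders


class EpoClient:
    """Minimal ePO remote-command client over HTTPS with TLS verification kept on."""

    def __init__(self, base_url, user, password, cafile=None):
        self.base_url = base_url.rstrip("/")
        self._auth = base64.b64encode(f"{user}:{password}".encode()).decode()
        # Supply the ePO server certificate as cafile rather than disabling verification.
        self._ctx = ssl.create_default_context(cafile=cafile)

    def call(self, command, **params):
        params[":output"] = "json"
        url = f"{self.base_url}/remote/{command}?{urllib.parse.urlencode(params)}"
        req = urllib.request.Request(url, headers={"Authorization": "Basic " + self._auth})
        with urllib.request.urlopen(req, context=self._ctx, timeout=30) as resp:
            body = resp.read().decode()
        if not body.startswith("OK:"):
            raise RuntimeError(f"{command} failed: {body[:200]}")
        return json.loads(body.split("\n", 1)[1])


class RecordingClient:
    """Offline stand-in for EpoClient: records the calls instead of sending them."""

    def __init__(self):
        self.calls = []

    def call(self, command, **params):
        self.calls.append((command, params))
        return None


def has_tag(system, tag):
    tags = system.get("EPOLeafNode.Tags") or ""
    return tag in {t.strip() for t in tags.split(",")}


def plan_assignments(systems, tag, previously_assigned):
    """Return (to_assign, to_reset) for one run.

    previously_assigned is the set of names this job assigned on earlier runs; it is
    what lets the job undo the assignment when the tag goes away, since ePO will not."""
    to_assign, to_reset = [], []
    for s in systems:
        name = s["EPOComputerProperties.ComputerName"]
        tagged = has_tag(s, tag)
        if tagged and name not in previously_assigned:
            to_assign.append(name)
        elif not tagged and name in previously_assigned:
            to_reset.append(name)
    return to_assign, to_reset


def apply_plan(client, to_assign, to_reset, policy):
    """One policy.assignToSystem call per system: assign, or reset back to the parent."""
    for name in to_assign:
        client.call("policy.assignToSystem", names=name, resetInheritance="false", **policy)
    for name in to_reset:
        client.call("policy.assignToSystem", names=name, resetInheritance="true", **policy)


def reconcile(client, systems, tag, previously_assigned, policy):
    """Plan, apply, and return the updated set of names holding the tag-driven policy."""
    to_assign, to_reset = plan_assignments(systems, tag, previously_assigned)
    apply_plan(client, to_assign, to_reset, policy)
    return (set(previously_assigned) | set(to_assign)) - set(to_reset)


# Constructed sample records in the shape system.find is assumed to return.
SAMPLE_SYSTEMS = [
    {"EPOComputerProperties.ComputerName": "DB01", "EPOLeafNode.Tags": "Server, DATEval"},
    {"EPOComputerProperties.ComputerName": "WS07", "EPOLeafNode.Tags": "Workstation"},
    {"EPOComputerProperties.ComputerName": "WS12", "EPOLeafNode.Tags": ""},
]

if __name__ == "__main__":
    # Real use: client = EpoClient("https://epo.example.org:8443", "user", "pass", cafile="epo.pem")
    #           systems = client.call("system.find", searchText="")
    client = RecordingClient()
    state = {"WS12"}  # WS12 got the policy on an earlier run; its tag has since been removed
    state = reconcile(client, SAMPLE_SYSTEMS, TAG, state, POLICY)
    for command, params in client.calls:
        print(command, params)
    print("assigned now:", sorted(state))
```

The set of previously assigned names is the state the second task needs and ePO does not keep for you; persist it (a JSON file next to the script is enough) between runs, otherwise a system whose tag is cleared keeps the assigned policy exactly as eobiont describes. Running the job twice against unchanged data issues no calls, so it is safe on a short schedule.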