3 Replies Latest reply on Oct 6, 2011 11:42 PM by HBullock

    Is it possible to 'layer' policies in ePO?

    JayMan

      Hi All,

       

      Just wondering if it is possible 'layer' policies in ePO, similar to what is done in Active Directory Group Policies.

       

      So... Instead of Setting Policy 1 at the Root, and then at a sub folder breaking inheritance & applying Policy 3... Can you set Policy 1 at the Root, and then at a sub folder set Policy 2 and have the policies combined to = Policy 3.

       

      This will save us from having to duplicate common setting across multiple policies (which is a massive management overhead).

       

      Cheers!

       

      Message was edited by: JayMan on 6/10/11 5:04:28 PM
        • 1. Re: Is it possible to 'layer' policies in ePO?
          HBullock

          You can not do what you want as a general rule. In the case of products such as Host Intrusion Prevention (HIPS) IPS policy that have "slotted" policy design, you can make multiple assignment of policies at different branches. They do not behave the same as Microsoft Group policy that supercede each other. The policies are combined following the rules of the product policy design.

           

          Policies that are not slotted can only have policy assignments that replace the policy of the parent once inheritance is broken.

           

          Take a look at https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/ 20000/PD20752/en_US/1-cor-multi-tnte-001-0808s.pdf.

           

          In ePO 4.6 you can also assign policy via policy assignment rules and tags which can be quite flexible to get specific policy assigned to computer without changing the policy on ePO branch/group.

           

          Message was edited by: HBullock on 10/6/11 10:44:56 PM CDT
          • 2. Re: Is it possible to 'layer' policies in ePO?
            JayMan

            Thanks for confirming my thoughts. I find it interesting that a Product Enhancement Request I loaded about 12 months ago was closed as 'already in product'.

             

            Policy assignment rules wont help with what I want unfortunately, as it still means having the same 'common' settings applied to mulitple policies. So then when maintaining those common settings you need to do so with multiple policies...

             

            As a person who looks after alot more than just ePO, this is a big pain in the butt, due to the extra management overhead...

            • 3. Re: Is it possible to 'layer' policies in ePO?
              HBullock

              I feel your pain.  I have implemented common generic policies at My Organization for just that reason. I can not maintain multiple policies when the same updates have to be applied to many policies.

               

              I have made some suggestions as well, but they are too involved to type them here and do them any justice in terms of completeness and clarity.

               

              They will again be raised at Focus once I get to the right person.

               

              Message was edited by: HBullock on 10/6/11 11:42:35 PM CDT