You can create a tag and then use the functionality in the Policy assignment rules to assign a specific HIPS policy to the clients that have that tag.
You can then tag the clients that you wish to have the more relaxed policy.
Please be aware that there is a bug with this functionality for HIPS 8 Patch 2 at the moment. This is probably caused by some issue with the extension.
I have a case open in regards to this that has been escalated to dev. Hopefully they will fix it soon.
This is going to sound stupid, but how does one get the tag on the client? Do you manually assign that to the agent/client?
I'm just wondering if the person who set up our EPO layout for HIPS simply made a directory group with the tag of say: XYZ
Then created the policy assigned to tag XYZ
and then moved the agents into that group so that they get the tag
Although I guess it's the same amount of work to find the device, move it, as it is to find the device, and set its tag
You can assign the tag manually, but the most efficient way is probably to create a query that will return the clients that you are interested in and then create a server task that assigns the tag to the clients returned in the query. You run the server task on a certain interval (daily, hourly, etc.) to update the clients that need the tag.
If the option that you look at for determining if a client should have the tag is something easy, like the format of the name, then the filter might be available to be set directly on the tag so that whenever a client communicates with the EPO server it will get the tag if it should have it. These filter options can be seen when you create a new tag.
It all depends on what you will be using as the basis for determining if a client should have the tag or not.
In regards to the directory group (if I understand your question correctly): the only way of assigning a tag by location (group) would be to create a query that returned all the computers in that group and then used a server task to set the tag on them. There is no way of directly setting the tag if the computers are in a certain location, as far as I know.
Please let me know if I made the situation clearer or just more confusing :-)
Okay sorry for the long delay. I see how easy it is to create tags and assign the tags to the devices.
What I do NOT see is an easy way to assign a policy to a tag.
It seems you can only assign a policy to a GROUP in the hierarchy and that GROUP has a tag.
Thus this kinda gets me back to the sorting issue where this will cause machines to be moved to different groups
I THOUGHT there was a way to build a HIPS Firewall policy (for example) and assign it to the "root" of the System Tree and only apply to devices with TAG = BLAH
But it seems you can only assign to a GROUP and have the GROUP (ie: folder) in the Tree sorting criteria based upon tagging.
What I had wanted was a way to create a policy (Firewall-disabled), assign it to the entire tree, but only apply to devices that have a TAG of say: Firewall-Disabled that we can set manually.
I know that the tags can be assigned manually, but I don't see a way to do the assignment.
Or am I missing something?
Policy Assignment Rules
You can create a Policy Assignment Rule that says if machine X has the Firewall-Disabled tag then override the default policy with the Firewall-disabled policy. All other policies will remain the same.
You could for instance assign your default policies at the top of the System Tree so that they are applied to all sub groups. Use Policy Assignment Rules and Tags for the exceptions. Then you can organize the System Tree any way you want, since it no longer matters what group the machine is under; it gets any exceptions to the default policy based on its tags.
Thanks redbeardrc. I will have to look more closely at the EPO 4.6 docs/admin console (in the process of migrating from 4.5 to 4.6)