2 Replies Latest reply on Dec 20, 2012 3:29 AM by JoeBidgood

    Policy Assignment Rules - Not applying

    rsdeuce

      Hello all,

       

      My first post, and I am completely stumped.

       

      I am running ePO 4.6.4 (Build: 202) and attempting to build a complex series of Policy Assignment Rule-sets to apply most of my more difficult policies to machines. I have 22 rules. The rules apply mostly to HIPS (8.0) but I also have rules in place for VSE for Linux (1.7) and Policy Auditor (6.1).

       

      I cannot get the rule-sets to apply. During agent-server communication a rule refuses to apply (and according to what I can find in the product guide for 4.5 and 4.6, that is when it should occur). I have done everything I can think of, including ensuring the tag works, the Agent-Server communication is up, the Products that a rule-set was applied to were installed on the System (in this case HIPS 8.0 has been installed via Client Task) and making sure that my policies can be manually applied to the system.

       

      Here is an example of the issue:

       

      Server Name: Server1

      Tag applied: Server1 Object (Tag is assigned to all objects with a matching System Name and works correctly.)

      System Location (in Tree): My Organization > SubFolder > Subfolder > Subfolder


      Policy Assignment Rule Name: Apply Server1 Firewall Ruleset

      Description: Applies the "Server1 Firewall Rule" to objects with the "Server1 Object" tag.

      Type: System

      System Criteria:

           /My Organization

           OR (Subfolder)

           OR (SubFolder > Subfolder)

           OR (SubFolder > Subfolder > Subfolder) (This is where the system is located in the tree)

      Tag Criteria: Has Tag: Server1 Object

      User Criteria: No user criteria selected

      Assigned Policies: HIPS 8.0: Firewall > Firewall Rules (Windows) > Server1 Firewall Rule

       

      For the life of me I cannot see why this (or any of my other) policies will not assign automatically. As this is a key part of my design (and must be fully reproducible by a non-experienced technician in the field, the whole reason I want to deal with the rules in the first place) I really need this to work as expected.

       

      Can anyone tell me what I am missing here?

        • 1. Re: Policy Assignment Rules - Not applying
          rsdeuce

          Ok, so a day later I have finally bothered to replace the HIPS General "McAfee Default" policy with my normal HIPS UI policy. The important difference between the two is that my policy allows the UI to appear in the tray. I knew that the product had installed, but had not actually opened HIPS. Lo and behold, checking the HIPS Firewall policy as actually applied on the server shows that the correct Firewall policy is there, even if ePO does not really reflect that.


          I have been relying on ePO to tell me what policies are assigned to my systems, assuming that when I select the server as listed in the policy above, and select Actions > Agent > Modify Policies on a Single System that I would see that the Policy Assignment Rule had changed the assigned policy. Not only that, but normally when you manually assign a single policy (exactly what the PAR is doing) you can see that inheritance has been broken in the Assigned Policies section of the System Tree.

           

          The systems administrators that will be in charge of these servers will not be ePO Subject Matter Experts. What is the best way to have them verify that policies are being assigned? I cannot find a log or a way to verify that all of my PARs are working as intended, and it is too cumbersome to have them check every server. If it is not easily checked, I am better off making them assign the policies manually so at least they can tell what the currently assigned policy is in the System Tree.

           

          Thanks,

           

          -Ron

          • 2. Re: Policy Assignment Rules - Not applying
            JoeBidgood

            If you're using policy rules, then if you use Actions > Directory Management > View Assigned Policies instead of "Modify policies on a single system" it should give you what you're looking for.

             

            HTH -

             

            Joe