4 Replies Latest reply on Aug 19, 2015 12:28 PM by secopsguy

    How Policy Enforcement is handled

    secopsguy

      I have a question that I have been trying to answer by combing through the docs associated with McAfee ePO, Agent, and VSE. Within ePO, if the Policy Enforcement status is set to "Not Enforcing" for a System Tree Group, does the Agent take over and begin enforcing the default, local policies?

       

      I am pretty sure the answer is yes but I would like to find where it is definitively answered in the docs. Anyone know the answer and where it can be explicitly found?

        • 1. Re: How Policy Enforcement is handled
          mmcgary

          This is all there is in the EPO product guide for 5.1.0 on page 167. You would generally never want to set any products to "not enforcing" unless you want to control that product locally only. There is no real benefit to this in an EPO-managed environment.

           

          If policy enforcement is turned off, systems in the specified group do not receive updated site lists during an agent-server communication. As a result, managed systems in the group might not function as expected. For example, you might configure managed systems to communicate with Agent Handler A, but with policy enforcement turned off, the managed systems will not receive the new site list with this information, so they report to a different Agent Handler listed in an expired site list.

          • 2. Re: How Policy Enforcement is handled
            secopsguy

            Thanks for your response.

             

            I saw that. But I don't see where it states that the local policies on the client will take over when ePO stops applying the policies it has in its configuration. Are we to accept/assume that because the docs speak of agents not pulling updates to site lists due to non-enforcement that local policies take over?

            • 3. Re: How Policy Enforcement is handled
              mmcgary

              "Not enforcing" just means EPO will not enforce the policies for that product on the system or systems that have the broken enforcement. The example from the Product Guide was given because it reinforces why it's not a good idea. Virusscan will enforce its own local policies on a system without a managed Agent the same way as if you have Virusscan installed but with a managed Agent and policy enforcement disabled. Local enforcement is implied because there is nothing else other than local and EPO policy enforcement.

              • 4. Re: How Policy Enforcement is handled
                secopsguy

                Good stuff. Thanks, Gary.