Policies and policy profiles

In Kaspersky Security Center 13.1 Web Console, you can create policies for Kaspersky applications. This section describes policies and policy profiles, and provides instructions for creating and modifying them.

Hierarchy of policies, using policy profiles

This section provides information about how to apply policies to devices in administration groups. This section also provides information about policy profiles supported in Kaspersky Security Center, starting from version 10 Service Pack 1.

Hierarchy of policies

In Kaspersky Security Center, you use policies for defining a single collection of settings to multiple devices. For example, the policy scope of application P defined for administration group G includes managed devices with application P installed that have been deployed in group G and all of its subgroups, except for subgroups where the Inherit from parent group check box is cleared in the properties.

A policy differs from any local setting by lock icons () next to its settings. If a setting (or a group of settings) is locked in the policy properties, you must, first, use this setting (or group of settings) when creating effective settings and, second, you must write the settings or group of settings to the downstream policy.

Creation of the effective settings on a device can be described as follows: the values of all settings that have not been locked are taken from the policy, then they are overwritten with the values of local settings, and then the resulting collection is overwritten with the values of locked settings taken from the policy.

Policies of the same application affect each other through the hierarchy of administration groups: Locked settings from the upstream policy overwrite the same settings from the downstream policy.

There is a special policy for out-of-office users. This policy takes effect on a device when the device switches into out-of-office mode. Out-of-office policies do not affect other policies through the hierarchy of administration groups.

The out-of-office policy will not be supported in further versions of Kaspersky Security Center. Policy profiles will be used instead of out-of-office policies.

Policy profiles

Applying policies to devices only through the hierarchy of administration groups may be inconvenient in many circumstances. It may be necessary to create several instances of a single policy that differ in one or two settings for different administration groups, and synchronize the contents of those policies in the future.

To help you avoid such problems, Kaspersky Security Center, starting from version 10 Service Pack 1, supports policy profiles. A policy profile is a named subset of policy settings. This subset is distributed on target devices together with the policy, supplementing it under a specific condition called the profile activation condition. Profiles only contain settings that differ from the "basic" policy, which is active on the client device (computer or mobile device). Activation of a profile modifies the policy settings that were active on the device before the profile was activated. Those settings take values that have been specified in the profile.

The following restrictions are currently imposed on policy profiles:

• A policy can include a maximum 100 profiles.
• A policy profile cannot contain other profiles.
• A policy profile cannot contain notification settings.

Contents of a profile

A policy profile contains the following constituent parts:

• Name Profiles with identical names affect each other through the hierarchy of administration groups with common rules.
• Subset of policy settings. Unlike the policy, which contains all the settings, a profile only contains settings that are actually required (locked settings).
• Activation condition is a logical expression with the device properties. A profile is active (supplements the policy) only when the profile activation condition becomes true. In all other cases, the profile is inactive and ignored. The following device properties can be included in that logical expression:
  • Status of out-of-office mode.
  • Properties of network environment—Name of the active rule for Network Agent connection.
  • Presence or absence of specified tags on the device.
  • Device location in Active Directory unit: explicit (the device is right in the specified OU), or implicit (the device is in an OU, which is within the specified OU at any nesting level).
  • Device's membership in an Active Directory security group (explicit or implicit).
  • Device owner's membership in an Active Directory security group (explicit or implicit).
• Profile disabling check box. Disabled profiles are always ignored and their respective activation conditions are not verified.
• Profile priority. The activation conditions of different profiles are independent, so several profiles can be activated simultaneously. If active profiles contain non-overlapping collections of settings, no problems will arise. However, if two active profiles contain different values of the same setting, an ambiguity will occur. This ambiguity is to be avoided through profile priorities: The value of the ambiguous variable will be taken from the profile that has the higher priority (the one that is rated higher in the list of profiles).

Behavior of profiles when policies affect each other through the hierarchy

Profiles with the same name are merged according to the policy merge rules. Profiles of an upstream policy have a higher priority than profiles of a downstream policy. If editing settings is prohibited in the upstream policy (it is locked), the downstream policy uses the profile activation conditions from the upstream one. If editing settings is allowed in the upstream policy, the profile activation conditions from the downstream policy are used.

Since a policy profile may contain the Device is offline property in its activation condition, profiles completely replace the feature of policies for out-of-office users, which will no longer be supported.

A policy for out-of-office users may contain profiles, but its profiles can only be activated after the device switches into out-of-office mode.

Inheritance of policy settings

A policy is specified for an administration group. Policy settings can be inherited, that is, received in the subgroups (child groups) of the administration group for which they were set. Hereinafter, a policy for a parent group is also referred to as a parent policy.

You can enable or disable two options of inheritance: Inherit settings from parent policy and Force inheritance of settings in child policies:

• If you enable Inherit settings from parent policy for a child policy and lock some settings in the parent policy, then you cannot change these settings for the child group. You can, however, change the settings that are not locked in the parent policy.
• If you disable Inherit settings from parent policy for a child policy, then you can change all the settings in the child group, even if some settings are locked in the parent policy.
• If you enable Force inheritance of settings in child policies in the parent group, this enables the Inherit settings from parent policy for each child policy. In this case, you cannot disable this option for any child policy. All the settings that are locked in the parent policy are forcibly inherited in the child groups, and you cannot change these settings in the child groups.
• In policies for the Managed devices group, the Inherit settings from parent policy does not affect any settings, because the Managed devices group does not have any upstream groups and therefore does not inherit any policies.

By default, the Inherit settings from parent policy option is enabled for a new policy.

If a policy has profiles, all the child policies inherit these profiles.

Page top

Managing policies

The applications installed on client devices are centrally configured by defining policies.

Policies created for applications in an administration group are displayed in the workspace, on the Policies tab. Before the name of each policy, an icon with its status is displayed.

After a policy is deleted or revoked, the application continues working with the settings specified in the policy. Those settings subsequently can be modified manually.

A policy is applied as follows: if a device is running resident tasks (real-time protection tasks), they keep running with the new setting values. Any periodic tasks (on-demand scan, update of application databases) that are started keep running with the values unchanged. Next time, they will be run with the new setting values.

Policies for applications with multitenancy support are inherited to lower-level administration groups as well as to upper-level administration groups: the policy is propagated to all client devices on which the application is installed.

If Administration Servers are structured hierarchically, secondary Administration Servers receive policies from the primary Administration Server and distribute them to client devices. When inheritance is enabled, policy settings can be modified on the primary Administration Server. After this, any changes made to the policy settings are propagated to inherited policies on secondary Administration Servers.

If the connection is terminated between the primary and secondary Administration Servers, the policy on the secondary Server continues, using the applied settings. Policy settings modified on the primary Administration Server are distributed to a secondary Administration Server after the connection is re-established.

If inheritance is disabled, policy settings can be modified on a secondary Administration Server independently from the primary Administration Server.

If the connection between Administration Server and a client device is interrupted, the client device starts running under the out-of-office policy (if it is defined), or the policy keeps running under the applied settings until the connection is re-established.

The results of policy distribution to the secondary Administration Server are displayed in the policy properties window of the console on the primary Administration Server.

The results of policy distribution to client devices are displayed in the policy properties window of the Administration Server to which they are connected.

Do not use private data in policy settings. For example, avoid specifying the domain administrator password.

Creating a policy

In Administration Console, you can create policies directly in the folder of the administration group for which a policy is to be created, or in the workspace of the Policies folder.

To create a policy in the folder of an administration group:

1. In the console tree, select an administration group for which you want to create a policy.
2. In the workspace of the group, select the Policies tab.
3. Run the New Policy Wizard by clicking the New policy button.

The New Policy Wizard starts. Follow the instructions of the Wizard.

To create a policy in the workspace of the Policies folder:

1. In the console tree, select the Policies folder.
2. Run the New Policy Wizard by clicking the New policy button.

The New Policy Wizard starts. Follow the instructions of the Wizard.

You can create several policies for one application from the group, but only one policy can be active at a time. When you create a new active policy, the previous active policy becomes inactive.

When creating a policy, you can specify a minimum set of parameters required for the application to function properly. All other values are set to the default values applied during the local installation of the application. You can change the policy after it is created.

Do not use private data in policy settings. For example, avoid specifying the domain administrator password.

Settings of Kaspersky applications that are changed after policies are applied are described in detail in their respective Guides.

After the policy is created, the settings locked from editing (marked with the lock icon ()) take effect on client devices regardless of which settings were previously specified for the application.

Displaying inherited policy in a subgroup

To enable the display of inherited policies for a nested administration group:

1. In the console tree, select the administration group for which inherited policies have to be displayed.
2. In the workspace of the selected group, select the Policies tab.
3. In the context menu of the list of policies, select View → Inherited policies.

Inherited policies are displayed in the list of policies with the following icon:

• —If they were inherited from a group created on the primary Administration Server.
• —If they were inherited from a top-level group.

When the settings inheritance mode is enabled, inherited policies are only available for modification in the group in which they were created. Modification of inherited policies is not available in the group that inherits them.

Activating a policy

To make a policy active for the selected group:

1. In the workspace of the group, on the Policies tab select the policy that you have to make active.
2. To activate the policy, perform one of the following actions:
   • In the context menu of the policy, select Active policy.
   • In the policy properties window open the General section and select Active policy from the Policy status settings group.

The policy becomes active for the selected administration group.

When a policy is applied to a large number of client devices, both the load on the Administration Server and the network traffic increase significantly for some time.

Activating a policy automatically at the Virus outbreak event

To make a policy perform automatic activation at a Virus outbreak event:

1. In the Administration Server properties window, open the Virus outbreak section.
2. Open the Policy activation window by clicking the Configure policies to activate when a Virus outbreak event occurs link and add the policy to the selected list of policies that are activated when a virus outbreak is detected.

If a policy has been activated on the Virus outbreak event, you can return to the previous policy only by using the manual mode.

Applying an out-of-office policy

The out-of-office policy takes effect on a device if it is disconnected from the corporate network.

To apply an out-of-office policy:

In the policy properties window, open the General section and in the Policy status settings group, select Out-of-office policy.

The out-of-office policy will be applied to the devices if they are disconnected from the corporate network.

Modifying a policy. Rolling back changes

To edit a policy:

1. In the console tree, select the Policies folder.
2. In the workspace of the Policies folder, select a policy and proceed to the policy properties window using the context menu.
3. Make the relevant changes.
4. Click Apply.

The changes made to the policy will be saved in the policy properties, in the Revision history section.

You can roll back changes made to the policy, if necessary.

To roll back changes made to the policy:

1. In the console tree, select the Policies folder.
2. Select the policy in which changes must to be rolled back, and proceed to the policy properties window using the context menu.
3. In the policy properties window, select the Revision history section.
4. In the list of policy revisions, select the number of the revision to which you need to roll back changes.
5. Click the Advanced button and select the Roll back value in the drop-down list.

Comparing policies

You can compare two policies for a single managed application. After the comparison, you have a report that displays which policy settings match and which settings differ. For example, you may have to compare policies if different administrators in their respective offices have created multiple policies for a single managed application, or if a single top-level policy has been inherited by all local offices and modified for each office. You can compare policies in one of the following ways: by selecting one policy and comparing it to another, or by comparing any two policies from the list of policies.

To compare one policy to another:

1. In the console tree, select the Policies folder.
2. In the workspace of the Policies folder, select the policy that you require to compare to another.
3. In the context menu of the policy, select Compare policy to another policy.
4. In the Select policy window, select the policy to which your policy must be compared.
5. Click OK.

A report in HTML format is displayed for the comparison of the two policies for the same application.

To compare any two policies from the list of policies:

1. In the Policies folder, in the list of policies, use the Shift or Ctrl key to select two policies for a single managed application.
2. In the context menu, select Compare.

A report in HTML format is displayed for the comparison of the two policies for the same application.

The report on comparison of policy settings for Kaspersky Endpoint Security for Windows also provides details of the comparison of policy profiles. You can minimize the results of policy profile comparison. To minimize the section, click the arrow icon () next to the section name.

Deleting a policy

To delete a policy:

1. In the workspace of an administration group, on the Policies tab, select the policy that you want to delete.
2. Delete the policy in one of the following ways:
   • By selecting Delete in the context menu of the policy.
   • By clicking the Delete policy link in the information box for the selected policy.

Copying a policy

To copy a policy:

1. In the workspace of the required group, on the Policies tab select a policy.
2. In the context menu of the policy, select Copy.
3. In the console tree, select a group to which you want to add the policy.

   You can add a policy to the group from which it was copied.

4. From the context menu of the list of policies for the selected group, on the Policies tab select Paste.

The policy is copied with all its settings and is applied to the devices within the group to which it was copied. If you paste the policy into the same group from which it has been copied, the (<next sequence number>) index is automatically added to the policy name, for example: (1), (2).

An active policy becomes inactive while it is copied. If necessary, you can make it active.

Exporting a policy

To export a policy:

1. Export a policy in one of the following ways:
   • By selecting All tasks → Export in the context menu of the policy.
   • By clicking the Export policy to file link in the information box for the selected policy.
2. In the Save as window that opens, specify the policy file name and path. Click the Save button.

Importing a policy

To import a policy:

1. In the workspace of the relevant group, on the Policies tab select one of the following ways of importing policies:
   • By selecting All tasks → Import in the context menu of the list of policies.
   • By clicking the Import policy from file button in the management block for policy list.
2. In the window that opens, specify the path to the file from which you want to import a policy. Click the Open button.

The imported policy is displayed in the policy list. The settings and profiles of the policy are also imported. Regardless of the policy status that was selected during the export, the imported policy is inactive. You can change the policy status in the policy properties.

If the newly imported policy has a name identical to that of an existing policy, the name of the imported policy is expanded with the (<next sequence number>) index, for example: (1), (2).

Converting policies

Kaspersky Security Center can convert policies from earlier versions of managed Kaspersky applications to the up-to-date versions of the same applications. Converted policies keep the current administrator's settings specified before the update, as well as include new settings from the up-to-date versions of the applications. Management plug-ins for Kaspersky applications determine whether conversion is available for the policies of these applications. For information about converting policies for each supported Kaspersky application, refer to the relevant Help from the following list:

• Kaspersky applications for workstations:
  • Kaspersky Endpoint Security for Windows
  • Kaspersky Endpoint Security for Linux
  • Kaspersky Endpoint Security for Linux Elbrus Edition
  • Kaspersky Endpoint Security for Linux ARM Edition
  • Kaspersky Endpoint Security for Mac
  • Kaspersky Endpoint Agent
  • Kaspersky Embedded Systems Security for Windows
• Kaspersky Industrial CyberSecurity:
  • Kaspersky Industrial CyberSecurity for Nodes
  • Kaspersky Industrial CyberSecurity for Linux Nodes
  • Kaspersky Industrial CyberSecurity for Networks (centralized deployment is not supported)
• Kaspersky applications for mobile devices:
  • Kaspersky Endpoint Security for Android
  • Kaspersky Security for iOS
• Kaspersky applications for file servers:
  • Kaspersky Security for Windows Server
  • Kaspersky Endpoint Security for Windows
  • Kaspersky Endpoint Security for Linux
• Kaspersky applications for virtual machines:
  • Kaspersky Security for Virtualization Light Agent
  • Kaspersky Security for Virtualization Agentless
• Kaspersky applications for mail systems and SharePoint / collaboration servers:
  • Kaspersky Security for Linux Mail Server
  • Kaspersky Secure Mail Gateway
  • Kaspersky Security for Microsoft Exchange Servers
• Kaspersky applications for detection of targeted attacks:
  • Kaspersky Sandbox
  • Kaspersky Endpoint Detection and Response Optimum
  • Kaspersky Managed Detection and Response
• Kaspersky applications for KasperskyOS devices:
  • Kaspersky IoT Secure Gateway
  • Kaspersky Security Management Suite (plug-in for Kaspersky Thin Client)

To convert policies:

1. In the console tree, select the Administration Server for which you want to convert policies.
2. In the Administration Server context menu, select All Tasks → Policies and Tasks Batch Conversion Wizard.

The Policies and tasks batch conversion wizard starts. Follow the instructions of the wizard.

After the wizard completes, new policies are created that use the current administrator's settings of policies and the new settings from the up-to-date versions of Kaspersky applications.

Managing policy profiles

This section describes managing policy profiles and provides information about viewing the profiles of a policy, changing a policy profile priority, creating a policy profile, modifying a policy profile, copying a policy profile, creating a policy profile activation rule, and deleting a policy profile.

About the policy profile

Policy profile is a named collection of settings of a policy that is activated on a client device (computer or mobile device) when the device satisfies specified activation rules. Activation of a profile modifies the policy settings that were active on the device before the profile was activated. Those settings take values that have been specified in the profile.

Policy profiles are necessary for devices within a single administration group to run under different policy settings. For example, a situation may occur when policy settings have to be modified for some devices in an administration group. In this case, you can configure policy profiles for such a policy, which allows you to edit policy settings for selected devices in the administration group. For example, the policy prohibits running any GPS navigation software on all devices in the Users administration group. GPS navigation software is necessary only on a single device in the Users administration group—the device owned by the user employed as a courier. You can tag that device as simply "Courier" and reconfigure the policy profile so that it allows GPS navigation software to run only on the device tagged as "Courier", while preserving all the remaining policy settings. In this case, if a device tagged as "Courier" appears in the Users administration group, it will be allowed to run GPS navigation software. Running GPS navigation software will still be prohibited on other devices in the Users administration group unless they are tagged as "Courier", too.

Profiles are only supported by the following policies:

• Policies of Kaspersky Endpoint Security 10 Service Pack 1 for Windows or later
• Policies of Kaspersky Endpoint Security 10 Service Pack 1 for Mac
• Policies of the Kaspersky Mobile Device Management plug-in ranging from version 10 Service Pack 1 to version 10 Service Pack 3 Maintenance Release 1
• Policies of the Kaspersky Device Management for iOS plug-in
• Policies of Kaspersky Security for Virtualization 5.1 Light Agent for Windows
• Policies of Kaspersky Security for Virtualization 5.1 Light Agent for Linux

Policy profiles simplify the management of the client devices that the policies apply to:

• The policy profile settings may differ from the policy settings.
• You do not have to maintain and manually apply several instances of a single policy that differ only by a few settings.
• You do not have to allocate a separate policy for out-of-office users.
• You can export and import policy profiles, as well as create new policy profiles based on existing ones.
• A single policy can have multiple active policy profiles. Only profiles that meet the activation rules effective on the device will be applied to that device.
• Profiles are subject to the policy hierarchy. An inherited policy includes all profiles of the higher-level policy.

Priorities of profiles

Profiles that have been created for a policy are sorted in descending order of priority. For example, if profile X is higher in the list of profiles than profile Y, then X has a higher priority than the latter. Multiple profiles can be simultaneously applied to a single device. If values of a setting vary in different profiles, the value from the highest-priority profile will be applied on the device.

Profile activation rules

A policy profile is activated on a client device when an activation rule is triggered. Activation rules are a set of conditions that, when met, start the policy profile on a device. An activation rule can contain the following conditions:

• Network Agent on a client device connects to the Administration Server that has a specified set of connection settings, such as Administration Server address, port number, and so forth.
• The client device is offline.
• The client device has been assigned specified tags.
• The client device is explicitly (the device is immediately located in the specified unit) or implicitly (the device is located in a unit that is in the specified unit at any nesting level) located in a specific unit of Active Directory, the device or its owner is located in a security group of Active Directory.
• The client device belongs to a specified owner, or the owner of the device is included in an internal security group of Kaspersky Security Center.
• The owner of the client device has been assigned a specified role.

Policies in the hierarchy of administration groups

If you are creating a policy in a low-level administration group, this new policy inherits all profiles of the active policy from the higher-level group. Profiles with identical names are merged. Policy profiles for the higher-level group have the higher priority. For example, in administration group A, policy P(A) has profiles X1, X2, and X3 (in descending order of priority). In administration group B, which is a subgroup of group A, policy P(B) has been created with profiles X2, X4, X5. Then policy P(B) will be modified with policy P(A) so that the list of profiles in policy P(B) will appear as follows: X1, X2, X3, X4, X5 (in descending order of priority). The priority of profile X2 will depend on the initial state of X2 of policy P(B) and X2 of policy P(A). After the policy P(B) is created, the policy P(A) is no longer displayed in subgroup B.

The active policy is recalculated every time you run Network Agent, enable and disable offline mode, or edit the list of tags assigned to the client device. For example, the RAM size has been increased on the device, which, in turn, has activated the policy profile that is applied on devices with large RAM size.

Properties and restrictions of policy profiles

Profiles have the following properties:

• Profiles of an inactive policy have no impact on client devices.
• If a policy is set to the Out-of-office policy status, profiles of the policy will also be applied when a device is disconnected from the corporate network.
• Profiles do not support static analysis of access to executable files.
• A policy profile cannot contain any settings of event notifications.
• If UDP port 15000 is used for connecting a device to Administration Server, the corresponding policy profile is activated within one minute after you assign a tag to the device.
• You can use rules for Network Agent connection to the Administration Server, when you create policy profile activation rules.

Creating a policy profile

Profile creation is available only for the policies of the following applications:

• Kaspersky Endpoint Security 10 Service Pack 1 for Windows and later versions
• Kaspersky Endpoint Security 10 Service Pack 1 for Mac
• Kaspersky Mobile Device Management plug-in versions 10 Service Pack 1 to 10 Service Pack 3 Maintenance Release 1
• Kaspersky Device Management for iOS plug-in
• Kaspersky Security for Virtualization 5.1 Light Agent for Windows and Linux

To create a policy profile:

1. In the console tree, select the administration group for whose policy you have to create a policy profile.
2. In the workspace of the administration group, select the Policies tab.
3. Select a policy and switch to the policy properties window using the context menu.
4. Open the Policy profiles section in the policy properties window and click the Add button.

   The New Policy Profile Wizard starts.

5. In the Policy profile name window of the Wizard, specify the following:
   1. Name of the policy profile

      The profile name cannot include more than 100 characters.

   2. Policy profile status (Enabled or Disabled)

      We recommend that you create and enable inactive policy profiles only after you are completely finished with the settings and conditions of policy profile activation.

6. Select the After closing the New Policy Profile Wizard, proceed to configuring the policy profile activation rule check box to start the New Policy Profile Activation Rule Wizard. Follow the Wizard steps.
7. Edit the policy profile settings in the policy profile properties window, in the way you require.
8. Save the changes by clicking OK.

   The profile is saved. The profile will be activated on devices that meet the activation rules.

You can create multiple profiles for a single policy. Profiles that have been created for a policy are displayed in the policy properties, in the Policy profiles section. You can modify a policy profile and change the profile priority, as well as remove the profile.

Modifying a policy profile

Editing the settings of a policy profile

The capability to edit a policy profile is only available for policies of Kaspersky Endpoint Security for Windows.

To modify a policy profile:

1. In the console tree, select the administration group for which the policy profile has to be modified.
2. In the workspace of the group, select the Policies tab.
3. Select a policy and switch to the policy properties window using the context menu.
4. Open the Policy profiles section in the policy properties.

   This section contains a list of profiles that have been created for the policy. Profiles are displayed in the list in accordance with their priorities.

5. Select a policy profile and click the Properties button.
6. Configure the profile in the properties window:
   • If necessary, in the General section, change the profile name and enable or disable the profile using the Enable profile check box.
   • In the Activation rules section, edit the profile activation rules.
   • Edit the policy settings in the corresponding sections.
7. Click OK.

The modified settings will take effect either after the device is synchronized with the Administration Server (if the policy profile is active), or after an activation rule is triggered (if the policy profile is inactive).

Changing the priority of a policy profile

The priorities of policy profiles define the activation order of profiles on a client device. Priorities are used if identical activation rules are set for different policy profiles.

For example, two policy profiles have been created: Profile 1 and Profile 2 that differ by the respective values of a single setting (Value 1 and Value 2). The priority of Profile 1 is higher than that of Profile 2. Moreover, there are also profiles with priorities that are lower than that of Profile 2. The activation rules for those profiles are identical.

When an activation rule is triggered, Profile 1 will be activated. The setting on the device will take Value 1. If you remove Profile 1, then Profile 2 will have the highest priority, so the setting will take Value 2.

On the list of policy profiles, profiles are displayed in accordance with their respective priorities. The profile with the highest priority is ranked first. You can change the priority of a profile by using the up arrow and the down arrow buttons.

Deleting a policy profile

To delete a policy profile:

1. In the console tree, select the administration group whose policy profile you want to delete.
2. In the workspace of the administration group, select the Policies tab.
3. Select a policy and switch to the policy properties window using the context menu.
4. Open the Policy profiles section in the properties of the policy of Kaspersky Endpoint Security.
5. Select the policy profile that you want to delete and click the Delete button.

The policy profile will be deleted. The active status will pass either to another policy profile whose activation rules are triggered on the device, or to the policy.

Creating a policy profile activation rule

Expand all | Collapse all

To create a policy profile activation rule:

1. In the console tree, select the administration group for which you have to create a policy profile activation rule.
2. In the workspace of the group, select the Policies tab.
3. Select a policy and switch to the policy properties window using the context menu.
4. Select the Policy profiles section in the policy properties window.
5. Select the policy profile for which you need to create an activation rule, and click the Properties button.

   The policy profile properties window opens.

   If the list of policy profiles is empty, you can create a policy profile.

6. Select the Activation rules section, and click the Add button.

   The New Policy Profile Activation Rule Wizard starts.

7. In the Policy profile activation rules window, select the check boxes next to the conditions that must affect activation of the policy profile that you are creating:
   • General rules for policy profile activation

     Select this check box to set up policy profile activation rules on the device depending on the status of the device offline mode, rule for connection to Administration Server, and tags assigned to the device.

   • Rules for Active Directory usage

     Select this check box to set up rules for policy profile activation on the device depending on the presence of the device in an Active Directory organizational unit (OU), or on membership of the device (or its owner) in an Active Directory security group.

   • Rules for a specific device owner

     Select this check box to set up rules for policy profile activation on the device depending on the device owner.

   • Rules for hardware specifications

     Select this check box to set up rules for policy profile activation on the device depending on the memory volume and the number of logical processors.

   The number of additional windows of the Wizard depends on the settings that you select at this step. You can modify policy profile activation rules later.

8. In the General conditions window, specify the following settings:
   • In the Device is offline field, in the drop-down list specify the condition for device presence on the network:
     • Yes

       The device is in an external network, which means that the Administration Server is not available.

     • No

       The device is on the network, so the Administration Server is available.

     • No value is selected

       The criterion will not be applied.

   • In the The device is in the specified network location box, use the drop-down lists to set up the policy profile activation if the Administration Server connection rule is executed / not executed on this device:
     • Executed / Not executed

       Condition of policy profile activation (whether the rule is executed or not).

     • Rule name

       Network location description of the device for connection to the Administration Server, whose conditions must be met (or must not be met) for activation of the policy profile.

       A network location description of devices for connection to an Administration Server can be created or configured in a Network Agent switching rule.

   The General conditions window is displayed if the General rules for policy profile activation check box is selected.

9. In the Conditions using tags window, specify the following settings:
   • Tag list

     In the list of tags, specify the rule for device inclusion in the policy profile by selecting the check boxes next to the relevant tags.

     You can add new tags to the list by entering them in the field over the list and clicking the Add button.

     The policy profile includes devices with descriptions containing all the selected tags. If check boxes are cleared, the criterion is not applied. By default, these check boxes are cleared.

   • Apply to devices without the specified tags

     Enable this option if you have to invert your selection of tags.

     If this option is enabled, the policy profile includes devices with descriptions that contain none of the selected tags. If this option is disabled, the criterion is not applied.

     By default, this option is disabled.

   The Conditions using tags window is displayed if the General rules for policy profile activation check box is selected.

10. In the Conditions using Active Directory window, specify the following settings:
    • Device owner's membership in Active Directory security group

      If this option is enabled, the policy profile is activated on the device whose owner is a member of the specified security group. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

    • Device membership in Active Directory security group

      If this option is enabled, the policy profile is activated on the device. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

    • Device allocation in Active Directory organizational unit

      If this option is enabled, the policy profile is activated on the device which is included in the specified Active Directory organizational unit (OU). If this option is disabled, the profile activation criterion is not applied.

      By default, this option is disabled.

    The Conditions using Active Directory window is displayed if the Rules for Active Directory usage check box is selected.

11. In the Conditions using the device owner window, specify the following settings:
    • Device owner

      Enable this option to configure and enable the rule for profile activation on the device according to its owner. In the drop-down list under the check box, you can select a criterion for the profile activation:

      • The device belongs to the specified owner ("=" sign).
      • The device does not belong to the specified owner ("#" sign).

        If this option is enabled, the profile is activated on the device in accordance with the criterion configured. You can specify the device owner when the option is enabled. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

    • The device owner is included in an internal security group

      Enable this option to configure and enable the rule of profile activation on the device by the owner's membership in an internal security group of Kaspersky Security Center. In the drop-down list under the check box, you can select a criterion for the profile activation:

      • The device owner is a member of the specified security group ("=" sign).
      • The device owner is not a member of the specified security group ("#" sign).

        If this option is enabled, the profile is activated on the device in accordance with the criterion configured. You can specify a security group of Kaspersky Security Center. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

    • Activate policy profile by specific role of device owner

      Select this option to configure and enable the rule of profile activation on the device depending on the owner's role. Add the role manually from the list of existing roles.

      If this option is enabled, the profile is activated on the device in accordance with the criterion configured.

    The Conditions using the device owner window opens if the Rules for a specific device owner check box is selected.

12. In the Conditions using equipment specifications window, specify the following settings:
    • RAM size, in MB

      Enable this option to configure and enable the rule of profile activation on the device by the RAM volume available on that device. In the drop-down list under the check box, you can select a criterion for the profile activation:

      • The device RAM size is less than the specified value ("<" sign).
      • The device RAM size is greater than the specified value (">" sign).

      If this option is enabled, the profile is activated on the device in accordance with the criterion configured. You can specify the RAM volume on the device. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

    • Number of logical processors

      Enable this option to configure and enable the rule of profile activation on the device by the number of logical processors on that device. In the drop-down list under the check box, you can select a criterion for the profile activation:

      • The number of logical processors on the device is less than or equal to the specified value ("<" sign).
      • The number of logical processors on the device is greater than or equal to the specified value (">" sign).

      If this option is enabled, the profile is activated on the device in accordance with the criterion configured. You can specify the number of logical processors on the device. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

    The Conditions using equipment specifications window is displayed if the Rules for hardware specifications check box is selected.

13. In the Name of policy profile activation rule window, in the Rule name field, specify a name for the rule.

The profile will be saved. The profile will be activated on the device when activation rules are triggered.

Policy profile activation rules created for the profile are displayed in the policy profile properties in the Activation rules section. You can modify or remove any policy profile activation rule.

Multiple activation rules can be triggered simultaneously.