Managing policy profiles

This section describes managing policy profiles and provides information about viewing the profiles of a policy, changing a policy profile priority, creating a policy profile, modifying a policy profile, copying a policy profile, creating a policy profile activation rule, and deleting a policy profile.

Viewing the profiles of a policy

To view profiles of a policy:

1. In the main menu, go to DEVICES → POLICIES & PROFILES.
2. Click the name of the policy whose profiles you want to view.

   The policy properties window opens with the General tab selected.

3. Open the Policy profiles tab.

The list of policy profiles appears in tabular format. If the policy does not have profiles, the empty table appears.

Changing a policy profile priority

To change a policy profile priority:

1. Proceed to the list of profiles of a policy that you want.

   The list of policy profiles appears.

2. On the Policy profiles tab, select the check box next to the policy profile for which you want to change priority.
3. Set a new position of the policy profile in the list by clicking Prioritize or Deprioritize.

   The higher a policy profile is located in the list, the higher its priority.

4. Click the Save button.

Priority of the selected policy profile is changed and applied.

Creating a policy profile

To create a policy profile:

1. Proceed to the list of profiles for the policy that you want.

   The list of policy profiles appears. If the policy does not have profiles, an empty table appears.

2. Click Add.
3. If you want, change the default name and default inheritance settings of the profile.
4. Select the Application settings tab.

   Alternatively, you can click Save and exit. The profile that you have created appears in the list of policy profiles, and you can edit its settings later.

5. On the Application settings tab, in the left pane select the category that you want and in the results pane on the right, edit the settings for the profile. You can edit policy profile settings in each category (section).

   When editing the settings, you can click Cancel to cancel the last operation.

6. Click Save to save the profile.

The profile will appear in the list of policy profiles.

Modifying a policy profile

The capability to edit a policy profile is only available for policies of Kaspersky Endpoint Security for Windows.

To modify a policy profile:

1. Proceed to the list of profiles of a policy that you want.

   The list of policy profiles appears.

2. On the Policy profiles tab, click the policy profile that you want to modify.

   The policy profile properties window opens.

3. Configure the profile in the properties window:
   • If necessary, on the General tab, change the profile name and enable or disable the profile.
   • Edit the profile activation rules.
   • Edit the application settings.

   For details about settings of security applications, please see the documentation of the corresponding application.

4. Click Save.

The modified settings will take effect either after the device is synchronized with the Administration Server (if the policy profile is active), or after an activation rule is triggered (if the policy profile is inactive).

Copying a policy profile

You can copy a policy profile to the current policy or to another, for example, if you want to have identical profiles for different policies. You can also use copying if you want to have two or more profiles that differ in only a small number of settings.

To copy a policy profile:

1. Proceed to the list of profiles of a policy that you want.

   The list of policy profiles appears. If the policy does not have profiles, an empty table appears.

2. On the Policy profiles tab, select the policy profile that you want to copy.
3. Click Copy.
4. In the window that opens, select the policy to which you want to copy the profile.

   You can copy a policy profile to the same policy or to a policy that you specify.

5. Click Copy.

The policy profile is copied to the policy that you selected. The newly copied profile gets the lowest priority. If you copy the profile to the same policy, the name of the newly copied profile will be expanded with the () index, for example: (1), (2).

Later, you can change the settings of the profile, including its name and its priority; the original policy profile will not be changed in this case.

Creating a policy profile activation rule

Expand all | Collapse all

To create a policy profile activation rule:

1. Proceed to the list of profiles of a policy that you want.

   The list of policy profiles appears.

2. On the Policy profiles tab, click the policy profile for which you need to create an activation rule.

   If the list of policy profiles is empty, you can create a policy profile.

3. On the Activation rules tab, click the Add button.

   The window with policy profile activation rules opens.

4. Specify a name for the rule.
5. Select the check boxes next to the conditions that must affect activation of the policy profile that you are creating:
   • General rules for policy profile activation

     Select this check box to set up policy profile activation rules on the device depending on the status of the device offline mode, rule for connection to Administration Server, and tags assigned to the device.

     For this option, specify at the next step:

     • Device status

       Defines the condition for device presence on the network:

       • Online—The device is on the network, and so the Administration Server is available.
       • Offline—The device is on an external network, which means that the Administration Server is not available.
       • N/A—The criterion will not be applied.
     • Rule for Administration Server connection is active on this device

       Choose the condition of policy profile activation (whether the rule is executed or not) and select the rule name.

       The rule defines the network location of the device for connection to the Administration Server, whose conditions must be met (or must not be met) for activation of the policy profile.

       A network location description of devices for connection to an Administration Server can be created or configured in a Network Agent switching rule.

   • Rules for specific device owner

     For this option, specify at the next step:

     • Device owner

       Enable this option to configure and enable the rule for profile activation on the device according to its owner. In the drop-down list under the check box, you can select a criterion for the profile activation:

       • The device belongs to the specified owner ("=" sign).
       • The device does not belong to the specified owner ("#" sign).

         If this option is enabled, the profile is activated on the device in accordance with the criterion configured. You can specify the device owner when the option is enabled. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

     • Device owner is included in an internal security group

       Enable this option to configure and enable the rule of profile activation on the device by the owner's membership in an internal security group of Kaspersky Security Center. In the drop-down list under the check box, you can select a criterion for the profile activation:

       • The device owner is a member of the specified security group ("=" sign).
       • The device owner is not a member of the specified security group ("#" sign).

         If this option is enabled, the profile is activated on the device in accordance with the criterion configured. You can specify a security group of Kaspersky Security Center. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

   • Rules for hardware specifications

     Select this check box to set up rules for policy profile activation on the device depending on the memory volume and the number of logical processors.

     For this option, specify at the next step:

     • RAM size, in MB

       Enable this option to configure and enable the rule of profile activation on the device by the RAM volume available on that device. In the drop-down list under the check box, you can select a criterion for the profile activation:

       • The device RAM size is less than the specified value ("<" sign).
       • The device RAM size is greater than the specified value (">" sign).

       If this option is enabled, the profile is activated on the device in accordance with the criterion configured. You can specify the RAM volume on the device. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

     • Number of logical processors

       Enable this option to configure and enable the rule of profile activation on the device by the number of logical processors on that device. In the drop-down list under the check box, you can select a criterion for the profile activation:

       • The number of logical processors on the device is less than or equal to the specified value ("<" sign).
       • The number of logical processors on the device is greater than or equal to the specified value (">" sign).

       If this option is enabled, the profile is activated on the device in accordance with the criterion configured. You can specify the number of logical processors on the device. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

   • Rules for role assignment

     For this option, specify at the next step:

     Activate policy profile by specific role of device owner

     Select this option to configure and enable the rule of profile activation on the device depending on the owner's role. Add the role manually from the list of existing roles.

     If this option is enabled, the profile is activated on the device in accordance with the criterion configured.

   • Rules for tag usage

     Select this check box to set up rules for policy profile activation on the device depending on the tags assigned to the device. You can activate the policy profile to the devices that either have the selected tags or do not have them.

     For this option, specify at the next step:

     • Tag

       In the list of tags, specify the rule for device inclusion in the policy profile by selecting the check boxes next to the relevant tags.

       You can add new tags to the list by entering them in the field over the list and clicking the Add button.

       The policy profile includes devices with descriptions containing all the selected tags. If check boxes are cleared, the criterion is not applied. By default, these check boxes are cleared.

     • Apply to devices without the specified tags

       Enable this option if you have to invert your selection of tags.

       If this option is enabled, the policy profile includes devices with descriptions that contain none of the selected tags. If this option is disabled, the criterion is not applied.

       By default, this option is disabled.

   • Rules for Active Directory usage

     Select this check box to set up rules for policy profile activation on the device depending on the presence of the device in an Active Directory organizational unit (OU), or on membership of the device (or its owner) in an Active Directory security group.

     For this option, specify at the next step:

     • Device owner's membership in Active Directory security group

       If this option is enabled, the policy profile is activated on the device whose owner is a member of the specified security group. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

     • Device membership in Active Directory security group

       If this option is enabled, the policy profile is activated on the device. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

     • Device allocation in Active Directory organizational unit

       If this option is enabled, the policy profile is activated on the device which is included in the specified Active Directory organizational unit (OU). If this option is disabled, the profile activation criterion is not applied.

       By default, this option is disabled.

   The number of additional pages of the Wizard depends on the settings that you select at the first step. You can modify policy profile activation rules later.

6. Check the list of the configured parameters. If the list is correct, click Create.

The profile will be saved. The profile will be activated on the device when activation rules are triggered.

Policy profile activation rules created for the profile are displayed in the policy profile properties on the Activation rules tab. You can modify or remove any policy profile activation rule.

Multiple activation rules can be triggered simultaneously.

Deleting a policy profile

To delete a policy profile:

1. Proceed to the list of profiles of a policy that you want.

   The list of policy profiles appears.

2. On the Policy profiles tab, select the check box next to the policy profile that you want to delete, and click Delete.
3. In the window that opens, click Delete again.

The policy profile is deleted. If the policy is inherited by a lower-level group, the profile remains in that group, but becomes the policy profile of that group. This is done to eliminate significant change in settings of the managed applications installed on the devices of lower-level groups.