Managing policies

The applications installed on client devices are centrally configured by defining policies.

Policies created for applications in an administration group are displayed in the workspace, on the Policies tab. Before the name of each policy, an icon with its status is displayed.

After a policy is deleted or revoked, the application continues working with the settings specified in the policy. Those settings subsequently can be modified manually.

A policy is applied as follows: if a device is running resident tasks (real-time protection tasks), they keep running with the new setting values. Any periodic tasks (on-demand scan, update of application databases) that are started keep running with the values unchanged. Next time, they will be run with the new setting values.

Policies for applications with multitenancy support are inherited to lower-level administration groups as well as to upper-level administration groups: the policy is propagated to all client devices on which the application is installed.

If Administration Servers are structured hierarchically, secondary Administration Servers receive policies from the primary Administration Server and distribute them to client devices. When inheritance is enabled, policy settings can be modified on the primary Administration Server. After this, any changes made to the policy settings are propagated to inherited policies on secondary Administration Servers.

If the connection is terminated between the primary and secondary Administration Servers, the policy on the secondary Server continues, using the applied settings. Policy settings modified on the primary Administration Server are distributed to a secondary Administration Server after the connection is re-established.

If inheritance is disabled, policy settings can be modified on a secondary Administration Server independently from the primary Administration Server.

If the connection between Administration Server and a client device is interrupted, the client device starts running under the out-of-office policy (if it is defined), or the policy keeps running under the applied settings until the connection is re-established.

The results of policy distribution to the secondary Administration Server are displayed in the policy properties window of the console on the primary Administration Server.

The results of policy distribution to client devices are displayed in the policy properties window of the Administration Server to which they are connected.

Do not use private data in policy settings. For example, avoid specifying the domain administrator password.

Creating a policy

In Administration Console, you can create policies directly in the folder of the administration group for which a policy is to be created, or in the workspace of the Policies folder.

To create a policy in the folder of an administration group:

1. In the console tree, select an administration group for which you want to create a policy.
2. In the workspace of the group, select the Policies tab.
3. Run the New Policy Wizard by clicking the New policy button.

The New Policy Wizard starts. Follow the instructions of the Wizard.

To create a policy in the workspace of the Policies folder:

1. In the console tree, select the Policies folder.
2. Run the New Policy Wizard by clicking the New policy button.

The New Policy Wizard starts. Follow the instructions of the Wizard.

You can create several policies for one application from the group, but only one policy can be active at a time. When you create a new active policy, the previous active policy becomes inactive.

When creating a policy, you can specify a minimum set of parameters required for the application to function properly. All other values are set to the default values applied during the local installation of the application. You can change the policy after it is created.

Do not use private data in policy settings. For example, avoid specifying the domain administrator password.

Settings of Kaspersky applications that are changed after policies are applied are described in detail in their respective Guides.

After the policy is created, the settings locked from editing (marked with the lock icon ()) take effect on client devices regardless of which settings were previously specified for the application.

Displaying inherited policy in a subgroup

To enable the display of inherited policies for a nested administration group:

1. In the console tree, select the administration group for which inherited policies have to be displayed.
2. In the workspace of the selected group, select the Policies tab.
3. In the context menu of the list of policies, select View → Inherited policies.

Inherited policies are displayed in the list of policies with the following icon:

• —If they were inherited from a group created on the primary Administration Server.
• —If they were inherited from a top-level group.

When the settings inheritance mode is enabled, inherited policies are only available for modification in the group in which they were created. Modification of inherited policies is not available in the group that inherits them.

Activating a policy

To make a policy active for the selected group:

1. In the workspace of the group, on the Policies tab select the policy that you have to make active.
2. To activate the policy, perform one of the following actions:
   • In the context menu of the policy, select Active policy.
   • In the policy properties window open the General section and select Active policy from the Policy status settings group.

The policy becomes active for the selected administration group.

When a policy is applied to a large number of client devices, both the load on the Administration Server and the network traffic increase significantly for some time.

Activating a policy automatically at the Virus outbreak event

To make a policy perform automatic activation at a Virus outbreak event:

1. In the Administration Server properties window, open the Virus outbreak section.
2. Open the Policy activation window by clicking the Configure policies to activate when a Virus outbreak event occurs link and add the policy to the selected list of policies that are activated when a virus outbreak is detected.

If a policy has been activated on the Virus outbreak event, you can return to the previous policy only by using the manual mode.

Applying an out-of-office policy

The out-of-office policy takes effect on a device if it is disconnected from the corporate network.

To apply an out-of-office policy:

In the policy properties window, open the General section and in the Policy status settings group, select Out-of-office policy.

The out-of-office policy will be applied to the devices if they are disconnected from the corporate network.

Modifying a policy. Rolling back changes

To edit a policy:

1. In the console tree, select the Policies folder.
2. In the workspace of the Policies folder, select a policy and proceed to the policy properties window using the context menu.
3. Make the relevant changes.
4. Click Apply.

The changes made to the policy will be saved in the policy properties, in the Revision history section.

You can roll back changes made to the policy, if necessary.

To roll back changes made to the policy:

1. In the console tree, select the Policies folder.
2. Select the policy in which changes must to be rolled back, and proceed to the policy properties window using the context menu.
3. In the policy properties window, select the Revision history section.
4. In the list of policy revisions, select the number of the revision to which you need to roll back changes.
5. Click the Advanced button and select the Roll back value in the drop-down list.

Comparing policies

You can compare two policies for a single managed application. After the comparison, you have a report that displays which policy settings match and which settings differ. For example, you may have to compare policies if different administrators in their respective offices have created multiple policies for a single managed application, or if a single top-level policy has been inherited by all local offices and modified for each office. You can compare policies in one of the following ways: by selecting one policy and comparing it to another, or by comparing any two policies from the list of policies.

To compare one policy to another:

1. In the console tree, select the Policies folder.
2. In the workspace of the Policies folder, select the policy that you require to compare to another.
3. In the context menu of the policy, select Compare policy to another policy.
4. In the Select policy window, select the policy to which your policy must be compared.
5. Click OK.

A report in HTML format is displayed for the comparison of the two policies for the same application.

To compare any two policies from the list of policies:

1. In the Policies folder, in the list of policies, use the Shift or Ctrl key to select two policies for a single managed application.
2. In the context menu, select Compare.

A report in HTML format is displayed for the comparison of the two policies for the same application.

The report on comparison of policy settings for Kaspersky Endpoint Security for Windows also provides details of the comparison of policy profiles. You can minimize the results of policy profile comparison. To minimize the section, click the arrow icon () next to the section name.

Deleting a policy

To delete a policy:

1. In the workspace of an administration group, on the Policies tab, select the policy that you want to delete.
2. Delete the policy in one of the following ways:
   • By selecting Delete in the context menu of the policy.
   • By clicking the Delete policy link in the information box for the selected policy.

Copying a policy

To copy a policy:

1. In the workspace of the required group, on the Policies tab select a policy.
2. In the context menu of the policy, select Copy.
3. In the console tree, select a group to which you want to add the policy.

   You can add a policy to the group from which it was copied.

4. From the context menu of the list of policies for the selected group, on the Policies tab select Paste.

The policy is copied with all its settings and is applied to the devices within the group to which it was copied. If you paste the policy into the same group from which it has been copied, the (<next sequence number>) index is automatically added to the policy name, for example: (1), (2).

An active policy becomes inactive while it is copied. If necessary, you can make it active.

Exporting a policy

To export a policy:

1. Export a policy in one of the following ways:
   • By selecting All tasks → Export in the context menu of the policy.
   • By clicking the Export policy to file link in the information box for the selected policy.
2. In the Save as window that opens, specify the policy file name and path. Click the Save button.

Importing a policy

To import a policy:

1. In the workspace of the relevant group, on the Policies tab select one of the following ways of importing policies:
   • By selecting All tasks → Import in the context menu of the list of policies.
   • By clicking the Import policy from file button in the management block for policy list.
2. In the window that opens, specify the path to the file from which you want to import a policy. Click the Open button.

The imported policy is displayed in the policy list. The settings and profiles of the policy are also imported. Regardless of the policy status that was selected during the export, the imported policy is inactive. You can change the policy status in the policy properties.

If the newly imported policy has a name identical to that of an existing policy, the name of the imported policy is expanded with the (<next sequence number>) index, for example: (1), (2).

Converting policies

Kaspersky Security Center can convert policies from earlier versions of managed Kaspersky applications to the up-to-date versions of the same applications. Converted policies keep the current administrator's settings specified before the update, as well as include new settings from the up-to-date versions of the applications. Management plug-ins for Kaspersky applications determine whether conversion is available for the policies of these applications. For information about converting policies for each supported Kaspersky application, refer to the relevant Help from the following list:

• Kaspersky applications for workstations:
  • Kaspersky Endpoint Security for Windows
  • Kaspersky Endpoint Security for Linux
  • Kaspersky Endpoint Security for Linux Elbrus Edition
  • Kaspersky Endpoint Security for Linux ARM Edition
  • Kaspersky Endpoint Security for Mac
  • Kaspersky Endpoint Agent
  • Kaspersky Embedded Systems Security for Windows
• Kaspersky Industrial CyberSecurity:
  • Kaspersky Industrial CyberSecurity for Nodes
  • Kaspersky Industrial CyberSecurity for Linux Nodes
  • Kaspersky Industrial CyberSecurity for Networks (centralized deployment is not supported)
• Kaspersky applications for mobile devices:
  • Kaspersky Endpoint Security for Android
  • Kaspersky Security for iOS
• Kaspersky applications for file servers:
  • Kaspersky Security for Windows Server
  • Kaspersky Endpoint Security for Windows
  • Kaspersky Endpoint Security for Linux
• Kaspersky applications for virtual machines:
  • Kaspersky Security for Virtualization Light Agent
  • Kaspersky Security for Virtualization Agentless
• Kaspersky applications for mail systems and SharePoint / collaboration servers:
  • Kaspersky Security for Linux Mail Server
  • Kaspersky Secure Mail Gateway
  • Kaspersky Security for Microsoft Exchange Servers
• Kaspersky applications for detection of targeted attacks:
  • Kaspersky Sandbox
  • Kaspersky Endpoint Detection and Response Optimum
  • Kaspersky Managed Detection and Response
• Kaspersky applications for KasperskyOS devices:
  • Kaspersky IoT Secure Gateway
  • Kaspersky Security Management Suite (plug-in for Kaspersky Thin Client)

To convert policies:

1. In the console tree, select the Administration Server for which you want to convert policies.
2. In the Administration Server context menu, select All Tasks → Policies and Tasks Batch Conversion Wizard.

The Policies and tasks batch conversion wizard starts. Follow the instructions of the wizard.

After the wizard completes, new policies are created that use the current administrator's settings of policies and the new settings from the up-to-date versions of Kaspersky applications.