Kaspersky Security Center 13.1

Managing policy profiles

This section describes managing policy profiles and provides information about viewing the profiles of a policy, changing a policy profile priority, creating a policy profile, modifying a policy profile, copying a policy profile, creating a policy profile activation rule, and deleting a policy profile.

In this section

About the policy profile

Creating a policy profile

Modifying a policy profile

Deleting a policy profile

Creating a policy profile activation rule


About the policy profile

A policy profile is a named collection of policy settings that is activated on a client device (computer or mobile device) when the device satisfies the specified activation rules. Activating a profile modifies the policy settings that were in effect on the device before activation: those settings take the values specified in the profile.

Policy profiles are necessary for devices within a single administration group to run under different policy settings. For example, a situation may occur when policy settings have to be modified for some devices in an administration group. In this case, you can configure policy profiles for such a policy, which allows you to edit policy settings for selected devices in the administration group. For example, the policy prohibits running any GPS navigation software on all devices in the Users administration group. GPS navigation software is necessary only on a single device in the Users administration group—the device owned by the user employed as a courier. You can tag that device as simply "Courier" and reconfigure the policy profile so that it allows GPS navigation software to run only on the device tagged as "Courier", while preserving all the remaining policy settings. In this case, if a device tagged as "Courier" appears in the Users administration group, it will be allowed to run GPS navigation software. Running GPS navigation software will still be prohibited on other devices in the Users administration group unless they are tagged as "Courier", too.

Profiles are only supported by the following policies:

  • Policies of Kaspersky Endpoint Security 10 Service Pack 1 for Windows or later
  • Policies of Kaspersky Endpoint Security 10 Service Pack 1 for Mac
  • Policies of the Kaspersky Mobile Device Management plug-in ranging from version 10 Service Pack 1 to version 10 Service Pack 3 Maintenance Release 1
  • Policies of the Kaspersky Device Management for iOS plug-in
  • Policies of Kaspersky Security for Virtualization 5.1 Light Agent for Windows
  • Policies of Kaspersky Security for Virtualization 5.1 Light Agent for Linux

Policy profiles simplify the management of the client devices that the policies apply to:

  • The policy profile settings may differ from the policy settings.
  • You do not have to maintain and manually apply several instances of a single policy that differ only by a few settings.
  • You do not have to allocate a separate policy for out-of-office users.
  • You can export and import policy profiles, as well as create new policy profiles based on existing ones.
  • A single policy can have multiple active policy profiles. Only profiles that meet the activation rules effective on the device will be applied to that device.
  • Profiles are subject to the policy hierarchy. An inherited policy includes all profiles of the higher-level policy.

Priorities of profiles

Profiles that have been created for a policy are sorted in descending order of priority. For example, if profile X is higher in the list of profiles than profile Y, then X has a higher priority than Y. Multiple profiles can be applied to a single device simultaneously. If the values of a setting differ between profiles, the value from the highest-priority profile is applied on the device.

Profile activation rules

A policy profile is activated on a client device when an activation rule is triggered. Activation rules are a set of conditions that, when met, start the policy profile on a device. An activation rule can contain the following conditions:

  • Network Agent on a client device connects to the Administration Server that has a specified set of connection settings, such as Administration Server address, port number, and so forth.
  • The client device is offline.
  • The client device has been assigned specified tags.
  • The client device is located, explicitly (the device is directly in the specified unit) or implicitly (the device is in a unit nested at any level inside the specified unit), in a specific Active Directory organizational unit, or the device or its owner is a member of an Active Directory security group.
  • The client device belongs to a specified owner, or the owner of the device is included in an internal security group of Kaspersky Security Center.
  • The owner of the client device has been assigned a specified role.

Policies in the hierarchy of administration groups

If you create a policy in a low-level administration group, the new policy inherits all profiles of the active policy from the higher-level group. Profiles with identical names are merged. Policy profiles of the higher-level group have the higher priority. For example, in administration group A, policy P(A) has profiles X1, X2, and X3 (in descending order of priority). In administration group B, a subgroup of group A, policy P(B) has been created with profiles X2, X4, and X5. Policy P(B) is then merged with policy P(A), so that the list of profiles in policy P(B) appears as follows: X1, X2, X3, X4, X5 (in descending order of priority). The priority of profile X2 depends on the initial state of X2 in policy P(B) and of X2 in policy P(A). After policy P(B) is created, policy P(A) is no longer displayed in subgroup B.

The active policy is recalculated every time Network Agent is started, offline mode is enabled or disabled, or the list of tags assigned to the client device is edited. For example, if the RAM size on a device has been increased, this can activate the policy profile that is applied to devices with a large RAM size.
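The priority resolution, profile inheritance and activation conditions described in this section, modelled as an added Python example (this is not Kaspersky code; the class names, setting names and sample devices are constructed here, and only the offline, tag and RAM conditions are modelled).

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    """One activation rule; a None/empty field means the criterion is not applied."""
    offline: "bool | None" = None        # "Device is offline": Yes / No / no value
    tags: frozenset = frozenset()        # "Tag list": device must carry ALL of them
    invert_tags: bool = False            # "Apply to devices without the specified tags"
    ram_mb: "tuple | None" = None        # ("<" or ">", value) for "RAM size, in MB"

    def triggered(self, dev: dict) -> bool:
        if self.offline is not None and dev["offline"] != self.offline:
            return False
        if self.tags:
            if self.invert_tags:
                matched = not (self.tags & dev["tags"])   # none of the tags
            else:
                matched = self.tags <= dev["tags"]        # all of the tags
            if not matched:
                return False
        if self.ram_mb is not None:
            op, val = self.ram_mb
            if not (dev["ram_mb"] < val if op == "<" else dev["ram_mb"] > val):
                return False
        return True

@dataclass
class Profile:
    name: str
    settings: dict                       # only the settings this profile overrides
    rules: list = field(default_factory=list)
    enabled: bool = True

    def active_on(self, dev: dict) -> bool:
        # Reading of the page: the profile activates when any of its rules triggers.
        return self.enabled and any(r.triggered(dev) for r in self.rules)

def effective_settings(policy: dict, profiles: list, dev: dict) -> dict:
    """profiles is ordered by descending priority (first = highest). Every active
    profile is applied; where values conflict, the highest-priority profile wins."""
    result = dict(policy)
    for p in reversed(profiles):         # lowest priority first, higher ones overwrite
        if p.active_on(dev):
            result.update(p.settings)
    return result

def inherit_profiles(parent: list, child: list) -> list:
    """A sub-group policy inherits the parent's profiles: same-name profiles merge and
    parent profiles keep the higher priority (X1,X2,X3 + X2,X4,X5 -> X1..X5).
    Assumption not stated on the page: on a merge the parent's setting values win."""
    merged, child_left = [], {p.name: p for p in child}
    for pp in parent:
        cp = child_left.pop(pp.name, None)
        merged.append(pp if cp is None else Profile(
            pp.name, {**cp.settings, **pp.settings}, pp.rules + cp.rules))
    return merged + list(child_left.values())

# Constructed sample: the page's "Courier" case plus RAM- and offline-based profiles.
POLICY = {"gps_allowed": False, "scan_level": "normal"}
PROFILES = [                             # descending priority
    Profile("Courier", {"gps_allowed": True}, [Rule(tags=frozenset({"Courier"}))]),
    Profile("BigRAM", {"scan_level": "deep"}, [Rule(ram_mb=(">", 8192))]),
    Profile("Offline", {"scan_level": "light"}, [Rule(offline=True)]),
]
```

On an offline courier device with 16 GB of RAM both BigRAM and Offline trigger, and BigRAM's higher priority decides the scan level; removing BigRAM lets Offline win, mirroring the Profile 1 / Profile 2 example later on this page.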

Properties and restrictions of policy profiles

Profiles have the following properties:

  • Profiles of an inactive policy have no impact on client devices.
  • If a policy is set to the Out-of-office policy status, profiles of the policy will also be applied when a device is disconnected from the corporate network.
  • Profiles do not support static analysis of access to executable files.
  • A policy profile cannot contain any settings of event notifications.
  • If UDP port 15000 is used for connecting a device to Administration Server, the corresponding policy profile is activated within one minute after you assign a tag to the device.
  • You can use rules for Network Agent connection to the Administration Server when you create policy profile activation rules.

Creating a policy profile

Profile creation is available only for the policies of the following applications:

  • Kaspersky Endpoint Security 10 Service Pack 1 for Windows and later versions
  • Kaspersky Endpoint Security 10 Service Pack 1 for Mac
  • Kaspersky Mobile Device Management plug-in versions 10 Service Pack 1 to 10 Service Pack 3 Maintenance Release 1
  • Kaspersky Device Management for iOS plug-in
  • Kaspersky Security for Virtualization 5.1 Light Agent for Windows and Linux

To create a policy profile:

  1. In the console tree, select the administration group for whose policy you have to create a policy profile.
  2. In the workspace of the administration group, select the Policies tab.
  3. Select a policy and switch to the policy properties window using the context menu.
  4. Open the Policy profiles section in the policy properties window and click the Add button.

    The New Policy Profile Wizard starts.

  5. In the Policy profile name window of the Wizard, specify the following:
    1. Name of the policy profile

      The profile name cannot include more than 100 characters.

    2. Policy profile status (Enabled or Disabled)

      We recommend that you create policy profiles in the Disabled state and enable them only after you have completely finished configuring the settings and the activation conditions of the policy profile.

  6. Select the After closing the New Policy Profile Wizard, proceed to configuring the policy profile activation rule check box to start the New Policy Profile Activation Rule Wizard. Follow the Wizard steps.
  7. Edit the policy profile settings in the policy profile properties window, in the way you require.
  8. Save the changes by clicking OK.

    The profile is saved. The profile will be activated on devices that meet the activation rules.

You can create multiple profiles for a single policy. Profiles that have been created for a policy are displayed in the policy properties, in the Policy profiles section. You can modify a policy profile and change the profile priority, as well as remove the profile.

See also:

Policy setup and propagation: Device-centric approach


Modifying a policy profile

Editing the settings of a policy profile

The capability to edit a policy profile is only available for policies of Kaspersky Endpoint Security for Windows.

To modify a policy profile:

  1. In the console tree, select the administration group for which the policy profile has to be modified.
  2. In the workspace of the group, select the Policies tab.
  3. Select a policy and switch to the policy properties window using the context menu.
  4. Open the Policy profiles section in the policy properties.

    This section contains a list of profiles that have been created for the policy. Profiles are displayed in the list in accordance with their priorities.

  5. Select a policy profile and click the Properties button.
  6. Configure the profile in the properties window:
    • If necessary, in the General section, change the profile name and enable or disable the profile using the Enable profile check box.
    • In the Activation rules section, edit the profile activation rules.
    • Edit the policy settings in the corresponding sections.
  7. Click OK.

The modified settings will take effect either after the device is synchronized with the Administration Server (if the policy profile is active), or after an activation rule is triggered (if the policy profile is inactive).

Changing the priority of a policy profile

The priorities of policy profiles define the activation order of profiles on a client device. Priorities are used if identical activation rules are set for different policy profiles.

For example, two policy profiles have been created: Profile 1 and Profile 2, which differ only in the value of a single setting (Value 1 and Value 2, respectively). The priority of Profile 1 is higher than that of Profile 2. There are also other profiles with priorities lower than that of Profile 2. The activation rules for all of these profiles are identical.

When an activation rule is triggered, Profile 1 will be activated. The setting on the device will take Value 1. If you remove Profile 1, then Profile 2 will have the highest priority, so the setting will take Value 2.

On the list of policy profiles, profiles are displayed in accordance with their respective priorities. The profile with the highest priority is ranked first. You can change the priority of a profile by using the up arrow and the down arrow buttons.


Deleting a policy profile

To delete a policy profile:

  1. In the console tree, select the administration group whose policy profile you want to delete.
  2. In the workspace of the administration group, select the Policies tab.
  3. Select a policy and switch to the policy properties window using the context menu.
  4. Open the Policy profiles section in the properties of the policy of Kaspersky Endpoint Security.
  5. Select the policy profile that you want to delete and click the Delete button.

The policy profile will be deleted. The active status will pass either to another policy profile whose activation rules are triggered on the device, or to the policy.


Creating a policy profile activation rule

To create a policy profile activation rule:

  1. In the console tree, select the administration group for which you have to create a policy profile activation rule.
  2. In the workspace of the group, select the Policies tab.
  3. Select a policy and switch to the policy properties window using the context menu.
  4. Select the Policy profiles section in the policy properties window.
  5. Select the policy profile for which you need to create an activation rule, and click the Properties button.

    The policy profile properties window opens.

    If the list of policy profiles is empty, you can create a policy profile.

  6. Select the Activation rules section, and click the Add button.

    The New Policy Profile Activation Rule Wizard starts.

  7. In the Policy profile activation rules window, select the check boxes next to the conditions that must affect activation of the policy profile that you are creating:
    • General rules for policy profile activation

      Select this check box to set up policy profile activation rules on the device depending on the status of the device offline mode, rule for connection to Administration Server, and tags assigned to the device.

    • Rules for Active Directory usage

      Select this check box to set up rules for policy profile activation on the device depending on the presence of the device in an Active Directory organizational unit (OU), or on membership of the device (or its owner) in an Active Directory security group.

    • Rules for a specific device owner

      Select this check box to set up rules for policy profile activation on the device depending on the device owner.

    • Rules for hardware specifications

      Select this check box to set up rules for policy profile activation on the device depending on the memory volume and the number of logical processors.

    The number of additional windows of the Wizard depends on the settings that you select at this step. You can modify policy profile activation rules later.

  8. In the General conditions window, specify the following settings:
    • In the Device is offline field, in the drop-down list specify the condition for device presence on the network:
      • Yes

        The device is in an external network, which means that the Administration Server is not available.

      • No

        The device is on the network, so the Administration Server is available.

      • No value is selected

        The criterion will not be applied.

    • In the The device is in the specified network location box, use the drop-down lists to set up the policy profile activation if the Administration Server connection rule is executed / not executed on this device:
      • Executed / Not executed

        Condition of policy profile activation (whether the rule is executed or not).

      • Rule name

        Network location description of the device for connection to the Administration Server, whose conditions must be met (or must not be met) for activation of the policy profile.

        A network location description of devices for connection to an Administration Server can be created or configured in a Network Agent switching rule.

    The General conditions window is displayed if the General rules for policy profile activation check box is selected.

  9. In the Conditions using tags window, specify the following settings:
    • Tag list

      In the list of tags, specify the rule for device inclusion in the policy profile by selecting the check boxes next to the relevant tags.

      You can add new tags to the list by entering them in the field over the list and clicking the Add button.

      The policy profile includes devices with descriptions containing all the selected tags. If check boxes are cleared, the criterion is not applied. By default, these check boxes are cleared.

    • Apply to devices without the specified tags

      Enable this option if you have to invert your selection of tags.

      If this option is enabled, the policy profile includes devices with descriptions that contain none of the selected tags. If this option is disabled, the criterion is not applied.

      By default, this option is disabled.

    The Conditions using tags window is displayed if the General rules for policy profile activation check box is selected.

  10. In the Conditions using Active Directory window, specify the following settings:
    • Device owner's membership in Active Directory security group

      If this option is enabled, the policy profile is activated on the device whose owner is a member of the specified security group. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

    • Device membership in Active Directory security group

      If this option is enabled, the policy profile is activated on the device that is a member of the specified security group. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

    • Device allocation in Active Directory organizational unit

      If this option is enabled, the policy profile is activated on the device which is included in the specified Active Directory organizational unit (OU). If this option is disabled, the profile activation criterion is not applied.

      By default, this option is disabled.

    The Conditions using Active Directory window is displayed if the Rules for Active Directory usage check box is selected.

  11. In the Conditions using the device owner window, specify the following settings:
    • Device owner

      Enable this option to configure and enable the rule for profile activation on the device according to its owner. In the drop-down list under the check box, you can select a criterion for the profile activation:

      • The device belongs to the specified owner ("=" sign).
      • The device does not belong to the specified owner ("≠" sign).

      If this option is enabled, the profile is activated on the device in accordance with the criterion configured. You can specify the device owner when the option is enabled. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

    • The device owner is included in an internal security group

      Enable this option to configure and enable the rule of profile activation on the device by the owner's membership in an internal security group of Kaspersky Security Center. In the drop-down list under the check box, you can select a criterion for the profile activation:

      • The device owner is a member of the specified security group ("=" sign).
      • The device owner is not a member of the specified security group ("≠" sign).

      If this option is enabled, the profile is activated on the device in accordance with the criterion configured. You can specify a security group of Kaspersky Security Center. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

    • Activate policy profile by specific role of device owner

      Select this option to configure and enable the rule of profile activation on the device depending on the owner's role. Add the role manually from the list of existing roles.

      If this option is enabled, the profile is activated on the device in accordance with the criterion configured.

    The Conditions using the device owner window opens if the Rules for a specific device owner check box is selected.

  12. In the Conditions using equipment specifications window, specify the following settings:
    • RAM size, in MB

      Enable this option to configure and enable the rule of profile activation on the device by the RAM volume available on that device. In the drop-down list under the check box, you can select a criterion for the profile activation:

      • The device RAM size is less than the specified value ("<" sign).
      • The device RAM size is greater than the specified value (">" sign).

      If this option is enabled, the profile is activated on the device in accordance with the criterion configured. You can specify the RAM volume on the device. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

    • Number of logical processors

      Enable this option to configure and enable the rule of profile activation on the device by the number of logical processors on that device. In the drop-down list under the check box, you can select a criterion for the profile activation:

      • The number of logical processors on the device is less than or equal to the specified value ("<" sign).
      • The number of logical processors on the device is greater than or equal to the specified value (">" sign).

      If this option is enabled, the profile is activated on the device in accordance with the criterion configured. You can specify the number of logical processors on the device. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

    The Conditions using equipment specifications window is displayed if the Rules for hardware specifications check box is selected.

  13. In the Name of policy profile activation rule window, in the Rule name field, specify a name for the rule.

The profile will be saved. The profile will be activated on the device when activation rules are triggered.

Policy profile activation rules created for the profile are displayed in the policy profile properties in the Activation rules section. You can modify or remove any policy profile activation rule.

Multiple activation rules can be triggered simultaneously.

See also:

Policy setup and propagation: Device-centric approach
