Device moving rules
We recommend that you automate the allocation of devices to administration groups through device moving rules. A device moving rule consists of three main parts: a name, an execution condition (logical expression with the device attributes), and a target administration group. A rule moves a device to the target administration group if the device attributes meet the rule execution condition.
All device moving rules have priorities. The Administration Server checks whether the device attributes meet the execution condition of each rule, in ascending order of priority. If the device attributes meet the execution condition of a rule, the device is moved to the target group, and rule processing is complete for this device. If the device attributes meet the conditions of multiple rules, the device is moved to the target group of the rule with the highest priority (that is, the rule that has the highest rank in the list of rules).
Device moving rules can be created implicitly. For example, in the properties of an installation package or a remote installation task, you can specify the administration group to which the device must be moved after Network Agent is installed on it. Also, device moving rules can be created explicitly by the administrator of Open Single Management Platform, in the Assets (Devices) → Moving rules section.
By default, a device moving rule is intended for one-time initial allocation of devices to administration groups. The rule moves devices from the unassigned devices group only once. If a device once was moved by this rule, the rule will never move it again, even if you return the device to the unassigned devices group manually. This is the recommended way of applying moving rules.
You can move devices that have already been allocated to some of the administration groups. To do this, in the properties of a rule, clear the Move only devices that do not belong to an administration group check box.
Applying moving rules to devices that have already been allocated to some of the administration groups significantly increases the load on the Administration Server.
The Move only devices that do not belong to an administration group check box is locked in the properties of automatically created moving rules. Such rules are created when you add the Install application remotely task or create a stand-alone installation package.
You can create a moving rule that would affect a single device repeatedly.
We strongly recommend that you avoid moving a single device from one group to another repeatedly (for example, in order to apply a special policy to that device, run a special group task, or update the device through a specific distribution point).
Such scenarios are not supported, because they increase the load on Administration Server and network traffic to an extreme degree. These scenarios also conflict with the operating principles of Open Single Management Platform (particularly in the area of access rights, events, and reports). Another solution must be found, for example, through the use of policy profiles, tasks for device selections, or assignment of Network Agents according to the standard scenario.
Creating device moving rules
You can set up device moving rules, that is, rules that automatically allocate devices to administration groups.
To create a moving rule:
- In the main menu, go to Assets (Devices) → Moving rules.
- Click Add.
- In the window that opens, specify the following information on the General tab:
  - Rule name
    Enter a name for the new rule.
    If you are copying a rule, the new rule gets the same name as the source rule, but an index in () format is added to the name, for example: (1).
  - Administration group
    Select the administration group into which the devices are to be moved automatically.
  - Active rule
    If this option is enabled, the rule is enabled and starts working after it is saved.
    If this option is disabled, the rule is created, but not enabled. It will not work until you enable this option.
  - Move only devices that do not belong to an administration group
    If this option is enabled, only unassigned devices will be moved to the selected group.
    If this option is disabled, devices that already belong to other administration groups, as well as unassigned devices, will be moved to the selected group.
  - Apply rule
    You can select one of the following options:
    - Run once for each device
      The rule is applied once for each device that matches your criteria.
    - Run once for each device, then at every Network Agent reinstallation
      The rule is applied once for each device that matches your criteria, then only when Network Agent is reinstalled on these devices.
    - Apply rule continuously
      The rule is applied according to the schedule which the Administration Server sets up automatically (usually every several hours).
- On the Rule conditions tab, specify at least one criterion by which the devices are moved to an administration group.
- Click Save.
The moving rule is created. It is displayed in the list of moving rules.
The higher the position is on the list, the higher the priority of the rule. To increase or decrease the priority of a moving rule, move the rule up or down in the list, respectively, by using the mouse.
If the Apply rule continuously option is selected, the moving rule is applied regardless of the priority settings. Such rules are applied according to the schedule that the Administration Server sets up automatically.
If the device attributes meet the conditions of multiple rules, the device is moved to the target group of the rule with the highest priority (that is, the rule that has the highest rank in the list of rules).
Copying device moving rules
You can copy moving rules, for example, if you want to have several identical rules for different target administration groups.
To copy an existing moving rule:
- Do one of the following:
  - In the main menu, go to Assets (Devices) → Moving rules.
  - In the main menu, go to Discovery & deployment → Deployment & assignment → Moving rules.
  The list of moving rules is displayed.
- Select the check box next to the rule you want to copy.
- Click Copy.
- In the window that opens, change the following information on the General tab, or make no changes if you only want to copy the rule without changing its settings:
  - Rule name
    Enter a name for the new rule.
    If you are copying a rule, the new rule gets the same name as the source rule, but an index in () format is added to the name, for example: (1).
  - Administration group
    Select the administration group into which the devices are to be moved automatically.
  - Active rule
    If this option is enabled, the rule is enabled and starts working after it is saved.
    If this option is disabled, the rule is created, but not enabled. It will not work until you enable this option.
  - Move only devices that do not belong to an administration group
    If this option is enabled, only unassigned devices will be moved to the selected group.
    If this option is disabled, devices that already belong to other administration groups, as well as unassigned devices, will be moved to the selected group.
  - Apply rule
    You can select one of the following options:
    - Run once for each device
      The rule is applied once for each device that matches your criteria.
    - Run once for each device, then at every Network Agent reinstallation
      The rule is applied once for each device that matches your criteria, then only when Network Agent is reinstalled on these devices.
    - Apply rule continuously
      The rule is applied according to the schedule which the Administration Server sets up automatically (usually every several hours).
- On the Rule conditions tab, specify at least one criterion for the devices that you want to be moved automatically.
- Click Save.
The new moving rule is created. It is displayed in the list of moving rules.
Conditions for a device moving rule
When you create or copy a rule to move client devices to administration groups, on the Rule conditions tab you set conditions for moving the devices. To determine which devices to move, you can use the following criteria:
- Tags assigned to client devices.
- Network parameters. For example, you can move devices with IP addresses from a specified range.
- Managed applications installed on client devices, for instance, Network Agent or Administration Server.
- Whether the client devices are virtual machines.
The sections below describe how to specify this information in a device moving rule.
If you specify several conditions in the rule, the AND logical operator works and all the conditions apply at the same time. If you do not select any options or keep some fields blank, such conditions do not apply.
Tags tab
On this tab, you can configure a device moving rule based on device tags that were previously added to the descriptions of client devices. To do this, select the required tags. Also, you can enable the following options:
- Apply to devices without the specified tags
If this option is enabled, all devices with the specified tags are excluded from a device moving rule. If this option is disabled, the device moving rule applies to devices with all the selected tags.
By default, this option is disabled.
- Apply if at least one specified tag matches
If this option is enabled, a device moving rule applies to client devices with at least one of the selected tags. If this option is disabled, the device moving rule applies to devices with all the selected tags.
By default, this option is disabled.
Network tab
On this tab, you can specify the network data of devices that a device moving rule considers:
- DNS name of the device
DNS domain name of the client device that you want to move. Fill this field if your network includes a DNS server.
If case-sensitive collation is set for the database that you use for Open Single Management Platform, preserve the letter case when you specify a device DNS name. Otherwise, the device moving rule will not work.
- DNS domain
A device moving rule applies to all devices included in the specified main DNS suffix. Fill this field if your network includes a DNS server.
- IP range
If this option is enabled, you can enter the initial and final IP addresses of the IP range in which the relevant devices must be included.
By default, this option is disabled.
- IP address for connection to Administration Server
If this option is enabled, you can set the IP addresses by which client devices are connected to Administration Server. To do this, specify the IP range that includes all necessary IP addresses.
By default, this option is disabled.
- Connection profile changed
Select one of the following values:
- Yes. A device moving rule only applies to client devices with a changed connection profile.
- No. The device moving rule only applies to the client devices whose connection profile has not changed.
- No value is selected. The condition does not apply.
- Managed by a different Administration Server
Select one of the following values:
- Yes. A device moving rule only applies to client devices managed by other Administration Servers. These Servers are different from the Server on which you configure the device moving rule.
- No. The device moving rule only applies to client devices managed by the current Administration Server.
- No value is selected. The condition does not apply.
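The following Python model is an added example, not Open Single Management Platform code: it reproduces the evaluation described on this page (conditions combined with AND, empty conditions ignored, the highest rule in the list winning) so that a planned rule list can be checked against a sample inventory before it is created in the console. The class and field names, the sample rules and devices, and the reading that "Apply to devices without the specified tags" inverts the tag test are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Device:                       # hypothetical model of a discovered device
    ip: str
    tags: frozenset = frozenset()
    group: str = None               # None models the unassigned devices group

@dataclass
class Rule:                         # hypothetical model; field names are not product names
    name: str
    target: str
    tags: frozenset = frozenset()   # empty: the tag condition does not apply
    any_tag: bool = False           # "Apply if at least one specified tag matches"
    without_tags: bool = False      # "Apply to devices without the specified tags"
    ip_range: tuple = None          # (first, last); None: the condition does not apply
    unassigned_only: bool = True    # "Move only devices that do not belong to an administration group"
    def matches(self, dev):
        if self.unassigned_only and dev.group is not None:
            return False
        if self.tags:
            hit = bool(self.tags & dev.tags) if self.any_tag else self.tags <= dev.tags
            if hit == self.without_tags:   # assumption: the exclusion option inverts the tag test
                return False
        if self.ip_range:
            first, last, ip = map(ipaddress.ip_address, (*self.ip_range, dev.ip))
            return first <= ip <= last
        return True                        # every configured condition held (AND)

def matching_rules(dev, rules):
    return [r.name for r in rules if r.matches(dev)]   # list order: top rule first
def target_group(dev, rules):
    # The highest-ranked matching rule decides; with no match the device stays where it is.
    return next((r.target for r in rules if r.matches(dev)), dev.group)

BRANCH = ("10.20.0.1", "10.20.0.254")      # constructed sample range
RULES = [                                  # constructed; index 0 = top of the list
    Rule("Quarantine", "Quarantine", frozenset({"quarantine"})),
    Rule("Branch servers", "Branch/Servers", frozenset({"server", "branch"}), ip_range=BRANCH),
    Rule("Branch other", "Branch/Workstations", ip_range=BRANCH),
    Rule("Legacy", "Legacy", frozenset({"legacy"}), unassigned_only=False),
]
DEVICES = {                                # constructed inventory
    "srv01": Device("10.20.0.10", frozenset({"server", "branch"})),
    "srv02": Device("10.20.0.11", frozenset({"server", "branch", "quarantine"})),
    "ws07": Device("10.20.0.77"),
    "old01": Device("10.30.0.5", frozenset({"legacy"}), group="Managed/HQ"),
}
```

A device for which `matching_rules` returns more than one name is one whose destination group, and therefore the policy it receives, depends on the order of the rule list.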
Applications tab
On this tab, you can configure a device moving rule based on the managed applications and operating systems installed on client devices:
- Network Agent is installed
Select one of the following values:
- Yes. A device moving rule only applies to client devices with Network Agent installed.
- No. The device moving rule only applies to client devices on which Network Agent is not installed.
- No value is selected. The condition does not apply.
- Applications
Specify what managed applications should be installed on client devices, so a device moving rule applies to these devices. For example, you can select Kaspersky Security Center 15 Network Agent or Kaspersky Security Center 15 Administration Server.
If you do not select any managed application, the condition does not apply.
- Operating system version
You can cull client devices based on the operating system version. For this purpose, specify operating systems that should be installed on the client devices. As a result, a device moving rule applies to the client devices with the selected operating systems.
If you do not enable this option, the condition does not apply. By default, the option is disabled.
- Operating system bit size
You can cull client devices by the operating system bit sizes. In the Operating system bit size field, you can select one of the following values:
To check the operating system bit size of the client devices:
- In the main menu, go to the Assets (Devices) → Managed devices section.
- Click the Columns settings button on the right.
- Select the Operating system bit size option, and then click the Save button.
After that, the operating system bit size is displayed for every managed device.
- Operating system service pack version
In this field, you can specify the package version of the operating system (in the X.Y format), which will determine how the moving rule is applied to the device. By default, no version value is specified.
- User certificate
Select one of the following values:
- Installed. A device moving rule only applies to mobile devices with a mobile certificate.
- Not installed. The device moving rule only applies to mobile devices without a mobile certificate.
- No value is selected. The condition does not apply.
- Operating system build
This setting is applicable to Windows operating systems only.
You can specify whether the selected operating system must have an equal, earlier, or later build number. You can also configure a device moving rule for all build numbers except the specified one.
- Operating system release number
This setting is applicable to Windows operating systems only.
You can specify whether the selected operating system must have an equal, earlier, or later release number. You can also configure a device moving rule for all release numbers except the specified one.
Virtual machines tab
On this tab, you can configure a device moving rule according to whether client devices are virtual machines or part of a virtual desktop infrastructure (VDI):
- This is a virtual machine
In the drop-down list, you can select one of the following:
- N/A. The condition does not apply.
- No. Move devices that are not virtual machines.
- Yes. Move devices that are virtual machines.
- Virtual machine type
- Part of Virtual Desktop Infrastructure
In the drop-down list, you can select one of the following:
- N/A. The condition does not apply.
- No. Move devices that are not part of VDI.
- Yes. Move devices that are part of VDI.
Domain controller tab
On this tab, you can specify that it is necessary to move devices included in the domain organizational unit. You can also move devices from all child organizational units of the specified domain organizational unit:
- Device is included in the following organizational unit
If this option is enabled, a device moving rule applies to devices from the domain controller organizational unit specified in the list under the option.
By default, this option is disabled.
- Include child organizational units
If this option is enabled, the selection includes devices from all child organizational units of the specified domain controller organizational unit.
By default, this option is disabled.
- Move devices from child units to corresponding subgroups
- Create subgroups corresponding to containers of newly detected devices
- Delete subgroups that are not present in the domain
- Device is included in the following domain security group
If this option is enabled, a device moving rule applies to devices from the domain security group specified in the list under the option.
By default, this option is disabled.