https://community.cisco.com/t5/endpoint-security/policy-and-group-change-in-amp-for-endpoints/m-p/3338858#M4635 <P>David,</P> <P>&nbsp;</P> <P>Does this mean that changing a computer from one policy to another occurs when a heartbeat happens? If so, is there any way to force a computer to change to the new policy?</P> <P>&nbsp;</P> <P>Thanks,<BR />Garrett</P> Tue, 27 Feb 2018 15:50:19 GMT Garrett_N 2018-02-27T15:50:19Z https://community.cisco.com/t5/endpoint-security/policy-and-group-change-in-amp-for-endpoints/m-p/3309225#M4632 <P>I deployed AMP for endpoint to a test machine following Cisco's <A title="AMP for Endpoints Deployment Strategy" href="https://docs.amp.cisco.com/en/A4E/AMP%20for%20Endpoints%20Deployment%20Strategy.pdf" target="_self">Deployment Strategy guide for AMP for endpoint</A>.</P> <P>&nbsp;</P> <P>This guide recomends creating an Audit Only, Protect, Triage, Server and Domain Controller policy and the same for groups. It also recomends all the workstations to initially belong to the "Audit Only" group (with the Audit Only policy) and then move them to the Protect group (with Protect policy) after making sure you root out any false positive.&nbsp;</P> <P>&nbsp;</P> <P>At this point, I downloaded the connector from the "Audit Only Group" with the "Audit Only" policy and installed it in my VM.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="connector down.png" style="width: 481px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/6101i387AA1FE97445BFF/image-size/large?v=v2&amp;px=999" role="button" title="connector down.png" alt="connector down.png" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CiscoAMP Connector.png" style="width: 297px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/6102i00A616B05A39FB29/image-size/large?v=v2&amp;px=999" role="button" title="CiscoAMP Connector.png" alt="CiscoAMP Connector.png" /></span></P> <P>&nbsp;</P> <P>Now, I went ahead and moved the computer from the "Audit Only Group" to the "Protect Group" but the Protect Policy is not reflected in the console nor in the connector. </P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PGroup.png" style="width: 939px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/6103i5C61B85341E1ACA1/image-size/large?v=v2&amp;px=999" role="button" title="PGroup.png" alt="PGroup.png" /></span></P> <P>&nbsp;</P> <P><STRONG>- How do I properly move this Computer from the "Audit Only" to the "Protect" policy?</STRONG></P> <P><EM>Doing a "Sync Policy" at the connector only updates any changes done to the "Audit Only" policy. </EM></P> <P><EM>Rebooting the machine and/or restarting the services don't update the policy.</EM></P> Sat, 09 Mar 2019 01:46:00 GMT https://community.cisco.com/t5/endpoint-security/policy-and-group-change-in-amp-for-endpoints/m-p/3309225#M4632 Andres Villarroel 2019-03-09T01:46:00Z https://community.cisco.com/t5/endpoint-security/policy-and-group-change-in-amp-for-endpoints/m-p/3309989#M4633 <P>It looks like ~24h after the changes. The client and the console updated automatically.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ProConsole.png" style="width: 941px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/6167i542731DD9754C0E1/image-size/large?v=v2&amp;px=999" role="button" title="ProConsole.png" alt="ProConsole.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ProPolicy.png" style="width: 295px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/6168i03B0AB79C7CC369C/image-size/large?v=v2&amp;px=999" role="button" title="ProPolicy.png" alt="ProPolicy.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Checking at the console events, the agent fecthed the policies on 01/10 and 01/11 but only the one from today (01/11) made the change.&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Events.png" style="width: 647px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/6171i84EB488078415B92/image-size/large?v=v2&amp;px=999" role="button" title="Events.png" alt="Events.png" /></span></P> Thu, 11 Jan 2018 19:33:32 GMT https://community.cisco.com/t5/endpoint-security/policy-and-group-change-in-amp-for-endpoints/m-p/3309989#M4633 Andres Villarroel 2018-01-11T19:33:32Z https://community.cisco.com/t5/endpoint-security/policy-and-group-change-in-amp-for-endpoints/m-p/3314383#M4634 <P>Hi</P> <P>&nbsp;</P> <P>every agent checks periodically based on a heartbeat interval against cloud.</P> <P>This time is specified per policy, as you see it in the screenshot.</P> <P>Regards</P> <P>David</P> Fri, 19 Jan 2018 10:53:26 GMT https://community.cisco.com/t5/endpoint-security/policy-and-group-change-in-amp-for-endpoints/m-p/3314383#M4634 David Janulik 2018-01-19T10:53:26Z https://community.cisco.com/t5/endpoint-security/policy-and-group-change-in-amp-for-endpoints/m-p/3338858#M4635 <P>David,</P> <P>&nbsp;</P> <P>Does this mean that changing a computer from one policy to another occurs when a heartbeat happens? If so, is there any way to force a computer to change to the new policy?</P> <P>&nbsp;</P> <P>Thanks,<BR />Garrett</P> Tue, 27 Feb 2018 15:50:19 GMT https://community.cisco.com/t5/endpoint-security/policy-and-group-change-in-amp-for-endpoints/m-p/3338858#M4635 Garrett_N 2018-02-27T15:50:19Z https://community.cisco.com/t5/endpoint-security/policy-and-group-change-in-amp-for-endpoints/m-p/3340203#M4636 <P>Hello&nbsp;Garrett</P> <P>&nbsp;</P> <P>If you make any kind of changes in the policy including changing the connectors from one group to another , it will take effect only after the heartbeat interval . You can set the heartbeat interval starting from 15 minutes.&nbsp;</P> <P>&nbsp;</P> <P>Regards</P> <P>Jetsy&nbsp;</P> Thu, 01 Mar 2018 07:14:46 GMT https://community.cisco.com/t5/endpoint-security/policy-and-group-change-in-amp-for-endpoints/m-p/3340203#M4636 Jetsy Mathew 2018-03-01T07:14:46Z