Secure Endpoint guidelines for Parent>child>policy simplifications

tonypearce1
Level 3

I'm trying to find information resources that can provide some insight as to how others have overcome the challenge with managing servers and their applied policy, when it comes to necessary exclusions and policy options. 

Presently I am using 1 policy = 1 group. Each server is a member of the group with the policy attached. Essentially, I am assigning policies directly to servers by way of the group.
This sort of negates any usefulness of the Groups and is messy and difficult to manage especially as more and more servers get Secure Endpoint deployed onto them and differing policies and exclusions are required.

In an ideal situation it would suit us to be able to group all of the, e.g., Windows servers and apply them to a parent group where all of the base Windows policy settings are applied. And then any Windows Application servers can be assigned to the Child group where only those application rules are present within the child policy. And then the server obtains a combined resultant set of policy based on the Parent and additional Child settings. Secure Endpoint does NOT work this way and so this is not possible.

I’ve searched the support forum and found some info which describes organising the groups based on geographic location as one idea. Another idea is to just use one group as per the comments. However, this won't overcome our challenge: this must be a secure deployment, and having one group and consequently one OS policy will mean we must apply all of the exclusions to one policy and therefore, systems will obtain a policy which has unnecessary and risky exclusion rules.

Can anyone offer any further insight as to how to tackle this? I have a customer that is a bit unhappy with this product because of these challenges which are not present with the incumbent solution, even though the incumbent is a much-less-capable product in terms of “endpoint protection”, so any information that could help is most appreciated.

2 Replies

Your ideal is great. It doesn't exist.

Child groups get their own policy...the whole thing. You can duplicate a policy, but that only helps initially.

It's been an issue since release. I've had discussions with Product Management multiple times over the years. They know...

mski7861
Level 1

I agree, your idea would make total sense, but...

We have multiple groups and policies as well and yes, it gets messy. As Ken pointed out, we make copies of policies and modify them to address a specific application's exclusion needs. Our groups look something like this:

Parent - Servers:  Base policy

         Child 1 - SQL Servers:  SQL policy

         Child 2 - Active Directory: AD Policy

         Child 3 - App Server 1: App1 Policy

         Child 4 - App Server 2: App 2 Policy