Bothell Report out


Policy Management
Key Terms
• Cabinet – The highest-level container in a folder tree. A
policy cannot be assigned to a cabinet.
• Folder – Organizational structure within a cabinet
• Policy – A group of defined settings assigned to endpoints
• Policy Object – A single setting group within a policy
• View – Filter used to display/control machines based on
specific criteria (OS, IP range, applications installed, etc.)
Key Terms (continued)
• Compliance – Determines whether settings
applied to an endpoint are equal to the
settings defined within the applied policies
• Manual Override – Changing a setting within
a module directly where that setting is
defined within an assigned policy
• Combining Policy Objects – When defined in
more than one policy, these objects are all
added to the endpoint
• Conflicting Policy Objects – When defined in
more than one policy, rules dictate which
setting “wins”
Policy Management:
Systems Management Tool
Systems Management Tool
• The Systems Management tab provides a setup
wizard which enables admins to quickly configure
and apply machine management policies for a
specific organization. Once configured, these
policies are assigned to each machine managed
on behalf of that organization.
• Machine Groups inherit settings of their parent
organization. Therefore, to configure all clients
within a single organization to use the same
settings, you need only define the settings at the
highest level for that organization.
• Customize settings for machine groups within an
organization by completing the wizard for the
individual group(s).
Systems Management Tool
If you choose to enable
Workstation Patch and Update
Management, you must define a
credential and password
Systems Management Tool
Click Finish to
commit the changes
Systems Management Tool
• Once the wizard completes, the content will be downloaded
(if not already present) from Kaseya to the VSA.
• Installs pre-defined content. To differentiate Content Pack
Views from ones created by VSA admins, all Kaseya-provided
View content has a prefix of “zz[SYS]”:
Systems Management Tool
• Managed Monitor Set content is
visible within the System cabinet on
the Monitor > Monitor Sets page:
Systems Management Tool
• Managed Agent Procedure content is visible
within the System cabinet on the Agent
Procedure > Schedule/Create page:
Systems Management Tool
• Managed Policy content is visible within the
System cabinet on the Policy Management >
Policies page:
Systems Management Tool
• Content within the System cabinet
should not be edited
• To customize System content, copy the
policy, monitor set, or agent
procedure to a Private or Shared
folder
• Apply a policy based on customized
System content to an individual
machine or group so that it takes
precedence over the System content
Policy Management:
Creating Policies
Creating and Managing Policies
• Create a manageable folder structure – by function or by
client/org
• Create Views specific to policy
– Specific machine types (e.g., by OS, by application, server v.
workstation, etc.)
– Any changes to Views may impact endpoints – ensure Views
are edited accurately
– Creating Policy-specific Views can help minimize accidental
changes to Views in use by Policy
• Example:
ExchangeServer
Policy-ExchangeServer
• Policy Mgmt > Policies > Add Policy
• Select and configure desired policy objects
• Select View to define which endpoint should receive the
policy
Creating and Managing Policies
Save v. Save and Apply
• Save: Saves the changes to the policy. Policies are
in a pending state. No changes are applied to
endpoints.
– A policy that is saved but NOT applied will appear with
a yellow scroll icon on the Policies page:
– A policy that has no View associated will appear with a
red scroll icon on the Organization/Machine Group
page:
• Save and Apply: Saves changes to the policy and
applies the changes to the endpoints
– Apply Now: Apply the changes to all affected
endpoints immediately. Can cause some performance
issues, depending on overall workload of server.
– Allow scheduler to apply: Changes will be applied at
next deployment interval
Policy Management:
Policy Precedence
Policy Precedence – Who Wins?
• Multiple policies can be assigned to a
single endpoint
• Some policy objects will be combined
and some will conflict
• Rules determine which policy will
“win” when there is a conflict
Policy Precedence - Combine
Which policy objects combine?
– Monitor Sets
– Agent Procedures
– Event Log Alerts
– Distribute Files
When more than one policy is applied to
a machine, and each policy defines the
above objects, the endpoint will receive
ALL of the defined combinable objects
Policy Precedence
Combine Example
PolicyA defines two Agent Procedures:
PolicyB defines different Procedures:
PolicyA and PolicyB are assigned to the
same endpoint, workstation1
Policy Precedence
Combine Example (continued)
• When the policies are applied to workstation1, all four
Procedures are assigned:
• Note: If the same procedure is scheduled in both policies,
each with different schedules, policy precedence rules will
determine which procedure schedule will be applied to the
endpoint
– For combinable objects, Policy Mgmt will use the same logic as
the module. If the module allows the same object to be
assigned multiple times to the same endpoint, all settings will be
passed to the endpoint. If the module allows only ONE setting
per machine for the selected object, policy precedence rules will
be followed.
Policy Precedence - Conflict
• Remaining Policy Objects conflict
• When a conflict exists, the winning
object is determined based on
precedence. The more closely the
policy is assigned to the machine level,
the more precedence the policy has.
• Possible layers are: Global, Org,
Parent Group, Child Group (including
nested child groups), Machine
Policy Precedence - Conflict
• A policy assigned at the Global level will apply to all
endpoints
• A policy applied at the org level will apply to all
endpoints within the org. Any conflicting Global objects
will be overwritten with the settings in policies applied
at the Org level
• A policy applied at the Parent Group level will apply to
all endpoints in the group. Any conflicting objects
applied at the Global or Org level will be overwritten
with settings in the policies applied at the Group level
• Child-group policies will overwrite any conflicts from
global, org, or parent group policies
• Policies assigned directly to an endpoint will win over
conflicting settings at the higher levels.
Handling Conflicts
[Diagram: policy objects assigned at the Global, Org, Group and Machine levels (Credential, Agent Menu, Log History, Working Directory, File Source, LAN Cache, Patch Reboot Action, Remote Control), with some objects marked X, and the resulting Effective Settings]
Policies Assignment Rules
• Multiple policies can be assigned to any organization or machine group or machine.
• A machine with multiple policies assigned to it has conflicting policies when both specify
the same policy type.
– Multiple policies are not in conflict if different policy types are specified.
– The following policy types combine with each other so that no conflicts occur:
event log alerts, distribute files, monitor sets, and agent procedures.
• Policies are assigned by organization/machine group using the Organizations/Machine
Groups page.
– Policies assigned to a lower level in an organization hierarchy have precedence over
policies assigned to a higher level in the same organization hierarchy.
– Unless a lower level policy conflicts with it, policies assigned to a level apply to all
lower levels.
– When multiple policies are assigned to the same organization or machine group, the
assigned policies have precedence in the order listed.
• Policies can be assigned by machine using the Machines page.
– Policies assigned by machine have precedence over all policies assigned to that machine
by organization/machine group.
– Policies assigned by machine have precedence in the order listed.
• All policy assignments can be overridden by changing agent settings manually throughout the
VSA.
– Manual changes have precedence over all policy assignments.
• A policy can be associated with a view definition in the Policies page.
– When a machine is assigned to a policy by organization or by machine group, an associated
view filters the machines associated with a policy. If a machine is not a member of the view
definition, then the policy will not be propagated to that machine.
– When a machine is assigned to a policy by machine, then the view associated with a policy
is ignored and the policy will be propagated to that machine.
– Associating a policy with a view does not, by itself, assign a policy to any machine.
– The order of precedence for views depends on the policies they are associated with.
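The combine, conflict, view and manual-override rules above can be checked against a small model. This is an added example, not Kaseya VSA code: the class names, policy names and settings are hypothetical, and it assumes each agent procedure can carry only one schedule per machine.

```python
from dataclasses import dataclass
from typing import Callable

# Added model of the page's precedence rules; not Kaseya VSA code.
# Policy types the page lists as combining rather than conflicting.
COMBINABLE = {"agent_procedures", "monitor_sets", "event_log_alerts", "distribute_files"}
# Assignment layers from the page, lowest precedence first.
LAYERS = ["global", "org", "parent_group", "child_group", "machine"]

@dataclass
class Policy:
    name: str
    objects: dict                      # policy type -> setting ({item: schedule} if combinable)
    view: Callable[[dict], bool]       # view filter; ignored for machine-level assignment

@dataclass
class Assignment:
    layer: str                         # one of LAYERS
    order: int                         # position in the assignment list, 0 = top
    policy: Policy

def effective_settings(machine, assignments, manual=None):
    """Return {policy type: (setting, source)} for one machine."""
    # Winner first: layer closest to the machine, then highest in the list.
    ranked = sorted(assignments, key=lambda a: (-LAYERS.index(a.layer), a.order))
    out = {}
    for a in ranked:
        if a.layer != "machine" and not a.policy.view(machine):
            continue                   # machine is outside the policy's view
        for ptype, setting in a.policy.objects.items():
            if ptype in COMBINABLE:
                merged, _ = out.setdefault(ptype, ({}, "combined"))
                for item, schedule in setting.items():
                    merged.setdefault(item, schedule)   # same item twice: winner's schedule
            else:
                out.setdefault(ptype, (setting, a.policy.name))  # conflict: first wins
    for ptype, setting in (manual or {}).items():
        out[ptype] = (setting, "manual override")       # manual beats every policy
    return out

# Constructed sample data; policy names and settings are hypothetical.
is_workstation = lambda m: m["os"] == "workstation"
GLOBAL = Policy("Global-Baseline", {"agent_menu": "hidden", "working_directory": "C:\\agent-work",
                "agent_procedures": {"Disk Cleanup": "weekly"}}, lambda m: True)
ORG = Policy("Org-Workstations", {"agent_menu": "visible",
             "agent_procedures": {"Disk Cleanup": "daily", "Defrag": "monthly"}}, is_workstation)
PINNED = Policy("Machine-Exception", {"remote_control": "ask permission"}, lambda m: False)
ASSIGNMENTS = [Assignment("global", 0, GLOBAL), Assignment("org", 0, ORG),
               Assignment("machine", 0, PINNED)]

def demo():
    ws = effective_settings({"os": "workstation"}, ASSIGNMENTS, {"working_directory": "D:\\temp"})
    srv = effective_settings({"os": "server"}, ASSIGNMENTS)
    return ws, srv
```

The source recorded beside each setting is what to compare against Effective Machine Policy Settings when an unexpected value, such as a credential or remote control setting, turns out to come from a broader layer or a manual override.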
Assigning Policies by Org/Group
• Assign policies to organizations or groups by
dragging individual policies or folders to the org
– Drag folder from Policy list… to an organization
• When assigning folders, all policies within the
folder will be assigned
“Higher” v. “Lower” precedence
• Order the policies/folders based on the
precedence you want applied. The higher in
the list, the higher the precedence.
Precedence determines which policy “wins”
when a conflict is present
If a policy in the Global Policies
folder conflicts with a policy in
the Windows Workstation…
Folder, precedence rules
dictate the settings in the
Global Policies folder will “win”
because it appears higher in
the assignment list.
“Higher” v. “Lower” precedence
Ordering Policies
• Drag/Drop assigned items to re-order
the list. The lower in the list, the
lesser the precedence
With the reordering, all
policies within Windows
Workstation… folder will take
precedence over policies in the
Global Policies folder
Applying Policies to Machines
• Policy > Machines allows you to assign a
policy to an endpoint directly
• When a policy is assigned directly to an
endpoint, View settings are ignored
• Precedence rules apply
• Policies assigned directly to endpoint will
take precedence over policies applied at
the group, org, or global level
• Machine-assigned policies can be
ordered to determine precedence
Use this field to filter by
policy name
Or select the policy from
the cabinet/folder tree
Policies are listed in order
of precedence. The higher
in the list, the higher the
precedence.
Matrix Detail
What exactly is applied?
Hover over policy icon to
reveal the matrix detail
Matrix Detail
Policy Object Status
Matrix Detail
Machine Effective Policy Settings
Policy Object name, enabled on the Policies page
Policy Name
Setting
Actual Configuration
Unassigning Policies
• Change View settings
• Remove from Org/Machine Group
• Remove from endpoint
• Disable Systems Management Tool
• Unassigning policies does not remove the
setting from the endpoint. It only
disables the centralized management of
settings by policy
• To remove the settings from the
endpoint, visit the individual Module
pages and manually clear settings.
Policy Management:
Settings
Policy Management > Settings
• Deployment Interval: Frequency to apply
policy settings to endpoints after
changes/edits to policies
– Changes to endpoints based on View
membership occur via a backend process
that runs once per hour
• Compliance Check: Frequency of
verification of settings assigned to
endpoints as compared to settings
defined by applied policies. Manual
overrides are detected during
compliance checks.
Policy Management:
New Features in 6.3
Organization Credentials
• Audit > Manage Credentials
• Define a credential for all machines
within the selected organization
• Created by Systems Management tool (if
Patch function enabled) or can be
manually defined by an admin
• Policy can leverage this credential
• Allows admin to use single policy with
Agent Credential object defined for
multiple organizations/clients
Using Organization Credentials
• Enable the policy object Credential
• Check “Use organization defaults”
• The credential defined in Audit > Manage
Credentials will be used
• This policy can be shared by multiple orgs
• At this time, Policy is the only function that
leverages the org credential
New 6.3 Policy Functions
• Support for add-on modules such as
KAM, KAV, KES, KDPM
• LAN Cache assignment
– LAN Cache must be created on host machine
via Agent > LAN Cache
– LAN Cache Assignment is separate from File
Source. LAN Cache can be used as the patch
file source, but assigning only the LAN cache
policy object will NOT configure the Patch
File Source object.
• Remote Control Session Terminate
messages
New 6.3 Policy Functions
• Agent Procedure schedule can be edited
• “Exclude Time” is no longer enabled by
default in scheduler
• Patch schedules will combine if one
policy defines Scan schedule and second
policy defines Update schedule
• Effective Machine Policy Settings
• Audit and Patch schedules can be set to
“None” to prevent schedule settings
from two policies from merging
New Policy Object Functions
Merging Schedules
• PolicyA defines Scan schedule:
• PolicyB defines Update schedule:
• If both policies are applied to a single
endpoint, the endpoint will combine
these two functions
New Policy Object Functions
Merging Schedules
• To prevent this combining, set the
blank schedule to “None”:
• When PolicyA and PolicyB are
assigned to the endpoint, the Scan
schedule will be left undefined
(provided the policy defined above is
the “winning” policy).
Additional New Features
Sharing Policy Content
• Cabinet contents can be shared with
variable rights
Right Click on Folder
Then click “Share”
Admin
Additional New Features
Sharing Policy Content
• When share permissions are granted
on a folder, all contents of the folder
inherit the permissions of the parent
folder
• Permissions can only be granted at
folder levels
• Contents of the System Cabinets are
visible to Master admins only (for SaaS
customers, the equivalent is “System”
role)
Additional New Features
Access Rights
• Action buttons (Save, Save and Apply, Delete, Edit, etc.)
and Policy Objects (Agent Menu, Agent Procedures, Alerts, etc.)
can be controlled via Role Access Rights (System > Roles > Access Rights)
Policy Management:
Troubleshooting
Effective Machine Policy Settings
• Leverage Effective Machine Policy
Settings function to:
– Determine which specific setting is
causing an out of compliance notification
– Which policy is “winning” for individual
settings
– Quickly determine all settings applied to
a machine via Policy Management
Troubleshooting Policies
• Attempt to determine if the issue is with Policy
Management or with the individual Module
– If function is not working via Policy, test configuring
the same setting via the individual module
– If configuring the setting via the module is not
successful, troubleshoot the module first
– If opening a ticket with Kaseya Support, attempting
to determine whether the issue exists in the module
can assist in proper routing of ticket and speed
resolution
• Example Issue: Agent Procedure assigned via Policy does
not run.
• Troubleshooting: Attempt to assign/run the procedure
on the endpoint via the Agent Procedure (AP) module. If
it fails in AP, the issue likely lies with the AP module. If it
succeeds in AP but fails when assigned via Policy, the issue
may lie with Policy.
Troubleshooting Policies:
Policies not applying
• Patience – policies can take time to apply. Many
functions are not immediate. All functions
should complete within a few hours (often less)
of a change, but few will complete immediately
– Exception: Apply policy and choose “Apply Now”
will begin the application of policy settings to
machines, but time to complete will vary
• Check Policy Mgmt > Settings > Deployment
Interval
– If Manual, policies will not automatically deploy
– If configured other than manual but deployments
are not occurring, change setting > Save, then
restore to desired setting > Save
• Check Policy Mgmt > Dashboard to view pending
events (changes not yet applied)
Best Practices
• Multiple layered policies are easier to manage
and share across orgs than a few policies with
multiple, broad objects configured
• COPY from System Cabinet and modify within the
Private cabinet
– Assign System content, then use customized policy
with higher precedence to override unnecessary
content settings
• Use manual overrides for exceptions on
individual machines for short-term testing
• Create unique policies applied directly to
endpoint to manage exceptions for longer-term
• Create views specific to policy
When will changes occur?
Action: Interval
• Deployment Interval: Configurable - Defined on Policy > Settings page
• Compliance Interval: Configurable - Defined on Policy > Settings page
• New Agent: Triggers application of policies based on
Deployment Interval defined
• Assignment based on View changes: Backend process runs once per hour
• Defined Schedules (Agent Procedures, Patch/Audit schedules, etc.):
Runs at the first interval after the policy is
applied to the endpoint. Will not run
immediately upon policy assignment to the
endpoint. Past schedules will not run.
Policy Hotfixes
• At times, hotfixes are necessary to
resolve bugs
• Often, a hotfix to Policy Management
may require that the policies be
reprocessed after the hotfix is applied
to the VSA
– Reprocess policies via Policy
Management > Machines > Reprocess
Policies
Thank you
• Slides and recorded presentation will
be available for download at
http://www.kaseya.com/forms/techjams.aspx
• Chat-based Q&A session will continue
for a few minutes. Please continue
to post questions in the Q&A window.