Policy Management

Key Terms
Cabinet – The highest-level container in a folder tree. A policy cannot be assigned to a cabinet.
Folder – Organizational structure within a cabinet
Policy – A group of defined settings assigned to endpoints
Policy Object – A single setting group within a policy
View – Filter used to display/control machines based on specific criteria (OS, IP range, applications installed, etc.)

Key Terms (continued)
Compliance – Determines whether settings applied to an endpoint are equal to the settings defined within the applied policies
Manual Override – Changing a setting within a module directly where that setting is defined within an assigned policy
Combining Policy Objects – When defined in more than one policy, these objects are all added to the endpoint
Conflicting Policy Objects – When defined in more than one policy, rules dictate which setting “wins”

Policy Management: Systems Management Tool

The Systems Management tab provides a setup wizard which enables admins to quickly configure and apply machine management policies for a specific organization. Once configured, these policies are assigned to each machine managed on behalf of that organization. Machine Groups inherit settings of their parent organization. Therefore, to configure all clients within a single organization to use the same settings, you need only define the settings at the highest level for that organization. Customize settings for machine groups within an organization by completing the wizard for the individual group(s).

Systems Management Tool

If you choose to enable Workstation Patch and Update Management, you must define a credential and password

Systems Management Tool
Click Finish to commit the changes

Systems Management Tool
Once the wizard completes, the content will be downloaded (if not already present) from Kaseya to the VSA.
Installs pre-defined content.
To differentiate Content Pack Views from ones created by VSA admins, all Kaseya-provided View content has a prefix of “zz[SYS]”:

Systems Management Tool
Managed Monitor Set content is visible within the System cabinet on the Monitor > Monitor Sets page:

Systems Management Tool
Managed Agent Procedure content is visible within the System cabinet on the Agent Procedure > Schedule/Create page:

Systems Management Tool
Managed Policy content is visible within the System cabinet on the Policy Management > Policies page:

Systems Management Tool
Content within the System cabinet should not be edited
To customize System content, copy the policy, monitor set, or agent procedure to a Private or Shared folder
Apply a policy based on the customized System content to an individual machine or group so that it takes precedence over the System content

Policy Management: Creating Policies

Creating and Managing Policies
Create a manageable folder structure – by function or by client/org
Create Views specific to policy
– Specific machine types (e.g., by OS, by application, server v. workstation, etc.)
– Any changes to Views may impact endpoints – ensure Views are edited accurately
– Creating Policy-specific Views can help minimize accidental changes to Views in use by Policy
Example: ExchangeServer Policy-ExchangeServer
Policy Mgmt > Policies > Add Policy
Select and configure desired policy objects
Select View to define which endpoint should receive the policy

Creating and Managing Policies
Save v. Save and Apply
Save: Saves the changes to the policy. Policies are in a pending state. No changes are applied to endpoints.
– A policy that is saved but NOT applied will appear with a yellow scroll icon on the Policies page:
– A policy that has no View associated will appear with a red scroll icon on the Organization/Machine Group page:
Save and Apply: Saves changes to the policy and applies the changes to the endpoints
– Apply Now: Apply the changes to all affected endpoints immediately. Can cause some performance issues, depending on overall workload of server.
– Allow scheduler to apply: Changes will be applied at next deployment interval

Policy Management: Policy Precedence

Policy Precedence – Who Wins?
Multiple policies can be assigned to a single endpoint
Some policy objects will be combined and some will conflict
Rules determine which policy will “win” when there is a conflict

Policy Precedence - Combine
Which policy objects combine?
– Monitor Sets
– Agent Procedures
– Event Log Alerts
– Distribute Files
When more than one policy is applied to a machine, and each policy defines the above objects, the endpoint will receive ALL of the defined combinable objects

Policy Precedence Combine Example
PolicyA defines two Agent Procedures:
PolicyB defines different Procedures:
PolicyA and PolicyB are assigned to the same endpoint, workstation1

Policy Precedence Combine Example (continued)
When the policies are applied to workstation1, all four Procedures are assigned:
Note: If the same procedure is scheduled in both policies, each with different schedules, policy precedence rules will determine which procedure schedule will be applied to the endpoint
– For combinable objects, Policy Mgmt will use the same logic as the module. If the module allows the same object to be assigned multiple times to the same endpoint, all settings will be passed to the endpoint. If the module allows only ONE setting per machine for the selected object, policy precedence rules will be followed.

Policy Precedence - Conflict
Remaining Policy Objects conflict
When a conflict exists, the winning object is determined based on precedence.
The more closely the policy is assigned to the machine level, the more precedence the policy has.
Possible layers are: Global, Org, Parent Group, Child Group (including nested child groups), Machine

Policy Precedence - Conflict
A policy assigned at the Global level will apply to all endpoints
A policy applied at the Org level will apply to all endpoints within the org. Any conflicting Global objects will be overwritten with the settings in policies applied at the Org level
A policy applied at the Parent Group level will apply to all endpoints in the group. Any conflicting objects applied at the Global or Org level will be overwritten with settings in the policies applied at the Group level
Child-group policies will overwrite any conflicts from global, org, or parent group policies
Policies assigned directly to an endpoint will win over conflicting settings at the higher levels.

Handling Conflicts
[Diagram: policy objects (Credential, Agent Menu, Log History, LAN Cache, Patch Reboot Action, Working Directory, File Source, Remote Control) assigned at the Global, Org, Group and Machine levels, with the resulting Effective Settings; four entries are marked X.]

Policies Assignment Rules
Multiple policies can be assigned to any organization or machine group or machine.
A machine with multiple policies assigned to it has conflicting policies when both specify the same policy type.
– Multiple policies are not in conflict if different policy types are specified.
– The following policy types combine with each other so that no conflicts occur: event log alerts, distribute files, monitor sets, and agent procedures.
Policies are assigned by organization/machine group using the Organizations/Machine Groups page.
– Policies assigned to a lower level in an organization hierarchy have precedence over policies assigned to a higher level in the same organization hierarchy.
– Unless a lower level policy conflicts with it, policies assigned to a level apply to all lower levels.
– When multiple policies are assigned to the same organization or machine group, the assigned policies have precedence in the order listed.
Policies can be assigned by machine using the Machines page.
– Policies assigned by machine have precedence over all policies assigned to that machine by organization/machine group.
– Policies assigned by machine have precedence in the order listed.
All policy assignments can be overridden by changing agent settings manually throughout the VSA.
– Manual changes have precedence over all policy assignments.
A policy can be associated with a view definition in the Policies page.
– When a machine is assigned to a policy by organization or by machine group, an associated view filters the machines associated with a policy. If a machine is not a member of the view definition, then the policy will not be propagated to that machine.
– When a machine is assigned to a policy by machine, then the view associated with a policy is ignored and the policy will be propagated to that machine.
– Associating a policy with a view does not, by itself, assign a policy to any machine.
– The order of precedence for views depends on the policies they are associated with.
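
The assignment rules above can be modelled in a few lines to predict a machine's effective settings before a policy is applied. The following Python sketch is an added example, not Kaseya code or part of the original slides; the class names, object-type keys and sample policies are constructed, and it assumes Global assignments are view-filtered like organization/group ones and does not model per-object schedules.

```python
from dataclasses import dataclass
from typing import Callable

# Object types the slides list as combinable; every other type conflicts.
COMBINABLE = {"monitor_sets", "agent_procedures", "event_log_alerts", "distribute_files"}
# Assignment layers from the slides, lowest precedence first.
LEVELS = ["global", "org", "parent_group", "child_group", "machine"]

@dataclass
class Policy:
    name: str
    objects: dict                  # object type -> setting (list for combinable types)
    view: Callable[[dict], bool]   # view filter over machine attributes

@dataclass
class Assignment:
    policy: Policy
    level: str   # one of LEVELS
    order: int   # position in the assignment list at that level (0 = top)

def effective_settings(machine, assignments, manual_overrides=None):
    """Return {object type: (setting, source)} for one machine."""
    # A view filters every assignment except a direct machine assignment.
    # Assumption: Global assignments are view-filtered like org/group ones.
    reached = [a for a in assignments
               if a.level == "machine" or a.policy.view(machine)]
    # Highest precedence first: closest layer, then highest in the list.
    reached.sort(key=lambda a: (-LEVELS.index(a.level), a.order))
    effective, combined = {}, {}
    for a in reached:
        for obj_type, value in a.policy.objects.items():
            if obj_type in COMBINABLE:
                combined.setdefault(obj_type, set()).update(value)
            elif obj_type not in effective:   # first seen is the winner
                effective[obj_type] = (value, a.policy.name)
    for obj_type, values in combined.items():
        effective[obj_type] = (sorted(values), "combined")
    # Manual changes in a module beat every policy assignment.
    for obj_type, value in (manual_overrides or {}).items():
        effective[obj_type] = (value, "manual override")
    return effective

# Constructed sample data (hypothetical names and values, not from a real VSA).
GLOBAL_BASELINE = Policy("global_baseline", {
    "credential": "org-default", "remote_control": "ask permission",
    "agent_procedures": ["Disk Cleanup"]}, lambda m: True)
ORG_WORKSTATIONS = Policy("org_workstations", {
    "remote_control": "silent", "patch_reboot_action": "reboot at night",
    "agent_procedures": ["Flush DNS"]}, lambda m: m["role"] == "workstation")
# This policy's view matches servers only; direct assignment ignores it.
MACHINE_EXCEPTION = Policy("machine_exception", {
    "patch_reboot_action": "ask user"}, lambda m: m["role"] == "server")

WORKSTATION1 = {"name": "workstation1", "role": "workstation"}
SERVER1 = {"name": "server1", "role": "server"}
INHERITED = [Assignment(GLOBAL_BASELINE, "global", 0),
             Assignment(ORG_WORKSTATIONS, "org", 0)]
DIRECT = Assignment(MACHINE_EXCEPTION, "machine", 0)

if __name__ == "__main__":
    result = effective_settings(WORKSTATION1, INHERITED + [DIRECT])
    for obj_type, (value, source) in sorted(result.items()):
        print(f"{obj_type:20} {value!s:32} <- {source}")
```

Running it for workstation1 shows the lower-level policy replacing the Global remote-control setting, which is the kind of silent weakening of a baseline worth reviewing before a policy is applied.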

Assigning Policies by Org/Group
[Screenshot: aarentals. Callouts: Drag folder from Policy list… …to an organization]
Assign policies to organizations or groups by dragging individual policies or folders to the org
When assigning folders, all policies within the folder will be assigned

“Higher” v. “Lower” precedence
Order the policies/folders based on the precedence you want applied. The higher in the list, the higher the precedence.
Precedence determines which policy “wins” when a conflict is present
[Screenshot: aarentals]
If a policy in the Global Policies folder conflicts with a policy in the Windows Workstation… Folder, precedence rules dictate the settings in the Global Policies folder will “win” because it appears higher in the assignment list.

“Higher” v. “Lower” precedence
Ordering Policies
Drag/Drop assigned items to re-order the list. The lower in the list, the lesser the precedence
With the reordering, all policies within Windows Workstation… folder will take precedence over policies in the Global Policies folder

Applying Policies to Machines
Policy > Machines allows you to assign a policy to an endpoint directly
When a policy is assigned directly to an endpoint, View settings are ignored
Precedence rules apply
Policies assigned directly to endpoint will take precedence over policies applied at the group, org, or global level
Machine-assigned policies can be ordered to determine precedence

Policies are listed in order of precedence. The higher in the list, the higher the precedence.
Use this field to filter by policy name
Or select the policy from the cabinet/folder tree

Matrix Detail
What exactly is applied?
Hover over policy icon to reveal the matrix detail

Matrix Detail
Policy Object Status

Matrix Detail
Machine Effective Policy Settings
[Screenshot callouts: Policy Name; Actual Configuration Setting; Policy Object name, enabled on the Policies page]

Unassigning Policies
Change View settings
Remove from Org/Machine Group
Remove from endpoint
Disable Systems Management Tool
Unassigning policies does not remove the setting from the endpoint. It only disables the centralized management of settings by policy
To remove the settings from the endpoint, visit the individual Module pages and manually clear settings.

Policy Management: Settings

Policy Management > Settings
Deployment Interval: Frequency to apply policy settings to endpoints after changes/edits to policies
– Changes to endpoints based on VIEW membership occur via a backend process that runs once per hour
Compliance Check: Frequency of verification of settings assigned to endpoints as compared to settings defined by applied policies. Manual overrides are detected during compliance checks.

Policy Management: New Features in 6.3

Organization Credentials
Audit > Manage Credentials
Define a credential for all machines within the selected organization
Created by Systems Management tool (if Patch function enabled) or can be manually defined by an admin
Policy can leverage this credential
Allows admin to use single policy with Agent Credential object defined for multiple organizations/clients

Using Organization Credentials
Enable the policy object Credential
Check “Use organization defaults”
The credential defined in Audit > Manage Credentials will be used
This policy can be shared by multiple orgs
At this time, Policy is the only function that leverages the org credential

New 6.3 Policy Functions
Support for add-on modules such as KAM, KAV, KES, KDPM
LAN Cache assignment
– LAN Cache must be created on host machine via Agent > LAN Cache
– LAN Cache Assignment is separate from File Source. LAN Cache can be used as the patch file source, but assigning only the LAN cache policy object will NOT configure the Patch File Source object.
Remote Control Session Terminate messages

New 6.3 Policy Functions
Agent Procedure schedule can be edited
“Exclude Time” is no longer enabled by default in scheduler
Patch schedules will combine if one policy defines Scan schedule and second policy defines Update schedule
Effective Machine Policy Settings
Audit and Patch schedules can be set to “None” to prevent schedule settings from two policies from merging

New Policy Object Functions
Merging Schedules
PolicyA defines Scan schedule:
PolicyB defines Update schedule:
If both policies are applied to a single endpoint, the endpoint will combine these two functions

New Policy Object Functions
Merging Schedules
To prevent this combining, set the blank schedule to “None”:
When PolicyA and PolicyB are assigned to the endpoint, the Scan schedule will be left undefined (provided the policy defined above is the “winning” policy).

Additional New Features
Sharing Policy Content
Cabinet contents can be shared with variable rights
Right Click on Folder
Then click “Share”

Additional New Features
Sharing Policy Content
When share permissions are granted on a folder, all contents of the folder inherit the permissions of the parent folder
Permissions can only be granted at folder levels
Contents of the System Cabinets are visible to Master admins only (for SaaS customers, the equivalent is “System” role)

Additional New Features
Access Rights
Action buttons (Save, Save and Apply, Delete, Edit, etc.) and Policy Objects (Agent Menu, Agent Procedures, Alerts, etc.) can be controlled via Role Access Rights (System > Roles > Access Rights)

Policy Management: Troubleshooting

Effective Machine Policy Settings
Leverage Effective Machine Policy Settings function to:
– Determine which specific setting is causing an out of compliance notification
– Which policy is “winning” for individual settings
– Quickly determine all settings applied to a machine via Policy Management

Troubleshooting Policies
Attempt to determine if the issue is with Policy Management or with the individual Module
– If function is not working via Policy, test configuring the same setting via the individual module
– If configuring the setting via the module is not successful, troubleshoot the module first
– If opening a ticket with Kaseya Support, attempting to determine whether the issue exists in the module can assist in proper routing of ticket and speed resolution
Example Issue: Agent Procedure assigned via Policy does not run.
Troubleshooting: Attempt to assign/run the procedure on the endpoint via the Agent Procedure (AP) module. If fails in AP, issue likely lies with AP module. If succeeds in AP but fails when assigned via Policy, issue may lie with policy.

Troubleshooting Policies: Policies not applying
Patience – policies can take time to apply. Many functions are not immediate. All functions should complete within a few hours (often less) of a change, but few will complete immediately
– Exception: Apply policy and choose “Apply Now” will begin the application of policy settings to machines, but time to complete will vary
Check Policy Mgmt > Settings > Deployment Interval
– If Manual, policies will not automatically deploy
– If configured other than manual but deployments are not occurring, change setting > Save, then restore to desired setting > Save
Check Policy Mgmt > Dashboard to view pending events (changes not yet applied)

Best Practices
Multiple layered policies are easier to manage and share across orgs than a few policies with multiple, broad objects configured
COPY from System Cabinet and modify within the Private cabinet
– Assign System content, then use customized policy with higher precedence to override unnecessary content settings
Use manual overrides for exceptions on individual machines for short-term testing
Create unique policies applied directly to endpoint to manage exceptions for longer-term
Create views specific to policy

When will changes occur?
Action: Interval
Deployment Interval: Configurable - Defined on Policy > Settings page
Compliance Interval: Configurable - Defined on Policy > Settings page
New Agent: Triggers application of policies based on Deployment Interval defined
Assignment based on View changes: Backend process runs once per hour
Defined Schedules (Agent Procedures, Patch/Audit schedules, etc.): Runs at the first interval after the policy is applied to the endpoint. Will not run immediately upon policy assignment to the endpoint. Past schedules will not run.

Policy Hotfixes
At times, hotfixes are necessary to resolve bugs
Often, a hotfix to Policy Management may require that the policies be reprocessed after the hotfix is applied to the VSA
– Reprocess policies via Policy Management > Machines > Reprocess Policies

Thank you
Slides and recorded presentation will be available for download at ms.aspx
Chat-based Q&A session will continue for a few minutes. Please continue to post questions in the Q&A window.