The advanced policy framework starts at a global level by defining policy sets and device categories for your entire asset demography across all clients. Think of this as you defining policies based on the different contracts you have in place. Next, policy association happens at a client level, where you decide which policy sets apply for which assets within a client.
For more information on how the advanced policy works, check out this guide.
Create your policy sets
1. Navigate to Settings > Policy Management.
2. Under Policy Sets, you will see a list of root policy sets created by SuperOps. These are default policy sets that have been created by the system, one for each of the six default categories.
3. Start by defining your root policy sets. Click on the root you want to work with to open the policy page and define your alerts, patches, software, remote desktop, Antivirus, and other settings that you want to apply for your assets.
4. The root policy set is your starting point, you can create child policy sets under each root and further children under each child policy set as required. All policies that you define at the root will be automatically inherited by any child policy set under it. Policies that have been inherited will have an "Inherited" label.
5. To create a child policy set, click on the +Child Policy Set button. Then, proceed to define your policy settings.
6. Child policy sets will inherit all policies from its parent policy set. If you would like to customize some of the settings, you can override the policies.
Create custom device categories
A device category is a "folder" to which you can assign assets. By default, you will see six device categories for endpoints and one device category each for each network device type. Besides the default ones, you can create custom device categories. Here's how:
1. Click on Device Category and hit +Category.
2. Enter the name of the category and then hit Save. You can create any number of device categories you need in this fashion.
Note: Default device categories will be automatically associated with root policy sets, since these are defined by the system. For your custom categories, association will not happen automatically.
Associate policy sets
1. Click on Association and select the client for whom you want to configure the policy associations.
2. Policy association is split into two sections - Default Association and Custom Association.
3. You will see that the 6 default categories are already in place, automatically associated with the root policy sets you just defined. You can edit the default associations here if you want to map any of the default categories to any child policy set(s).
4. Under Custom Association, hit +Associate Category.
5. You will see all the custom device categories on the left. Hit +Choose Policy and select the policy set from the dropdown.
6. You can associate policy sets to all your categories at one go here. Once done, click Add.
Map your clients' assets to the policy associations
When you onboard a new asset for a client, the asset will be automatically assigned to a default device category based on its OS and platform. For example, if you onboard a Windows PC, SuperOps will automatically assign it to the "Windows Workstation" device category. However, if the PC belongs to a VIP and if it needs to follow a separate VIP policy, you will have to manually assign the asset to a custom category (which you will need to create) such as "VIP Workstations".
1. Start by assigning the right device category to your clients' assets. You can map assets to a device category in two different ways:
a. Manage device categories globally, across clients (Asset Views)
Click Modules > Assets. Scroll down to find a list view called Device Category. Here, you will find all the default and custom device categories listed.
Click on the device category view you want to work with. For instance, all Windows laptops of a newly onboarded client would have automatically gone into the Windows Workstation category. From here, select the devices that you want to map to a different category (VIP for instance). You can select multiple devices at once.
Once selected, click on Change device category and select the category of choice from the dropdown. Once done, you're all set.
OR
b. Manage device categories per client (Client Management)
Go to Clients > Select your client > Go to the Assets tab > Monitored Assets. Click Columns and select Device Category to include it in the view.
Select the assets for which you want to edit the device category, then click Change Device Category. Choose the device category from the dropdown, then hit Move once done.
2. Review the asset list and ensure everything is associated with the right device category and policy set.
3. Similarly, follow the steps to associate policies and add assets for all your clients.
4. Use the Policy tab to review your policy associations. You can edit an association right here when needed.
Asset-level policy exceptions
The advanced policy framework follows a one device, one policy rule, which eliminates the possibility of an asset being mapped to more than one policy set at time. Policy sets can only be mapped to device categories, not to individual devices.
But, what if you need an exception in the policy for a particular asset?
You can do so by creating a new policy set and a corresponding new device category to handle such assets.
The easiest way to do this is by going to an asset's details page. Click on the Policies tab.
You will see a Customize this policy option on the left hand side.
With this button, you can duplicate the current policy set and retain all the policy settings in it. Once duplicated, you can customize policies as needed for your exception device(s).
Next, name your new policy set and create a new device category for your exception devices.
This will create your new policy set and map it to the new device category as well. You can then customize your policy settings.
Hit Save once done, and the exception asset (DESKTOP-E4C9RQS in this case) will be automatically mapped to this new device category and its corresponding policy set.
If you have any other devices that need exceptions, you can go ahead and assign it directly to the new device category you just created.
Always remember to keep exceptions at a minimum, and try and think through your specific client, and asset-specific needs while defining your policy sets.
How to delete a policy set
If you have created a policy set by mistake, or no longer need it and want it gone, you can delete the policy set.
1. Go to Policy Set, and scroll down to the custom policy set that you want to delete.
Note: Default policy sets cannot be deleted.
2. Hover at the right end of the policy set and you will see a delete button.
3. If the policy set is in use, meaning it applies to at least one asset, you will need to assign an alternate policy set for the affected assets. Once an alternate policy is assigned, you can proceed to delete the policy set that you no longer require.
How to delete a device category
1. Go to Device Category, and scroll down to the custom device category that you want to delete.
Note: Default policy sets cannot be deleted.
2. Hover at the right end of the device category and you will see a delete button.
3. Assets associated to the custom device category that you are about to delete will be moved to the default device category (based on the OS). You will have to reassign the device category if required, later.