The advanced policy framework starts at a global level by defining policy sets and device categories for your entire asset demography. Think of this as you defining policies based on the different needs of your employee groups (Eg: C-Suite employees, team leads, interns, etc. Or, think of needs at a department level: GTM, Engineering, Marketing, etc).
Let's how you can make the most of this powerful policy framework below.
Create your policy sets
1. Navigate to Settings > Policy Management.
2. Under Policy Sets, you will see a list of root policy sets created by SuperOps. These are default policy sets that have been created by the system, one for each of the six default categories.
3. Start by defining your root policy sets. Click on the root you want to work with to open the policy page and define your alerts, patches, software, remote desktop, Antivirus, and other settings that you want to apply for your assets.
4. The root policy set is your starting point, you can create child policy sets under each root and further children under each child policy set as required. All policies that you define at the root will be automatically inherited by any child policy set under it. Policies that have been inherited will have an "Inherited" label.
5. To create a child policy set, click on the +Child Policy Set button. Then, proceed to define your policy settings.
6. Child policy sets will inherit all policies from its parent policy set. If you would like to customize some of the settings, you can override the policies.
Create custom device categories
A device category is a "folder" to which you can assign assets. By default, you will see six device categories for endpoints and one device category each for each network device type. Besides the default ones, you can create custom device categories. Here's how:
1. Click on Device Category and hit +Category.
2. Enter the name of the category and then hit Save. You can create any number of device categories you need in this fashion.
Note: Default device categories will be automatically associated with root policy sets, since these are defined by the system. For your custom categories, association will not happen automatically.
Associate policy sets
1. Click on Association.
2. Policy association is split into two sections - Default Association and Custom Association.
3. You will see that the 6 default categories are already in place, automatically associated with the root policy sets you just defined. You can edit the default associations here if you want to map any of the default categories to any child policy set(s).
4. Under Custom Association, hit +Associate Category.
5. You will see all the custom device categories on the left. Hit +Choose Policy and select the policy set from the dropdown.
6. You can associate policy sets to all your categories at one go here. Once done, click Add.
Map your assets to the policy associations
When you onboard a new user device, the device will be automatically assigned to a default device category based on its OS and platform. For example, if you onboard a Windows PC, SuperOps will automatically assign it to the "Windows Workstation" device category. However, if the PC belongs to a VIP and if it needs to follow a separate VIP policy, you will have to manually assign the asset to a custom category (which you will need to create) such as "VIP Workstations".
1. Start by assigning the right device category to your assets:
Click Modules > Assets. Scroll down to find a list view called Device Category. Here, you will find all the default and custom device categories listed.
Click on the device category view you want to work with. For instance, a Windows laptop of a new user would have automatically gone into the Windows Workstation category. From here, select the devices that you want to map to a different category (VIP for instance). You can select multiple devices at once.
Once selected, click on Change device category and select the category of choice from the dropdown. Once done, you're all set.
Asset-level policy exceptions
The advanced policy framework follows a one device, one policy rule, which eliminates the possibility of an asset being mapped to more than one policy set at time. Policy sets can only be mapped to device categories, not to individual devices.
But, what if you need an exception in the policy for a particular asset?
You can do so by creating a new policy set and a corresponding new device category to handle such assets.
The easiest way to do this is by going to an asset's details page. Click on the Policies tab.
You will see a Customize this policy option on the left hand side.
With this button, you can duplicate the current policy set and retain all the policy settings in it. Once duplicated, you can customize policies as needed for your exception device(s).
Next, name your new policy set and create a new device category for your exception devices.
This will create your new policy set and map it to the new device category as well. You can then customize your policy settings.
Hit Save once done, and the exception asset (DESKTOP-E4C9RQS in this case) will be automatically mapped to this new device category and its corresponding policy set.
If you have any other devices that need exceptions, you can go ahead and assign it directly to the new device category you just created.
Always remember to keep exceptions at a minimum, and try and think through your specific user, and asset-specific needs while defining your policy sets.
How to delete a policy set
If you have created a policy set by mistake, or no longer need it and want it gone, you can delete the policy set.
1. Go to Policy Set, and scroll down to the custom policy set that you want to delete.
Note: Default policy sets cannot be deleted.
2. Hover at the right end of the policy set and you will see a delete button.
3. If the policy set is in use, meaning it applies to at least one asset, you will need to assign an alternate policy set for the affected assets. Once an alternate policy is assigned, you can proceed to delete the policy set that you no longer require.
How to delete a device category
1. Go to Device Category, and scroll down to the custom device category that you want to delete.
Note: Default policy sets cannot be deleted.
2. Hover at the right end of the device category and you will see a delete button.
3. Assets associated to the custom device category that you are about to delete will be moved to the default device category (based on the OS). You will have to reassign the device category if required, later.