If you are currently using group-based policy and are interested in moving to the advanced policy framework, you are at the right place. In this article, we will help you import your existing group-based policy sets into advanced policy, making sure your migration is seamless and easy.
Things to note:
The advanced policy framework starts at a global level by defining policy sets and device categories for your entire asset demography across all clients. Think of this as defining policies based on the different contracts you have in place. Next, policy association happens at a client level, where you decide which policy sets apply to which assets within a client.
For more information on how the advanced policy works, check out this guide.
Import your policy sets
1. Navigate to Settings > Policy Management. Scroll down to find the Advanced Policy section. Click on the Explore button.
2. Under Policy Sets, you will see a list of root policy sets created by SuperOps. These are default policy sets that have been created by the system, one for each of the six default categories.
3. Click on one of the root policy sets or a child policy set to get started.
4. Hit the Import button at the top right.
5. Using the drop down, select the group-based policy set that you would like to import into the root policy set. The drop down will show all the policy sets that currently exist under the group-based policy framework.
6. Review the list of policies configured under this policy set. You can choose to select/remove policies based on what you would like to import. If you want to retain the policy set as is, go ahead and hit Add.
7. If you would like to import all the policies under this policy set, hit Select all and Add.
8. You can import multiple group-based policy sets into one policy set under advanced policy, one at a time, by repeating the steps above.
Note: It is only possible to import the policy sets you have under the group-based policy. Your asset groups and policy associations cannot be imported. The idea behind this restriction is to ensure you make the best use of the advanced policy’s flexibility and reduce the number of asset groups and overrides.
Create custom device categories
By default, you will see six device categories for endpoints and one device category for each network device type. Besides the default ones, you can create custom device categories to create an asset demography similar to what you have under the group-based framework.
1. Click on Device Category and hit +Category to create a new custom category.
2. Enter the name of the category and then hit Save.
3. Create custom device categories in this way for all your asset groups.
Note: Default device categories will be automatically associated with root policy sets, since these are defined by the system. For your custom categories, association will not happen automatically.
Associate policy sets
1. Click on Association and select the client for whom you want to configure the policy associations.
2. Policy association is split into two sections - Default Association and Custom Association.
3. You will see that the 6 default categories are already in place, automatically associated with the root policy sets you just defined (by importing your group-based policy sets). You can edit the default associations here if you want to map any of the default categories to any child policy set(s).
4. Under Custom Association, hit +Associate Category.
5. You will see all the custom device categories on the left. Hit +Choose Policy and select the policy set from the dropdown.
6. You can associate policy sets to all your categories in one go here. Once done, click Add.
Map your clients' assets to the policy associations
1. To change the device category of an asset:
Go to Assets and scroll down to Asset Groups. Go to the asset group of your choice and select the assets to which you want to assign a device category. You also have the option to select all the assets and change their device category.
Once selected, click on Change Device Category and select the category of your choice from the drop down.
Note: For the asset group "Windows Workstation Base Asset Group", the Choose Device Category dropdown will show you all device categories (default & custom) under the Windows OS. Similarly, if you work with a Mac or Linux asset group, the dropdown list will be restricted to the corresponding OS.
You can also change the device category for assets from the client page. Here's how:
Go to Clients > Select your client > Go to the Assets tab > Monitored Assets. Click Columns and select Device Category to include it in the view.
Select the assets for which you want to edit the device category, then click Change Device Category. Choose the device category from the dropdown, then hit Move once done.
2. Review the asset list and ensure everything is associated with the right device category and policy set.
3. Similarly, follow the steps to associate policies and add assets for all your clients.
4. Use the Policy tab to review your policy associations. You can edit an association right here when needed.
Review and publish your associations
Up to this step, none of the configurations you have made have been applied, meaning your group-based policies are still in place. To move your assets to the advanced policy, you will have to publish the changes for each client.
1. Once you have reviewed your policy associations and are satisfied with your policy configuration for a client, turn on the Publish to advanced policy toggle.
2. Hitting publish will move the client to the advanced policy and your existing group-based policy associations will be removed.
Note: We recommend doing this for just one client first, so that you get an idea of what the migration entails. This way, you can plan the migration for the rest of your clients.
3. If you don’t want to move a particular client to the advanced policy yet, you may choose to leave this client unpublished and publish it at a later stage.
4. You can also unpublish a client that you had previously published, if required. Note, however, that the associations in the group-based policy will have already been removed.
5. Publish all your clients when you are ready. Once done, hit Finish. This will deprecate group-based policy and completely move both published and unpublished clients to the advanced policy.
Note: Migrating to the advanced policy is an irreversible change. Please proceed only when you are absolutely sure you are ready to migrate.
You’re now all set to manage your clients with a more efficient and automated approach to policy management.
How to delete a policy set
If you have created a policy set by mistake, or no longer need it and want it gone, you can delete the policy set.
1. Go to Policy Set, and scroll down to the custom policy set that you want to delete.
Note: Default policy sets cannot be deleted.
2. Hover over the right end of the policy set and you will see a delete button.
3. If the policy set is in use, meaning it applies to at least one asset, you will need to assign an alternate policy set for the affected assets. Once an alternate policy is assigned, you can proceed to delete the policy set that you no longer require.
How to delete a device category
1. Go to Device Category, and scroll down to the custom device category that you want to delete.
Note: Default policy sets cannot be deleted.
2. Hover over the right end of the device category and you will see a delete button.
3. Assets associated with the custom device category that you are about to delete will be moved to the default device category (based on the OS). You will have to reassign the device category later, if required.
What's new with the advanced policy
If you are used to working with the group-based or hierarchical policy, there are a few behavioural changes that you need to be aware of before you switch to advanced policy.
Patch Management
Patch approval and rejection will happen at a policy set level based on the approval configuration matrix that you set. For manual patching, you will have to specify the policy set of the assets for which you are attempting to approve/reject/install a patch.
Note: The new patch behavior will be visible only after you finish migration to the advanced policy completely (after hitting the Finish button).
Agent Deployment
Scripts that install the agent on your devices in bulk can now be run at a device category level. Use the dropdown to specify the device category for which you want to install the agent, and the script will change accordingly.
Best practices
1. In advanced policy, create child policy sets first based on how your asset groups are currently organized in group-based policy. Start importing your group-based policy sets into the child policy sets. This way, you can map the policies you want to import easily. The root policy set will automatically inherit all the policies configured under its child policy sets in the disabled state. For example, if you define an alert in a child policy, it will be inherited by the root but will be disabled by default.
2. In group-based policy, try to condense your policy sets into a handful of new policy sets. Think of this as creating a new policy set that will apply to a particular device category, say Windows workstations. In this policy set, include all the individual policies that are in use for the different Windows workstation asset groups you have. You can then import this policy set into advanced policy, where it will act as the root policy for the Windows workstation device category.