Enforcing Policies

Question 1

What is a policy?

Answer 1

A collection of settings for your managed point products that you create and configure, and then enforce

Question 2

What are the two default policies that are always included in every category?

Answer 2

McAfee Default and My Default

Question 3

When do managed systems receive policy changes (updates or different assignments) from ePO?

Answer 3

During Agent to Server communications

Question 4

What are the times that policy enforcement can happen?

Answer 4

-Instantly
EX: The on access scan policy occurs when you start any application

-At ASC or PEI
EX: Product Deployment policy runs to confirm that the installed software versions on the managed systems match the versions on the Master Repository. If a new version is available, it is downloaded to all systems

-At configured Client Task intervals
EX: On-demand scan policy, by default, runs every day at midnight to scan all your managed systems for threats

Question 5

How are policies assigned to systems?

Answer 5

Either by:

Inheritance - When a system or group of systems takes its policy settings from its parent group

or

Assignment - When an administrator assigns a policy to a system or group of systems. You can define a policy once for a specific need, then apply it to multiple locations

Question 6

Is there a way to prevent the inheritance of policies from being broken on the systems/groups that are intended to inherit them?

Answer 6

Yes, you can lock inheritance at any level of the system tree

Question 7

How does ownership affect policies?

Answer 7

• The user that creates a policy is the assigned owner of that policy (if an admin creates it, it is simply owned by “administrators”)
• You must have the correct permissions to edit a policy you don’t own
• If you assign a policy you don’t own, and the owner modifies the policy, all systems that were assigned the policy receive the modifications

Question 8

What are the two different types of policy assignment rules?

Answer 8

User-based policies - Policies that are assigned with a user or group of users as the criteria. (Can also include system-based criteria)

System-based policies - Policies assigned based on specific locations in the system tree or based on tag applications (or both)

Question 9

What is a policy assignment rule?

Answer 9

A way to assign policies at a granular level without having to break inheritance.

An example of this would be if you had systems that were spread out into different locations throughout the system tree, and you wanted them to all have a certain policy, but you don’t want to compromise their current location in the system tree by creating a new group. You could utilize a system based PAR by assigning a specific tag to all of these systems and then creating the rule based on the assignment criteria of the aformentioned tag

Question 10

What is a multi-slot policy?

Answer 10

A way to send more than 1 policy of a particular policy type to the client system.

Example: Assigning more than one Firewall rules policy, which will be merged and enforced on the client system

Question 11

How do User-based policy assignment rules work?

Answer 11

You create user specific policy assignments that are enforced at the target system when a user logs on

Question 12

T/F: You can make User-Based policy assignments immediately after installing ePO?

Answer 12

False, you must first register and configured an LDAP server for use with your ePO server

Question 13

Describe a way to automate the creation of SuperAgents by utilizing the Tag and PAR features

Answer 13

Create an ‘isSuperAgent’ tag with a tag criteria based on the system attributes that you want your SuperAgents to possess.

Run the Tag Criteria so that it will be assigned to the applicable systems

Create a PAR at the My Organization level and then use the ‘isSuperAgent’ tag as the assignment criteria

Question 14

T/F: If you create a PAR with a tag as a criteria, all systems that have been assigned that tag will receive the policy assignment immediately post creation of the rule

Answer 14

False, the systems will not receive the policy until they’ve checked into ePO

Question 15

T/F: You can create policies for a product prior to deploying it

Answer 15

True

Question 16

What locations can you manage Policy Enforcement Status from?

Answer 16

• Assigned Policies tab of the System Tree

- Policy Catalog Page

Question 17

What happens if policy enforcement is turned off?

Answer 17

Systems in the specified group don’t receive
updated site lists during an agent-server communication. As a result, managed systems in the group might not function as expected.

For example, you might configure managed systems to communicate with Agent Handler A. If policy
enforcement is turned off, the managed systems do not receive the new site list with this information and the
systems report to a different Agent Handler listed in an expired site list.

Question 18

Why is it a good idea to leave a comment when you make a revision/change to a policy?

Answer 18

It provides a record of your changes

Question 19

Where can you access the various iterations/versions of each specific policy you’ve created?

Answer 19

The best place to see this is from the Policy History section, but Policy History entries also appear in the Server Task Log Details and Audit Log Details

Question 20

What actions can you take on past instances of policies found in the Policy History section?

Answer 20

• You can revert to past instances of policies

- You can compare two versions of a policy

Question 21

What is the easiest way to compare two policies?

Answer 21

The ‘Policy Comparision’ Page allows you to compare two policies of the same type.

Question 22

What is the layout of the Policy Comparison Page?

Answer 22

You choose the Product, the Policy Category, and then which 2 policies you want to compare

At the top, it shows the number of settings that are identical, and the number of settings that are the same

Below, each individual setting are placed next to each other, so you can see what they are set to for each policy

Question 23

Is there a way to only see the differences between two policies?

Answer 23

Yes, click the “Show only differences button” in the top of the policy comparison page

Question 24

Can you change the ownership of a policy?

Answer 24

Yes, go to the policy catalog and click on the owner of the policy you want to modify in the policy details pane

Question 25

If you are moving or sharing a policy from an ePO server, what needs to be taken into consideration regarding the destination server?

Answer 25

The destination server cannot be a later version than the source server

Question 26

How do you share policies between servers?

Answer 26

First, you must register the desired destination server on the source server and enable the policy sharing field during the configuration process

Then, you should go to the policy catalog and find the policy you wish to share and click ‘share’ in the actions column

Question 27

How can you ensure that any changes you make to shared policies are pushed to sharing enabled McAfee ePO servers?

Answer 27

By using a server task to automate the “Share Policies” action on a scheduled basis

Question 28

T/F: You can use queries to see information regarding Applied Policies and Policy Assignment Broken Inheritance

Answer 28

True