System Tree and Tags

Question 1

What is the System Tree?

Answer 1

A hierarchical structure that organizes the systems in your network into groups and subgroups

Question 2

What are the ways to add systems to your System Tree?

Answer 2

• Manually add systems to an existing group
• Import systems from a text file
• Synchronize with your AD

Question 3

What are the methods to organize your System Tree?

Answer 3

• Manual organization from the console(drag and drop)
• Automatic synchronization with your Active Directory or NT domain server
• Criteria-based sorting, used criteria applied to systems manually or automatically

Question 4

What does the System Tree control?

Answer 4

• How policies for different products are inherited
• How your client tasks are inherited
• What groups your systems go into

Question 5

If you are creating your system tree for the first time, what are the primary options available for organizing your systems dynamically?

Answer 5

• Using AD Synchronization

- Dynamically sorting systems

Question 6

What are some of the different criteria that may influence the way your System Tree is structured?

Answer 6

• Administrator access (Access requirements of users who must manage the systems)
• Topological borders (NT domains or AD containers)
• Geographic borders(configuring policies differently for remote regions that use slower WAN or VPN connections)
• Political borders (Who accesses and manages the segments of the system tree affects how it’s structured)
• Functional borders (certain roles of the network may require special policies, such as a business group that runs specific software that requires special security policies)
• Subnets and IP addresses ranges
• Operating Systems/Software

Question 7

What are the purposes of grouping systems?

Answer 7

• Allows you to put systems with similar characteristics in the same place
• Administrators or users can create and use them with the appropriate permissions
• Allows for the management of policies and client tasks for similar systems in one place, rather than having to manage them on each individual system

Question 8

What is in the default system tree structure on a fresh install?>

Answer 8

• My Organization - The root of the system tree, can’t be renamed or deleted
• My Group - default group added during the Getting Started initial software installation
• Lost and Found - Catch all subgroup for any systems that have not been or could not be added to other groups in your system tree.

Question 9

What are the characteristics of the top level lost and found group?

Answer 9

• Can’t be deleted
• can’t be renamed
• sorting criteria can’t be changed
• always appears last(doesn’t adhere to alphabetization)
• User must be granted permissions to the lost and found group to see its contents

Question 10

What happens when a system is placed in the top level lost and found group?

Answer 10

It is placed in a subgroup of the lost and found group named for its domain. If no such group exists, one is created

Question 11

How does inheritance work in the system tree?

Answer 11

Child groups in the system tree inherit the policies/client task assignments that are set at their parent groups.

Inheritance can be broken by applying a new policy at any location of the system tree

Inheritance can also be locked at any level to prevent systems below it from breaking inheritance for whatever reason

Question 12

What are the factors that you should use to determine how to structure your system tree?

Answer 12

Policy Assignment - Do you have many custom product policies to assign to group based on chassis or function? Do certain business units require their own custom product policy?

Network Topology - Do you have sensitive WANs in your organization that a content update might easily saturate?(if you only have major locations, this isn’t a concern for your environment)

Client task assignment - When you create a client task, such as an on-demand scan, do you need to do it a group level, like a business unit, or system type, like a web server

Content distribution - do you have an agent policy that specifies that certain groups must get their content from a specific repository

Operational controls - Do you need specific rights delegated to your ePO administrators that allow them to administer specific locations in the tree

Queries - Do you need many options when filtering your queries to return results from a specific group in the system tree

Question 13

What should you do prior to creating your system tree?

Answer 13

Create a few sample System Tree models and look at the pros and cons of each design to determine the most advantageous model for your environment

Question 14

What are a few of the most commonly used System Tree designs?

Answer 14

Geographic Location -> Chassis - > Function
Network Location -> Chassis -> Function
Geographic Location -> Business Unit -> Function

Question 15

What are some of the possible building blocks for groups in your system tree?

Answer 15

Geographic Location
Network Location
Business Unit
Subbusiness unit
Function of the system (web, SQL, app server)
Chassis (server, workstation, laptop)

Question 16

What can synchronizing with your Active Directory structure contribute to your System Tree?

Answer 16

You can:
-Import both the AD subcontainers and the systems within them into your System Tree, and maintain them by performing regular synchronizations

• Import systems from the AD container and its subcontainers as a flat list, ignoring the structure of the AD
• Control what to do with potential duplicate systems
• Tag newly imported or updated systems
• Use the system description, which is imported from AD with the systems

Question 17

What steps should you take to integrate your AD systems structure with your system tree?

Answer 17

1. Configure the synchronizations settings on each group that is a mapping point in the System Tree. At the same location, configure whether to:
   - Deploy agents to discovered systems
   - Delete systems from the System Tree when they are deleted from Active Directory
   - Allow or disallow duplicate entries of systems that exist elsewhere in the System Tree
2. Use the Synchronize Now action to import Active Directory systems (and possibly structure) into the System Tree according to the synchronization settings
3. Use an NT Domain/Active Directory synchronization server task to regularly synchronize the systems (and possibly the Active Directory structure) with the System Tree according to the synchronization settings

Question 18

What are the two types of Active Directory synchronization?

Answer 18

Systems only

Systems and structure

Question 19

What options can you configure with your Active Directory synchronization?

Answer 19

• Whether to automatically deploy agents to systems new to ePO (might not want to configure on initial synchronization if you are importing many systems and have limited bandwidth)
• Whether to delete systems from ePO (and remove their agents) when they are deleted from Active Directory
• Prevent adding systems to the group if they exist elsewhere in the System Tree, ensuring that you don’t have duplicate systems if you manually move or sort the system to another location
• Exclude certain Active Directory containers from the synchronization, ignoring them during synchronization

Question 20

T/F: Like Active Directory Synchronization, NT domain synchronization syncs System Descriptions as well as System Names

Answer 20

False, NT domain synchronization only syncs the system names, the system description is not synchronized

Question 21

T/F: Systems must match all criteria of a group’s sorting criteria to be placed into the group

Answer 21

False, they need to only match one Criterion

Question 22

How does criteria based sorting in the system tree function?

Answer 22

Define either IP address information or Tags as sorting criteria for Subgroups. Systems must match at least one criterion of a group in order to be sorted into it

Question 23

Where can you enable or disable System Tree Sorting?

Answer 23

You can configure System Tree Sorting both on individual systems and in the System Tree Sorting server setting.

The Server Setting controls the automated STS process, giving you the option to disable it, allow it to happen once (on the next ASC), or make it happen on every future ASC. So, if it is enabled, then ePO will attempt to dynamically sort each system(assuming they have System Tree Sorting enabled on an individual basis)

The System Tree Sorting on each individual system controls whether or not each individual system can be dynamically sorted. This applies to both the manual “Sort Now” feature, and the automated sorting that’s configured in the server setting

Question 24

What is the purpose of configuring the group sorting order?

Answer 24

When multiple subgroups have matching criteria, the sorting order can control which group the system is matched against first, providing granular control over where your systems end up

Question 25

How should a text file that you intend to use to populate your system tree be formatted?

Answer 25

• Each system goes on its own line
• If a name doesn’t have a backslash following it, it is considered to be a system. If it does, it is a group

Ex:
GroupA\system1
GroupA\system2
GroupA\GroupB\system3
GroupC\GroupD

Question 26

What is an example of a utility you could use to generate a text file with a complete list of systems in a large network?

Answer 26

NETDOM.EXE

Question 27

Scenario: There are 5 top level groups, 4 with established sorting criteria, and one without. The group without has 4 subgroups that all have some sort of sorting criteria.

A System is to be dynamically sorted. It doesn’t match the sorting criteria of any of the top level groups. But, it matches the criteria of one of the subgroups of the top level group with no criteria.

Where does it end up?

Answer 27

In the sub group of the group with no criteria that the system matches

Question 28

What is the workflow for the Transfer Systems feature

Answer 28

1. Export security keys from old server
2. Import the security keys in the new server
3. Register the new ePO server to the old server
4. Transfer your current systems to the new ePO server
5. Confirm that you can view the systems in the new server’s System Tree
6. Confirm that the systems no longer appear in the old server’s system tree

Question 29

If you are importing a large container into your system tree, it’s a good idea to configure automatic deployment of the McAfee Agent to the new systems?

Answer 29

No because this could degrade network performance. Import the container, then deploy the McAfee Agent to groups of systems at a time, rather than all at once

Question 30

If you do decide to utilize NT Domain/AD sync to populate your system tree, how can you ensure that your System Tree will reflect the changes that occur within your NT Domain/AD?

Answer 30

Configure a recurring NT Domain/AD sync server task to keep your System Tree current with any changes to your AD containers

Question 31

What is the purpose of tags?

Answer 31

Tags serve as identifiers for systems

Question 32

What can you do with tags in ePO?

Answer 32

Tags can:
-act as the sorting criteria for System Tree groups

• act as a selection criteria for Client Tasks Assignments
• act as an assignment criteria for Policy Assignment Rules
• act as a filter attribute for Queries
• used as a criteria to select systems in a Server Task

Question 33

What does excluding a tag from a system do?

Answer 33

Makes it so that a system cannot have a specific tag applied by a tag criteria evaluation (Note: Does not prevent manual tagging)

Question 34

What is a tag criteria?

Answer 34

A set of attributes that are matched against systems in the environment. Systems that possess these attributes will have the tag dynamically applied to them whenever a run tag criteria action is taken.

Question 35

What does the ‘resetting manually tagged and excluded systems’ option do?

Answer 35

Removes the tag from systems that don’t match the criteria, and applies the tag to systems that match the criteria but were excluded from receiving the tag