Understanding Policy Scopes
The GRS Global Policies are assigned to a Policy Scope Object. The scope defines the recipient endpoints that will inherit the policies.
The Goverlan Reach Server includes the root scope object: All Users & Devices, which defines your entire network. To fine tune Global Policy distribution, you must create a hierarchy of policy scopes.
Here are some examples of hierarchies that can be configured:
For instance, you can design a policy scope hierarchy by hardware type:
Or choose a geographical mapping:
Or for IT Service Providers, by active clients:
It is best to first configure the default set of policies at the root level, then build a sub-hierarchy of scopes to answer exceptions.
Creating a Policy Sub-Scope
To create a Policy Sub-Scope object, place the mouse cursor over the parent scope object, and click on the Add Filter button, specify a relevant name for the scope and press [ENTER]:
- To rename a Policy Scope Object, simply double-click on its name.
- To delete a Policy Scope Object, click twice on the cross on the left of the name.
Policy Scope Object Filters
Once a Policy Scope Object is created, configure the endpoint selection criteria to be associated with it. To do so, place the mouse cursor over it and click on the […] button on its right:
A Policy filter definition is a set of AND/OR statements based on one or more of the following machine attributes:
|Local Active Directory OU||Any machine with an AD account that belongs to the specified Active Directory OU (local network only)|
|Local Active Directory Group||Any machine with an AD account that belongs to the specified Active Directory Group (local network only)|
|Goverlan REACH Site||Any Reach node endpoint registered under the specified Reach Site name|
|IP Range||Any machine with an IP address that belongs to the specified IP range|
|OS Type||Any machine with an Operating System with the specified attributes|
|Individual Objects||Any machine that belongs to the list of specified individual machine sets|
Use the Policy Filter Definition window to configure the filters of the selected Policy Scope Object. Filters can have one or more conditions that are grouped with AND / OR operators.
Policy Scope Objects that have a filter configured will display the […] indicator.
How are Policies Assigned to Endpoints?
When an endpoint queries the Goverlan Reach Server policies, the endpoint’s information is passed through the entire policy scope hierarchy tree. If the endpoint’s characteristics match the Policy Scope’s filter, only then does it inherit the policies.
Let’s consider the following configuration:
Following the configured policy assignments, all machines get the All Users & Devices policies, however, if the machine belongs to the Legal Department, it inherits from that node’s policies, as well as the Servers node’s policy if it is a server, etc. In other words, a machine node will receive all policies throughout the hierarchy that applies to it.
Order of Precedence
Policies configured on lower scope objects take precedence over policies configured higher up. Consequently, if the same policy is configured multiple times within a branch, then the policy of the lowest nodes is applied to the recipient.
Precedence can also be used to un-enforce a policy for a subset of machines within a branch. Simply apply a DO NOT ENFORCE policy configuration on a sub-scope object.