| Field | Description |
|---|---|
| Policy name | Name of the policy. Choose a name that indicates the security level, function, or other common factor for computers or users you want to use this policy. If you change the Policy Name, the new name will be reflected immediately in the console, but the name of the agent installer (the policyname.msi file) requires approximately one minute to update. Keep this in mind if you intend to download agents immediately after a policy name change. |
| Description | Optional information about the policy. This can be any text you choose to enter. |
| Mode | The mode in which the Carbon Black App Control Server interacts with the computers in this policy:<br>If you have not purchased Control licenses, Visibility is the only mode choice other than Disabled. You might use Visibility when security features could interfere with operational functions for computers. For example, you might use it for a computer on which you plan to configure a Trusted Directory for files you will allow to be installed on all computers.<br>File inventory for computers in Disabled mode will not be kept up to date on the server. Some operations are monitored (but not reported to the server) to avoid gaps in file and process information if the agent is later activated. |
| Connected Enforcement Level | The protection level for computers in this policy while they are connected to the network (menu only appears in Control mode):<br>At High, Medium or Low Enforcement Levels, determination of which files are blocked also depends on the Advanced Settings within each policy. Visibility and Disabled, for which the Enforcement Level is None, are set from the Mode line. |
| Disconnected Enforcement Level | The protection level for computers in this policy while they are out of communication with the Carbon Black App Control Server. If the Connected Enforcement Level is Low (or None), the Disconnected Enforcement Level is identical to the Connected Enforcement Level and cannot be modified directly. If the Connected Enforcement Level is High or Medium, you can choose a Disconnected Enforcement Level of High or Medium, and it may differ from the Connected Enforcement Level. |
| Initial Settings | Existing policy that you would like to use as a template for the new policy. Although not visible when you create a policy, the Device and Advanced Settings (only) of the chosen policy are transferred to the new policy. See Template Policy for more information. |
| Automatic Policy Assignment for New Computers | When this box is checked, if AD-based policy assignment is enabled and configured, new computers that used the installer for this policy get their policy according to the AD-mapping rules, regardless of the policy embedded in the installation package used to install their agent. When not checked, the install package determines the policy and AD mappings have no effect. See Assigning Policy by Active Directory Mapping for more details. |
| Set automatic policy for existing computers | This checkbox appears only if the Automatic policy assignment for new computers box is checked. When checked, if any computers were manually (non-automatically) assigned to the current policy, they are changed to automatic policy assignment. |
| Set manual policy for existing computers | This checkbox appears only if the Automatic policy assignment for new computers box is checked. When checked, if any computers were automatically assigned to the policy, they are changed to have this policy manually assigned. |
| Options: Allow Upgrades | If the Carbon Black App Control Server is configured for Automatic App Control Agent upgrades, checking this box causes computers in the policy to be notified of and scheduled for Carbon Black App Control Agent upgrades. Computers moved into this policy (either manually or by Active Directory mapping) also will be upgraded. See Advanced Configuration Options and the upgrade sections of the VMware Carbon Black App Control Installation Guide for more information. For use only during App Control Server upgrades. |
| Options: Track File Changes | When checked (the default), file changes (files added, deleted, or changed) on a computer are tracked and added to the database for this Carbon Black App Control Server. You might deselect this option to remediate performance issues, perhaps while waiting to upgrade from SQL Express to a full version of SQL Server, or in a special policy for computers whose file activity you don’t want to track. IMPORTANT: If you turn off this feature, the App Control Server deletes the file inventory information for the agents in this policy after one day. The Files on Computers table, Find Files, and Baseline Drift reports will not provide accurate information about these computers. Also, if you turn this feature on after it has been off, this forces re-synchronization of the affected agents to update the file database, and this can have a performance impact. |
| Load Agent in Safe Mode | Loads the Carbon Black App Control Agent in Safe Mode on computers in this policy if the computer is booted in Safe Mode. In this case, the agent performs all enforcement activities, even with the system in Safe Mode. Full protection requires the agent kernel, which loads at boot time, and the agent itself, which runs as a service after boot time. Since the agent can interfere with Safe Mode recovery operations, use this option only if you have other means of recovery (other than Safe Mode). If you have questions about enabling the agent to run in Safe Mode, contact Carbon Black Support. |
| Suppress Logo in Notifier | When Carbon Black App Control rule enforcement causes a notifier to be displayed on an agent system in this policy, do not show a logo, even if the rule’s notifier definition includes a logo. |
| Total/Connected Computers | |