Assigning Computers to a Policy

Every computer running a Carbon Black App Control Agent is assigned a security policy.

There are three standard ways a computer can be assigned its policy:

By Agent installer – Every policy you create generates a policy-specific Carbon Black App Control Agent installer for each supported platform, so when you install the agent on a computer, it is assigned a policy. When the agent contacts the Carbon Black App Control Server after agent installation, the computer is added to table of computers in the console. If you have not set up AD-based policy assignment, the agent remains in the policy embedded in its installer unless you manually reassign it. You do not have to (nor should you) reinstall Carbon Black App Control Agent to make a policy change for a computer. You normally only need to install the agent once per computer.
Automatically, by Active Directory (AD) group mapping – You can set up the Carbon Black App Control Server to run a script that assigns new and, if configured, existing computers to security policies according to the AD group information of the computer (or the user logged in on it). A computer's initial policy is defined by the agent installer. If that initial policy is configured to allow automatic policy assignment, this AD-based policy assignment takes precedence. Policy assignment by AD mapping is described later in this section.
Manually – You can move any computer to a policy other than the one assigned by the installer or the AD-mapping facility. This might be useful if you discover that a particular computer used the wrong installer, or that its security policy should differ from other computers in the AD group used to map its policy. Manual assignment also might be used for a temporary situation that requires more or less restriction for a computer or its user. If you change a computer's policy manually, you can later restore it to its original policy (or to automatic assignment). Manual policy assignment is described in Moving Computers to Another Policy.

You can move computers from manual to automatic policy assignment and vice-versa.

Note:

In certain cases, policy may be changed for reasons other than those listed above. For example:

If you delete the policy an agent belongs to while the computer is offline, the agent moves to the Default policy group. See Restoring Computers from the Default Policy for more detail.
There is an Event Rule action that can move computers to a different policy when a specified event occurs. See Creating and Editing Event Rules for more details.

If you are not using AD-based policy assignment, see "Downloading Agent Installers" in the VMware Carbon Black App Control Agent Installation Guide for instructions on choosing a policy-specific installer.