This section explains how to create policies and change their settings, including Enforcement Levels.

Each computer running a Carbon Black App Control Agent is assigned to a Carbon Black App Control policy. A policy creates a common file control definition for all of its computers. Each policy consists of a group of settings and an overall Enforcement Level.

The Enforcement Level defines how strictly the actions covered by the policy settings are controlled, especially file writing and execution. The choices are:

  • High (Block Unapproved)
  • Medium (Prompt Unapproved)
  • Low (Monitor Unapproved)
  • None (Visibility)
  • None (Disabled)

High, Medium, and Low Enforcement are available only if you have the full App Control license with both Visibility and Control features. Sites whose licenses are all for Visibility Only operation are limited to Visibility and Agent Disabled modes with no enforcement.

In Visibility mode, you can still choose settings that would block activity if you were operating at another Enforcement Level, but these settings do not enforce the block or ban.

Policy settings specify the types of files or operations that Carbon Black App Control Agents will control, as well as other choices such as how policies are assigned and whether agents on computers in the policy upgrade automatically.

Rules defined on other pages can be applied to specific policies. The details page for each policy includes a tabbed panel showing which rules are applied to that policy.

If you choose, you can restrict the ability of console users to perform certain functions so that it applies only to computers in certain policies. For example, you might want to allow one group of administrators to create rules for your sales team but not for senior management. If you assign the computers for your sales team to one policy, you can define a user role that grants permission to create and modify rules only for that policy. See Managing Console Login Accounts for more information on creating console user accounts and defining user roles for those accounts.

Note: UNIFIED MANAGEMENT: If you are using Unified Management to manage multiple Carbon Black App Control Servers, you can apply rules to specific policies on specific computers. See Unified Management of Multiple Servers for information on management of unified rules by policy.