This topic describes how to use timed policy overrides to move offline computers into the Local Approval policy.

You might need to install new applications on a selected computer under High Enforcement Level protection. You can do this by temporarily relaxing protection and giving the computer permission to execute any files that are not banned; that is, you move the computer into the predefined Local Approval policy for as long as it takes to complete software installation.

Because disconnected computers cannot be controlled directly from the Carbon Black App Control Server, you need a way to instruct the agent to make the transition to another Enforcement Level. You can generate a special code that can be entered on a agent-managed computer to switch its Enforcement Level for a specified amount of time. The code is specific to one agent, and it can be used only oe time. You can generate codes to switch a computer into any Enforcement Level except None (Disabled), although this feature is primarily intended for temporary transitions to Local Approval mode.

After the specified time for the override has elapsed, the computer is automatically restored to its original policy. If you temporarily moved it into Local Approval, it continues to be able to run all files that were installed while it was in Local Approval. Files run or installed while the computer was in the Local Approval policy are locally approved on the computer (unless globally banned or banned for that computer’s policy), but continue to have a global state of unapproved.

While especially convenient for disconnected computers, a timed policy override can also be used for a connected computer. However, the override procedures disconnects the agent during the override. The override is maintained until the designated time period expires, even if the agent or computer is restarted during this period.

You can specify a duration of up to 500 minutes for the Enforcement Level change. If you specify 0 (zero) minutes, the override never expires (and the computer remains disconnected) until you reset it with another override.

To change the duration or Enforcement Level of an override, you can create and apply a new override key. For example, ito end an override sooner than the original time period, you can specify a new override that is one minute long.

Caution: If you use a Temporary Policy Override Code to switch a computer’s Enforcement Level to Low or None (Visibility Only), when the agent transitions back to its original Enforcement Level, it might locally approve unapproved files discovered on that computer while in the more relaxed Enforcement Level. This aspect affects files with Local State Details of Unapproved, and depends on whether Locally approve unapproved files on transition from Visibility or Low Enforcement Level to Medium or High is selected in the Advanced Settings for the policy to which that computer is assigned. Carbon Black App Control recommends that unless you are certain that this automatic local approval setting is off, you only use the Enforcement Level override feature for temporary transitions to Local Approval, Medium, or High Enforcement.

Computers do not need to be disconnected from Carbon Black App Control Server before an override is initiated. If the agent is connected to the Carbon Black App Control Server, the override procedure automatically disconnects it and then reconnects it after the override period is over. Machine reboots or agent restarts do not cancel the timed override.

When the override is set, the agent is disconnected from the server (if connected) and has the new Enforcement Level specified by the key. If the override code specified Local Approval, you can begin installing new software on this system and it will be locally approved (unless already banned or approved).

When the configured override period expires, the following actions happen:

  • The Enforcement Level returns to its previous setting.
  • If the computer was connected when the override code was applied, it is reconnected to its Carbon Black App Control Server.
  • When it is reconnected, the agent reports events associated with the Enforcement Level change to the server.

If the computer is off or rebooting when the override expires, these actions occur when it is running again.