This topic describes how to use timed policy overrides to move offline computers into the Local Approval policy.
You might need to install new applications on a selected computer under High Enforcement Level protection. You can do this by temporarily relaxing protection and giving the computer permission to execute any files that are not banned; that is, you move the computer into the predefined Local Approval policy for as long as it takes to complete software installation.
Because disconnected computers cannot be controlled directly from the Carbon Black App Control Server, you need a way to instruct the agent to make the transition to another Enforcement Level. You can generate a special code that can be entered on a agent-managed computer to switch its Enforcement Level for a specified amount of time. The code is specific to one agent, and it can be used only oe time. You can generate codes to switch a computer into any Enforcement Level except None (Disabled), although this feature is primarily intended for temporary transitions to Local Approval mode.
After the specified time for the override has elapsed, the computer is automatically restored to its original policy. If you temporarily moved it into Local Approval, it continues to be able to run all files that were installed while it was in Local Approval. Files run or installed while the computer was in the Local Approval policy are locally approved on the computer (unless globally banned or banned for that computer’s policy), but continue to have a global state of unapproved.
While especially convenient for disconnected computers, a timed policy override can also be used for a connected computer. However, the override procedures disconnects the agent during the override. The override is maintained until the designated time period expires, even if the agent or computer is restarted during this period.
You can specify a duration of up to 500 minutes for the Enforcement Level change. If you specify 0 (zero) minutes, the override never expires (and the computer remains disconnected) until you reset it with another override.
To change the duration or Enforcement Level of an override, you can create and apply a new override key. For example, ito end an override sooner than the original time period, you can specify a new override that is one minute long.
Computers do not need to be disconnected from Carbon Black App Control Server before an override is initiated. If the agent is connected to the Carbon Black App Control Server, the override procedure automatically disconnects it and then reconnects it after the override period is over. Machine reboots or agent restarts do not cancel the timed override.
When the override is set, the agent is disconnected from the server (if connected) and has the new Enforcement Level specified by the key. If the override code specified Local Approval, you can begin installing new software on this system and it will be locally approved (unless already banned or approved).
When the configured override period expires, the following actions happen:
- The Enforcement Level returns to its previous setting.
- If the computer was connected when the override code was applied, it is reconnected to its Carbon Black App Control Server.
- When it is reconnected, the agent reports events associated with the Enforcement Level change to the server.
If the computer is off or rebooting when the override expires, these actions occur when it is running again.