Table 1. Policy Definitions: Main Panel

Each field of the panel is listed below by name, followed by its description.

Policy name

Name of the policy.

Choose a name that indicates the security level, function, or other common factor for computers or users you want to use this policy.

If you change the Policy Name, the new name will be reflected immediately in the console, but the name of the agent installer (the policyname.msi file) requires approximately one minute to update. Keep this in mind if you intend to download agents immediately after a policy name change.

Description

Optional information about the policy. This can be any text you choose to enter.

Mode

The mode in which the Carbon Black App Control Server interacts with the computers in this policy:

Visibility specifies file-tracking only. The Carbon Black App Control Server tracks file activity and events, but file execution and writing are not affected by policy settings or file bans. Enforcement Level menus do not appear in Visibility mode.

If you have not purchased Control licenses, Visibility is the only mode choice other than Disabled.

You might use Visibility when security features could interfere with operational functions for computers. For example, you might use it for a computer on which you plan to configure a Trusted Directory for files you will allow to be installed on all computers.

Control activates the Enforcement Level menus, from which you can choose the level of control over execution of Unapproved and Banned files.

Disabled specifies pass-through mode; the agent neither blocks file activity nor reports it to the server. Executables run as if the agent were not installed. Use this setting for uninstalling the agent.

File inventory for computers in Disabled mode will not be kept up to date on the server. Some operations are monitored (but not reported to the server) to avoid gaps in file and process information if the agent is later activated.

Connected Enforcement Level

The protection level for computers in this policy while they are connected to the network (menu only appears in Control mode):

High (Block Unapproved) is the highest protection level you can set: no Unapproved or Banned files in categories tracked by Carbon Black App Control are allowed to run. Blocked file executions are recorded in the event log.

Medium (Prompt Unapproved) blocks Unapproved executables on agent computers but displays a dialog box that gives users the option to permit or block the file execution. Users cannot permit execution of explicitly Banned files.

Low (Monitor Unapproved) permits Unapproved executables to run but tracks them. Files allowed to run include non-executables (such as DLLs, COM objects, and loadable resources), unapproved scripts, and unapproved executables. Events are recorded for the first instance of a permitted file execution and for all blocked executions.

At High, Medium or Low Enforcement Levels, determination of which files are blocked also depends on the Advanced Settings within each policy.

Visibility and Disabled, for which the Enforcement Level is None, are set from the Mode line.

Disconnected Enforcement Level

The protection level for computers in this policy while they are out of communication with the Carbon Black App Control Server. If the Connected Enforcement Level is Low (or None), the Disconnected Enforcement Level is identical to the Connected Enforcement Level and cannot be modified directly. If the Connected Enforcement Level is High or Medium, you can choose a Disconnected Enforcement Level of High or Medium, and it may differ from the Connected Enforcement Level.
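The Mode and Enforcement Level rows above define a small decision model: the mode decides whether enforcement applies at all, the Connected level decides what happens to Unapproved and Banned executions, and the Disconnected level is constrained by the Connected one. The following is an added, illustrative model of those rules written for this page; it is not Carbon Black's code or API, and every name in it (Mode, Level, FileState, Policy, decide) is an assumption made here. It encodes the constraints the table states (no Enforcement Level outside Control mode; Disconnected follows Connected unless Connected is High or Medium) and returns the action and whether an event would be recorded for an execution attempt.

```python
"""Illustrative model of the Mode / Enforcement Level rules from Table 1.

Added example, not Carbon Black App Control code. All class and function
names are invented here for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Mode(Enum):
    VISIBILITY = "Visibility"   # track only; Enforcement Level is None
    CONTROL = "Control"         # Enforcement Level menus are active
    DISABLED = "Disabled"       # pass-through; Enforcement Level is None


class Level(Enum):
    NONE = "None"
    LOW = "Low (Monitor Unapproved)"
    MEDIUM = "Medium (Prompt Unapproved)"
    HIGH = "High (Block Unapproved)"


class FileState(Enum):
    APPROVED = "Approved"
    UNAPPROVED = "Unapproved"
    BANNED = "Banned"


@dataclass(frozen=True)
class Policy:
    name: str
    mode: Mode
    connected: Level = Level.NONE
    # None means "same as the Connected Enforcement Level".
    disconnected: Optional[Level] = None

    def __post_init__(self) -> None:
        if self.mode is not Mode.CONTROL:
            # Visibility and Disabled have no Enforcement Level menus.
            if self.connected is not Level.NONE or self.disconnected not in (None, Level.NONE):
                raise ValueError(f"{self.mode.value} mode has Enforcement Level None")
        elif self.connected is Level.NONE:
            raise ValueError("Control mode requires a Connected Enforcement Level")
        if self.connected in (Level.HIGH, Level.MEDIUM):
            # Only here may the Disconnected level be chosen independently.
            if self.disconnected not in (None, Level.HIGH, Level.MEDIUM):
                raise ValueError("Disconnected Enforcement Level must be High or Medium")
        elif self.disconnected not in (None, self.connected):
            raise ValueError("Disconnected level follows the Connected level when it is Low or None")

    def effective_level(self, connected_to_server: bool) -> Level:
        """Level in force right now, given whether the agent can reach the server."""
        if connected_to_server or self.disconnected is None:
            return self.connected
        return self.disconnected


def decide(policy: Policy, state: FileState, connected_to_server: bool = True) -> Tuple[str, bool]:
    """Return (action, event_recorded) for an execution attempt.

    action is 'allow', 'prompt' or 'block'. Approved files always run and
    generate no event in this model (an assumption of the example). At Low,
    the real product records only the first execution of a permitted file;
    this model does not track repeats.
    """
    if policy.mode is Mode.DISABLED:
        return "allow", False          # pass-through: nothing blocked, nothing reported
    if state is FileState.APPROVED:
        return "allow", False
    level = policy.effective_level(connected_to_server)
    if policy.mode is Mode.VISIBILITY or level is Level.NONE:
        return "allow", True           # tracked, but policy settings and bans have no effect
    if state is FileState.BANNED:
        return "block", True           # explicit bans hold at every Control level
    if level is Level.HIGH:
        return "block", True
    if level is Level.MEDIUM:
        return "prompt", True          # user may permit or block; event still recorded
    return "allow", True               # Low: permitted but tracked


if __name__ == "__main__":
    servers = Policy("Servers", Mode.CONTROL, Level.HIGH, Level.MEDIUM)
    for online in (True, False):
        for state in FileState:
            print(servers.name, online, state.value, decide(servers, state, online))
```

The validation in `__post_init__` is the part worth keeping in mind when scripting policy creation against the real console: a Disconnected level that differs from the Connected one is only meaningful when the Connected level is High or Medium, and a Visibility policy silently runs even Banned files because bans are not enforced outside Control mode.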

Initial Settings

Existing policy that you would like to use as a template for the new policy. Although not visible when you create a policy, the Device and Advanced Settings (only) of the chosen policy are transferred to the new policy. See Template Policy for more information.

Automatic Policy Assignment for New Computers

When this box is checked, if AD-based policy assignment is enabled and configured, new computers that used the installer for this policy get their policy according to the AD-mapping rules, regardless of the policy embedded in the installation package used to install their agent. When not checked, the install package determines the policy and AD mappings have no effect. See Assigning Policy by Active Directory Mapping for more details.

Set automatic policy for existing computers

This checkbox appears only if the Automatic policy assignment for new computers box is checked. When checked, if any computers were manually (non-automatically) assigned to the current policy, they are changed to automatic policy assignment.

Set manual policy for existing computers

This checkbox only appears if the Automatic policy assignment for new computers box is checked. When checked, if any computers were automatically assigned to the policy, they are changed to have this policy manually assigned.

Options: Allow Upgrades

If the Carbon Black App Control Server is configured for Automatic App Control Agent upgrades, checking this box causes computers in the policy to be notified of and scheduled for Carbon Black App Control Agent upgrades. Computers moved into this policy (either manually or by Active Directory mapping) also will be upgraded. See Advanced Configuration Options and the upgrade sections of VMware Carbon Black App Control Installation Guide for more information. For use only during App Control Server upgrades.

Options: Track File Changes

When checked (the default), file changes (files added, deleted, or changed) on a computer are tracked and added to the database for this Carbon Black App Control Server.

You might deselect this option to remediate performance issues, perhaps while waiting to upgrade from SQL Express to a full version of SQL Server, or in a special policy for computers whose file activity you don’t want to track.

IMPORTANT: If you turn off this feature, the App Control Server deletes the file inventory information for the agents in this policy after one day. The Files on Computers table, Find Files, and Baseline Drift reports will not provide accurate information about these computers. Also, if you turn this feature on after it has been off, this forces re-synchronization of the affected agents to update the file database, and this can have a performance impact.

Load Agent in Safe Mode

Loads the Carbon Black App Control Agent in Safe Mode on computers in this policy if the computer is booted in Safe Mode. In this case, the agent performs all enforcement activities, even with the system in Safe Mode. Full protection requires the agent kernel, which loads at boot time, and the agent itself, which runs as a service after boot time.

Since the agent can interfere with Safe Mode recovery operations, use this option only if you have other means of recovery (other than Safe Mode). If you have questions about enabling the agent to run in Safe Mode, contact Carbon Black Support.

Suppress Logo in Notifier

When Carbon Black App Control rule enforcement causes a notifier to be displayed on an agent system in this policy, do not show a logo, even if the rule’s notifier definition includes a logo.

Total/Connected Computers

Total Computers is the total number of computers managed by this policy on the Carbon Black App Control Server. The count by platform is shown in parentheses.

Connected Computers is the number of computers managed by this policy that are currently connected to the Carbon Black App Control Server. The count by platform is shown in parentheses.