The Default policy is for computers that report to the Carbon Black App Control Server but cannot be associated with any other policy.
Causes for this include:
- AD mapping is enabled, the default AD mapping rule (the last rule on the list) maps policies to Default Policy, and an agent does not match any other rule.
- An old installer associated with a deleted policy might be used for the initial Carbon Black App Control Agent installation on a computer.
- The last agent in a policy disconnects from the Carbon Black App Control Server and then is deleted from the Computers table on the console; because the policy now has no computers, a console operator decides to delete it. The agent later reconnects to the App Control Server.
In any of these cases, the computer is automatically moved into the Default Policy. Carbon Black recommends that you set the Enforcement Level for the Default policy to the appropriate protection level for your site. If you set the Default Policy to Visibility Mode, which tracks but does not block file executions, any computers that appear in the Default Policy should be moved as soon as possible to a policy with the settings and Enforcement Level protection you want.
- If you do not have any full Suite licenses (Visibility and Control), your only Enforcement Level choices for the Default policy are Visibility and Disabled.
- Because the Default Policy is reserved by the system, you cannot delete it.
The procedure for restoring computers from the Default policy is essentially the same as that for moving computers to another policy, with additional filtering instructions.
Move a Computer in the Default Policy to Another Policy
Use this procedure to move a computer in the Default policy to another policy.