You can create rules that map each computer to a certain policy based on its Active Directory (AD) data.
AD-based policy assignment happens when an agent first contacts the Carbon Black App Control Server, and is checked again each time the server and agent re-establish contact or the logged-in user on the agent computer changes (see Computer Registration and AD Mapping for more on when mapping can change).
To make use of AD-based policy assignment, you must:
- Install the App Control Server in an AD Domain – Install the Carbon Black App Control Server on a computer that is a member of an Active Directory domain. By default, the Carbon Black App Control Server must be in the same AD forest as the computers and users you want to map. If you require cross-forest integration, contact your Carbon Black Support representative.
- Enable the AD Mapping Interface – You enable the AD-based policy mapping interface in the Active Directory / LDAP integration panel on the General tab of the System Configuration page.
- Create AD-mappable Target Policies – Create the security policies to which you want computers assigned by AD Mapping, and make sure these policies allow automatic policy assignment.
- Create Mappings – On the Mappings tab of the Policies page, create AD Policy Mapping rules that use AD data to assign computers to different security policies.
- Install or Move Agents to AD-mappable Policies – For new agent installations, make sure the policy for the agent installation packages allows automatic policy assignment. For mapping to be successful, both the current policy of an agent and the policy to which it will be mapped must have automatic policy assignment enabled. For existing agents, if necessary, you can change a policy from manual to automatic after installation or move the agent to an AD-mappable policy.