After the AD-based Policy interface is enabled, a new tab, Mappings, is visible on the Policies page. Clicking on this tab opens the Active Directory Policy Mappings page. This is where you create rules that map computers with specified AD data to certain policies.

Before you begin setting up mapping rules, make sure you have created all of the policies to which you want computers mapped.

You can create mapping rules that test for matching AD data including organizational units, domains, security groups, computer names, and user names. Keep the following in mind when creating mapping rules:

  • Although you can choose to match AD Security Group data for either users or computers, computer-based rules are recommended. With multiple users on a computer, sometimes simultaneously logged on, AD Mapping rules based on users could lead to unexpected results.
  • Carbon Black App Control does not support policy mapping for AD object names that contain double quotes. Object names with double quotes cannot be handled properly by the directory object browser you use to create a mapping rule.
  • Try to create as few rules as possible and test for groups rather than individual objects.

The following table shows the rule parameters you provide for a mapping rule.

Table 1. AD Mapping Rule Parameters

Computer Object to Test

The object that will be tested to see whether it matches the rule. The choices are Computer, User, and User or Computer.

Relationship

The relationship being evaluated between the Directory Object specified in the rule and the AD data from the computer being assigned a policy. The choices are:

  • is member of group
  • is in OU or domain
  • is
  • is not in any domain

Directory Object

The object in AD that the data from the tested object must match. Clicking the right end of this field opens a browser from which you can search for an object in your AD environment.

The choices for the Directory Object field change depending upon which Relationship you choose. If you choose “is not in any domain,” no Directory Object is necessary.

Policy to Apply

The policy to apply to a computer if its tested object matches the rule. The dropdown menu shows all available policies.

Note: For policies created before implementation of Active Directory policy mapping, "Automatic policy assignment" is off by default. If you implement AD policy mapping and set up new mapping rules that apply to a pre-existing policy, you will need to change the setting on the policy itself for automatic mapping to take place. See "Creating Policies" in the VMware Carbon Black App Control User Guide for more information about automatic assignment choices.

The result of providing these parameters is a rule that can be read like a sentence. The following is how you might set up one rule.

Table 2. Example AD Mapping Rule

Computer Object to Test: If a Computer
Relationship: is in OU or domain
Directory Object: ...matching OU=Marketing,DC=hq,DC=xyzcorp,DC=local
Policy to Apply: ...assign that computer to the Standard Protection policy.
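The following is an added example, not the product's own code: a small Python model of how the four Relationship choices above can be evaluated against distinguished names, and how rule order and user-based rules interact. It assumes rules are evaluated top to bottom with the first match winning, and all object, group and policy names below are constructed.

```python
from dataclasses import dataclass, field

def dn_parts(dn: str) -> list:
    """Split a DN into lower-cased RDNs: 'OU=Marketing,DC=hq' -> ['ou=marketing', 'dc=hq']."""
    return [p.strip().lower() for p in dn.split(",") if p.strip()]

def is_in_ou_or_domain(object_dn: str, container_dn: str) -> bool:
    """Suffix match on whole RDNs, so OU=Marketing never matches OU=MarketingTemp."""
    obj, cont = dn_parts(object_dn), dn_parts(container_dn)
    return len(obj) > len(cont) and obj[-len(cont):] == cont

@dataclass
class ADObject:
    dn: str                                     # '' when the object is not in any domain
    groups: list = field(default_factory=list)  # DNs of the AD security groups it belongs to

@dataclass
class MappingRule:
    object_to_test: str    # "Computer", "User" or "User or Computer"
    relationship: str      # one of the four Relationship choices from Table 1
    directory_object: str  # DN to compare against; '' for "is not in any domain"
    policy: str            # Policy to Apply

def rule_matches(rule: MappingRule, obj: ADObject) -> bool:
    if rule.relationship == "is not in any domain":
        return obj.dn == ""
    if rule.relationship == "is":
        return dn_parts(obj.dn) == dn_parts(rule.directory_object)
    if rule.relationship == "is in OU or domain":
        return is_in_ou_or_domain(obj.dn, rule.directory_object)
    if rule.relationship == "is member of group":
        return any(dn_parts(g) == dn_parts(rule.directory_object) for g in obj.groups)
    raise ValueError(f"unknown relationship: {rule.relationship}")

def assign_policy(rules, computer: ADObject, users, default: str = "Default Policy") -> str:
    """Policy of the first rule (top to bottom) matched by the computer or any logged-on user."""
    for rule in rules:
        tested = {"Computer": [computer], "User": list(users),
                  "User or Computer": list(users) + [computer]}[rule.object_to_test]
        if any(rule_matches(rule, o) for o in tested):
            return rule.policy
    return default

# Constructed sample rules and objects (hypothetical names); the user-based rule is listed first
# to show the caveat from the bullet list above: a logged-on user can override the computer rule.
RULES = [
    MappingRule("User", "is member of group", "CN=Developers,OU=Groups,DC=hq,DC=xyzcorp,DC=local", "Local Approval"),
    MappingRule("Computer", "is in OU or domain", "OU=Marketing,DC=hq,DC=xyzcorp,DC=local", "Standard Protection"),
    MappingRule("Computer", "is not in any domain", "", "Lockdown"),
]
MKT_PC = ADObject("CN=MKT-01,OU=Marketing,DC=hq,DC=xyzcorp,DC=local")
```

With no user logged on, MKT_PC gets Standard Protection from the Table 2 rule; with a Developers member logged on it gets Local Approval instead, which is the kind of surprise the computer-based recommendation avoids.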