Every endpoint running a Carbon Black App Control agent is assigned a security policy. There are three standard ways an endpoint can be assigned its policy.

  • By Agent installer – Every policy you create generates a policy-specific Carbon Black App Control agent installer for each supported platform, so when you install the agent on an endpoint, it is assigned a policy. When the agent contacts the Carbon Black App Control server after agent installation, the endpoint is added to the table of computers (endpoints) in the console. If you have not set up AD-based policy assignment, the agent remains in the policy embedded in its installer unless you manually reassign it.

    You do not have to (nor should you) reinstall a Carbon Black App Control agent to make a policy change for an endpoint. You normally need to install the agent only one time per endpoint.

  • Automatically, by Active Directory (AD) group mapping – You can set up the Carbon Black App Control server to run a script that assigns new and, if configured, existing endpoints to security policies according to the AD group information of the endpoint (or the user logged in to it). An endpoint's initial policy is defined by the agent installer. If that initial policy is configured to allow automatic policy assignment, this AD-based policy assignment takes precedence. Policy assignment by AD mapping is described in Assigning Policy by Active Directory Mapping.
  • Manually – You can move any endpoint to a policy other than the one assigned by the installer or the AD-mapping facility. This might be useful if you discover that a particular endpoint used the wrong installer, or that its security policy should differ from other endpoints in the AD group that was used to map its policy. Manual assignment might also be used for a temporary situation that requires more or less restriction for an endpoint or its user. If you manually change an endpoint's policy, you can later restore it to its original policy (or to automatic assignment). Manual policy assignment is described in "Moving Computers to Another Policy" in the Carbon Black App Control User Guide.

You can move endpoints from manual to automatic policy assignment and vice versa.

Note:

In certain cases, policy can be changed for reasons other than those listed above. For example:

  • If you delete the policy an agent belongs to while the endpoint is offline, the agent moves to the Default policy group. See "Restoring Computers from the Default Policy" in the Carbon Black App Control User Guide for more details.
  • There is an Event Rule action that can move endpoints to a different policy when a specified event occurs. See "Creating and Editing Event Rules" in the Carbon Black App Control User Guide for more details.

If you are not using AD-based policy assignment, you can skip the AD-mapping topics and go directly to Downloading Agent Installers for instructions on choosing a policy-specific installer.