Managing policies in the Web Console

A policy is a set of Kaspersky Embedded Systems Security operation settings applied to an

Multiple policies with different values of the settings can be configured for a single application. However, there can be only one active policy at a time for an application within an administration group. When you create a new policy, all other policies within an administration group become inactive. You can change the policy status later.

Policies have a hierarchy, similarly to administration groups. By default, a child policy inherits the settings from the parent policy. A child policy is a policy of a nested hierarchy level, that is, a policy for nested administration groups and secondary Administration Servers. You can enable inheritance of the settings from the parent policy.

You can locally modify the values of the settings specified by the policy for individual devices within the administration group, if modification of these settings is not prohibited by the policy.

Each policy setting has a "lock" attribute that indicates whether child policy settings and local application settings can be modified. The "lock" status of a setting within a policy determines whether or not an application setting on a client device can be edited:

• When a setting is "locked" (), you cannot edit the setting locally. The setting value specified by the policy is used for all client devices within the administration group.
• When a setting is "unlocked" (), you can edit the setting locally. For all client devices in the administration group, the settings specified locally are used. The settings specified in the policy are not applied.

After the policy is applied for the first time, the application settings change in accordance with the policy settings.

You can perform the following operations with the policies:

• Create a policy.
• Edit policy settings.

  If the user account which is used to access the Administration Server does not have permissions to edit the settings of certain functional scopes, the settings of these functional scopes are not available for editing.

• Delete a policy.
• Change a policy status.
• Copy and move a policy.
• Export and import a policy.
• Compare policy versions in the Revision history section of the policy properties window.

You can also create policy profiles. A policy profile may contain settings that differ from the "base" policy settings and apply to client devices when the configured conditions (activation rules) are met. Using policy profiles allows you to flexibly configure operation settings for different devices. You can create and configure profiles in the Policy profiles section of the policy properties.

For general information on working with policies and policy profiles, refer to Kaspersky Security Center documentation.

Creating a policy

To create a policy:

1. In the main window of the Web Console, select Devices → Policies and policy profiles.

   The list of policies opens.

2. Select the administration group containing client devices to which the policy should be applied. To do so, click the link in the Current path field in the upper part of the window and select an administration group in the window that opens.

   The list displays only the policies configured for the selected administration group.

3. Click Add.

   The Policy Wizard starts.

4. Select Kaspersky Embedded Systems Security 3.3 for Linux and click Next.
5. Decide whether you want to participate in Kaspersky Security Network. Carefully read the Kaspersky Security Network Statement and do one of the following:
   • If you agree with all the terms and conditions of the Statement and want the application to use Kaspersky Security Network, select I confirm that I have fully read, understand, and accept the terms and conditions of Kaspersky Security Network Statement.
   • If you do not want to use Kaspersky Security Network, select I do not accept the terms and conditions of the Kaspersky Security Network Statement and confirm your decision in the window that opens.

   Refusal to use Kaspersky Security Network does not interrupt the policy creation process. You can enable, disable, or change the Kaspersky Security Network mode for the managed devices in the policy settings at any time.

6. Click Next.

   The General tab of the new policy settings window opens.

7. On the General tab, you can configure the following policy settings:
   • Policy name.
   • Policy status:
     • Active. The policy that is currently applied to the device.

     If this option is selected, this policy becomes active on the device upon the next device synchronization with the Administration Server. This option is selected by default.

     • Inactive. The policy that is not currently applied to the device.

     If this option is selected, the policy becomes inactive but remains in the Policies folder. You can activate the inactive policy later.

     • Out-of-office. Policy that becomes active when the device leaves the corporate network.

     If this option is selected, the policy becomes active when the device leaves the organization network.

   • Policy settings inheritance:
     • Inherit settings from parent policy. If this option is enabled, the policy settings values are inherited from the upper-level group policy and, therefore, are locked. The check toggle button is switched on by default.
     • Enforce settings inheritance for child policies If this option is enabled, the settings values of the child policies are locked. The toggle button is switched off by default.

   For general information about the policy settings, refer to Kaspersky Security Center documentation.

8. On the Application settings tab you can modify the policy settings.
9. Click Save.

The created policy will be displayed in the list of policies. You can change the policy settings later. For general information about managing policies, refer to Kaspersky Security Center documentation.

Editing policy settings

To edit policy settings:

1. In the main window of the Web Console, select Devices → Policies and policy profiles.

   The list of policies opens.

2. Select the administration group to which the policy is applied. To do so, click the link in the Current path field in the upper part of the window and select an administration group in the window that opens.

   The list displays only the policies configured for the selected administration group.

3. Select the policy for which you want to modify the settings, and click the link with the policy name to open the policy properties window.
4. Edit the policy settings.
5. Click Save.

The policy is saved with the updated settings.

Changing policy status

To change the policy status:

1. In the main window of the Web Console, select the Devices → Policies and profiles tab.

   The list of policies opens.

2. In the list, select the policy for which you want to modify the status, and click the link with the policy name to open the policy properties window.
3. On the General tab, in the Policy status section, select the required status:
   • Active. The policy that is currently applied to the device.

   If this option is selected, this policy becomes active on the device upon the next device synchronization with the Administration Server. This option is selected by default.

   • Inactive. The policy that is not currently applied to the device.

   If this option is selected, the policy becomes inactive but remains in the Policies folder. You can activate the inactive policy later.

   • Out-of-office. Policy that becomes active when the device leaves the corporate network.

   If this option is selected, the policy becomes active when the device leaves the organization network.

4. Click Save.

The policy status is changed.

Actions with policies

To copy, move, export, or import a policy:

1. In the main window of the Web Console, select the Devices → Policies and profiles tab.

   The list of policies opens.

2. In the list of policies, check the box next to the name of the required policy and click the action button above the list of policies.

Deleting a policy

To delete a policy:

1. In the main window of the Web Console, select the Devices → Policies and profiles tab.

   The list of policies opens.

2. In the list of policies, select a check box next to the policy that you want to delete.

   You can select several policies to delete them simultaneously.

3. Click the Delete button above the list of policies.
4. Confirm the deletion.