Kaspersky Security Center Cloud Console

Policies and policy profiles

In Kaspersky Security Center Cloud Console, you can create policies for Kaspersky applications. This section describes policies and policy profiles, and provides instructions for creating and modifying them.

In this section

About policies

About lock and locked settings

Inheritance of policies and policy profiles

Managing policies

Managing policy profiles

See also:

Scenario: Configuring network protection


About policies

A policy is a set of Kaspersky application settings that are applied to an administration group and its subgroups. You can install several Kaspersky applications on the devices of an administration group. Kaspersky Security Center Cloud Console provides a single policy for each Kaspersky application in an administration group. A policy has one of the following statuses (see the table below):

The status of the policy

| Status | Description |
| --- | --- |
| Active | The current policy that is applied to the device. Only one policy may be active for a Kaspersky application in each administration group. Devices apply the settings values of an active policy for a Kaspersky application. |
| Inactive | A policy that is not currently applied to a device. |
| Out-of-office | If this option is selected, the policy becomes active when the device leaves the corporate network. |

Policies function according to the following rules:

  • Multiple policies with different values can be configured for a single application.
  • Only one policy can be active for the current application.
  • You can activate an inactive policy when a specific event occurs. For example, you can enforce stricter anti-virus protection settings during virus outbreaks.
  • A policy can have child policies.

Generally, you can use policies as preparations for emergency situations, such as a virus attack. For example, if there is an attack via flash drives, you can activate a policy that blocks access to flash drives. In this case, the current active policy automatically becomes inactive.

To avoid maintaining multiple policies, for example when different situations require changing only a few settings, you can use policy profiles.

A policy profile is a named subset of policy settings values that replaces the settings values of a policy. A policy profile affects the effective settings formation on a managed device. Effective settings are a set of policy settings, policy profile settings, and local application settings that are currently applied for the device.

Policy profiles function according to the following rules:

  • A policy profile takes effect when a specific activation condition occurs.
  • Policy profiles contain values of settings that differ from the policy settings.
  • Activation of a policy profile changes the effective settings of the managed device.
  • A policy can include a maximum of 100 policy profiles.

You cannot create an Administration Server policy.

See also:

Inheritance of policies and policy profiles

Scenario: Configuring network protection


About lock and locked settings

Each policy setting has a lock button icon. The table below shows lock button statuses:

Lock button statuses

| Status | Description |
| --- | --- |
| An opened lock icon and the toggle button with text “Undefined” is off. | If an open lock is displayed next to a setting and the toggle button is disabled, the setting is not specified in the policy. A user can change these settings in the managed application interface. Settings of this type are called unlocked. |
| A closed lock icon and the toggle button with text “Enforce” is on. | If a closed lock is displayed next to a setting and the toggle button is enabled, the setting is applied to the devices where the policy is enforced. A user cannot modify the values of these settings in the managed application interface. Settings of this type are called locked. |

We highly recommend that you close locks for the policy settings that you want to apply on the managed devices. The unlocked policy settings can be reassigned by Kaspersky application settings on a managed device.

You can use a lock button for performing the following actions:

  • Locking settings for an administration subgroup policy
  • Locking settings of a Kaspersky application on a managed device

Thus, a locked setting is used for implementing effective settings on a managed device.

The process of implementing effective settings includes the following actions:

  • The managed device applies the settings values of the Kaspersky application.
  • The managed device applies the locked settings values of a policy.

A policy and a managed Kaspersky application contain the same set of settings. When you configure policy settings, the Kaspersky application settings change values on a managed device. You cannot adjust locked settings on a managed device (see the figure below):

Figure: Locks and Kaspersky application settings. The administrator sets a value and closes the lock, and a user cannot change it. The user can change settings with an open lock.

See also:

Policy profiles in a hierarchy of policies

Hierarchy of policies


Inheritance of policies and policy profiles

This section provides information about the hierarchy and inheritance of policies and policy profiles.

In this section

Hierarchy of policies

Policy profiles in a hierarchy of policies

How settings are implemented on a managed device


Hierarchy of policies

If different devices need different settings, you can organize devices into administration groups.

You can specify a policy for a single administration group. Policy settings can be inherited. Inheritance means receiving policy settings values in subgroups (child groups) from a policy of a higher-level (parent) administration group.

Hereinafter, a policy for a parent group is also referred to as a parent policy. A policy for a subgroup (child group) is also referred to as a child policy.

By default, at least one managed devices group exists on Administration Server. If you want to create custom groups, they are created as subgroups (child groups) within the managed devices group.

Policies of the same application act on each other, according to a hierarchy of administration groups. Locked settings from a policy of a higher-level (parent) administration group will reassign policy settings values of a subgroup (see the figure below).

Figure: Hierarchy of policies. Unlocked parent policy settings can be reassigned and locked in a child policy. Locked policy settings cannot be changed.


Policy profiles in a hierarchy of policies

Policy profiles have the following priority assignment conditions:

  • A profile's position in a policy profile list indicates its priority. You can change a policy profile priority. The highest position in a list indicates the highest priority (see the figure below).

    Figure: Priority definition of a policy profile. Policy profile 1 has the highest priority, and Policy profile 100 has the lowest priority.

  • Activation conditions of policy profiles do not depend on each other. Several policy profiles can be activated simultaneously. If several policy profiles affect the same setting, the device takes the setting value from the policy profile with the highest priority (see the figure below).

    Figure: Managed device configuration fulfills the activation conditions of several policy profiles.

Policy profiles in a hierarchy of inheritance

Policy profiles from different hierarchy level policies comply with the following conditions:

  • A lower-level policy inherits policy profiles from a higher-level policy. A policy profile inherited from a higher-level policy obtains a higher priority than the lower-level policy's own profiles.
  • You cannot change the priority of an inherited policy profile (see the figure below).

    Figure: Inheritance of policy profiles. A child policy inherits the profiles of the parent policy, and they obtain a higher priority than the child policy profiles.

Policy profiles with the same name

If there are two policies with the same names in different hierarchy levels, these policies function according to the following rules:

  • Locked settings and the profile activation condition of a higher-level policy profile change the settings and profile activation condition of a lower-level policy profile (see the figure below).

    Figure: Child profile inherits settings values from a parent policy profile. The profile names of the parent and child policies are the same. Changes in the parent policy profile transfer to the child policy profile.

  • Unlocked settings and the profile activation condition of a higher-level policy profile do not change the settings and profile activation condition of a lower-level policy profile.

See also:

Ports used by Kaspersky Security Center Cloud Console

Policy setup and propagation: Device-centric approach


How settings are implemented on a managed device

Implementation of effective settings on a managed device can be described as follows:

  • The values of all settings that have not been locked are taken from the policy.
  • Then they are overwritten with the values of managed application settings.
  • And then the locked settings values from the effective policy are applied. Locked settings values change the values of unlocked effective settings.
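
The three steps above, combined with the parent/child lock rules and the profile priority rules from the earlier sections, as an added Python model (an illustration written for this page, not Kaspersky code or a product API). All class, function and setting names and the sample data are hypothetical; treating profile values as locked and letting an active profile replace any policy value are assumptions of the model.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Optional

@dataclass
class Setting:
    value: Any
    locked: bool = False  # closed lock: enforced, the device user cannot change it

@dataclass
class Profile:
    name: str
    values: dict  # setting name -> value that replaces the policy's value
    active_when: Callable[[dict], bool]  # activation condition over device facts

@dataclass
class Policy:
    name: str
    settings: dict  # setting name -> Setting
    profiles: list = field(default_factory=list)  # index 0 = highest priority
    parent: Optional["Policy"] = None
    inherit_from_parent: bool = True  # "Inherit settings from parent policy"
    force_child_inheritance: bool = False  # "Force inheritance of settings in child policies"

def policy_settings(policy: Policy) -> dict:
    """Settings of a policy after locked parent values are reassigned onto it."""
    merged = {k: Setting(s.value, s.locked) for k, s in policy.settings.items()}
    parent = policy.parent
    if parent is not None and (policy.inherit_from_parent or parent.force_child_inheritance):
        for key, s in policy_settings(parent).items():
            if s.locked:
                merged[key] = Setting(s.value, True)
    return merged

def profile_order(policy: Policy) -> list:
    """Profiles by priority: inherited profiles rank above the policy's own."""
    inherited = profile_order(policy.parent) if policy.parent else []
    return inherited + list(policy.profiles)

def enforced_view(policy: Policy, device: dict) -> dict:
    """Policy settings with active profiles applied; the highest priority is applied last."""
    view = policy_settings(policy)
    for profile in reversed(profile_order(policy)):
        if profile.active_when(device):
            for key, value in profile.values.items():
                view[key] = Setting(value, True)  # assumption: profile values are locked
    return view

def effective_settings(policy: Policy, local: dict, device: dict) -> dict:
    """The three steps from the page, in order."""
    view = enforced_view(policy, device)
    effective = {k: s.value for k, s in view.items() if not s.locked}  # 1. unlocked values
    effective.update(local)  # 2. overwritten with the application's own settings
    effective.update({k: s.value for k, s in view.items() if s.locked})  # 3. locked values
    return effective

def user_changeable(policy: Policy, device: dict) -> list:
    """Settings left with an open lock, which a local user can still change."""
    return sorted(k for k, s in enforced_view(policy, device).items() if not s.locked)

def build_example():
    """Constructed sample: setting names and values are hypothetical."""
    parent = Policy(
        name="Managed devices",
        settings={
            "file_threat_protection": Setting(True, locked=True),
            "removable_drives": Setting("allow"),
            "scan_schedule": Setting("weekly"),
        },
        profiles=[Profile("Outbreak", {"removable_drives": "block"},
                          lambda d: d.get("outbreak", False))],
    )
    child = Policy(
        name="Lab",
        settings={
            "file_threat_protection": Setting(False, locked=True),  # parent lock overrides this
            "removable_drives": Setting("read-only", locked=True),  # reassigned and locked
            "scan_schedule": Setting("weekly"),
        },
        profiles=[Profile("Bench", {"removable_drives": "allow", "scan_schedule": "daily"},
                          lambda d: d.get("bench", False))],
        parent=parent,
    )
    # What the user has set in the application on the device itself.
    local = {"file_threat_protection": False, "removable_drives": "allow",
             "scan_schedule": "monthly"}
    return parent, child, local

if __name__ == "__main__":
    _, child, local = build_example()
    for facts in ({}, {"outbreak": True, "bench": True}):
        print(facts, effective_settings(child, local, facts),
              "open locks:", user_changeable(child, facts))
```

The `user_changeable` result is the list to review against the recommendation to close locks on every setting that must hold on managed devices.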

See also:

About policies

About lock and locked settings

Hierarchy of policies

Policy profiles in a hierarchy of policies


Managing policies

This section describes managing policies and provides information about viewing the list of policies, creating a policy, modifying a policy, copying a policy, moving a policy, forced synchronization, viewing the policy distribution status chart, and deleting a policy.

In this section

Viewing the list of policies

Creating a policy

Modifying a policy

General policy settings

Enabling and disabling a policy inheritance option

Copying a policy

Moving a policy

Exporting a policy

Importing a policy

Viewing the policy distribution status chart

Activating a policy automatically at the Virus outbreak event

Forced synchronization

Deleting a policy


Viewing the list of policies

You can view lists of policies created for the Administration Server or for any administration group.

To view a list of policies:

  1. In the main menu, go to Assets (Devices) → Hierarchy of groups.
  2. In the administration group structure, select the administration group for which you want to view the list of policies.

The list of policies appears in tabular format. If there are no policies, the table is empty. You can show or hide the columns of the table, change their order, view only lines that contain a value that you specify, or use search.

See also:

Scenario: Configuring network protection


Creating a policy

You can create policies; you can also modify and delete existing policies.

You cannot create an Administration Server policy.

To create a policy:

  1. In the main menu, go to Assets (Devices) → Policies & profiles.
  2. Click Add.

    The Select application window opens.

  3. Select the application for which you want to create a policy.
  4. Click Next.

    The new policy settings window opens with the General tab selected.

  5. If you want, change the default name, default status, and default inheritance settings of the policy.
  6. Click the Application settings tab.

    Or, you can click Save and exit. The policy will appear in the list of policies, and you can edit its settings later.

  7. On the Application settings tab, in the left pane select the category that you want and in the results pane on the right, edit the settings of the policy. You can edit policy settings in each category (section).

    The application settings depend on the application for which you create a policy. For details, refer to the following:

    For details about settings of other security applications, refer to the documentation for the corresponding application.

    When editing the settings, you can click Cancel to cancel the last operation.

  8. Click Save to save the policy.

The policy will appear in the list of policies.

See also:

Scenario: Kaspersky applications initial deployment

Scenario: Configuring network protection


Modifying a policy

To modify a policy:

  1. In the main menu, go to Assets (Devices) → Policies & profiles.
  2. Click the policy that you want to modify.

    The policy settings window opens.

  3. Specify the general settings and settings of the application for which you create a policy. For details, refer to the following:

    For details about settings of other security applications, refer to the documentation for that application.

  4. Click Save.

The changes made to the policy will be saved in the policy properties, and will appear in the Revision history section.

See also:

Scenario: Configuring network protection


General policy settings


General

On the General tab, you can modify the policy status and specify the inheritance of policy settings:

  • In the Policy status block, you can select one of the policy modes:
    • Active
    • Out-of-office

      If this option is selected, the policy becomes active when the device leaves the corporate network.

    • Inactive

      If this option is selected, the policy becomes inactive, but it is still stored in the Policies folder. If required, the policy can be activated.

  • In the Settings inheritance settings group, you can configure the policy inheritance:
    • Inherit settings from parent policy

      If this option is enabled, the policy setting values are inherited from the upper-level group policy and, therefore, are locked.

      By default, this option is enabled.

    • Force inheritance of settings in child policies

      If this option is enabled, after policy changes are applied, the following actions will be performed:

      • The values of the policy settings will be propagated to the policies of administration subgroups, that is, to the child policies.
      • In the Settings inheritance block of the General section in the properties window of each child policy, the Inherit settings from parent policy option will be automatically enabled.

      If this option is enabled, the child policies settings are locked.

      By default, this option is disabled.

Event configuration

The Event configuration tab enables you to configure event logging and event notification. Events are distributed by importance level on the following tabs:

  • Critical

    The Critical section is not displayed in the Network Agent policy properties.

  • Functional failure
  • Warning
  • Info

In each section, the list shows the types of events and the default event storage term on the Administration Server (in days). Clicking an event type lets you specify the following settings:

  • Event registration

    You can specify how many days to store the event and select where to store the event:

    • Store in the Administration Server database for (days)
    • Store in the OS event log on device
  • Event notifications

    You can select if you want to be notified about the event by email.

    By default, the notification settings specified on the Administration Server properties tab (such as recipient address) are used. If you want, you can change these settings on the Email tab.

Also, the Event configuration tab displays a notification when new event types are added (for example, in a new version of the product) and enables you to apply the new settings by clicking the Save or Save and close button.

Revision history

The Revision history tab enables you to view the list of the policy revisions and roll back changes made to the policy, if necessary.

See also:

Scenario: Configuring network protection


Enabling and disabling a policy inheritance option

To enable or disable the inheritance option in a policy:

  1. Open the required policy.
  2. Open the General tab.
  3. Enable or disable policy inheritance:
    • If you enable Inherit settings from parent policy in a child policy and an administrator locks some settings in the parent policy, then you cannot change these settings in the child policy.
    • If you disable Inherit settings from parent policy in a child policy, then you can change all of the settings in the child policy, even if some settings are locked in the parent policy.
    • If you enable Force inheritance of settings in child policies in the parent group, this enables the Inherit settings from parent policy option for each child policy. In this case, you cannot disable this option for any child policy. All of the settings that are locked in the parent policy are forcibly inherited in the child groups, and you cannot change these settings in the child groups.
  4. Click the Save button to save changes or click the Cancel button to reject changes.

By default, the Inherit settings from parent policy option is enabled for a new policy.

If a policy has profiles, all of the child policies inherit these profiles.

See also:

Hierarchy of policies

Scenario: Configuring network protection


Copying a policy

You can copy policies from one administration group to another.

To copy a policy to another administration group:

  1. In the main menu, go to Assets (Devices) → Policies & profiles.
  2. Select the check box next to the policy (or policies) that you want to copy.
  3. Click the Copy button.

    On the right side of the screen, the tree of the administration groups appears.

  4. In the tree, select the target group, that is, the group to which you want to copy the policy (or policies).
  5. Click the Copy button at the bottom of the screen.
  6. Click OK to confirm the operation.

The policy (policies) will be copied to the target group with all its profiles. The status of each copied policy in the target group will be Inactive. You can change the status to Active at any time.

If a policy with the name identical to that of the newly copied policy already exists in the target group, the name of the newly copied policy is expanded with the (<next sequence number>) index, for example: (1).

See also:

Scenario: Configuring network protection


Moving a policy

You can move policies from one administration group to another. For example, you want to delete a group, but you want to use its policies for another group. In this case, you may want to move the policy from the old group to the new one before deleting the old group.

To move a policy to another administration group:

  1. In the main menu, go to Assets (Devices) → Policies & profiles.
  2. Select the check box next to the policy (or policies) that you want to move.
  3. Click the Move button.

    On the right side of the screen, the tree of the administration groups appears.

  4. In the tree, select the target group, that is, the group to which you want to move the policy (or policies).
  5. Click the Move button at the bottom of the screen.
  6. Click OK to confirm the operation.

If a policy is not inherited from the source group, it is moved to the target group with all its profiles. The status of the policy in the target group is Inactive. You can change the status to Active at any time.

If a policy is inherited from the source group, it remains in the source group. It is copied to the target group with all its profiles. The status of the policy in the target group is Inactive. You can change the status to Active at any time.

If a policy with the name identical to that of the newly moved policy already exists in the target group, the name of the newly moved policy is expanded with the (<next sequence number>) index, for example: (1).

See also:

Scenario: Configuring network protection


Exporting a policy

Kaspersky Security Center Cloud Console allows you to save a policy, its settings, and the policy profiles to a KLP file. You can use this KLP file to import the saved policy to both Kaspersky Security Center Windows and Kaspersky Security Center Linux.

To export a policy:

  1. In the main menu, go to Assets (Devices) → Policies & profiles.
  2. Select the check box next to the policy that you want to export.

    You cannot export multiple policies at the same time. If you select more than one policy, the Export button will be disabled.

  3. Click the Export button.
  4. In the opened Save as window, specify the policy file name and path. Click the Save button.

    The Save as window is displayed only if you use Google Chrome, Microsoft Edge, or Opera. If you use another browser, the policy file is automatically saved in the Downloads folder.


Importing a policy

Kaspersky Security Center Cloud Console allows you to import a policy from a KLP file. The KLP file contains the exported policy, its settings, and the policy profiles.

To import a policy:

  1. In the main menu, go to Assets (Devices) → Policies & profiles.
  2. Click the Import button.
  3. Click the Browse button to choose a policy file that you want to import.
  4. In the opened window, specify the path to the KLP policy file, and then click the Open button. Note that you can select only one policy file.

    The policy processing starts.

  5. After the policy is processed successfully, select the administration group to which you want to apply the policy.
  6. Click the Complete button to finish the policy import.

The notification with the import results appears. If the policy is imported successfully, you can click the Details link to view the policy properties.

After a successful import, the policy is displayed in the policy list. The settings and profiles of the policy are also imported. Regardless of the policy status that was selected during the export, the imported policy is inactive. You can change the policy status in the policy properties.

If the newly imported policy has a name identical to that of an existing policy, the name of the imported policy is expanded with the (<next sequence number>) index, for example: (1), (2).


Viewing the policy distribution status chart

In Kaspersky Security Center Cloud Console, you can view the status of policy application on each device in a policy distribution status chart.

To view the policy distribution status on each device:

  1. In the main menu, go to Assets (Devices) → Policies & profiles.
  2. Select the check box next to the name of the policy for which you want to view the distribution status on devices.
  3. In the menu that appears, click the Distribution link.

    The <Policy name> distribution results window opens.

  4. In the <Policy name> distribution results window that opens, the Status description (if available) of the policy is displayed.

You can change the number of results displayed in the list with policy distribution results. The maximum number of devices is 100,000.

To change the number of devices displayed in the list with policy distribution results:

  1. In the main menu, go to your account settings, and then select Interface options.
  2. In the Maximum number of devices displayed in policy distribution results, enter the number of devices (up to 100,000).

    By default, the number is 5000.

  3. Click Save.

The settings are saved and applied.

See also:

Scenario: Configuring network protection


Activating a policy automatically at the Virus outbreak event

To have a policy activated automatically at a Virus outbreak event:

  1. In the main menu, click the settings icon next to the name of the required Administration Server.

    The Administration Server properties window opens, with the General tab selected.

  2. Select the Virus outbreak section.
  3. In the right pane, click the Configure policies to activate when a virus outbreak event occurs link.

    The Policy activation window opens.

  4. In the section relating to the component that detects a virus outbreak—Anti-Virus for workstations and file servers, Anti-Virus for mail servers, or Anti-Virus for perimeter defense—select the option button next to the entry you want, and then click Add.

    A window opens with the Managed devices administration group.

  5. Click the chevron icon next to Managed devices.

    A hierarchy of administration groups and their policies is displayed.

  6. In the hierarchy of administration groups and their policies, click the name of the policy or policies to be activated when a virus outbreak is detected.

    To select all policies in the list or in a group, select the check box next to the required name.

  7. Click the Save button.

    The window with the hierarchy of administration groups and their policies is closed.

The selected policies are added to the list of policies that are activated when a virus outbreak is detected. The selected policies are activated at the virus outbreak, regardless of whether they are active or inactive.

If a policy has been activated on the Virus outbreak event, you can return to the previous policy only by using the manual mode.

See also:

Scenario: Monitoring and reporting

Scenario: Configuring network protection


Forced synchronization

Although Kaspersky Security Center Cloud Console automatically synchronizes the status, settings, tasks, and policies for managed devices, in some cases you need to know for certain, at a given moment, whether synchronization has already been performed for a specified device.

Synchronizing a single device

To force synchronization between the Administration Server and a managed device:

  1. In the main menu, go to Assets (Devices) → Managed devices.
  2. Click the name of the device that you want to synchronize with the Administration Server.

    A property window opens with the General section selected.

  3. Click the Force synchronization button.

The application synchronizes the selected device with the Administration Server.

Synchronizing multiple devices

To force synchronization between the Administration Server and multiple managed devices:

  1. Open the device list of an administration group or a device selection:
    • In the main menu, go to Assets (Devices) → Managed devices → Groups, and then select the administration group that contains devices to synchronize.
    • Run a device selection to view the device list.
  2. Select the check boxes next to the devices that you want to synchronize with the Administration Server.
  3. Click the Force synchronization button.

    The application synchronizes the selected devices with the Administration Server.

  4. In the device list, check that the time of last connection to the Administration Server has changed, for the selected devices, to the current time. If the time has not changed, update the page content by clicking the Refresh button.

The selected devices are synchronized with the Administration Server.

Viewing the time of a policy delivery

After changing a policy for a Kaspersky application on the Administration Server, you can check whether the changed policy has been delivered to a specific managed device. A policy can be delivered during a regular synchronization or a forced synchronization.

To view the date and time that an application policy was delivered to a managed device:

  1. In the main menu, go to Assets (Devices) → Managed devices.
  2. Click the name of the device that you want to synchronize with the Administration Server.

    A property window opens with the General section selected.

  3. Click the Applications tab.
  4. Select the application for which you want to view the policy synchronization date.

The application policy window opens with the General section selected and the policy delivery date and time displayed.

See also:

Scenario: Configuring network protection


Deleting a policy

You can delete a policy if you do not need it anymore. You can delete only a policy that is not inherited in the specified administration group. If a policy is inherited, you can only delete it in the upper-level group for which it was created.

To delete a policy:

  1. In the main menu, go to Assets (Devices) → Policies & profiles.
  2. Select the check box next to the policy that you want to delete, and click Delete.

    The Delete button becomes unavailable (dimmed) if you select an inherited policy.

  3. Click OK to confirm the operation.

The policy is deleted together with all its profiles.

See also:

Scenario: Configuring network protection


Managing policy profiles

This section describes managing policy profiles and provides information about viewing the profiles of a policy, changing a policy profile priority, creating a policy profile, modifying a policy profile, copying a policy profile, creating a policy profile activation rule, and deleting a policy profile.

In this section

Viewing the profiles of a policy

Changing a policy profile priority

Creating a policy profile

Modifying a policy profile

Copying a policy profile

Creating a policy profile activation rule

Deleting a policy profile


Viewing the profiles of a policy

To view profiles of a policy:

  1. In the main menu, go to Assets (Devices) → Policies & profiles.
  2. Click the name of the policy whose profiles you want to view.

    The policy properties window opens with the General tab selected.

  3. Open the Policy profiles tab.

The list of policy profiles appears in tabular format. If the policy does not have profiles, an empty table appears.

See also:

Scenario: Configuring network protection


Changing a policy profile priority

To change a policy profile priority:

  1. Proceed to the list of profiles of a policy that you want.

    The list of policy profiles appears.

  2. On the Policy profiles tab, select the check box next to the policy profile for which you want to change priority.
  3. Set a new position of the policy profile in the list by clicking Prioritize or Deprioritize.

    The higher a policy profile is located in the list, the higher its priority.

  4. Click the Save button.

Priority of the selected policy profile is changed and applied.

See also:

Policy profiles in a hierarchy of policies

Inheritance of policies and policy profiles

Scenario: Configuring network protection


Creating a policy profile

To create a policy profile:

  1. Proceed to the list of profiles of the policy that you want.

    The list of policy profiles appears. If the policy does not have profiles, an empty table appears.

  2. Click Add.
  3. If you want, change the default name and default inheritance settings of the profile.
  4. Select the Application settings tab.

    Alternatively, you can click Save and exit. The profile that you have created appears in the list of policy profiles, and you can edit its settings later.

  5. On the Application settings tab, in the left pane, select the category that you want and in the results pane on the right, edit the settings for the profile. You can edit policy profile settings in each category (section).

    When editing the settings, you can click Cancel to cancel the last operation.

  6. Click Save to save the profile.

The profile will appear in the list of policy profiles.

See also:

Policy setup and propagation: Device-centric approach

Scenario: Configuring network protection


Modifying a policy profile

The capability to edit a policy profile is only available for policies of Kaspersky Endpoint Security for Windows.

To modify a policy profile:

  1. Proceed to the list of profiles of a policy that you want.

    The list of policy profiles appears.

  2. On the Policy profiles tab, click the policy profile that you want to modify.

    The policy profile properties window opens.

  3. Configure the profile in the properties window:
    • If necessary, on the General tab, change the profile name and enable or disable the profile.
    • Edit the profile activation rules.
    • Edit the application settings.

    For details about settings of security applications, please see the documentation of the corresponding application.

  4. Click Save.

The modified settings will take effect either after the device is synchronized with the Administration Server (if the policy profile is active), or after an activation rule is triggered (if the policy profile is inactive).

See also:

Scenario: Configuring network protection


Copying a policy profile

You can copy a policy profile to the current policy or to another, for example, if you want to have identical profiles for different policies. You can also use copying if you want to have two or more profiles that differ in only a small number of settings.

To copy a policy profile:

  1. Proceed to the list of profiles of a policy that you want.

    The list of policy profiles appears. If the policy does not have profiles, an empty table appears.

  2. On the Policy profiles tab, select the policy profile that you want to copy.
  3. Click Copy.
  4. In the window that opens, select the policy to which you want to copy the profile.

    You can copy a policy profile to the same policy or to a policy that you specify.

  5. Click Copy.

The policy profile is copied to the policy that you selected. The newly copied profile gets the lowest priority. If you copy the profile to the same policy, the name of the newly copied profile will be expanded with the () index, for example: (1), (2).

Later, you can change the settings of the profile, including its name and its priority; the original policy profile will not be changed in this case.

See also:

Scenario: Configuring network protection


Creating a policy profile activation rule

To create a policy profile activation rule:

  1. Proceed to the list of profiles of a policy that you want.

    The list of policy profiles appears.

  2. On the Policy profiles tab, click the policy profile for which you need to create an activation rule.

    If the list of policy profiles is empty, you can create a policy profile.

  3. On the Activation rules tab, click the Add button.

    The window with policy profile activation rules opens.

  4. Specify a name for the rule.
  5. Select the check boxes next to the conditions that must affect activation of the policy profile that you are creating:
    • General rules for policy profile activation

      Select this check box to set up policy profile activation rules on the device depending on the device's offline mode status, the rule for connection to Administration Server, and the tags assigned to the device.

      For this option, specify at the next step:

      • Device status

        Defines the condition for device presence on the network:

        • Online—The device is on the network, and so the Administration Server is available.
        • Offline—The device is on an external network, which means that the Administration Server is not available.
        • N/A—The criterion will not be applied.
      • Rule for Administration Server connection is active on this device

        Choose the condition of policy profile activation (whether the rule is executed or not) and select the rule name.

        The rule defines the network location of the device for connection to the Administration Server, whose conditions must be met (or must not be met) for activation of the policy profile.

        A network location description of devices for connection to an Administration Server can be created or configured in a Network Agent switching rule.

    • Rules for specific device owner

      For this option, specify at the next step:

      • Device owner

        Enable this option to configure and enable the rule for profile activation on the device according to its owner. In the drop-down list under the check box, you can select a criterion for the profile activation:

        • The device belongs to the specified owner ("=" sign).
        • The device does not belong to the specified owner ("≠" sign).

          Note that the user list is filtered and displays device owners who are internal users.

          If this option is enabled, the profile is activated on the device in accordance with the criterion configured. You can specify the device owner when the option is enabled. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

      • Device owner is included in an internal security group

        Enable this option to configure and enable the rule of profile activation on the device by the owner's membership in an internal security group of Kaspersky Security Center Cloud Console. In the drop-down list under the check box, you can select a criterion for the profile activation:

        • The device owner is a member of the specified security group ("=" sign).
        • The device owner is not a member of the specified security group ("≠" sign).

          Note that the user list is filtered and displays device owners who are internal users.

          If this option is enabled, the profile is activated on the device in accordance with the criterion configured. You can specify a security group of Kaspersky Security Center Cloud Console. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

    • Rules for hardware specifications

      Select this check box to set up rules for policy profile activation on the device depending on the memory volume and the number of logical processors.

      For this option, specify at the next step:

      • RAM size, in MB

        Enable this option to configure and enable the rule of profile activation on the device by the RAM volume available on that device. In the drop-down list under the check box, you can select a criterion for the profile activation:

        • The device RAM size is less than the specified value ("<" sign).
        • The device RAM size is greater than the specified value (">" sign).

        If this option is enabled, the profile is activated on the device in accordance with the criterion configured. You can specify the RAM volume on the device. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

      • Number of logical processors

        Enable this option to configure and enable the rule of profile activation on the device by the number of logical processors on that device. In the drop-down list under the check box, you can select a criterion for the profile activation:

        • The number of logical processors on the device is less than or equal to the specified value ("<" sign).
        • The number of logical processors on the device is greater than or equal to the specified value (">" sign).

        If this option is enabled, the profile is activated on the device in accordance with the criterion configured. You can specify the number of logical processors on the device. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

    • Rules for role assignment

      For this option, specify at the next step:

      Activate policy profile by specific role of device owner

      Select this option to configure and enable the rule of profile activation on the device depending on the owner's role. Add the role manually from the list of existing roles.

      If this option is enabled, the profile is activated on the device in accordance with the criterion configured.

    • Rules for tag usage

      Select this check box to set up rules for policy profile activation on the device depending on the tags assigned to the device. You can activate the policy profile on devices that either have the selected tags or do not have them.

      For this option, specify at the next step:

      • Tag

        In the list of tags, specify the rule for device inclusion in the policy profile by selecting the check boxes next to the relevant tags.

        You can add new tags to the list by entering them in the field over the list and clicking the Add button.

        The policy profile includes devices with descriptions containing all the selected tags. If check boxes are cleared, the criterion is not applied. By default, these check boxes are cleared.

      • Apply to devices without the specified tags

        Enable this option if you have to invert your selection of tags.

        If this option is enabled, the policy profile includes devices with descriptions that contain none of the selected tags. If this option is disabled, the criterion is not applied.

        By default, this option is disabled.

    • Rules for Active Directory usage

      Select this check box to set up rules for policy profile activation on the device depending on the presence of the device in an Active Directory organizational unit (OU), or on membership of the device (or its owner) in an Active Directory security group.

      For this option, specify at the next step:

      • Device owner's membership in an Active Directory security group

        If this option is enabled, the policy profile is activated on the device whose owner is a member of the specified security group. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

      • Device membership in Active Directory security group

        If this option is enabled, the policy profile is activated on the device. If this option is disabled, the profile activation criterion is not applied. By default, this option is disabled.

      • Device allocation in Active Directory organizational unit

        If this option is enabled, the policy profile is activated on the device which is included in the specified Active Directory organizational unit (OU). If this option is disabled, the profile activation criterion is not applied.

        By default, this option is disabled.

    The number of additional pages of the wizard depends on the settings that you select at the first step. You can modify policy profile activation rules later.

  6. Check the list of the configured parameters. If the list is correct, click Create.

The profile will be saved. The profile will be activated on the device when activation rules are triggered.

Policy profile activation rules created for the profile are displayed in the policy profile properties on the Activation rules tab. You can modify or remove any policy profile activation rule.

Multiple activation rules can be triggered simultaneously.
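
The activation criteria described above can be dry-run against a device inventory before a rule is created, to see which profiles would activate on which devices and which devices no profile reaches. This is an added example, not Kaspersky code or a console feature: the `Device` and `Rule` classes, the inventory and the profile names are constructed, and the model assumes that every criterion enabled in a rule must hold and that a profile is active when any one of its rules triggers.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Device:                                  # constructed inventory record
    name: str
    status: str                                # "Online" or "Offline"
    ram_mb: int
    tags: frozenset = frozenset()

@dataclass(frozen=True)
class Rule:
    device_status: Optional[str] = None        # None models "N/A"
    ram_mb: Optional[Tuple[str, int]] = None   # ("<", 4096) or (">", 4096)
    tags: frozenset = frozenset()              # empty: tag criterion not applied
    without_tags: bool = False                 # "Apply to devices without the specified tags"

def rule_triggers(rule: Rule, dev: Device) -> bool:
    # Assumption: every criterion enabled in a rule must hold.
    if rule.device_status is not None and dev.status != rule.device_status:
        return False
    if rule.ram_mb is not None:
        op, limit = rule.ram_mb
        if not (dev.ram_mb < limit if op == "<" else dev.ram_mb > limit):
            return False
    if rule.tags:
        if rule.without_tags:
            return not (rule.tags & dev.tags)  # none of the selected tags
        return rule.tags <= dev.tags           # all of the selected tags
    return True

def active_profiles(profiles, dev):
    # profiles: list of (name, [Rule, ...]), top of the list (highest priority) first.
    # Assumption: a profile is active when any one of its rules triggers.
    return [name for name, rules in profiles
            if any(rule_triggers(r, dev) for r in rules)]

def uncovered(profiles, inventory):
    # Devices on which no profile activates, so only the base policy applies.
    return [d.name for d in inventory if not active_profiles(profiles, d)]

# Constructed sample data.
INVENTORY = [
    Device("LAPTOP-01", "Offline", 8192, frozenset({"laptop", "finance"})),
    Device("LAPTOP-02", "Online", 8192, frozenset({"laptop"})),
    Device("KIOSK-01", "Online", 2048, frozenset({"kiosk"})),
    Device("SRV-01", "Online", 32768),
]
PROFILES = [
    ("Off-network hardening", [Rule(device_status="Offline", tags=frozenset({"laptop"}))]),
    ("Low-memory scan settings", [Rule(ram_mb=("<", 4096))]),
    ("Untagged devices", [Rule(tags=frozenset({"laptop", "kiosk"}), without_tags=True)]),
]
```

Running `uncovered(PROFILES, INVENTORY)` on this sample reports `LAPTOP-02`: it is online, so the off-network profile does not apply, and it carries a selected tag, so the inverted tag rule excludes it.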

See also:

Policy setup and propagation: Device-centric approach

Scenario: Configuring network protection


Deleting a policy profile

To delete a policy profile:

  1. Proceed to the list of profiles of a policy that you want.

    The list of policy profiles appears.

  2. On the Policy profiles tab, select the check box next to the policy profile that you want to delete, and click Delete.
  3. In the window that opens, click Delete again.

The policy profile is deleted. If the policy is inherited by a lower-level group, the profile remains in that group, but becomes the policy profile of that group. This is done to avoid significant changes in the settings of the managed applications installed on the devices of lower-level groups.

See also:

Scenario: Configuring network protection
