About policy profiles

Sometimes it may be necessary to create several instances of a single policy for different administration groups; you might also want to modify the settings of those policies centrally. These instances might differ by only one or two settings. For example, all the accountants in an enterprise work under the same policy—but senior accountants are allowed to use flash drives, while junior accountants are not. In this case, applying policies to devices only through the hierarchy of administration groups can be inconvenient.

To help you avoid creating several instances of a single policy, Kaspersky Security Center allows you to create policy profiles. Policy profiles are necessary if you want devices within a single administration group to run under different policy settings.

A policy profile is a named subset of policy settings. This subset is distributed on target devices together with the policy, supplementing it under a specific condition called the profile activation condition. Profiles only contain settings that differ from the "basic" policy, which is active on the managed device. Activation of a profile modifies the settings of the "basic" policy that were initially active on the device. The modified settings take values that have been specified in the profile.

Following is a scenario where policy profiles are useful:

Scenario

Modification of policy settings for some devices in a single administration group. You can configure policy profiles for such a policy, which allows you to edit policy settings for selected devices in the administration group. For example, the policy bars any GPS navigation software on all devices in the Users administration group. GPS navigation software is necessary only on a single device in the Users administration group—the device owned by a courier. Because of the policy profile support, you do not have to create a separate group for couriers or create a policy for this group. Instead, you can tag that device as "Courier" or assign a "Courier" role to its owner. Then you create a policy profile allowing GPS navigation software to run only on the "Courier" device or on the device whose owner has the "Courier" role. All the other policy settings are preserved. If a "Courier" device, or a user device whose owner has the "Courier" role, appears in the Users administration group, it will be allowed to run GPS navigation software. Running GPS navigation software will still be prohibited on other devices in the Users administration group unless they, too, are tagged as "Courier" or belong to a user that has been assigned the "Courier" role.

You can create profiles only for Kaspersky Endpoint Security for Windows policies.

Advantages of policy profiles

Policy profiles simplify management of the devices that the policies apply to:

Properties and restrictions of policy profiles

Profiles have the following properties:

Page top