This section provides a scenario for a device-centric approach to the centralized configuration of Kaspersky Lab applications installed on managed devices. When you complete this scenario, the applications will be configured on all of the managed devices in accordance with the application policies and policy profiles that you define.
Before you start, make sure that you have successfully installed Kaspersky Security Center 11 Administration Server and Kaspersky Security Center 11 Web Console. If you installed Kaspersky Security Center 11 Web Console, you might also want to consider user-centric security management as an alternative or additional option to the device-centric approach.
The scenario of device-centric management of Kaspersky Lab applications consists of the following steps:
Configure settings for Kaspersky Lab applications installed on the managed devices by creating a policy for each application. The set of policies will be propagated to the client devices.
When you configure the protection of your network in the Quick Start Wizard, Kaspersky Security Center creates the default policy for Kaspersky Endpoint Security for Windows. If you completed the configuration process by using this Wizard, you do not have to create a new policy for this application. Proceed to the manual setup of the Kaspersky Endpoint Security policy.
If you have a hierarchical structure of several Administration Servers and/or administration groups, the slave Administration Servers and child administration groups inherit the policies from the master Administration Server by default. You can force inheritance on the child groups and slave Administration Servers to prohibit any modifications of the settings configured in the upstream policy. If you want only part of the settings to be forcibly inherited, you can lock them in the upstream policy. The remaining unlocked settings will be available for modification in the downstream policies. The resulting hierarchy of policies allows you to manage devices in the administration groups effectively.
If you want devices within a single administration group to run under different policy settings, create policy profiles for those devices. A policy profile is a named subset of policy settings. This subset is distributed to target devices together with the policy, supplementing it under a specific condition called the profile activation condition. Profiles only contain settings that differ from the "basic" policy, which is active on the managed device.
By using profile activation conditions, you can apply different policy profiles, for example, to devices that are located in a specific unit or security group of Active Directory, that have a specific hardware configuration, or that are marked with specific tags. Use tags to filter devices that meet specific criteria. For example, you can create a tag called Windows, mark all devices running a Windows operating system with this tag, and then specify this tag as an activation condition for a policy profile. As a result, Kaspersky Lab applications installed on all devices running Windows will be managed by their own policy profile.
By default, Kaspersky Security Center automatically synchronizes the Administration Server with the managed devices every 15 minutes. During the synchronization, the new or changed policies and policy profiles are propagated to the managed devices. You can circumvent auto-synchronization and run the synchronization manually by using the Force synchronization command. When synchronization is complete, the policies and policy profiles are delivered and applied to the installed Kaspersky Lab applications.
If you use Kaspersky Security Center 11 Web Console, you can check whether the policies and policy profiles were delivered to a device. Kaspersky Security Center specifies the delivery date and time in the properties of the device.
When the device-centric scenario is complete, the Kaspersky Lab applications are configured according to the settings specified and propagated through the hierarchy of policies.
The configured application policies and policy profiles will be applied automatically to the new devices added to the administration groups.
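The inheritance, locking, and profile-activation rules described above can be reasoned about with a small conceptual model. This is an added example, not Kaspersky Security Center code or its API: the class names, setting names, tag, and sample policies are constructed, and the model assumes a profile's values simply overlay the active policy.

```python
# Conceptual model only: hypothetical names, not a Kaspersky Security Center API.
from dataclasses import dataclass, field

@dataclass
class Policy:
    settings: dict                              # setting name -> value
    locked: set = field(default_factory=set)    # settings locked for downstream policies
    force_inheritance: bool = False             # downstream may not modify anything

@dataclass
class Profile:
    name: str
    required_tag: str   # activation condition: the device carries this tag
    overrides: dict     # only the settings that differ from the basic policy

def inherit(upstream: Policy, downstream_changes: dict):
    """Return (effective settings, downstream changes that were rejected)."""
    effective = dict(upstream.settings)
    rejected = {}
    for name, value in downstream_changes.items():
        if upstream.force_inheritance or name in upstream.locked:
            rejected[name] = value      # the upstream value stays in force
        else:
            effective[name] = value
    return effective, rejected

def apply_profiles(policy_settings: dict, profiles: list, device_tags: set):
    """Supplement the active policy with every profile whose condition is met."""
    effective = dict(policy_settings)
    active = []
    for profile in profiles:
        if profile.required_tag in device_tags:
            effective.update(profile.overrides)
            active.append(profile.name)
    return effective, active

# Constructed sample data (setting names are illustrative, not product settings).
MASTER = Policy(
    settings={"file_protection": "on", "password_protection": "on", "scan_schedule": "weekly"},
    locked={"file_protection", "password_protection"})
CHILD_CHANGES = {"file_protection": "off", "scan_schedule": "daily"}
PROFILES = [Profile("windows-profile", "Windows", {"scan_schedule": "hourly"})]

if __name__ == "__main__":
    base, rejected = inherit(MASTER, CHILD_CHANGES)
    print("child group policy:", base, "| rejected:", rejected)
    print("tagged device:", apply_profiles(base, PROFILES, {"Windows"}))
    print("untagged device:", apply_profiles(base, PROFILES, set()))
```

The rejected-changes output is the part worth reviewing when auditing a policy hierarchy: it lists the downstream modifications that a lock or forced inheritance keeps from taking effect.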