Policy setup and propagation: User-centric approach

This section describes the user-centric approach to the centralized configuration of Kaspersky Lab applications installed on the managed devices. When you complete this scenario, the applications will be configured on all of the managed devices in accordance with the application policies and policy profiles that you define.

This scenario can only be implemented through Kaspersky Security Center 11 Web Console.

Prerequisites

Before you start, make sure that you have successfully installed Kaspersky Security Center 11 Administration Server and Kaspersky Security Center 11 Web Console, and completed the main deployment scenario. You might also want to consider device-centric security management as an alternative or additional option to the user-centric approach. Learn more about the two management approaches.

Process

The scenario of user-centric management of Kaspersky Lab applications consists of the following steps:

  1. Configuring application policies

    Configure settings for Kaspersky Lab applications installed on the managed devices by creating a policy for each application. The set of policies will be propagated to the client devices.

    When you configure the protection of your network in Quick Start Wizard, Kaspersky Security Center creates the default policy for Kaspersky Endpoint Security. If you completed the configuration process by using this Wizard, you do not have to create a new policy for this application. Proceed to the manual setup of Kaspersky Endpoint Security policy.

    If you have a hierarchical structure of several Administration Servers and/or administration groups, the slave Administration Servers and child administration groups inherit the policies from the master Administration Server by default. You can force the inheritance by the child groups and slave Administration Servers to prohibit any modifications of the settings configured in the upstream policy. If you want only part of the settings to be forcibly inherited, you can lock them in the upstream policy. The remaining unlocked settings will be available for modification in the downstream policies. The created hierarchy of policies will allow you to effectively manage devices in the administration groups.

    How-to instructions: Creating a policy

  2. Specifying owners of the devices

    Assign the managed devices to the corresponding users.

    How-to instructions: Assigning a user as a device owner

  3. Defining user roles typical for your enterprise

    Think about the different kinds of work that the employees of your enterprise typically perform. You must divide all employees in accordance with their roles. For example, you can divide them by departments, professions, or positions. After that, you will need to create a user role for each group. Keep in mind that each user role will have its own policy profile containing application settings specific to this role.

  4. Creating user roles

    Create and configure a user role for each group of employees that you defined in the previous step, or use the predefined user roles. Each user role contains a set of access rights to the application features.

    How-to instructions: Creating a user role

  5. Defining the scope of each user role

    For each of the created user roles, define users and/or security groups and administration groups. Settings associated with a user role apply only to devices that belong to users who have this role, and only if these devices belong to groups associated with this role, including child groups.

    How-to instructions: Editing the scope of a user role

  6. Creating policy profiles

    Create a policy profile for each user role in your enterprise. The policy profiles define which settings will be applied to the applications installed on users' devices depending on the role of each user.

    How-to instructions: Creating a policy profile

  7. Associating policy profiles with the user roles

    Associate the created policy profiles with the user roles. After that, the policy profile becomes active for a user that has the specified role. The settings configured in the policy profile will be applied to the Kaspersky Lab applications installed on the user's devices.

    How-to instructions: Associating policy profiles with roles

  8. Propagating policies and policy profiles to the managed devices

    By default, Kaspersky Security Center automatically synchronizes the Administration Server with the managed devices every 15 minutes. During the synchronization, the new or changed policies and policy profiles are propagated to the managed devices. You can circumvent auto-synchronization and run the synchronization manually by using the Force synchronization command. When synchronization is complete, the policies and policy profiles are delivered and applied to the installed Kaspersky Lab applications.

    You can check whether the policies and policy profiles were delivered to a device. Kaspersky Security Center specifies the delivery date and time in the properties of the device.

    How-to instructions: Forced synchronization
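The lock rule from step 1 and the role-scope rule from steps 5 and 7, modelled as an added example (this is not Kaspersky Security Center code or its API). The group, user, role and setting names are constructed, and the rule that an active profile's values replace the policy's values for the same settings is an assumption.

```python
from collections import namedtuple

# Constructed administration group tree (child -> parent).
PARENT = {"Managed devices": None, "Finance": "Managed devices",
          "Finance/Laptops": "Finance", "Engineering": "Managed devices"}

# users: holders of the role; groups: administration groups in its scope;
# profile: settings of the policy profile associated with the role (step 7).
Role = namedtuple("Role", "name users groups profile")

ROLES = [  # constructed sample roles and setting names
    Role("Accountant", {"alice"}, {"Finance"}, {"usb_storage": "block"}),
    Role("Developer", {"bob"}, {"Engineering"}, {"usb_storage": "read_only"}),
]

def in_scope(group, scope_groups):
    """True if group is in scope_groups or is a child, at any depth, of one."""
    while group is not None:
        if group in scope_groups:
            return True
        group = PARENT[group]
    return False

def active_roles(owner, device_group, roles=ROLES):
    """Step 5: the owner must hold the role AND the device's group must be in scope."""
    return [r.name for r in roles
            if owner in r.users and in_scope(device_group, r.groups)]

def inherit(upstream, locked, downstream):
    """Step 1: locked upstream settings win; unlocked ones may be changed downstream."""
    merged = dict(upstream)
    merged.update({k: v for k, v in downstream.items() if k not in locked})
    return merged

def effective_settings(owner, device_group, policy, roles=ROLES):
    """Assumption: an active profile's values replace the policy's for the same keys."""
    settings = dict(policy)
    for role in roles:
        if role.name in active_roles(owner, device_group, roles):
            settings.update(role.profile)
    return settings

if __name__ == "__main__":
    policy = inherit({"usb_storage": "allow", "scan": "daily"}, {"scan"},
                     {"scan": "never", "usb_storage": "allow"})
    for owner, group in [("alice", "Finance/Laptops"), ("alice", "Engineering")]:
        print(owner, group, effective_settings(owner, group, policy))
```

In this model, a device whose owner holds a role but whose administration group lies outside that role's scope keeps the plain policy settings, which is the case to check when a stricter profile is expected on every device of a user.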

Results

When the user-centric scenario is complete, the Kaspersky Lab applications are configured according to the settings specified and propagated through the hierarchy of policies and policy profiles.

For a new user, you will have to create a new account, assign the user one of the created user roles, and assign the devices to the user. The configured application policies and policy profiles will be automatically applied to the devices of this user.

See also:

Main deployment scenario and other deployment scenarios

A hierarchy of Administration Servers

Administration groups

Policies

About policy profiles

Hierarchy of policies

About user roles
