How flags work

The policy that is applied to a client computer is usually the result of multiple policies being merged into one final policy. When merging policies, you can adjust the expected behavior of the final policy, due to the order of applied policies, by using policy flags. Flags define how the policy will handle a specific setting.

For each setting, you can select one of the following flags:

icon_no_apply_policy Not apply

Any setting with this flag is not set by the policy. Since the setting is not set by the policy, it can be changed by other policies applied later.

icon_apply_policy Apply

Settings with the Apply flag will be applied to the client computer. However, when merging policies, it can be overwritten by other policies applied later. When a policy is sent to a client computer containing settings marked with this flag, those settings will change the local configuration of the client computer. Since the setting is not forced, it can still be changed by other policies applied later.

icon_force_policy Force

Settings with the Force flag have priority and cannot be overwritten by any policy applied later (even if it also has a Force flag). This assures that other policies applied later won't be able to change this setting during merging. When a policy is sent to a client computer containing settings marked with this flag, those settings will change the local configuration of the client computer.


example

Scenario: The Administrator wants to allow user John to create or edit policies in his home group and see all policies created by the Administrator including Policies that haveicon_force_policy Force flags. The Administrator wants John to be able to see all policies, but not edit existing policies created by Administrator. John can only create or edit policies within his Home Group, San Diego.

Solution: Administrator has to follow these steps:

Create custom static groups and permission sets

1.Create a new Static Group called San Diego.

2.Create a new Permission set called Policy - All John with access to the Static Group All and with Read permission for Policies.

3.Create a new Permission set called Policy John with access to Static Group San Diego, with functionality access Write permission for Group & Computers and Policies. This permission set allows John to create or edit policies in his Home Group San Diego.

4.Create a new user John and in the Permission Sets section select Policy - All John and Policy John.

Create policies

5.Create a new policy All- Enable Firewall, expand the Settings section, select ESET Endpoint for Windows, navigate to Personal Firewall > Basic and apply all settings by icon_force_policy Force flag. Expand the Assign section and select the Static Group All.

6.Create a new policy John Group- Enable Firewall, expand the Setting section, select ESET Endpoint for Windows, navigate to Personal Firewall > Basic and apply all settings by icon_apply_policy Apply flag. Expand the Assign section and select Static Group San Diego.

Result

The Policies created by Administrator will be applied first since icon_force_policy Force flags were applied to the policy settings. Settings with the Force flag applied have priority and cannot be overwritten by another policy applied later. The policies that are created by user John will be applied after the policies created by the Administrator.

To see the final policy order, navigate to More > Groups > San Diego. Select the computer and select Show details. In the Configuration section, click Applied policies.