ESET Online Help

Search English
Select the category
Select the topic

Flags

When merging policies, you can change the behavior by using policy flags. Flags define how a setting will be handled by the policy.

For each setting, you can select one of the following flags:

icon_no_apply_policy Not apply - Any setting with this flag is not set by policy. Because the setting is not forced, it can be changed by other policies later on.

icon_apply_policy Apply - Settings with this flag will be sent to the client. However, when merging policies, it can be overwritten by a later policy. When a policy is applied to a client computer and a specific setting has this flag, that setting is changed regardless of what was configured locally on the client. Because the setting is not forced, it can be changed by other policies later on.

icon_force_policy Force - Settings with the Force flag have priority and cannot be overwritten by a later policy (even if the later policy has a Force flag). This assures that this setting won’t be changed by later policies during merging.

To make navigation easier, all rules are counted. The number of rules you have defined in a specific section will be displayed automatically. Also, you'll see a number next to the category names in the tree on the left. This shows a sum of rules in all its sections. This way, you'll quickly see where and how many settings/rules are defined.

You can also use the following suggestions to make policy editing easier:

Use icon_apply_policy to set the Apply flag to all items in a current section

Use icon_no_apply_policy to delete rules applied to the items in the current section.


important

ESET security products version 7 and later:

icon_no_apply_policy Not apply flag turns individual policy settings to the default state on client computers.

How can Administrator allow users to see all policies


example

Administrator wants to allow user John to create or edit policies in his home group and allow John to see policies that are created by Administrator. Policies created by Administrator include icon_force_policy Force flags. User John can see all policies, but cannot edit policies created by Administrator because Read permission for Policies with access to Static Group All is set. User John can create or edit policies in his Home Group San Diego.

Administrator has to follow these steps:

Create environment

1.Create a new Static Group called San Diego.

2.Create new Permission set called Policy - All John with access to Static Group All and with Read permission for Policies.

3.Create a new Permission set called Policy John with access to Static Group San Diego, with functionality access Write permission for Group & Computers and Policies. This permission set allows John to create or edit policies in his Home Group San Diego.

4.Create new user John and in Permission Sets section select Policy - All John and Policy John.

Create policies

5.Create new policy All- Enable Firewall, expand Settings section, select ESET Endpoint for Windows, navigate to Network protection > Firewall > Basic and apply all settings by icon_force_policy Force flag. Expand the Assign section and select Static Group All.

6.Create new policy John Group- Enable Firewall, expand Setting section, select ESET Endpoint for Windows, navigate to Network protection > Firewall > Basic and apply all settings by icon_apply_policy Apply flag. Expand the Assign section and select Static Group San Diego.

Result

Policies created by Administrator will be applied first because they are assigned to group All. Settings with the icon_force_policy Force flag have priority and cannot be overwritten by a later policy. Then policies created by user John will be applied.

Navigate to More > Groups > San Diego, click the computer and select Details. In Configuration > Applied policies is the final policy application order.

admin_policy_flags_example

The first policy is created by Administrator and the second created by user John.

Home Group is automatically detected based on the assigned permission sets of the currently active user.


example

Example scenario:

The currently active user account has the Write access right for Software Install Client Task and the user account Home Group is "Department_1". When the user creates a new Software Install Client Task, "Department_1" will be automatically selected as the client task Home Group.

If the pre-selected Home Group does not meet your expectations, you can select the Home Group manually.