ESET Online Help


Policies

Policies are used to push specific configurations to ESET products running on client computers. This allows you to avoid configuring each client's ESET product manually. A policy can be applied directly to individual Computers as well as groups (Static and Dynamic). You can also assign multiple policies to a computer or a group.

Policies and permissions

The user must have sufficient permissions to create and assign policies. The permissions needed for specific policy actions are:

To read the list of policies and their configuration, a user needs Read permission.

To assign policies to targets, a user needs Use permission.

To create, modify or edit policies, a user needs Write permission.

See the list of permissions for more information on access rights.

A lock icon appears next to locked (uneditable) policies. These are specific built-in policies (for example, the Auto-updates policy or ESET LiveGuard policies) or policies for which the user has Read permission but not Write permission.


Example

If user John needs only to read policies created by himself, Read permission for Policies is needed.

If user John wants to assign certain policies to computers, he needs Use permission for Policies and Use permission for Groups and Computers.

To give John full access to policies, the Administrator must set Write permission for Policies.

Policy application

Policies are applied in the order that Static Groups are arranged. This is not true for Dynamic Groups, where child Dynamic Groups are traversed first. This allows you to apply policies with higher impact at the top of the Group tree and apply more specific policies for subgroups. Using flags, an ESET PROTECT On-Prem user with access to groups located higher in the tree can override the policies of lower groups. The algorithm is explained in detail in How Policies are applied to clients.

Policy removal rules

When you have a policy in place and decide to remove it later on, the resulting configuration of the client computers depends on the version of the ESET security product installed on the managed computers:

When you remove a policy or select the Not apply flag, the configuration automatically reverts to the previous local values. When a computer leaves a Dynamic Group where specific policy settings were in place, these policy settings are removed from the computer. This behavior applies to:

ESET security products for Windows: version 7 and later

ESET security products for macOS: version 7 and later

ESET security products for Linux: version 8.1 and later

ESET security products earlier than those listed above: The configuration will not automatically revert to the original settings after the policy is removed. The configuration will remain as set by the last policy that was applied to the clients. The same thing happens when a computer becomes a member of a Dynamic Group to which a certain policy is applied that changes the computer's settings. These settings remain even if the computer leaves the Dynamic Group. Therefore, we recommend that you create a policy with default settings and assign it to the root group (All) to have the settings revert to defaults in such a situation. This way, when a computer leaves a Dynamic Group that changed its settings, this computer will revert to default settings.

Merging policies

A policy applied to a client is usually the result of multiple policies being merged into one final policy.


Note

We recommend that you assign more generic policies (for example, the update server) to groups that are higher in the group tree. More specific policies (for example, device control settings) should be assigned deeper in the group tree. The lower policy usually overrides the settings of the upper policies when merged (unless defined otherwise using policy flags).
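
The merge order and removal behavior described above, as an added example that is not ESET's code or part of the original page: a simplified Python model in which policies are merged from the top of the group tree down, and removing a policy lets a setting fall back to its local value. The Apply and Force flags and their semantics, and all policy names, setting names and values, are assumptions made for illustration; the actual algorithm is described in How Policies are applied to clients.

```python
# Simplified model of policy merging (illustration only, not ESET's code).
# Assumed flag semantics: NOT_APPLY leaves the setting untouched, APPLY sets
# it but a later policy may override it, FORCE sets it and locks it.
NOT_APPLY, APPLY, FORCE = "not_apply", "apply", "force"


def merge_policies(local_settings, policies):
    """Merge policies in application order (group-tree root first).

    local_settings: dict of setting -> locally configured value
    policies: list of (policy_name, {setting: (flag, value)})
    Returns (effective, source): effective values and which policy set each.
    """
    effective = dict(local_settings)
    source = {name: "local" for name in local_settings}
    locked = set()  # settings already fixed by a FORCE flag higher up
    for policy_name, settings in policies:
        for setting, (flag, value) in settings.items():
            if flag == NOT_APPLY or setting in locked:
                continue  # policy does not touch it, or it is locked
            effective[setting] = value
            source[setting] = policy_name
            if flag == FORCE:
                locked.add(setting)
    return effective, source


# Constructed sample data: setting names and values are hypothetical.
LOCAL = {"update_server": "auto", "device_control": "off", "realtime_scan": "on"}
ROOT = ("All: baseline", {
    "update_server": (APPLY, "mirror.example.internal"),
    "realtime_scan": (FORCE, "on"),
})
SUBGROUP = ("Lab: relaxed", {
    "update_server": (NOT_APPLY, None),
    "device_control": (APPLY, "block_usb"),
    "realtime_scan": (APPLY, "off"),  # tries to weaken a forced setting
})

if __name__ == "__main__":
    for label, chain in (("both policies", [ROOT, SUBGROUP]),
                         ("subgroup policy removed", [ROOT])):
        effective, source = merge_policies(LOCAL, chain)
        print(label)
        for setting in sorted(effective):
            print(f"  {setting} = {effective[setting]} (from {source[setting]})")
```

In this model the subgroup policy cannot turn off the forced setting, and once the subgroup policy is removed the device control setting returns to its local value, as the page describes for the product versions listed under Policy removal rules.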