What is a one sentence summary of your feature request?
I would like the option to define both the order of processing and order of application (where applicable) related to user, machine, and switched modes/scopes within each respective Endpoint Policy Manager (EPM) product.
Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.
Request
I would like the option to define both the order of processing and order of application (where applicable) related to user, machine, and switched modes/scopes within each respective Endpoint Policy Manager (EPM) product.
Definitions
RSoP Products - EPM products that create an RSoP XML file (reference C:\ProgramData\PolicyPak[Product]\RSoP...):
File Associations Manager
Java Rules Manager
Endpoint Privilege Manager
Policy Scripts Manager
Non-RSoP Products - EPM products that do not create an RSoP XML file (no XML files nor directories found at C:\ProgramData\PolicyPak[Product]\RSoP...):
All other EPM products not listed above
TLP - Top Level Policy
IP - Internal Policy
Order of Processing - CSE initial processing of the IPs
Order of Application - CSE “second processing” or “second parsing” of respective RSoP products’ XML files
What I have found
Each product honors the link order priority as configured in the respective Company Group. However, and more importantly, it honors the link order with respect to how the CSE processes each scope. For example…
Policies:
Link order 1: Policy A: machine scope TLP with only machine scope IPs A1 and A2
Link order 2: Policy B: machine scope TLP with machine scope IPs B1 and B2 and user scope (switched) IPs B3 and B4
Link order 3: Policy C: machine scope TLP with only machine scope IPs C1 and C2
Link order 4: Policy D: machine scope TLP with machine scope IPs D1 and D2 and user scope (switched) IPs D3 and D4
Link order 5: Policy E: user scope TLP with only user scope IPs E1 and E2
Link order 6: Policy F: user scope TLP with only user scope IPs F1 and F2
Client-side Policy Processing Order:
F2, F1, E2, E1, D2, D1, C2, C1, B2, B1, A2, A1, D4, D3, B4, B3
That is, it honors the link order priority by processing the policy directives/IPs in reverse order, thereby honoring the “last applied wins” by applying the highest priority link order directive/IP last. However, notice that it processed the directives/IPs in the following order.
- User - User scope TLP, user scope IP
- Machine - Machine scope TLP, machine scope IP (i.e. it skips all switched policies, saving them to process last)
- Switched - Machine scope TLP, user scope (switched) IP
In other words, above is the initial client-side processing order. What the CSE does after or during the processing is where things seem to differentiate. For non-RSoP products, the respective client-side computer settings are configured during this initial processing. For RSoP products, the respective machine, switched, and user RSoP XML files are created during this initial processing. Then, the CSE parses the respective RSoPs as needed (e.g. when launching an EXE). For RSoP products, the CSE parses/processes the respective RSoP XML files in the following order.
- Machine
- Switched
- User
For RSoP products, this “second processing” is what I’m referring to as “order of application.” For RSoP products, the highest precedence machine scope policy will always win vs. a conflicting user scope policy, even if the user scope policy is a higher precedence as seen in the Policy Forecast/Modeling Report.
I understand that the local computer’s handling of local settings (e.g. how the local computer prioritizes HKLM or HKU policy keys) is outside of Netwrix’s control. This request is to be able to define both the initial processing order and the order of application (or “second processing order”) where applicable.
Why
EPM Cloud is machine-centric with regards to delivering policies. Our company has very user-centric targeting related to special access, rights, etc. Carving out special access, rights, policies, etc. gets awkward and sometimes difficult to troubleshoot when there are baseline machine policies. Allowing customers to choose the client-side order of operations would allow EPM to more easily align with all companies and customers.
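The following is an added model of the initial client-side processing order described under "What I have found"; it is illustrative code, not part of the request or of the EPM product. The IP/TLP names, scopes and link orders are constructed from the six example policies above, and the bucket names "user", "machine" and "switched" are labels chosen here for the three groupings the requester observed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class IP:
    """One Internal Policy (IP) inside a Top Level Policy (TLP). Constructed model."""
    name: str
    link_order: int   # link order of the TLP in its Company Group (1 = highest priority)
    tlp_scope: str    # "machine" or "user"
    ip_scope: str     # "machine" or "user"

def bucket(ip: IP) -> str:
    """Group an IP the way the observed CSE behaviour does: user-scope TLPs,
    machine-scope TLPs with machine IPs, and machine-scope TLPs with user
    ("switched") IPs, which the CSE saves to process last."""
    if ip.tlp_scope == "user":
        return "user"
    return "switched" if ip.ip_scope == "user" else "machine"

def processing_order(ips: list[IP]) -> list[str]:
    """Initial client-side processing order: the user bucket, then machine, then
    switched; inside each bucket IPs run in reverse link order (and reverse order
    within a TLP) so the highest-priority link is applied last."""
    order: list[IP] = []
    for scope in ("user", "machine", "switched"):
        group = [ip for ip in ips if bucket(ip) == scope]
        group.sort(key=lambda ip: (ip.link_order, ip.name), reverse=True)
        order.extend(group)
    return [ip.name for ip in order]

def last_applied_wins(order: list[str], directives: dict[str, dict[str, str]]) -> dict[str, str]:
    """Replay a processing order over per-IP settings (constructed key/value pairs);
    a later write to the same setting key overwrites an earlier one."""
    effective: dict[str, str] = {}
    for name in order:
        effective.update(directives.get(name, {}))
    return effective

# Constructed sample matching the six policies in the request (link orders 1-6).
POLICIES = [
    *(IP(f"A{i}", 1, "machine", "machine") for i in (1, 2)),
    *(IP(f"B{i}", 2, "machine", "machine") for i in (1, 2)),
    *(IP(f"B{i}", 2, "machine", "user") for i in (3, 4)),
    *(IP(f"C{i}", 3, "machine", "machine") for i in (1, 2)),
    *(IP(f"D{i}", 4, "machine", "machine") for i in (1, 2)),
    *(IP(f"D{i}", 4, "machine", "user") for i in (3, 4)),
    *(IP(f"E{i}", 5, "user", "user") for i in (1, 2)),
    *(IP(f"F{i}", 6, "user", "user") for i in (1, 2)),
]

if __name__ == "__main__":
    print(", ".join(processing_order(POLICIES)))
```

Replaying a conflicting setting through `last_applied_wins` shows the effect the request is about: a switched IP from link order 2 overwrites a user-scope IP from link order 6 because the switched bucket is processed last.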
How do you currently solve the challenges you have by not having this feature?
Machine policies with awkward ILTs targeting user groups (using unconventional methods to target said user groups as needed). This usually requires duplicate and/or multiple policies with ILTs to exclude from X policy because we have an ILTed policy Y for a respective group.
