Apply policies

This topic introduces the EPM policies , which manage and audit access to applications on endpoint computers.

Overview

This diagram shows the steps you perform to define EPM policies. Click any step to see more information.

Permissions

Users require the following user role permissions to call this API:

  • The relevant policy permissions under Policy New UI

  • All End-User UI > End-User UI (Privilege Management only) permissions in at least View only mode

  • The Advanced > Configuration > View Global Agent Configuration permission

View existing policies

The Policies page displays a list of the policies that are available to your EPM deployment. Some of these are predefined and others are customized, meaning that they were created after your initial EPM deployment.

You can filter the displayed policies to view a list that contains a specific type of policy. The most common filters are displayed in the filter pane. To view the complete list of filters, click All filters.

By default, this page displays application policies. However, you can select any other policy category to display a different type of policy.

The following table describes the available policy categories.

Category

Description

Application policies

Define common application behavior on all endpoints in the Set. For more details, see Application policies.

Credentials rotation policies

Manage credentials on endpoints that are not always accessible from the network. For more details, see Credentials Rotation.

Privilege threat protection policies

Detect and block specific application threats to your system's security. For more details, see Protect against credential theft.

Script distribution policies

Deploy attached scripts or enforce execution of the attached script on the target computers. These scripts and their child processes run without elevation. For more details, see Script distribution policies.

User policies

Manage individual or groups of users by giving them just-in-time (JIT) permissions or specific access.

For more details, see User policies.

Manage policies

You can manage any of the policies in the list with the options that are available to each policy.

In the line of the policy to manage, click the More actions (...) button and select the relevant option, as described in the following table.

Option

Allows you to ...

Edit

Display the policy details and edit existing settings.

Duplicate and change

Copy the policy and change its settings.

Activate or Deactivate

Activate or deactivate this policy immediately.

Export

Export the selected policy to an external file.

Delete

Delete the selected policy.

Export policies

You can export polices to an external file, either individually or all together. When EPM exports policy files, it saves them in an epmp file.

To export a single user policy

  1. In the policies list, in the row of the policy to export, click the More actions (...) button and then select Export.

  2. Confirm that you want to export that specific policy.

EPM exports the policy, and saves it in a policies file in your downloads folder. This file uses the following naming convention: Policies-<timestamp>.epmp.

To export all policies

  1. In the policies list, click the drop-down arrow next to the Create policy button, and select the option to export all policies.

  2. Confirm that you want to export all the policies.

EPM exports the policies, and saves them in a policies file in your downloads folder. This file uses the following naming convention: Policies-<timestamp>.epmp.

Import policies

You can import policies using an epmp file. For details, see Export policies, above.

To import policies

  1. In the policies list, click the drop-down arrow next to the Create policy button, and select the option to import all policies.

    To import policies that use the previous format, select Import policies - old End User UI format.

  2. In the Policies import window, click Browse... and select the policies epmp file, then click Open.

EPM imports the policies, and displays them in the policies list together with the current policies.

Push active policies to endpoints

You can push active policies to endpoints at any time, to ensure that EPM is managing endpoint activities according to the most recent policy updates.

To push policies to endpoints

  1. In the policies list, click the drop-down arrow next to the Create policy button, and select Push active policies to agents.

  2. Confirm that you want to push all the active policies to the EPM agents.

Child processes

Child processes apply the policy to the immediate children of an elevated process, and also to their children (all descendants).

When you apply a policy to the child processes of an application, any process launched by the application or its children use the same security token as the application. Use the Include child processes option with caution and only for applications that require it.

For example, when you apply the Elevate action to an application, all descendants of the elevated application run with elevated privileges as well. Other policies, even if they have a higher priority, do not apply to these descendants. Similarly, when you apply the Allow action to an application, it is applied to all of the application's descendants and prevents other policies (Block or Elevate) from being applied, even if they have a higher priority.

Child processes and trust policies

When starting a new application that meets the criteria of a Trust policy, the EPM agent automatically identifies whether users require admin rights to run the application, in which case the agent elevates the application privileges. Otherwise, the application runs normally.

If, according to the policy, the Trust action is only applied to its target application (without child processes), the application’s children are elevated by the EPM agent just like any other applications. These child processes run with current user rights, or the EPM agent may apply other policies to the child processes.

There are two main consequences to applying the Trust action to the policy's target application and its children (including all descendants):

  • The EPM agent does not apply any other policies to the application children, grandchildren, or any of its descendants.

  • Privilege elevation in this case works as follows:

    1. If the EPM agent determines that the application requires admin rights, the application and all its descendants are elevated.

    2. If the application does not require admin rights, it runs normally. The EPM agent checks whether admin rights are required for each descendant.

    3. Once the EPM agent determines that a descendant application requires admin rights, this application and all its descendants are elevated.

Example

Applications are started as follows: A launches B, B launches C and so on: A -> B -> C -> D -> E -> …

  • Application A is covered by a Trust policy with child processes.

  • Applications A and B do not require admin rights.

  • Application C requires admin rights.

  • Applications D and E may or may not require admin rights – it does not matter.

Result

A (normal rights) -> B (normal rights) -> C (elevated) -> D (elevated) -> E (elevated) -> all following descendants… (elevated)