LEMSS DC frequent policy generation explained

Version 1


    Lumension Endpoint Management and Security Suite (LEMSS) 7.3 SP1 with the Lumension Device Control (LDC) module


    Whenever a DC policy is changed manually in the UI, or the membership of a computer group that has DC policies assigned changes, a DC policy generation run is started.

    The resulting policy is written on the LEMSS server to: \Program Files (x86)\HEATsoftware\EMSS\Content\EDSAgents\DCPolicyFiles. If you have assigned DC policies to Computer Groups (Directory Service groups or Custom groups) and their membership changes often, you will see DC policies generated at this location frequently, once per membership change.
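    To put a number on "frequently" before engaging Support, the following script (an added example, not part of the HEATsoftware article or product) counts policy files written in the DCPolicyFiles folder per hour and flags bursts. It assumes the folder sits under Program Files (x86) as stated above; the policy file names are not documented here, so it keys only on file timestamps, and the alert threshold of 10 writes per hour is an assumed value to adjust to your environment.

```powershell
# Added example (not HEAT/Lumension code): measure how often Device Control
# policy files are (re)generated on the LEMSS server.
# Assumptions: DCPolicyFiles is under Program Files (x86) as the article
# states; file names are undocumented here, so only LastWriteTime is used;
# the $AlertThreshold value is a placeholder. Run in an elevated PowerShell.

param(
    [string]$PolicyDir = (Join-Path ${env:ProgramFiles(x86)} 'HEATsoftware\EMSS\Content\EDSAgents\DCPolicyFiles'),
    [int]$LookbackHours  = 24,
    [int]$AlertThreshold = 10    # assumed: regenerations per hour worth a look
)

if (-not (Test-Path -LiteralPath $PolicyDir)) {
    Write-Error "Policy directory not found: $PolicyDir"
    exit 1
}

$since = (Get-Date).AddHours(-$LookbackHours)

# Every file written since $since belongs to one generation run.
$recent = @(Get-ChildItem -LiteralPath $PolicyDir -File -Recurse |
    Where-Object { $_.LastWriteTime -ge $since })

if ($recent.Count -eq 0) {
    Write-Host "No policy files written in the last $LookbackHours hours."
    exit 0
}

# Bucket by hour so bursts tied to group-membership churn stand out.
$perHour = $recent |
    Group-Object { $_.LastWriteTime.ToString('yyyy-MM-dd HH:00') } |
    Sort-Object Name |
    ForEach-Object {
        $flag = ''
        if ($_.Count -ge $AlertThreshold) { $flag = 'HIGH' }
        [pscustomobject]@{
            Hour  = $_.Name
            Files = $_.Count
            Flag  = $flag
        }
    }

$perHour | Format-Table -AutoSize

# Summary line: total writes and the busiest hour in the window.
$busiest = $perHour | Sort-Object Files -Descending | Select-Object -First 1
Write-Host ("Total files written: {0}; busiest hour: {1} ({2} files)" -f `
    $recent.Count, $busiest.Hour, $busiest.Files)
```

Hours marked HIGH that do not line up with deliberate policy edits are the signature of policies assigned to groups whose membership is churning; compare the timestamps with your directory-sync or group-change schedule to confirm.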


    Per the LEMSS DC Best Practices guide (available on the HEATsoftware Customer Portal), it is best to assign Device Control policies to AD User Groups. In most deployments this is how you want to enforce policies, rather than by endpoint group. This can be a shift in thinking, especially for operational IT organizations accustomed to managing other functions such as patching or anti-virus per endpoint.

    Using User Groups allows for more efficient policy distribution and enforcement by LDC, and ultimately reduces your administrative workload after LDC is deployed. Assigning policies to Endpoints and Endpoint Groups is less efficient, so use it only where required: hardware changes, gets refreshed and sometimes moves, keeping your policies in step with those changes is a challenge, and every resulting change in group membership triggers another policy generation.


    Support can implement a configuration change on the server that prevents DC policy generation from running for a definable period after the last DC policy generation. This mitigates very frequent DC policy generation where the best practice for DC policy configuration cannot be followed. Note that while generation is suppressed, policy edits and membership changes are not reflected in the generated policy until the period elapses, so choose the period with that delay in mind. Contact HEATsoftware Technical Support if you are interested in this change.