Device Control Policy creation guideline when assigning to Everyone / All Users

Version 1

    Issue:

    Device Control policies assigned both to specific endpoints or endpoint groups and to the Everyone user group can result in unwanted permission leaks if those endpoints or endpoint groups are later deleted from the Web Console.

    Background Information:

    A Device Control policy can be assigned to Everyone/All Users in two ways, the explicit and the implicit method, as described below:

    Explicit:    In the Users tab of the assignment page for the policy, you select the built-in Everyone group and add it to the policy.

    Implicit:    You do not assign any users to the policy. The Device Control module takes this to mean that you want the policy applied to Everyone/all users on the specified endpoints or endpoint groups.

    Likewise, when you do not select any specific endpoints or endpoint groups for a Device Control policy, the system assumes you want the policy assigned to all endpoints that have Device Control.

    Cause:

    When specific endpoints or endpoint groups are deleted from the system, the Device Control policy generator on the EMSS/IES Application Server removes the references to the now-deleted endpoints or endpoint groups from the policy file the next time the policy is regenerated.

    If that Device Control policy uses the implicit “Everyone” method for assigning it to all users, the policy now has no directly assigned endpoints and no directly assigned users, so the policy is set to Unassigned. This keeps the resultant permissions of your other endpoints intact.

    If that Device Control policy uses the explicit “Everyone” method for assigning it to all users, the policy now has no directly assigned endpoints but still has the Everyone user group assigned, so the policy applies to ALL USERS ON ALL ENDPOINTS. This can change the resultant permissions of your other endpoints. You will need to review these possible changes to ensure any risks are mitigated.

    Resolution:

    The related policy generation/updating logic in the product will not be altered. At this time, it is recommended to use the implicit method of assigning policies to all users, so that the policy becomes Unassigned if its specific endpoints or endpoint groups are deleted.
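The following is an added illustrative model of the scoping rules described in the Background and Cause sections above; it is not EMSS/IES product code. It simulates an endpoint deletion against an explicit-Everyone and an implicit-Everyone policy and includes a check that flags policies exposed to the leak. Policy and endpoint names are constructed sample values.

```python
# Model of the Device Control policy scoping rules described in this article.
# Illustrative simulation only, not the EMSS/IES policy generator itself.
from dataclasses import dataclass, field

EVERYONE = "Everyone"  # built-in user group used by the explicit method


@dataclass
class Policy:
    name: str
    endpoints: set = field(default_factory=set)  # directly assigned endpoints/groups
    users: set = field(default_factory=set)      # directly assigned users/groups; empty = implicit Everyone


def regenerate(policy: Policy, existing_endpoints: set) -> Policy:
    """Regeneration drops references to endpoints no longer in the Web Console."""
    return Policy(policy.name, policy.endpoints & existing_endpoints, set(policy.users))


def scope(policy: Policy, all_endpoints: set) -> tuple:
    """Return (endpoints the policy applies to, state) under the article's rules:
    no endpoints and no users -> Unassigned;
    no endpoints but users assigned -> all endpoints with Device Control;
    endpoints assigned -> just those endpoints."""
    if not policy.endpoints and not policy.users:
        return set(), "Unassigned"
    targets = set(policy.endpoints) if policy.endpoints else set(all_endpoints)
    return targets, "Assigned"


def simulate_deletion(policy: Policy, all_endpoints: set, deleted: set) -> tuple:
    """Delete endpoints, regenerate the policy, and report its resulting scope."""
    remaining = all_endpoints - deleted
    return scope(regenerate(policy, remaining), remaining)


def leaks_on_endpoint_deletion(policy: Policy) -> bool:
    """True for the risky combination: specific endpoints plus explicit Everyone."""
    return bool(policy.endpoints) and EVERYONE in policy.users


if __name__ == "__main__":
    # Constructed sample: one lab endpoint scoped by two variants of the same policy.
    fleet = {"LAB-01", "HR-01", "FIN-01"}
    explicit = Policy("usb-block", {"LAB-01"}, {EVERYONE})
    implicit = Policy("usb-block", {"LAB-01"})
    print("explicit after deleting LAB-01:", simulate_deletion(explicit, fleet, {"LAB-01"}))
    print("implicit after deleting LAB-01:", simulate_deletion(implicit, fleet, {"LAB-01"}))
    print("explicit policy at risk:", leaks_on_endpoint_deletion(explicit))
```

Running the block shows the explicit variant spreading to HR-01 and FIN-01 after LAB-01 is deleted, while the implicit variant becomes Unassigned.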