twerck

Rule to automatically move machines between managed groups based on tags


We're looking to squeeze more bandwidth out of one of our major sites and I've been approached to see about configuring Kaspersky clients at this location to get their updates through the administration server (also located on-site) instead of going out and pulling updates down from the Internet. I believe the simple solution would be to update our "Update" task so that our priority update source for endpoints to pull down updates is "Kaspersky Security Center" - in my environment we currently have "Kaspersky Lab Update Servers" set as the priority, as the majority of our endpoints are located off-site. It seems that I need to separate the endpoints in this major site into their own group so that they can be targeted by the new task that prioritizes KSC as the update source. The problem is that all endpoints are in a single management group and so I'm trying to figure out a way to automatically move out endpoints located at this major site from this main group into their own group so that I can assign this new task to it.

I've tested with tagging and it looks like I can "tag" a machine if it's located on a specific subnet but there doesn't seem to be a way to target "tagged" machines with a rule that would move them into their own management group. Is this possible? Is it possible to target a tag with a task?

16 minutes ago, Konstantin Antonov said:

Hi,

Could you please specify the versions that you use?

Thank you!

Hi Konstantin,

All endpoints in my environment are on KES 11.0. Kaspersky Security Center is on 10.5.1781.

Thanks!

14 hours ago, Ivan.Ponomarev said:

Hello!

Please check this article: https://help.kaspersky.com/KSC/SP3/en-US/3908.htm 

Thanks!

Hi Ivan,

Thanks for the response!
My concern with this method is that this site is quite busy with many mobile endpoints frequently joining and leaving its subnets, and so I'd like to find a way to have Kaspersky Security Center automatically scan these subnets to move and remove endpoints from these groups accordingly. Is that possible through this method?

Thanks.

12 hours ago, twerck said:

Thanks for the response!
My concern with this method is that this site is quite busy with many mobile endpoints frequently joining and leaving its subnets, and so I'd like to find a way to have Kaspersky Security Center automatically scan these subnets to move and remove endpoints from these groups accordingly. Is that possible through this method?

Hi,

If I understood you correctly you should use the following feature - https://help.kaspersky.com/KSC/SP3/en-US/92437.htm

Thank you!

On 2/8/2019 at 11:23 PM, Konstantin Antonov said:

Hi,

If I understood you correctly you should use the following feature - https://help.kaspersky.com/KSC/SP3/en-US/92437.htm

Thank you!

Hello Konstantin,

Yes, thank you! This seems to be exactly what I'm looking for! One question - if I create a rule that basically says "Move all clients with an IP address on this subnet to this group", that is set to run "Permanently", what will happen when one of the clients that are moved into this group no longer has an IP address on this subnet so that it no longer matches the parameters within these? Or will I need to create a separate rule that targets all subnets but the one in the previous rule and manually list out every other subnet as there doesn't seem to be a way to target "all subnets but x"?

Thank you!

24 minutes ago, twerck said:

Hello Konstantin,

Yes, thank you! This seems to be exactly what I'm looking for! One question - if I create a rule that basically says "Move all clients with an IP address on this subnet to this group", that is set to run "Permanently", what will happen when one of the clients that are moved into this group no longer has an IP address on this subnet so that it no longer matches the parameters within these? Or will I need to create a separate rule that targets all subnets but the one in the previous rule and manually list out every other subnet as there doesn't seem to be a way to target "all subnets but x"?

Thank you!

Hello!

"By default, a device moving rule is intended for one-time initial allocation of devices to administration groups. The rule moves devices from the Unassigned devices group only once. If a device once was moved by this rule, the rule will never move it again, even if you return the device to the Unassigned devices group manually. This is the recommended way of applying moving rules."

We strongly recommend that you avoid moving a single device from one group to another repeatedly (for example, in order to apply a special policy to that device, run a special group task, or update the device through a specific update agent).

You can use policy profiles to manage such computers.

Thank you!

4 hours ago, Dmitry Parshutin said:

Hello!

"By default, a device moving rule is intended for one-time initial allocation of devices to administration groups. The rule moves devices from the Unassigned devices group only once. If a device once was moved by this rule, the rule will never move it again, even if you return the device to the Unassigned devices group manually. This is the recommended way of applying moving rules."

We strongly recommend that you avoid moving a single device from one group to another repeatedly (for example, in order to apply a special policy to that device, run a special group task, or update the device through a specific update agent).

You can use policy profiles to manage such computers.

Thank you!

Hi Dmitry,

Thanks for the response.

I saw that on the linked page but figured I could get around it by creating a second rule.
Assuming this is not the correct way to go about having a task assigned to a dynamically changing group of endpoints, what other methods are there to accomplish this task with KSC? I'm not sure how the use of a policy profile will address this, as what needs to change is the priority in which the endpoints will reach out for updates (via KSC or Kaspersky Lab servers) through the Update task.

Hi,

In your case you have to use relocation rules instead of policy profiles, despite it not being the recommended way.

The thing is that the update source should be specified in the group Update task, not in the policy.

10 hours ago, Nikolay Arinchev said:

Hi,

In your case you have to use relocation rules instead of policy profiles, despite it not being the recommended way.

The thing is that the update source should be specified in the group Update task, not in the policy.

Hi Nikolay,

So assuming I'm understanding correctly, it seems the only way I can do this within Kaspersky Security Center is by creating two subnet-based rules that move machines between groups, with different update source tasks pointed to each group?

Hello!

As told before, the update source is not specified in the policy; it is specified in the update task.

You can create the task for a set of machines or for a group.

Thanks!

Hi Ivan,

Thanks. That confirms my belief. If I were to go this route, I'll need to create two groups with two rules that move machines between the groups based on subnets the machines are on when they check in. I'd need to have two separate Update tasks, each with a different Update Source priority (KSC vs. KL Update Servers), and associate each with a different group. That's unfortunate - I'm surprised there isn't an easier way to automate this.
