Using policies in McAfee ePO

Policies enable you to configure managed products and apply the configuration to systems in your network, all from the McAfee ePO console.

Policies are collections of settings that you create, configure, apply, and then enforce. Most policy settings correspond to settings that you configure in the Endpoint Security Client. Other policy settings are the primary interface for configuring the software.

Adaptive Threat Protection adds the following categories to the Policy Catalog.

Table 1: Adaptive Threat Protection categories
Category: Dynamic Application Containment
Description: Runs applications with specific reputations in a container, blocking actions based on containment rules. Uses TIE server, if available, or McAfee GTI for the application reputation.

Category: Options
Description: Specifies options for Adaptive Threat Protection, including:
  • Enabling and disabling Adaptive Threat Protection.
  • Selecting rule groups.
  • Enabling and disabling Real Protect client-based and cloud-based scanning.
  • Setting reputation thresholds.
  • Configuring user messaging.
  • Specifying options for sending files to Advanced Threat Defense.

In each category, Adaptive Threat Protection provides predefined policies:

Table 2: Adaptive Threat Protection predefined policies
Policy: McAfee Default
Description: Defines the default policy that takes effect if no other policy is applied.

  The McAfee Default Dynamic Application Containment policy sets rules to Report only. Users experience no blocking or prompting.

  Note: To send Dynamic Application Containment Would Block events to McAfee ePO, in the Common Options settings, set Adaptive Threat Protection events to log to Warning, Critical, and Alert.

  You can duplicate, but not delete or change, this policy.

Policy: My Default
Description: Defines predefined settings for the category.

Policy: McAfee Default Balanced
Description: Defines a Dynamic Application Containment policy with Block rules set to provide a base level of protection while minimizing false positives for common unsigned installers and applications.

  Use this policy for typical business systems where new programs and changes are installed infrequently. Users experience some blocking and prompting.

Policy: McAfee Default Security
Description: Defines a Dynamic Application Containment policy with Block rules to provide aggressive protection. This policy might cause false positives more frequently on unsigned installers and applications.

Tip: Best practice: Evaluate the impact of Dynamic Application Containment rules by enforcing the McAfee Default policy. To determine whether to set rules to block, monitor the logs and reports for "Dynamic Application Containment violation allowed" (event ID 37280) events. Then, set Enterprise Level Reputations or Dynamic Application Containment exclusions and enforce the McAfee Default Balanced policy.
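
An added example, not part of the original McAfee documentation: one way to carry out the evaluation step in the best practice above is to group exported event ID 37280 rows by process and rule and count the distinct systems affected. The CSV column names, the sample rows, and the function name are assumptions constructed for this example, not the format of a real McAfee ePO export.

```python
import csv
import io
from collections import defaultdict

DAC_ALLOWED_EVENT_ID = "37280"  # "Dynamic Application Containment violation allowed"

# Constructed sample rows. The column names are assumptions for this example,
# not the schema of a real McAfee ePO export.
SAMPLE_EXPORT = r"""event_id,system,process,rule
37280,WS-001,C:\Installers\setup_a.exe,constructed-rule-1
37280,WS-002,C:\Installers\setup_a.exe,constructed-rule-1
37280,ws-002,c:\installers\SETUP_A.exe,constructed-rule-1
37280,WS-003,C:\Users\x\AppData\tool_b.exe,constructed-rule-2
99999,WS-001,C:\Installers\setup_a.exe,constructed-rule-1
"""


def summarize_allowed_violations(csv_text, widespread_at=2):
    """Group event 37280 rows by (process, rule), ranked by distinct systems."""
    groups = defaultdict(lambda: {"events": 0, "systems": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if (row.get("event_id") or "").strip() != DAC_ALLOWED_EVENT_ID:
            continue  # other event IDs are outside this evaluation
        # Windows paths and host names are case-insensitive, so normalize.
        key = (row["process"].strip().lower(), row["rule"].strip())
        groups[key]["events"] += 1
        groups[key]["systems"].add(row["system"].strip().upper())

    summary = []
    for (process, rule), g in groups.items():
        systems = sorted(g["systems"])
        summary.append({
            "process": process,
            "rule": rule,
            "events": g["events"],
            "systems": systems,
            # Seen on many systems: likely a common application to review for
            # a reputation or exclusion. Seen on one: look at it individually.
            "widespread": len(systems) >= widespread_at,
        })
    summary.sort(key=lambda r: (-len(r["systems"]), -r["events"], r["process"]))
    return summary


if __name__ == "__main__":
    for r in summarize_allowed_violations(SAMPLE_EXPORT):
        print(r["events"], len(r["systems"]), r["widespread"], r["process"], r["rule"])
```

Each process and rule pair in the summary still needs to be confirmed as legitimate before it is given an Enterprise Level Reputation or an exclusion.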

You can use predefined policies as is, edit the My Default predefined policies, or create new policies.

For information about policies and the Policy Catalog, see the McAfee ePO Help.

Comparing policies

You can compare all policy settings for the module using the Policy Comparison feature in McAfee ePO. For information, see the McAfee ePO Help.