BEYONDINSIGHT POLICY EDITOR USER GUIDE
Policy Editor components
Use the Endpoint Privilege Management Policy Editor to:
- Create policies in BeyondInsight, eliminating the need to use a standalone policy editor.
- View the properties of a policy.
- Lock and unlock a policy.
- Edit the policy configuration.
Policy users must be assigned permissions to use the Endpoint Privilege Management feature:
- Read and write permissions to create, view, lock (or unlock), edit, and delete policies.
- Read-only permissions to only view policy information.
Workstyles
Workstyles are used to assign Application Rules to a specific user or group of users.
Note
The Policy Editor in BeyondInsight supports integration with Microsoft Entra ID. Filters can be used in Workstyles to query Entra ID groups and users. Only one Entra ID tenant per organization is supported. For this integration to work, you must create an Entra ID directory credential in BeyondInsight.
Application groups
Application Groups are used by Workstyles to group applications together to apply certain Endpoint Privilege Management behavior.
Content groups
Content groups are used by Workstyles to group content together to apply certain Endpoint Privilege Management behavior.
Messages
Messages are used by Workstyles to inform the end user when Endpoint Privilege Management has applied behavior that you've defined and the end user needs to be notified.
Utilities
Utilities includes tools to help with managing policies, including an import policy tool and a license management tool.
Create a policy
- From the left menu, select Policies under Endpoint Privilege Management.
- Click Create Policy.
- Enter a name for the policy and select a Workgroup from the list.
- Click Create Policy.
- Select one of the following:
  - QuickStart for Windows: A preconfigured template with Workstyles, Application Groups, messages, and Custom Tokens already configured.
  - QuickStart for Mac: A preconfigured template with Workstyles, Application Groups, and messages already configured.
  - Server Roles: The Server Roles policy contains Workstyles, Application Groups, and Content Groups to manage different server roles such as DHCP, DNS, IIS, and print servers.
  - Blank: Select to configure a policy from scratch. There are no preconfigured settings in this template.
The Policy Editor opens to the Workstyles page. At this point, you must configure the Workstyle, Application Groups, Application Rules, and other policy configuration as required for your organization. The templates and their configuration components are described in more detail in the sections below.
Note
For quick access to the Workstyles Summary page, click the hyperlink for the Workstyle name.
View a policy
- From the left menu, select Policies under Endpoint Privilege Management.
- Click the vertical ellipsis for the policy you wish to view, and then select View Policy.
- The Policy Editor opens in Read Only mode.
Note
To edit the policy, click the Policy List link at the top of the page to go back to the main Policies page where you can select the policy to edit and lock it.
- Use the options in the left navigation to view the following policy information:
  - For Windows policies:
    - Workstyles
    - Application Groups
    - Content Groups
    - Messages
  - For macOS policies:
    - Workstyles
    - Application Groups
    - Messages
  - Utilities:
    - Licenses
    - Import Policy
    - Template Policies
Note
You can also filter the contents displayed in each grid using the Filter By list above the grid.
Edit a policy
When you edit a policy, the policy is locked. Other policy administrators cannot access the policy to change the properties when the status is Locked. The policy is unlocked when changes are saved or discarded.
- From the left menu, select Policies under Endpoint Privilege Management.
- Click the menu icon for the policy you want to edit.
- If a policy is locked, select Unlock Policy in the menu.
- Select Edit and Lock Policy.
- In the Policy Editor, go to the policy property you want to change and make your edits.
- Click Save to save a draft of the policy. Clicking Save allows you to keep the Policy Editor open to continue changing the policy.
- Once the policy is updated, click Save and Unlock to save a new revision of the policy, or Discard Changes to remove changes.
  - If Discard Changes is selected, you are prompted to Continue Editing or Discard Changes.
- (Optional) On the Save and Unlock dialog box, you can enter Annotation notes about the policy changes. You can also check the Auto Assign Policy to Groups? box to automatically assign the latest revision to groups the policy is currently assigned to.
Note
The Auto Assign Policy to Groups? option is only available when the groups are currently on the latest policy. If they are on an older version, only the Annotation notes option is displayed.
Note
You can export a policy and import a policy to overwrite the existing one while viewing a policy in read-only mode and while editing a policy in read/write mode. Select Utilities > Import Policy from the left navigation, click Overwrite Policy, and then click Export Existing Policy to export. Drop a file in the box to upload a new policy and then click Upload File.
Policy users
Create and view Smart Rules for policy users
You can manage user-based policies for Endpoint Privilege Management users with Smart Rules, and view the policy users with the assigned policies.
Note
This feature is only available when an Endpoint Privilege Management license is detected.
To deploy policies to users, you must first create rules and policies in the Endpoint Privilege Management Policy Editor, and then create applicable Smart Rules to deploy the policies to policy users.
Create a policy user Smart Rule
When a policy is deployed using a policy user-based Smart Rule, only the policy rules set in the User Configuration Rule Management section of the policy are processed by Endpoint Privilege Management clients that receive the policy. Policy deployment is controlled by the specifications in the Smart Rule.
A policy user-based Smart Rule can deploy policies to Windows Active Directory domain users and local users that are not part of a domain. Create the Smart Rules as follows:
- From the left menu in BeyondInsight, click Smart Rules.
- Select Policy User from the Smart Rule type filter dropdown.
- Click Create Smart Rule. A new window opens.
- Select Policy Users for the category.
- Provide a Name and Description for the policy.
- Select a Reprocessing Limit from the dropdown to set how often the Smart Rule runs.
- In the Selection Criteria section, select and add your desired filters to add the Endpoint Privilege Management accounts.
  - To onboard local policy users, use the User Account Attribute filter after discovering users via scans. Then use their privilege attribute or their name for the Selection Criteria.
- In the Actions section, select and add the following actions:
  - Add Policy Users: Adds users to BeyondInsight.
  - Deploy Endpoint Privilege Management Policy: Deploys policies to the user accounts.
  - Mark each policy user for removal: Deletes the user accounts from the Smart Group.
  - Show as Group: Displays the Smart Rule as a Smart Group on the Policies page.
- Click Create Smart Rule.
View policy users
After the Smart Rule processes, you can view policy users on the Policy Users page. This page shows the policies assigned and applied.
- To view the page, click Policy Users on the Home page, or from the left menu under Endpoint Privilege Management.
- Displayed policy users are filtered by the selected Smart Group filter.
- Displayed policy users can also be filtered by other criteria.
- Displayed policy users can be downloaded, and the grid view can be modified.
Note
Depending on the configuration of your grid and selected columns, not all policy user details may be visible.
- To remove a user from a policy, click the menu icon for the user, and select Delete Policy User.