Policies enable administrators to enforce a minimum set of protections and Cigent settings across a population of endpoints. Policies are associated to all members of a Group. The Default is automatically associated to endpoints that are not a member of any group. If an endpoint is a member of more than one group, the endpoint is associated to the policy highest on the list.
File Protection Levels:
Cigent will not allow a user to change the protection below the policy level but they can change it to a higher level of protection. For example, if the policy setting is set to Dynamic and user can increase the protection to Always On, but not to None.
Set to Recommended will set file type protections for the most commonly used file types.
Microsoft Office Files:
Select the minimum protection level for each Microsoft Office file type.
Select the minimum protection level for each Adobe file type.
Custom File Types:
Custom file types allows protection to be added to file types not covered by the pre-defined Microsoft or Adobe File Types. Administrators should take precautions and test the effects of protecting file types to prevent any undesired side-effects.
Import allows the importation of a CSV containing definitions for custom file type protection as an easier means of defining large quantities of file types.
Folders can be used to add Dynamic and AlwaysOn folder protection. To support variability in Windows deployments folder protection be leverage several environment variables which will be resolved by Cigent when received. For example, $HOME will be expanded to C:\Users\<username>\Documents for each user on the endpoint protecting every user’s Documents folder.
Import allows the importation of a CSV containing definitions for many folders.
Deception can be used to add additional deception files. Environment variables are available to support variability in Windows deployments. It is important to choose a unique deception file name and location to as to prevent creation issues.
Safe applications are allowed to access protected files without authorization. Common usage of Safe apps include backup programs and cloud file storage applications.
Applications are securely identified by matching of the applications certificate and optionally name or folder location. Application certificates can be exported from the Security tab of the file properties and must be Base-64 encoded X.509. The path should only include the folder name starting below C:\Program Files. For example, when adding Backblaze located in C:\Program Files\Backblaze, enter only Backblaze.
If you enter just the folder, all programs under the folder having the same certificate will be authorized. If you want to narrow the list to just a single program, just enter the program name ( ie backblaze.exe )
Enabled toggle allows temporarily disabling the safe app while keeping the definition.
The setting page contains important options related to protection control and communications. Take care when updating these settings from their default as they can impact network and CPU consumption on the endpoints.
Allow ‘Always On’ file type protection:
When disabled neither the policy nor associated endpoints will allow the usage of Always On file types. It is important that administrators be aware of the potential impacts of enabling Always On file type protection and therefore must explicitly enable this feature.
How often a device will contact the console to synchronize policy settings.
Sync Interval metered:
How often a device will contact the console to synchronize policy settings when connected to a metered connection.
How often an endpoint will validate its license status.
Import the protection settings of a preconfigured endpoint to use a starting point for a new policy.