Posted: 6/11/2010, Updated: 6/23/2014
This article provides a step by step guide to creating a simple policy in the console. Before executing the steps in this article, it is necessary to have a console, at least one endpoint, and functional communication between the two.
For more information, please refer to these articles:
Console policies provide the mechanism to configure settings for Windows and Mac clients. Those settings allow the customization of the user experience, the forced configuration of options, and the establishment of search criteria. While this article assumes the endpoint is a Windows client, most of the information is applicable to a Mac client version 3.0 or later.
This article contains the following sections:
- Creating a Policy
- Assigning Endpoints
- Configuring Settings
- Adding Search Locations
- Additional Resources
To create a new policy, select the Policies button from the ribbon and select Create to display the Policy Wizard. Provide a unique name to identify the policy and an optional description. Then select the policy type and click Next. There are three types of policies: System, User Default, and Scheduled Task. For this example, a System policy will be used. System policies force settings on the selected endpoints and cannot be changed by an end user interacting with the client. Once the policy type is selected, it cannot be changed.
After the policy has been created, it is necessary to specify the endpoints to which the policy will apply. Any combination of endpoints and tags can be specified and the list can be modified at any time. To add an endpoint, select the Endpoint tab of the Policy Wizard and then add check marks next to the endpoints and/or tags to which the policy will apply. To select a single endpoint, expand All Endpoints by clicking the arrow to the left of All Endpoints and then click the checkbox next to the desired endpoint. For this example, select a single Windows endpoint. If no endpoints appear in the list, then the requirements for this article have not been met and it is necessary to return to the overview, view the requirements and the associated documentation, and complete the necessary configuration. Click Finish to create the policy and advance to the next step.
The settings specified in the policy control the behavior of the client. In this example, a sampling of different types of settings is described; however, not all settings are appropriate for all environments and this list is by no means a complete list of the available settings. Settings can be modified at any time.
Note: When only one policy is assigned to an endpoint, any setting not specified in that policy will cause the client to use the application default value for that setting. The default setting is shown selected when a setting is edited.
To set the values for settings, expand the policy by clicking the arrow to the left of the policy name and click on Settings. The available settings will appear in the right pane and it is possible to navigate to individual settings by clicking the arrows to the left of a settings folder or by using the search box in the toolbar. For this example, the representation Settings\Actions\Disable\disableAction_Recycle means to expand Settings, expand Actions, expand Disable and then double-click on disableAction_Recycle to open the edit setting dialog.
- Require profile login (Profile\RequireProfileLogin): Set this value to "Require login" to prevent end users from running the client with the Guest profile. Users will then have to enter their Identity Finder profile password each time they use the application. Because the defaults for Profile\UseProfilePasswordForSave and Profile\UseProfilePasswordForSecureAction specify that the profile password should be used, and the user is already required to sign in with that password, the user will not be prompted for any additional passwords while using the client.
- Disable recycle action (Settings\Actions\Disable\disableAction_Recycle): Set this value to "Disable Recycle" to disable the Recycle action. The Recycle action uses the Windows Recycle Bin and is not secure: files can easily be restored from the Recycle Bin, or read from disk even after it has been emptied. Because the Shred action is permanent and shredded files can never be recovered, some users or organizations allow the Recycle action and then require users to shred the contents of the Recycle Bin with Identity Finder after confirming that the files are no longer needed. Because this requires an additional manual step by the end user, many organizations prohibit the use of the Recycle action.
- Force creation of the quarantine folder (Settings\Actions\Quarantine\CreateFolderIfNonexistent): Set this value to "True" to ensure that the destination folder that receives quarantined files is created if it does not exist. The Quarantine action copies a file from its current location to the specified location and then shreds the original. By default, Identity Finder will not create the quarantine folder, to reduce the risk of folders being created in locations the organization considers undesirable. If the destination quarantine folder does not exist and this setting is "False" (the default), the Quarantine operation will fail and an error will be written to the client log. Click the Win UI tab to view where this setting appears in the client user interface.
- Duplicate quarantine folder path structure (Settings\Actions\Quarantine\DuplicateFolderPaths): Set this value to "Enable" to create folders and subfolders that mirror the full path of the file being quarantined. This ensures that files with the same name quarantined from different locations remain easily distinguishable. Click the Explain tab for a detailed example.
- Leave a warning text file after quarantining (Settings\Actions\Quarantine\LeaveBehindWarningText): Set this value to "Enable" to leave a plain text file in the folder from which a file was quarantined. This placeholder file records the file's new destination and reminds users where the file has been moved.
- The text to write to the quarantine warning file (Settings\Actions\Quarantine\LeaveBehindWarningTextContent): Set this value to "The file %source% was quarantined to %dest%. If you do not know why you are seeing this message, please contact your local help desk." to replace the default contents of the quarantine leave-behind file with the specified text. This setting is especially useful when administrators quarantine user files without the users' knowledge. The text can alert users that the file contained sensitive information and tell them whom to contact to find out where it was moved.
- Specify the number of shred passes (Settings\Actions\Shred\ShredPasses): Set this value to "1" to require a single-pass wipe. The default of 3 passes is suitable for most organizations; a single pass is very effective and reduces disk I/O, while a seven-pass wipe might be more "secure" but takes more time and processing. This setting applies everywhere the client performs a shred, including the Shred action, the File Shredder tool, and the shredding of temporary files.
- Enable AnyFind searching for Social Security Numbers (Settings\Identities\SSN\EnableAnyFind): Set this value to "Enable" to require the search to include social security numbers (SSNs). When this setting is enabled in the policy, the user will not be able to deselect Social Security from the Identities ribbon tab in the client.
- Additional keywords for finding unformatted SSNs (Settings\Identities\SSN\AnyFind\USSN\CustomKeywords): Set this value by adding SIN and EmpID to the text box, one per line, pressing Enter between words. When searching for unformatted social security numbers (USSNs), that is, 9-digit numbers with no spaces or dashes, Identity Finder by default requires a location to contain at least 3 USSNs as well as an SSN keyword before any of its 9-digit numbers are treated as SSNs. In addition to the default keywords such as SS#, it is possible to add keywords such as SIN (e.g., Student Identifier) or EmpID (e.g., Employee ID) so that 9-digit numbers are matched as SSNs in locations that hold valid social security numbers but no default keyword. For example, if an old Excel spreadsheet on a human resources computer contains employee names, dates of birth and social security numbers, but the column header for the SSNs is "Employee ID", that phrase can be added to this list so that those 9-digit numbers are identified as valid SSNs.
- Enable AnyFind searching for E-mail Addresses (Settings\Identities\EmailAddress\EnableAnyFind): Set this value to "Disable" to prevent e-mail addresses from being included in the search. When this setting is disabled in the policy, the user will not be able to select E-Mail Address from the Identities ribbon tab in the client. Because this setting is disabled by default, the search would not include e-mail addresses unless the user modified that option in the client; however, they would have the ability to do so. Because e-mail addresses are extremely common in documents, this setting often produces many results that may not be actionable. To allow users to include e-mail addresses in their search but prevent those results from being reported to the console, leave this setting as Not Defined and modify the setting Console\matchTypes.
- Search files (Settings\Locations\Files\EnableFiles): Set this value to "Enable file search" to require that files are included in every search run on the client. When this setting is enabled in the policy, the user will not be able to deselect Files from the Locations ribbon tab in the client. Because this setting is enabled by default, the search would include files unless the user modified that option in the client; however, they would have the ability to do so.
- The folder location(s) to search for files (Settings\Locations\Files\FileLocations): Set this value to "My Computer" to search the entire computer, including all local drives. By default, the policy specifies "My Documents", which automatically detects the My Documents and settings folders of the user running the search. When this value is specified in the policy, a user will not be able to change the file locations included in the search. To change the default to "My Computer" but still allow a user to change the setting in the client, use a User Default policy instead.
- Advanced file type identification method (Settings\Locations\Files\UseAdvancedFileIdentification): Set this value to "Included File Types" to allow Identity Finder to analyze a file to determine its type only when the file extension does not match the actual file type. For example, if a file is named "Q3FinancialSummary.doc", Identity Finder will attempt to search it as a Microsoft Word document. If the file is not a Word document but a rich text file (RTF), by default the filtering will fail and an error message will be written to the client log. When this setting is "Included File Types", after the initial failure Identity Finder performs advanced analysis on the file to determine its actual type. In this case, the file would then be searched as a rich text file, because RTF is included in the list of file types/extensions to search. The extension is included because this policy has not changed the default for Settings\Locations\Files\FileTypeSearchOption.
- Specify that new updates should automatically be downloaded and installed without prompting the user (Settings\Updates\AutomaticallyDownloadandInstallUpdates): Set this value to "Enable" to suppress the prompts that notify users that a new version of the software is available. When enabled, the user will not be able to decline the download and installation of the update. However, once the installation is launched, the user will still be able to cancel the upgrade process unless Settings\Updates\InteractiveInstall is disabled.
- After an application update is downloaded, launch the upgrade installer to allow user interaction (Settings\Updates\InteractiveInstall): Set this value to "Disable" to automate the installation process after new application updates are downloaded. By default, users can cancel the update or change their setup options; disabling interactive installation upgrades their installed features automatically without any user interaction.
- Disable the Websites and Database search locations (Settings\Locations\Websites\Disable\disableSearch_Websites and Settings\Locations\Databases\Disable\disableSearch_Database): Set these values to "Disable website search" and "Disable database search" respectively to prevent end users from searching Database or Website locations. When a license is purchased that includes these modules, the license file will allow access to these modules. In organizations where only administrators will be searching websites and/or databases, it may be undesirable to allow end users access to these functions.
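As an added illustration (not Identity Finder's own code) of the count-and-keyword rule for unformatted SSNs described in the CustomKeywords setting above, the following Python models how a bare 9-digit number is only reported when the location holds at least three such numbers and an SSN keyword, default or custom. The default keyword list, the structural validity check and the sample HR export are assumptions constructed for the example.

```python
import re

# Added example modelling the unformatted-SSN (USSN) rule from the
# CustomKeywords setting: a bare 9-digit number is only reported as an SSN when
# the location holds at least MIN_USSN_COUNT such numbers and an SSN keyword.
# Illustrative code, not Identity Finder's implementation.
MIN_USSN_COUNT = 3
# Assumed default keyword list; the article itself names only "SS#".
DEFAULT_KEYWORDS = ("ss#", "ssn", "social security")

# Exactly nine digits not adjacent to other digits, so 10-digit phone numbers
# and formatted 123-45-6789 SSNs are not matched by this rule.
USSN_RE = re.compile(r"(?<!\d)\d{9}(?!\d)")


def structurally_valid(ssn: str) -> bool:
    """Assumed structural check based on SSA issuance rules: area 000/666 and
    900-999, group 00 and serial 0000 are never issued."""
    area, group, serial = int(ssn[:3]), int(ssn[3:5]), int(ssn[5:])
    if area in (0, 666) or area >= 900:
        return False
    return group != 0 and serial != 0


def find_ussns(text: str, custom_keywords=()) -> list:
    """Return the 9-digit numbers treated as SSNs in one location, or [] when
    the location does not meet the count-and-keyword threshold."""
    keywords = set(DEFAULT_KEYWORDS) | {k.lower() for k in custom_keywords}
    lowered = text.lower()
    candidates = [n for n in USSN_RE.findall(text) if structurally_valid(n)]
    if len(candidates) < MIN_USSN_COUNT:
        return []
    if not any(k in lowered for k in keywords):
        return []
    return candidates


# Constructed sample: an HR export whose SSN column is headed "Employee ID".
HR_SHEET = """Name,Date of Birth,Employee ID
Ann Example,1970-01-02,123456789
Bob Example,1980-03-04,387654321
Cy Example,1990-05-06,555443333
"""

if __name__ == "__main__":
    print(find_ussns(HR_SHEET))  # [] because no SSN keyword is present
    print(find_ussns(HR_SHEET, ("SIN", "EmpID", "Employee ID")))
```

The second call returns all three numbers only because "Employee ID" was added as a custom keyword, which is the effect the setting is meant to achieve.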
The search locations section of the policy provides a way to include or exclude specific folders (Custom Folders) and to include or exclude specific information (OnlyFind Identities) to find during the search. The search locations are also the section of the policy in which to specify remote machines, websites, and database connection strings, which allow an endpoint with the client software installed to search an endpoint that does not have a client.
In this example, the system root will be excluded from the search of My Computer, as configured above. It is often desirable to search certain drives or folders but to exclude particular folders from the search. When a folder is listed in the Custom Folder list with the scope Include in Search, it will always be searched, regardless of the FileLocations setting, as long as EnableFiles is set to Enable file search. The folder will not appear in the client UI and cannot be viewed, modified, or deleted by the end user.
To exclude the system root (for example C:\Windows) from the search, expand the policy by clicking the arrow to the left of the policy name, expand the Search Locations section, click the Custom Folders item, and then click the Add Custom Folder button in the toolbar of the right pane. In the Folder Location column, type "%systemroot%" (without the quotes). In the Scope column, select Exclude From Search and then click Save. Any valid Windows (or Mac) environment variable can be used in the Custom Folder list.
Once a policy has been created and assigned to endpoints, the console application must process this policy, make it available to the endpoints, and then the endpoints must download and apply the policy. Depending on a variety of factors including the complexity of the policy, the available system resources, the other processing requests queued on the console and the polling interval on the client (Console\pollingInterval), this process can take up to 2 hours.
Because the steps in this article are likely to be performed before any clients are reporting search results to the console, the client will likely have this sample policy within 10 minutes because the default polling interval is set to 5 minutes.
To determine if the endpoint has applied the policy, expand the policy name, click Endpoints, and view the State column. If the value reads, "Applied", then the endpoint has applied the policy. If the value reads, "Never Applied" or "Outdated" for a long period of time (as noted above), there may be a communication issue between the client and the console that requires troubleshooting.
Once the policy has been applied, open the Identity Finder client on the endpoint to which the policy was applied by double-clicking the application icon in Windows Explorer. Because of the policy settings, it will be necessary to log in to (or first create) an Identity Finder profile. Attempts to bypass the profile and use the Guest profile will be unsuccessful. Once the client is open, the effects of the policy can be seen by trying to disable the Social Security AnyFind type or to change the file locations to My Documents. After running a search, the Recycle action will be unavailable. After opening the Settings and viewing the Actions page, it will be evident that the number of shred passes has been set to 1 and cannot be modified.
It is now possible to modify this policy with relevant settings or to delete this policy and create an appropriate policy from scratch.
This article covered a limited scope to introduce policy functionality. There are additional policy types, settings, and configuration options covered in other documents and articles: