Create a Security Management policy
BEFORE YOU BEGIN Before you can create a Security Management policy, you need to configure the Kaspersky Endpoint Security (KES) Integration or the Webroot Endpoint Security Integration. Refer to Kaspersky Endpoint Security Integration and Webroot Endpoint Security Integration.
IMPORTANT Please note that the Kaspersky Endpoint Security Integration is no longer available for new implementations. Refer to Kaspersky Endpoint Security Integration.
Security and navigation
SECURITY Permission to manage Policies at account and/or site level
NAVIGATION Account > Policies
NAVIGATION Sites > select a site > Policies
What is a Security Management policy?
This type of policy is used with the Kaspersky Endpoint Security (KES) Integration and the Webroot Endpoint Security Integration. Once you have set up any of the two integrations for your Datto RMM account, you can create a Security Management policy that will allow you to push out Kaspersky or Webroot to your endpoints and raise alerts and tickets as per the criteria set in the monitor details. You can create the policy at account or site level.
IMPORTANT A device cannot be targeted by two different kinds of security policy. For example, if your device is targeted by a KES policy, it cannot be targeted by a Webroot policy as well.
How to...
Specify the Security Management policy details
- Navigate to Account > Policies or Sites > click on a site name > Policies.
- Click New account policy... or New site policy....
- Enter a policy Name.
- Under Type, select Security Management Policy.
- You will now be able to select the Security Product that you want to create the policy for. Select KES or Webroot from the drop-down.
NOTE You will only see KES and Webroot in the list if you have configured the integrations. Refer to Kaspersky Endpoint Security Integration and Webroot Endpoint Security Integration.
-
To copy an already existing policy to use it as a template, choose it from the Based on drop-down list. To create a new policy, select New Policy.
- Click Next and you will be presented with the policy details.
Add a target
To target your devices with the policy:
- Click on Add a target.
- Select the required Target type. For information about target types, refer to Filters and Groups.
- Choose the required filter(s) or group(s).
NOTE Filters will present you with a list of the device filters that are in every account and any custom filters you've created yourself.
NOTE Devices of Unknown device type will not be targeted by the policy.
- Click Add.
- If you want to add more than one target type, repeat steps 1-4.
NOTE Multiple targets will apply the "OR" logic, that is, the policy will be run on a device if it is included in any of the targets.
Configure the Security Management Install Options
In the Security Management Install Options section, you can configure the following options:
| Security product | Install options |
|---|---|
| KES | • Password - Enter your KES password. If the password entered here is incorrect, the installation will be unsuccessful. Prior to KES version 10.2.4.674 (Windows) and KES version 10.0.0.327b (macOS), you had to specify a password when adding a configuration file on the KES integration page. The password has now been moved from the configuration file and is used during the installation process. All previous configuration file passwords have been migrated to already existing policies. IMPORTANT If you have an already existing KES policy, make sure that the policy password matches the password of your existing configuration file. You can request the last used password of your existing configuration file via email from within the policy. Refer to Configure the Security Management Policy Options. NOTE The password cannot be changed once the policy has been saved. • Uninstall incompatible products - Uninstalls other antivirus products from the endpoints.• Allow force reboot - Allows automatic restart of the computer if it's required after the installation of the application. • Microsoft exclusions - Allows adding areas that are recommended by Microsoft to the KES exclusions. • Kaspersky Lab Scan exclusions - You can define processes, files, areas on the disk and some threats as excluded objects which can be added to the trusted zone so that they are excluded from the scan. • Kaspersky Security Network - Kaspersky Security Network (KSN) is a special security network that allows users to get additional protection level, applications' reputation data, websites' reputation data, and quick reaction on new threats. • Uninstall KES from the devices that are removed from the list of target devices - If this option is selected, KES will be uninstalled from the devices if they are removed from the policy's target list. |
| Webroot | • Webroot Console Group - Allows you to enter a group name or group ID from the Webroot Console so that specific settings can be applied. This will only work correctly on fresh Webroot installations, that is, on devices that have never been seen by the Console before. If Webroot was already installed on a device for a specific group, you will be able to change it to another group in the Webroot Console. Ensure that the group you enter in the Datto RMM policy already exists in the Webroot Console. Spaces or localized characters are not supported in the group name, however, the following characters are supported: - _ @ • Language - Select any of the following languages from the drop-down: English, Japanese, Spanish, French, German, Italian, Dutch, Korean, Simplified Chinese, Brazilian Portuguese, Russian, Turkish, Traditional Chinese. By default the language is set to English. • Proxy Settings - Select any of these settings: No Proxy, Auto Proxy, Manual Settings. By default, it's set to No Proxy. Should you select Manual Settings, you will be required to fill in the following fields: proxy host, proxy port, proxy username, proxy password and proxy authentication (any, basic, digest, negotiate, NTML). • Uninstall Webroot - If this option is selected, Webroot will be removed from the devices if the Webroot policy is removed or the device is removed from the list of targeted devices. |
NOTE If you already have KES or Webroot installed in your environment, the policy will not attempt to install the agent again. It will simply monitor that agent according to the policy you set up.
NOTE In case of previous compatible KES versions where KES was installed without a password, please ensure to manually set your password in KES. It must match the password used in the KES Security Management policy so that the policy settings can be applied on the targeted device(s).
Configure the Security Management Policy Options
IMPORTANT This section is configurable for KES only.
Under the Security Management Policy Options section, you need to select:
- The KES license you want the device count to go against
- The Windows / Mac Configuration File you want to use for the KES deployment
If you have an existing KES policy and would like to find out which password was last used for that installation:
- Open the policy from the policy list at account or site level.
- Scroll down to the Configuration Files section.
- Click the Request Password icon
next to the configuration file.
- An email will be sent to the Account Administrator who registered the account. The email will contain a list of devices that have applied the configuration file along with the last password.
NOTE By clicking on the Manage Licenses and Manage Configuration Files hyperlinks in the Security Management Policy Options area, you will be directed to the KES integration page where you can edit them.
Add a monitor
When setting up a KES Security Management policy, a monitor is applied to the policy by default. You can modify the monitor by clicking on the pencil icon 
, delete it by clicking on the Remove this monitor icon 
, or you can add further monitors.
You can also apply one or more monitors to your Webroot Security Management policy, and edit or delete them as required.
For more information, refer to Create a monitor.
Save the policy and push the changes
Click Save and Push Changes.
If you click Save Only, you'll be directed to your list of policies where you can click Push changes... next to the policy in question.
The targeted devices will now be notified that a new policy has been applied and you will start to see alerts (as well as receive them via email if you configured that option) for any device that meets the criteria set in the policy.
NOTE The changes will be pushed instantly if the Agent is online or as soon as it checks in to the platform. The security product will be installed first (if required). The policy will be pushed out after the install.
NOTE If you click Save Only (current UI) or Save and Deploy Later (New UI) instead of Save and Push Changes (current UI) or Save and Deploy Now (New UI) when creating or updating a policy, the changes will still be deployed at midnight in your timezone because policies are automatically deployed every 24 hours.
NOTE In the Web Portal, sites with an active KES policy will display the Kaspersky logo 
.
NOTE To learn how to view an alert in the Web Portal, refer to Manage alerts.
Edit the policy
- Locate your policy on the account or site policy list and click on its name.
- Edit the policy details.
-
Click Save and Push Changes.
If you click Save Only, you'll be directed to your list of policies where you can click Push changes... next to the policy in question.
NOTE The changes will be pushed instantly if the Agent is online or as soon as it checks in to the platform.
NOTE If you click Save Only (current UI) or Save and Deploy Later (New UI) instead of Save and Push Changes (current UI) or Save and Deploy Now (New UI) when creating or updating a policy, the changes will still be deployed at midnight in your timezone because policies are automatically deployed every 24 hours.
