App Control: How to Tell Why a Device Moved Into Another Policy
Article ID: 288745
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
How to tell who or what changed a device's policy.
Environment
App Control Console: All Supported Versions
App Control Agent: All Supported Versions
Resolution
On the Events page, filter on the Subtype "Computer Modified". This event contains several items that help explain why a device changed policies.
Computer was moved by a user:
Computer '$computer$' was moved into the Policy '$policyName$' by '$username$'.
Computer was moved by automatic policy (such as Active Directory Policy Mapping):
Computer '$computer$' was modified by '$username$' to use automatic Policy assignment.
Moved back to a policy from Local Approval Mode:
Computer '$computer$' was restored to its previous Policy by '$username$'.
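When many "Computer Modified" events need triage, the three message formats above can be matched mechanically. The following Python is an added example, not Broadcom or App Control code; it assumes the event text has been copied out of the Events page as plain strings that follow the templates exactly, and every hostname, policy name and username in the sample is constructed.

```python
import re
from collections import Counter

# The article's three templates, with $placeholders$ turned into named groups.
PATTERNS = [
    ("moved_by_user", re.compile(
        r"^Computer '(?P<computer>.+?)' was moved into the Policy "
        r"'(?P<policy>.+?)' by '(?P<username>.+?)'\.$")),
    ("automatic_assignment", re.compile(
        r"^Computer '(?P<computer>.+?)' was modified by '(?P<username>.+?)' "
        r"to use automatic Policy assignment\.$")),
    ("restored_from_local_approval", re.compile(
        r"^Computer '(?P<computer>.+?)' was restored to its previous Policy "
        r"by '(?P<username>.+?)'\.$")),
]

def classify(description):
    """Return (reason, fields) for one 'Computer Modified' event text."""
    text = description.strip()
    for reason, pattern in PATTERNS:
        match = pattern.match(text)
        if match:
            return reason, match.groupdict()
    # Anything else is kept for manual review rather than silently dropped.
    return "unrecognized", {"raw": text}

def summarize(descriptions):
    """Count policy-change reasons per computer."""
    summary = {}
    for description in descriptions:
        reason, fields = classify(description)
        computer = fields.get("computer", "<unparsed>")
        summary.setdefault(computer, Counter())[reason] += 1
    return summary

# Constructed sample input; the last line deliberately matches no template.
SAMPLE = [
    "Computer 'CORP\\WS-0142' was moved into the Policy 'High Enforcement' by 'jsmith'.",
    "Computer 'CORP\\WS-0142' was modified by 'admin' to use automatic Policy assignment.",
    "Computer 'CORP\\LT-0007' was restored to its previous Policy by 'helpdesk1'.",
    "Constructed line that matches none of the three templates.",
]

if __name__ == "__main__":
    for computer, counts in summarize(SAMPLE).items():
        print(computer, dict(counts))
```
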
Additional Information
If a device is being moved automatically, it is generally because of an Event Rule or Active Directory Policy Mapping.
Check under Rules > Event Rules to see if there are any rules that have an action of "move computer" to another policy.