Automatically Restore a Computer from Local Approval to Normal Enforcement Policy
search cancel

Automatically Restore a Computer from Local Approval to Normal Enforcement Policy

book

Article ID: 290538

calendar_today

Updated On:

Products

Carbon Black App Control (formerly Cb Protection) Carbon Black App Control

Issue/Introduction

For agents that are in the Local Approval Policy, create an Event Rule that automatically restores them back to normal enforcement level. 

Environment

  • App Control Console: All Supported Versions

Resolution

  1. Edit the built-in "Local Approval Alert" under Tools > Alerts
    1. Configure the maximum time period an agent is allowed to stay in Local Approval (e.g. 1 hour).
    2. Configure the Reset After to a very small interval (e.g. 1 minute), so that the alert triggers multiple times for multiple agents in Local Approval
    3. Enable and Save it
  2. Create an Event Rule under Rules > Event Rules > Create Rule
    1. Rule Name: Restore Computer To Normal Enforcement
    2. Description: Restores computer to normal enforcement level
    3. Status: Enabled
    4. Add Event Properties:
      • Subtype is: Alert Triggered
      • Policy is: Local Approval Policy
    5. Action: Move computer
    6. Target: Restore to normal enforcement level
    7. Save it
Powered by Wolken Software