Policies define OneView's behavior when running a scheduled scan, using Real-Time Protection, or monitoring Suspicious Activity. Policies are applied at the site and group level in OneView, and all endpoints in a group use the same policy. By default, endpoints added to the console belong to the Default Group, which uses the Default Policy.
Configure Endpoint agent settings
- On the left navigation menu, click Configure > Policies.
- Click the + icon or select an existing policy.
- Select the Endpoint agent tab to see the specific settings available for each operating system.
For the default settings, see ThreatDown recommended policy for OneView.
User interface options
User interface options allow you to adjust the endpoint user experience. This controls what your end users see on their machines and how they can interact with Endpoint Agent.
Options in this section are as follows:
- Show the ThreatDown icon in the notification area: Shows the Endpoint Agent icon in the Windows taskbar or Mac menu bar.
- Display real-time protection notifications: Shows pop-up notifications on the endpoint when a website or application is blocked by Real-Time Protection. For macOS, this setting also controls if the user receives a notification when a scan is completed. Toggle this off or disable it to prevent these pop-up notifications from appearing on the endpoint.
- Allow users to run a User Threat Scan: Allows users to run Threat Scans with all detected threats in quarantine. Users may cancel Threat Scans but can't cancel scans controlled by the console. Threat Scans run by users are listed in the Events screen as On demand scans.
- Show ThreatDown shortcuts on Start menu and desktop to run Threat Scans: Creates shortcuts in the endpoint's Start Menu and desktop. User Threat Scan must be enabled to use this setting.
- Show ThreatDown option in context menus: Allows users to scan files by right-clicking them. These scans share the same properties as the User Threat Scan above.
- Allow only Administrator level users to interact with the ThreatDown Tray: Disables the Endpoint Agent Tray process from loading on standard-level user accounts. Only Administrator-level users will have access to the tray process and icon. For general end users, the icon won't display on the endpoint. This is useful for running the Endpoint Agent in a more silent manner or for a multi-user environment such as Microsoft Terminal Services.
Endpoint agent updates
The Endpoint agent updates policy option in OneView allows control over when endpoints receive software updates. This option only applies to Protection Service updates; Component Package updates are always automatic.
We use a ring deployment system to push updates to our endpoint agents. With this system, we initially send updates to a small subset of devices, then over time to a wider group. We monitor closely for issues throughout the update process, and halt our rollout if a problem is identified. This allows us to minimize any negative impact to customer endpoints when pushing out endpoint agent software updates.
Options in this section are as follows:
- Automatically download and install ThreatDown application updates: Automatically downloads and installs protection service updates on endpoints. Protection service updates are always automatic for macOS devices.
- Pause endpoint agent updates: Stops software updates from being applied on endpoints for up to 31 days. After 31 days, endpoints resume receiving software updates when they are released. When enabled, the policy screen shows the date and time when updates will continue.
Mobile performance
Mobile performance options control the impact of the endpoint agent on mobile devices. Options in this section are as follows:
- Use memory caching: Increases the agent's performance, but at the cost of using more memory in the background (not recommended on older devices).
Reboot settings
Reboot options control how the Endpoint Agent handles requests from the console to restart endpoints. Reboots are sometimes needed to finish malware remediation or to apply system changes after the software is updated or removed.
Options in this section are as follows:
- Automatically reboot endpoints when required: Choose if the endpoint automatically restarts as needed. If you turn this off, malware might not be entirely removed from the endpoint, and software updates might not be applied.
- Delay time before automatic reboot: The amount of time the endpoint will wait before rebooting.
- Message to display when a reboot is required: A customizable message is displayed on the endpoint when it needs to reboot.
- Allow users to postpone a reboot: Enables a pop-up on endpoints that allows users to postpone a reboot by preset times of 10, 30, or 60 minutes. Users can also click the X in the top-right corner to dismiss the pop-up and honor the reboot timer displayed in the window. Reminders to postpone the reboot appear 10 minutes before and once the time elapses. If the reboot is not postponed, the endpoint automatically reboots 1 minute after the time elapses. Reboot postponements are displayed on the Events screen as an Audit event.
Inactive endpoints
The Inactive Endpoint Removal option in OneView allows you to remove endpoints from your OneView sites that have been inactive for a set period. When enabled in a policy, endpoints that have not checked in with the console within the specified time frame are automatically removed. This setting can be adjusted to a range of 60 to 365 days.
Endpoints removed due to this option automatically reappear in OneView with their historical data if they come online again. Some example scenarios are:
- Laptop devices are kept in storage and then powered on at a later date
- Desktop devices not used while employees are working remotely for an extended period but are powered on at a later date once employees return to the office
Once you enable this option in a policy, allow up to 24 hours for the OneView console to automatically remove endpoints outside your specified time frame.
Startup options
Startup Options control how services behave on your endpoints. Options in this section are as follows:
- Provide all services with additional time to initiate: Enables extra time for services to finish loading at system startup before they time out.
- Maximum time to wait for the services to initiate: Choose a preset timeout period. You may select 1, 5, or 10 minutes. The endpoint may need more time to start if it has many services loading at startup or is running additional security software.
Health monitoring
Health monitoring provides additional settings to ensure the endpoint agent is running correctly. Options in this section are as follows:
- Enable service health monitoring: Launches a secondary service on endpoints designed to monitor and restart the endpoint agent service if it goes offline or is stopped manually on the endpoint.