Manual and automatic assignment of settings profiles

After you create a settings profile, you can assign it to one or more computers in two different ways:

  • Manually (directly).

  • Automatically (indirectly) through inheritance from a group to subgroups, computers, and devices.

Both strategies complement each other. It is highly advisable that administrators understand the advantages and limitations of each one in order to define the most simple and flexible computer structure possible to minimize the workload of daily maintenance tasks.

Manual/direct assignment of settings profiles

Consists of directly assigning settings profiles to computers or groups. It is the administrator who manually assigns a profile to a computer or computer group.

After you create a settings profile, there are many ways to manually assign it:

  • From the Computers menu at the top of the console, from the group tree in the left panel.

  • From the target computer’s details, accessible from the Computers list.

  • From the profile when it is created or edited.

For more information about the group tree, see Group tree.

From the group tree

To assign a settings profile to a computer group:

  • Click the Computers menu at the top of the console. From the left panel, select a filter or group.

  • Click the group’s context menu.

  • Click Settings. A window opens with the profiles already assigned to the selected group and the type of assignment:

  • Manual/Direct assignment: The text Directly assigned to this group is displayed.

  • Inherited/Indirect assignment: The text Settings inherited from is displayed, followed by the name and full path of the group the settings profile is inherited from.

Example of inherited and manually assigned settings profiles

Select one of the available types of settings profiles. Select the specific settings profile to apply. Click OK. The profile is immediately deployed to all members of the group and its subgroups.

From the Computers list panel

To assign a settings profile to a specific computer or device:

  • Go to the Computers menu at the top of the console. From the left panel, select the filter or group that contains the computer you want to assign the settings to. From the list of computers, select the computer. The computer details page opens.

  • Select the Settings tab. A window opens with the profiles already assigned to the selected computer and the type of assignment:

    • Manual/Direct assignment: The text Directly assigned to this group is displayed.

    • Inherited/Indirect assignment: The text Settings inherited from is displayed, followed by the name and full path of the group the settings profile is inherited from.

  • Select one of the available types of settings profiles. Select the specific settings profile to apply. Click OK. The profile is immediately applied to the computer.

From the settings profile

The fastest way to assign a settings profile to several computers belonging to different groups is from the settings profile itself.

To assign a settings profile to multiple computers or computer groups:

  • Go to the Settings menu at the top of the console. From the left panel, select the type of settings you want to assign.

  • Select a settings profile from the list. Click Recipients. The Recipients page opens. This page is divided into two sections: Computer groups and Additional computers.

  • Click the buttons to add individual computers or computer groups to the settings profile.

  • Click Back. The profile is assigned to the selected computers and the settings are applied immediately.

If you remove a computer from the list of computers assigned to a settings profile, it re-inherits the security settings profile from the group it belongs to. A warning message is displayed in the management console before the computer is removed and the changes are applied.

Indirect assignment of settings profiles: the two rules of inheritance

Indirect assignment of settings profiles takes place through inheritance, which enables automatic deployment of a settings profile to all computers below the node to which the settings were initially assigned.

The following is a description of the rules that govern the interaction between the two ways of assigning profiles (manual/direct and automatic/inheritance):

Automatic inheritance rule

A computer or computer group automatically inherits the settings of its parent group (the group above it in the hierarchy).

The settings are manually assigned to the parent group and automatically deployed to all child nodes (computers and computer groups with computers inside).

Inheritance/indirect assignment

Manual priority rule

Manually assigned settings take precedence over inherited settings.

When you manually assign a new settings profile to a group, all computers and devices below that group use the manually assigned settings, not the inherited or default ones.

Precedence of manually assigned settings over inherited settings

Inheritance limits

Manually assigned settings override inherited settings from the higher-level group. That is, settings assigned to a group (manual or inherited) apply to all subgroups, computers, and devices unless manually assigned settings apply.

When the solution encounters manually assigned settings, that group and all of its subgroups, computers, and devices receive the manually assigned settings and not the original inherited ones.

Inheritance limits

Overwriting settings

Manually assigned settings take precedence over inherited settings. When you manually assign a new settings profile to a group, all computers and devices below that group use the manually assigned settings, not the inherited or default ones.

Bearing that in mind, changes you make to settings in a higher-level group affect the groups, computers, and devices that inherit the settings differently, based on whether they have existing manually assigned or inherited settings. There are two scenarios:

  • Subgroups and computers with no manually assigned settings: When you change settings in a group that are inherited by subgroups and computers that have no manual settings applied, the new settings automatically apply to all subgroups, computers, and devices in the group.

  • Subgroups and computers with manually assigned settings: When you change settings in a group that are inherited by subgroups and computers that have manually assigned settings applied, any subgroups or computers with manually assigned settings do not inherit the new settings, regardless of the level.

Overwriting manual settings

The solution prompts you to specify whether to inherit the settings or keep the manually assigned settings.

Make all inherit these settings

Be careful when you choose this option as this action is irreversible! When you select this option, all manually assigned settings below the parent node are removed and all groups and computers inherit the new settings. The wayAdvanced EDR behaves might change on many computers on the network.

The new directly assigned settings propagate through inheritance across the entire tree, overwriting the previously assigned settings up to the last-level child nodes.

Keep all settings

When you select this option, new settings apply only to groups and computers that do not have manually assigned settings.

Keeping manual settings

Existing manual settings are retained and the application of new inherited settings stops at the first group or computer with manually configured settings.

Deleting manually assigned settings and restoring inheritance

To restore inheritance to a group or computer with manually assigned settings, you must delete the manually assigned settings:

  • Go to the Computers menu at the top of the console. From the left panel, click the group with manually assigned settings that you want to delete.

  • Click the branch’s context menu icon and select Settings. A pop-up window opens with the profiles assigned to the group. Select the manually assigned profile you want to delete.

  • A list is shown with all available settings profiles and the Inherit from parent group button. Click Inherit from parent group. The manually assigned settings are removed. The group inherits profile settings from the specified group.

Moving groups and computers

When you move computers from one branch in the tree to another, the way Advanced EDR operates with respect to the settings profile to apply varies depending on whether the items moved are groups or individual computers.

Moving individual computers

All settings profiles that were manually assigned to the computer are kept. Inherited profiles are overwritten with the settings established in the new parent group.

Moving groups

A dialog box appears with the following question: “Do you want the settings inherited by this group to be replaced by those in the new parent group?

  • If the answer is YES, the process is the same as when you move a single computer: The manual settings are kept and the inherited settings are overwritten with those established in the parent node.

  • If the answer is NO, both the manual settings and the original inherited settings of the group are kept.

Exceptions to indirect inheritance

All computers that are integrated into a native group in the web console automatically receive, from Advanced EDR, the network settings assigned to the target group by means of the standard indirect assignment/inheritance mechanism. However, if a computer is a member of an Active Directory or IP-based group, you must manually assign network settings. This change in the way network settings are assigned results in a change in behavior if that computer is moved from an Active Directory or IP-based group to another group: It does not automatically inherit the network settings assigned to the target group, but retains its own.

This particular behavior of the inheritance feature is due to the fact that, in midsize and large companies, the department that manages security might not be the same as the one that manages the company’s Active Directory. Therefore, a group membership change made by the technical department that maintains the Active Directory could inadvertently change network settings in the Advanced EDR console and leave the protection agent installed on the affected computer without connectivity and full protection. To prevent settings changes when a computer changes groups in the Advanced EDR console because of a group change in Active Directory, you must manually assign network settings.