Kaseya Community

What is the best way to implement Policy Management

  • We have all our customers' organisations set up as a first level under Kaseya. I then have each site set up within each organisation.

    The majority of organisations are Service Level Customers.

    Some are "Time and Materials" customers and the remainder are "Under Assessment" prospects.

    I would like Policy Management to automagically apply things (monitoring & scripting) to all service level customers but not to T&M or Assessment customers.

    We currently have these different types of organisations separated by Scopes within Kaseya.

    I cannot see how to apply policy via Scope.

    Can anyone suggest another way to apply policies? Having to set up a policy for each organisation would be a long manual process.

  • You can assign policies based on machine views. You don't have to create a policy for each organization.

  • You create one policy based on the view (i.e. server or workstation or SBS or Exchange, etc.). You then set the policy on every client that is a service level client and not on the time & materials or prospects and voila - everything set for service-level and nada set for the others!

  • I'm currently playing around with KPM and although I'm disappointed that any machines that change view won't be reflected, as long as those that change group are, then it is still a massive improvement on the old system.

    I've taken a screenshot of my structure at the moment. We have various service levels and contract types, but they all involve the same amount of monitoring and patch management, therefore I'm just splitting it into Contract and Non-Contract (ad-hoc) clients.

    My "All Organizations" policy contains Agent Menu, Check-in control, Credential and Working Directory settings because these are largely the same for all clients whether they're contract or not. Agent Credentials are set using a domain account that is created on all domains that we look after and that is only used for that purpose, therefore nobody needs to know the password and it can be changed by script across the board on a regular basis.

    The "Contract" and "Non-Contract" policies are just for Log History - i.e. we want to keep the history for longer for contract clients, and only for a few days for "Non-Contract". For the "Non-Contract" policy, I'd also like to be able to remove any monitoring, alerting, patching settings etc, but that's not possible for everything - e.g. because the monitoring and alerting lists apply the combination of the policies, just setting an empty list does nothing.

    Then we have the bulk of the monitoring and alerting. To keep this as consistent and easy as possible, all of these policies are applied to all contract clients. They are filtered by views, therefore only servers, or only machines with ShadowProtect installed. They apply monitoring, alerting, patch policy membership, our default patch reboot action (i.e. do not reboot) and some scripts.

    I then apply patch schedule scripts to individual servers, and also to whole machine groups for workstations. These are purely patch scan and patch update schedules.

    I have one policy that applies a script to create a hidden local administrator account on workstations that are not on a domain and then uses this account as the agent credentials. This is applied to either "remote" or "home" machine groups, or to individual machines to override the standard agent credentials.

    The final folder contains policies for each client. I've got a few test examples here. These at the moment only include "Machine Profile" and "Patch File Source" information that is obviously different from company to company (or possibly site to site).

    I think that I've got a system that will be easy to maintain, and also easy to on-board new clients etc, but I'm very open to suggestions...