Kaseya Community

Is there a way to exempt a specific machine from a Policy applied to it's group?

  • I applied a certain policy to run a procedure on all machines in specific groups.  However I have one machine that I need to exempt from this policy and I can't change the group because of IP naming policy.  Is there a way to exempt this one machine.  Looked all over agent menu and Policy assignment and didn't see anything.

  • Not really...   If there is just one thing, you could try to create a policy that overrides the existing one.   It would probably be nice to have a switch that would stop a policy or groups of policies from being applied to a specific machine.

  • Absolutely can! We have hundreds of such policies that we refer to as "Auto-Pilot" policies. We link these to the Org Root so they apply to every agent.

    They use the Advanced Filter option in the view to control when - and when not - to apply to specific customers, groups, or even agents. We utilize a standard set of custom fields to manage the ability to automatically deploy monitors, schedule patching and updating, run maintenance and more. Use one field to define if the policy should apply based on a specific condition, and another field if it should not, based on other conditions. NOT overrides APPLY, and this allows granular, per agent control. This is a bit simplified - we have 4-7 fields that combine to allow a control, and 2-4 that combine to deny, allowing very fine control. We deploy EVERY setting with policies, and haven't had to perform manual configuration of any agent beyond setting some control values for quite some time.

    With this kind of control, 95% of our policies are linked to the root, and the rest are linked to an org folder. No agent has a policy individually linked, or manual settings for monitoring, patching, or anything applied directly to it.

    For example, with our RMM Suite, we use this to precisely control server patching - specific change window, reboot time, and patch install time, which allows application groups to be booted in the proper sequence. The settings come from a common policy, the schedule is defined by another, and the controls allow you to specify the patch schedule as well as set patching to "NONE" or "MANUAL". Even with a schedule defined, I can apply a control value to temporarily suspend patching (or maintenance, monitoring, app updating, etc.). We just released an "Offline Management" tool that lets you pull a list of servers from VSA and populate a spreadsheet, use the spreadsheet to document customer server groups, schedule the patching, and then push it back into VSA.