How to apply policies to all sub-groups?

---

QC wrote:

I've already discussed policies and propagation/inheritance (with someone at Sophos) some time ago. If a "push down" option were available you might need also an "exclude this group" attribute. 

IMHO the problem is only really a problem if you need to exchange policies.

But what you're talking about is not exchanging the policy for a group but applying the same changes to a number of policies. I can see why you could have that many AV policies - exceptions/exclusions. Now these are bad anyway. Really. But I don't say you shouldn't use them - perhaps you really need them. In this case though you'd need a policy hierarchy and not propagation. Or am I wrong?

And please elaborate on the limitations.

Christian

---

QC,

Correct, I'm not exchanging, but replicating a change down that I deem a "global change" that needs to be reflective to all other policies within that policy category.

For example, my company may use an application to implement patch management.  If that application's executable can't run becuase Sophos stops it noting that it's a "Suspicious Behavior" thus patching efforts are halted.  I'd have to go in and exclude: the xyz.exe name, directory it's executing from, or a list of *.exe's depending on the situation.  So, let's say I have to exclude abc.dll, xyz.dll, xyz.exe, and %Program Files%\xyzPatcherProgram\* .  Since they have to patch all machines, I'd have to implement that addition of those 4 instantces across 20 Anti-Virus Policies.  That is a lot of manual work for one application to run.

Your point of "exlude this group" attribute would be a natural and nessessary step, but I'd rather have that opt-out option than to have no option to change a policy down from root to sub-OUs.

---

QC wrote:

I've already discussed policies and propagation/inheritance (with someone at Sophos) some time ago. If a "push down" option were available you might need also an "exclude this group" attribute. 

IMHO the problem is only really a problem if you need to exchange policies.

But what you're talking about is not exchanging the policy for a group but applying the same changes to a number of policies. I can see why you could have that many AV policies - exceptions/exclusions. Now these are bad anyway. Really. But I don't say you shouldn't use them - perhaps you really need them. In this case though you'd need a policy hierarchy and not propagation. Or am I wrong?

And please elaborate on the limitations.

Christian

---

QC,

Correct, I'm not exchanging, but replicating a change down that I deem a "global change" that needs to be reflective to all other policies within that policy category.

For example, my company may use an application to implement patch management.  If that application's executable can't run becuase Sophos stops it noting that it's a "Suspicious Behavior" thus patching efforts are halted.  I'd have to go in and exclude: the xyz.exe name, directory it's executing from, or a list of *.exe's depending on the situation.  So, let's say I have to exclude abc.dll, xyz.dll, xyz.exe, and %Program Files%\xyzPatcherProgram\* .  Since they have to patch all machines, I'd have to implement that addition of those 4 instantces across 20 Anti-Virus Policies.  That is a lot of manual work for one application to run.

Your point of "exlude this group" attribute would be a natural and nessessary step, but I'd rather have that opt-out option than to have no option to change a policy down from root to sub-OUs.