This article discusses the basics of policy deployment.
What happens after a policy is deployed from Apex Central to Apex One server?
- Apex Central deploys the policy to the Apex One server
- The Apex One server dispatches policies to the iProduct servers
- For SaaS, the Apex One server then waits for SaaS agents to poll (default every 10 minutes)
- On-premise agents receive the server notification immediately
- After Apex One agents get the policy tasks/commands, they also notify the sibling iProduct agents
- The Apex One server marks an agent as “deployed successfully” once the Apex One agent has received the policies from the server
- For iProduct agents, after the policies are applied, the iProduct agents report their policy status to the corresponding iProduct servers
- The iProduct servers write the iProduct agents’ policy status to the database, and the Apex One server consolidates all status results from the iProduct servers
- The Apex One server then sends the consolidated policy results/status to Apex Central
| Scenario | Use Case | Affected Endpoints | Affected Policies | Deploy Timing |
|---|---|---|---|---|
| Create Policy | New filtered policy | All endpoints without a policy that match the new criteria | Only this policy | Immediate |
| Create Policy | New specified policy | The specified endpoints | Only this policy | Immediate |
| Edit Policy | Edit targets (criteria) for a filtered policy | All endpoints as long as they are not in specified policies | All filtered policies | Immediate |
| Edit Policy | Edit targets for a specified policy | Endpoints in this policy (if endpoints are removed from policies, they are regarded as “new” endpoints by the policy deployment flow) | Only this policy | Immediate |
| Edit Policy | Edit policy settings only | The endpoints in the policy | Only this policy | Immediate |
| Edit Policy | Reorder policies (including policy removal) | All endpoints as long as they are not in specified policies | All filtered policies | Immediate |
| New or changed endpoints | New endpoint reported to Apex Central | The new endpoints | Policies applicable to these new endpoints | 120 sec after endpoints are reported to Apex Central |
| New or changed endpoints | Endpoint property changes (which also cause policy changes) | The changed endpoints | All policies | Every 24 hours |
| Daily enforcement | Apex Central default mechanism to ensure all endpoints get policies | All endpoints | All policies | Every 24 hours |
There are two timing windows for Apex One as a Service agents to receive a deployed policy and report their policy status:
- Within 20 minutes
  - Creating new policies for the first time, or newly registered agents that never had a policy applied (Apex Central checks every 120 seconds for new agents)
  - Admin reorders policies
  - Admin edits policy settings or targets (either specified or filtered)
- Wait for the next daily enforcement
  - New agents that passed Apex Central’s new-agent check (every 120 seconds) but did not get an applicable policy (they become “without policies”)
  - Agents that received policies and need to be moved to another policy due to agent property changes (e.g. location in AU, IP address, etc.)
Case A. Default iProduct policy settings
By default, iProduct settings are set to “disabled”, which implies that the iProduct agents are not installed. In this situation, after the Apex One server dispatches policies to the iProduct servers, the iProduct servers respond “successfully deployed” to the Apex One server directly.
The very first policy deployment that enables iProduct settings triggers the iProduct agent installation.
Once the iProduct agents are installed, policy setting changes for iProducts simply follow the normal policy deployment flow.
Case B. Apex One server does not have a valid iProduct license
When a policy contains settings that enable iProduct settings, the Apex One server first checks for valid licenses before dispatching the policies to the iProduct servers; if there is no valid license, the Apex One server responds with the “unactuated license” error code to Apex Central directly (i.e. iProduct license information is managed by the Apex One server).
For more details, refer to this document.
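As an added example (not from the article or the product), the check below turns the two timing windows above and the Case B license error into a small audit over constructed deployment records: agents whose status is still missing past their expected window are reported as overdue, and agents whose consolidated result is the “unactuated license” error are reported separately. The trigger names, record fields and sample data are constructed for this example.

```python
from datetime import datetime, timedelta

# Expected time for an Apex One as a Service agent to report its policy
# status, per trigger, following the article's two timing buckets.
# Trigger keys are constructed for this example.
WINDOW = {
    "create_policy": timedelta(minutes=20),
    "reorder_policies": timedelta(minutes=20),
    "edit_policy": timedelta(minutes=20),
    # New endpoints are picked up by the 120-second check, then
    # deployed within the same 20-minute window.
    "new_agent": timedelta(seconds=120) + timedelta(minutes=20),
    # No applicable policy, or changed agent properties: wait for
    # the next daily enforcement.
    "without_policy": timedelta(hours=24),
    "property_change": timedelta(hours=24),
}

def audit_deployments(records, now):
    """Return (overdue, license_errors) for a list of deployment records.

    Each record: {"agent": str, "trigger": str, "triggered_at": datetime,
                  "status": str or None}. status stays None until Apex One
    sends the consolidated result back to Apex Central.
    """
    overdue, license_errors = [], []
    for rec in records:
        status = rec["status"]
        if status == "unactuated license":
            # Apex One refused to dispatch: no valid iProduct license (Case B).
            license_errors.append(rec["agent"])
        elif status is None and now - rec["triggered_at"] > WINDOW[rec["trigger"]]:
            overdue.append(rec["agent"])
    return overdue, license_errors

# Constructed sample records (not real data).
NOW = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE = [
    {"agent": "ws-01", "trigger": "edit_policy", "triggered_at": NOW - timedelta(minutes=25), "status": None},
    {"agent": "ws-02", "trigger": "edit_policy", "triggered_at": NOW - timedelta(minutes=5), "status": None},
    {"agent": "ws-03", "trigger": "new_agent", "triggered_at": NOW - timedelta(minutes=15), "status": "deployed successfully"},
    {"agent": "ws-04", "trigger": "property_change", "triggered_at": NOW - timedelta(hours=23), "status": None},
    {"agent": "ws-05", "trigger": "create_policy", "triggered_at": NOW - timedelta(minutes=2), "status": "unactuated license"},
]

if __name__ == "__main__":
    print(audit_deployments(SAMPLE, NOW))  # (['ws-01'], ['ws-05'])
```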