This article discusses the basics of policy deployment.
What happens after a policy is deployed from Apex Central to Apex One server?
- Apex Central deploys policy to Apex One server
- Apex One server dispatches policies to iProduct Servers
- For SaaS, Apex One server now waits for SaaS agents to poll (default every 10 min)
- On-premise agent will receive server notification immediately
- After Apex One agents get policy tasks/commands, Apex One agents also notify the sibling iProduct agents
- Apex One server marks agent as “deployed successfully” once Apex One agents get the policies from server
- For iProduct agents, after the policies are applied, iProduct agents report policy status to corresponding iProduct servers accordingly
- iProduct servers write iProduct agents’ policy status to database & Apex One server consolidates all status results from iProduct servers
- Apex One server then sends consolidated policy results/status to Apex Central
| Scenario | Use Case | Affected Endpoints | Affected Policies | Deploy Timing |
|---|---|---|---|---|
| Create Policy | New filtered policy | All endpoints without a policy that match the new criteria | Only this policy | Immediate |
| | New specified policy | The specified endpoints | Only this policy | Immediate |
| Edit Policy | Edit targets (criteria) for filtered policy | All endpoints as long as they are not in specified policies | All filtered policies | Immediate |
| | Edit targets for specified policy | Endpoints in this policy (If endpoints are removed from policies, they will be regarded as “new” endpoints by policy deployment flow) | Only this policy | Immediate |
| | Edit policy settings only | The endpoints in the policy | Only this policy | Immediate |
| | (including policy removal) | All endpoints as long as they are not in specified policies | All filtered policies | Immediate |
| New or changed | New endpoint reported to Apex Central | The new endpoints | Policies applicable to these new endpoints | 120 sec after endpoints are reported to Apex Central |
| | Endpoint property changes (which also causes policy changes) | The changed endpoints | All policies | Every 24 hours |
| Policy enforcement | Apex Central default mechanism to ensure all endpoints get policies | All endpoints | All policies | |
The following is the time needed for Apex One as a Service agents to get the policy deployed and return their policy status:
- Within 20 minutes
  - Creating new policies for the first time, or newly registered agents that never had a policy applied (Apex Central checks every 120 seconds to see if there are new agents)
  - Admin reorders policies
  - Admin edits policy settings or targets (either specified or filtered)
- Wait for next policy enforcement
  - New agents that passed Apex Central’s new agent check (every 120 seconds), but didn’t get an applicable policy (become “without policies”)
  - Agents that received policies and need to be moved to another policy due to agent property changes (e.g. location in AU, IP address, etc.)
Apex One/Apex Central introduced some features that facilitate easier tracking of the configuration applied to the agents.
The Policy Status
The three fields in that section of the policy deployment page let you track the status that the agents reported.
If the agents are 'Deployed' status, they should have the correct settings. Otherwise, you may have a problem with the deployment process, which will need to be investigated.
For detailed information, refer to the Policy Status section of the Apex Central Online Help page.
There is also a policy enforcement feature that re-deploys the policy every 24 hours to ensure the agents have the correct settings and any deviations are visible. This number also changes after every manual re-deploy of the policy.
The assigned policy can also be checked on the agent itself. Once you have access to one of the machines, right-click the agent console in the taskbar and select 'Component Version'.
There you can check the policy name, and if you hover over the ' i ', you can see the Policy Version.
Case A. Default iProduct policy settings
By default, iProduct settings are set to “disabled”, which implies that iProduct agents are not installed. In this situation, after Apex One server dispatches policies to iProduct servers, the iProduct servers will directly respond “successfully deployed” to Apex One server.
The very first policy deployment that enables iProducts settings will trigger iProduct agents installation.
Once iProduct agents are installed, policy setting changes to iProducts will just fall into the normal policy deployment flow.
Case B. Apex One server does not have a valid iProduct license
When a policy contains settings that enable iProduct settings, Apex One server first checks whether there are valid licenses before dispatching the policies to iProduct servers. If there is no valid license, Apex One server responds with an “unactuated license” error code to Apex Central directly (i.e. iProduct license info is managed by Apex One server).