Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Understanding Apex One Policy Deployment

    • Updated:
    • 22 Feb 2021
    • Product/Version:
    • Apex Central 2019
    • Apex One as a Service
    • Platform:
    • N/A

This article discusses the basics of policy deployment.


iProduct Policy Deployment

What happens after a policy is deployed from Apex Central to Apex One server?

  1. Apex Central deploys policy to Apex One server
  2. Apex One sever dispatches policies to iProduct Servers
  3. For Saas, Apex One server now waits for SaaS agents to poll (default every 10 min)
    • On-premise agent will receive server notification immediately
  4. After Apex One agents get policy tasks/commands, Apex One agents also notify the sibling iProduct agents
  5. Apex One server marks agent as “deployed successfully” once Agent One agents get the policies from server
    • For iProduct agents, after the policies are applied, iProduct agents report policy status to corresponding iProduct servers accordingly
  6. iProduct servers write iProduct agents’ policy status to database & Apex One server consolidates all status result from iProduct servers
  7. Apex One server then sends consolidate policy results/status to Apex Central
ScenarioUse CaseAffected EndpointsAffected PoliciesDeploy Timing
Create PolicyNew filtered policyAll endpoints without policy and match the new criteriaOnly this policyImmediate
New specified policyThe specified endpointsOnly this policyImmediate
Edit PolicyEdit targets (criteria) for filtered policyAll endpoints as long as they are not in specified policesAll filtered policiesImmediate
Edit targets for specified policyEndpoints in this policy
(If endpoints are removed from polices,
they will be regarded as “new” endpoints
by policy deployment flow)
Only this policyImmediate
Edit policy settings onlyThe endpoints in the policyOnly this policyImmediate
Reorder policies
(including policy removal)
All endpoints as long as
they are not in specified polices
All filter policiesImmediate
New or changed
New endpoint reported to Apex CentralThe new endpointsPolicies applicable to these new endpoints120 sec after endpoints are reported to Apex Central
Endpoint property changes
(which also causes policy changes)
The changed endpointsAll policiesEvery 24 hours
Policy enforcementApex Central default mechanism
to ensure all endpoints get policies
All endpointsAll policies
  • On premise: Every 24 hours
  • SaaS: Every 10 minutes

The following are the time needed for Apex One as a Service agents to get the policy deployed and return its policy status:

  • Within 20 minutes
    • Creating new policies for the 1st time, or new registered agents that never had a policy applied (Apex Central checks every 120 seconds to see if there are new agents)
    • Admin reorders policies
    • Admin edit policy settings or targets (either specified or filtered)
  • Wait for next policy enforcement
    • New agents that passed Apex Central’s new agent check (every 120 seconds), but didn’t get an applicable policy (becomes “without policies”)
    • Agents that received policies & need to be moved to another policy due to agent property changes (e.g. location in AU, IP address, etc)
AD-based filtered policies always need to have Apex Central sync the latest AD info first in order to trigger policy changes.

Apex One/Apex Central introduced some features that facilitate easier tracking of the configuration applied to the agents.

Verifying the Policy Deployment status

  1. The Policy Status

    The three fields in that section of the policy deployment page allow to track the status the agents reported.

    If the agents are 'Deployed' status, they should have the correct settings. Otherwise, you may have a problem with the deployment process, which will need to be investigated.

    For detailed information, refer to the Policy Status section of the Apex Central Online Help page.


  2. Policy Version

    There is also a policy enforcement feature, it re-deploys the policy every 24 hours to ensure the agents have the correct setting and any deviations are visible. This number also changes after every manual re-deploy of the policy.

  3. Agent Status

    The policy that is assigned can also be checked on the agent itself. Once you have access to one of the machines, right click on the agent console in the taskbar and select 'Component Version'.

    As shown in the image, you will be able to check the policy name and if you hover over the ' i ', you will be able to see the Policy Version.

Case A. Default iProduct policy settings

iProduct Disabled by default

By default, iProduct settings are set to “disabled”, this implies iProduct agents are not installed. Under this situation, after Apex One server dispatches policies to iProduct servers, iProduct servers will directly respond “successfully deployed” to Apex One server.

The very first policy deployment that enables iProducts settings will trigger iProduct agents installation.

Once iProduct agents are installed, policy setting changes to iProducts will just fall into the normal policy deployment flow

Case B. Apex One server does not have a valid iProduct license

ES without License

When there is a policy containing settings to enable iProduct settings, before dispatching the policies to iProduct servers, Apex One server will first check if there are valid licenses; if there is no valid license, Apex One server will respond “unactuated license” error code to Apex Central directly. (i.e. iProduct license info are managed by Apex One server).

Solution Id:
Did this article help you?

Thank you for your feedback!

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.