Understanding Apex One Policy Deployment

    • Updated: 13 Aug 2019
    • Product/Version: Apex One as a Service All.All; Apex Central 2019.All
    • Platform: N/A
Summary

This article discusses the basics of policy deployment.

Details

iProduct Policy Deployment

What happens after a policy is deployed from Apex Central to Apex One server?

  1. Apex Central deploys the policy to the Apex One server.
  2. The Apex One server dispatches policies to the iProduct servers.
  3. For SaaS, the Apex One server now waits for SaaS agents to poll (default every 10 min).
  4. On-premise agents receive the server notification immediately.
  5. After Apex One agents get policy tasks/commands, they also notify the sibling iProduct agents.
  6. The Apex One server marks an agent as “deployed successfully” once the Apex One agent gets the policies from the server.
    • For iProduct agents, after the policies are applied, iProduct agents report policy status to the corresponding iProduct servers.
  7. iProduct servers write iProduct agents’ policy status to the database, and the Apex One server consolidates all status results from the iProduct servers.
  8. The Apex One server then sends the consolidated policy results/status to Apex Central.

| Scenario | Use Case | Affected Endpoints | Affected Policies | Deploy Timing |
|---|---|---|---|---|
| Create Policy | New filtered policy | All endpoints without policy and match the new criteria | Only this policy | Immediate |
| Create Policy | New specified policy | The specified endpoints | Only this policy | Immediate |
| Edit Policy | Edit targets (criteria) for filtered policy | All endpoints as long as they are not in specified policies | All filtered policies | Immediate |
| Edit Policy | Edit targets for specified policy | Endpoints in this policy (if endpoints are removed from policies, they will be regarded as “new” endpoints by policy deployment flow) | Only this policy | Immediate |
| Edit Policy | Edit policy settings only | The endpoints in the policy | Only this policy | Immediate |
| Edit Policy | Reorder policies (including policy removal) | All endpoints as long as they are not in specified policies | All filtered policies | Immediate |
| New or changed endpoints | New endpoint reported to Apex Central | The new endpoints | Policies applicable to these new endpoints | 120 sec after endpoints are reported to Apex Central |
| New or changed endpoints | Endpoint property changes (which also causes policy changes) | The changed endpoints | All policies | Every 24 hours |
| Daily enforcement | Apex Central default mechanism to ensure all endpoints get policies | All endpoints | All policies | Every 24 hours |

There are 2 timings at which Apex One as a Service agents get a policy deployed and report back their policy status:

  • Within 20 minutes
    • Creating new policies for the 1st time, or newly registered agents that never had a policy applied (Apex Central checks every 120 seconds to see if there are new agents)
    • Admin reorders policies
    • Admin edits policy settings or targets (either specified or filtered)
  • Wait for next daily enforcement
    • New agents that passed Apex Central’s new agent check (every 120 seconds), but didn’t get an applicable policy (becomes “without policies”)
    • Agents that received policies and need to be moved to another policy due to agent property changes (e.g. location in AU, IP address, etc.)
 
AD-based filtered policies always need to have Apex Central sync the latest AD info first in order to trigger policy changes.
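
The two timings above can be turned into a check for endpoints whose policy status has not come back when expected. The following Python sketch is an added example, not Trend Micro code: the record fields and trigger labels are hypothetical, and the 24-hour wait plus a 20-minute delivery window for daily enforcement is an assumed worst case.

```python
from datetime import datetime, timedelta

# Trigger names are hypothetical labels for the cases the article lists.
WITHIN_20_MIN = {"new_policy", "new_agent", "reorder", "edit_policy"}
DAILY_ENFORCEMENT = {"no_applicable_policy", "property_change"}
SAAS_WINDOW = timedelta(minutes=20)   # "Within 20 minutes"
DAILY_WINDOW = timedelta(hours=24)    # daily enforcement runs every 24 hours


def deadline(trigger, triggered_at):
    """Latest time a status report is expected for this trigger."""
    if trigger in WITHIN_20_MIN:
        return triggered_at + SAAS_WINDOW
    if trigger in DAILY_ENFORCEMENT:
        # Assumption: worst case is a full 24 h wait for the next daily
        # enforcement, followed by the normal 20-minute delivery window.
        return triggered_at + DAILY_WINDOW + SAAS_WINDOW
    raise ValueError(f"unknown trigger: {trigger}")


def classify(record, now):
    """Return 'deployed', 'late', 'pending' or 'overdue' for one endpoint."""
    due = deadline(record["trigger"], record["triggered_at"])
    reported = record.get("status_reported_at")
    if reported is not None:
        return "deployed" if reported <= due else "late"
    return "pending" if now <= due else "overdue"


def audit(records, now):
    """Map endpoint name -> classification, for review of overdue hosts."""
    return {r["endpoint"]: classify(r, now) for r in records}


# Constructed sample records (not real Apex Central output).
T0 = datetime(2019, 8, 13, 9, 0)
SAMPLE = [
    {"endpoint": "ws-01", "trigger": "edit_policy", "triggered_at": T0,
     "status_reported_at": T0 + timedelta(minutes=12)},
    {"endpoint": "ws-02", "trigger": "edit_policy", "triggered_at": T0,
     "status_reported_at": None},
    {"endpoint": "ws-03", "trigger": "property_change", "triggered_at": T0,
     "status_reported_at": None},
    {"endpoint": "ws-04", "trigger": "new_agent", "triggered_at": T0,
     "status_reported_at": T0 + timedelta(minutes=45)},
]

if __name__ == "__main__":
    print(audit(SAMPLE, T0 + timedelta(hours=1)))
```

Endpoints classified as overdue are the ones to review, since they may still be running without the intended protection settings.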

Case A. Default iProduct policy settings

iProduct Disabled by default

By default, iProduct settings are set to “disabled”, which implies that iProduct agents are not installed. In this situation, after the Apex One server dispatches policies to the iProduct servers, the iProduct servers respond “successfully deployed” directly to the Apex One server.

The very first policy deployment that enables iProduct settings will trigger installation of the iProduct agents.

Once iProduct agents are installed, policy setting changes to iProducts fall into the normal policy deployment flow.

Case B. Apex One server does not have a valid iProduct license

ES without License

When a policy contains settings that enable iProduct settings, the Apex One server first checks for a valid license before dispatching the policy to the iProduct servers. If there is no valid license, the Apex One server responds with the “unactuated license” error code to Apex Central directly (i.e. iProduct license information is managed by the Apex One server).

For more details, refer to this document.

Category: Deploy
Solution Id: 1123401