Policies Overview

 

The main way to manage devices via the Business Hub is through policies, which are groups of security rules that determine how Business Agent and available services work on end devices in your network. In other words, policies provide all of the settings for the features/services installed on the endpoints. Any changes to a policy are applied to the devices and groups using that policy.

Accessing Policies

All created policies will be visible on the Policies page of the Business Hub. In the single-tenant console (or at the site/customer level of the multi-tenant/partner console), you will be able to see the following information for each of your policies:

• Status: In use (applied to device(s)) or Unused (not applied to any devices)
• Policy name: Name of the policy and its description, if any. Clicking the name will open the policy's Detail drawer (see the Policy Settings section for more information).
• Type: Site/Customer/Company policy (multi-tenant/partner/single-tenant) or Global policy - site/customer (multi-tenant/partner only - see the Global vs. Site Policies section for more information)
• Assigned/Overrides: The number of devices assigned to the policy, and the number of devices that override the policy individually in the device detail. Clicking the count will open the Assignments tab of the policy (see the Assignments section for more information).
• Last Modified: Last modified date/time (tooltip displays the exact date/time)

Also, a star icon will be displayed next to the default policy.

At the top (company) level of the multi-tenant/partner Business Hub, aside from site policies, you will have the option to view and manage global policies, i.e. policies that apply to multiple sites (see the Global vs. Site Policies section below for more information). You can switch between the two policy types via the tabs at the top of the page.

The Site Policies tab will contain policies from all sites and display the same information for them as at the site level, plus the site/customer name so you could easily see which site each policy applies to.

The Global Policies tab will also display the policy status, name, type, and date/time of last modification, but instead of the Assigned/Overrides column, you will see the Assigned column, showing the number of sites each global policy applies to.

Global vs. Site Policies

As mentioned above, there are two policy types in the multi-tenant/partner Hub: global and site policies. A site policy, as the name suggests, applies only to its respective site, whereas a global policy can be assigned to multiple sites to allow real centralized control of settings.

When a global policy is applied to a site, it will be displayed at site level as Global policy - site.

From here, the admin (global or site) can further modify the policy as they require for that site, meaning they will have centralized control, with the possibility of local customization. Changes made here will not affect the global policy itself, as it is a local copy of the global policy.

The policy can also be converted to a site policy via the policy's Detail drawer (see the Overview Tab section).

 

Another major difference between global and site policies is the possibility to lock policy settings. In global policies, the global admin can lock each setting to ensure the local site copy cannot be modified. This is especially useful when some settings are mandatory (e.g. client UI protection that all customers must have). Site policies do not have this option.

Once a setting is locked by closing the padlock, it will become completely inaccessible in the site-level policy. This can only be changed by the global admin.

Policy Settings

All settings of a policy can be accessed by clicking the policy's name, which will open its Detail drawer, split into four main tabs:

• Overview
• Settings
• Exclusions
• Assignments

A single policy contains settings for Windows and macOS workstations and Windows servers, so you do not need to have separate policies for each operating system. This enables you to configure settings for a device group that contains multiple OS types at once.

Note, however, that some policy settings are not available for all operating systems - the OS icons displayed next to each section and setting will inform you which OS a setting can be applied to.

Overview Tab

This tab provides some brief details about the policy: description (editable), type, time of creation and of last update, name of the user who created/updated it, and template type used for its creation (Avast recommended policy for workstations, Avast recommended policy for servers, or an existing policy).

For the local copy of a global policy (Global policy - site/Global policy - customer), you will also have the option to convert it to site policy.

Settings Tab

Detailed settings for the Business Agent and each service available in the account are found here, divided into several tabs:

• General
• Antivirus
• Firewall
• Cloud Backup
• VPN
• USB Protection
• Patch Management

Only the settings related to the services you are subscribed to will be shown (e.g. the Patch Management tab will be hidden if your subscription does not include the Patch Management service).

General

• Restart Options: Select when to restart endpoint devices between only when needed by the Antivirus or Patch Management service, automatically, when user logs off, or not at all. For more information on these options, see Configuring Automatic Restarts.
• Proxy Settings: Set up HTTP or SOCKS v4 proxy when a network uses proxies for end devices (see Configuring Proxy Settings for Devices).

Antivirus

• General Settings: Set up version switch (available for beta-enabled accounts only), UI protection, silent mode, reputation services, Avast tray icon, scanning of external drives, CyberCapture, and hardened mode (see General Antivirus Settings). In this section, you can also modify privacy settings of endpoint users (see Configuring Privacy Settings in Business Hub).
• Antivirus Scans: Set the frequency of quick and full system Antivirus scans (see Scheduling Antivirus Scans).
• Updates: Select either automatic or manual updates for your virus definitions and Antivirus program (see Configuring Virus Definitions and Antivirus Program Updates).
• Troubleshooting: Enable or disable the anti-rootkit monitor, Avast self-defense module, limited program access for Guest accounts, hardware-assisted virtualization, delayed Avast startup, LSA protection, debug logging, or enter the details for your mail ports (see Troubleshooting Features in Business Hub).
• Antivirus Protection: Enable, disable, and configure settings for the main protection components (follow the links under Configuring Components in Component Overview for more information)
• Data Protection: Enable, disable, and configure settings for Data Shredder, Exchange Shield, or SharePoint Shield.
• Identity Protection: Enable or disable Browser Cleanup and Passwords, configure settings for Webcam Shield, or set up Password Protection.

Firewall

• Networks: Select the firewall profiles for undefined network connections, and define networks (see Firewall Network Settings).
• Firewall rules: Set the various Firewall System Rules, Firewall Application Rules, and Firewall Advanced Packet Rules.
• Advanced: Enable or disable Leak Protection, Port Scan Alerts, and ARP Spoofing Alerts (see Advanced Firewall Features).

Cloud Backup

• What to backup: Define folders and content to be backed up (All files or Only specified file types)
• Specify file types: In case of backing up only certain types of files, select them here
  • Skip files based on file size: Exclude the files whose size exceeds a defined lower or upper limit from the backup
• Exceptions: Click on the provided link to the Exclusions Tab tab to define the folders and file types to be excluded from the backup
• Schedule: Define the frequency of backups
• Retention: Choose how long the backed up data will be stored before being deleted

For more information, see Configuring Cloud Backup.

VPN

The link in the VPN section will send you to the Devices page, where you can enable or disable VPN connections for each of your devices. For more information, see VPN.

USB Protection

• Access to removable storage devices: Allow or block access to connected devices with storage capabilities (see USB Protection).

Patch Management

• Patch Scans and Deployments: Set the frequency of scans for missing patches, and whether or not to deploy m issing patches immediately, on a specific schedule, or manually (see Scanning Devices for Missing Patches).
• Other Settings: Select when to clear the local patch files on the end device (see Configuring Cache Clearance).

Exclusions Tab

This is the central area for exclusion configuration for all services where exclusions are possible.

• Antivirus exclusions: Specify paths to be excluded from either all scans and shields or specific shields only (see Configuring Antivirus Exclusions).
• Patch Management exclusions: Specify vendors/products to be excluded from patch deployment (see Configuring Patch Management Exclusions).
• Cloud Backup exclusions: Specify folders and file types to be excluded from backup (see Configuring Cloud Backup Exclusions).
• USB Protection exclusions: Specify removable devices to be excluded from USB Protection (see Configuring USB Protection Exclusions).

Assignments Tab

For site policies, this section provides a list of devices to which the policy has been assigned, as well as information on whether any of them had their applied service settings overridden (see Overriding Inherited Policy Settings for more information). Via the + Assign policy button, you can apply the policy to additional devices.

For global policies, the sites to which the policy has been assigned will be listed here, along with the number of devices using the policy and that of overrides. Via the + Assign to sites button, you can apply the policy to additional sites.