Endpoint profile provisioning based on on-net or off-net status
You can configure an endpoint policy to apply a different profile to the endpoint when it is on-net, compared to when the endpoint is off-net.
To configure an on-net and off-net profile:
- Go to Endpoint Profiles > Manage Profiles. Create a new profile or modify an existing profile to configure the on-net profile. You will configure the policy to apply this profile to endpoints when they are on-net. The example Profile_OnNet profile only has VPN and Vulnerability Scan enabled.
- Create another profile or modify another existing profile to configure the off-net profile. You will configure the policy to apply this profile to endpoints when they are off-net. The example Profile_OffNet profile has a different feature set enabled than Profile_OnNet: Malware Protection, Sandbox Detection, and Web Filter in addition to VPN and Vulnerability Scan.
To configure an on-net detection rule:
- Go to Policy Components > On-net Detection Rules.
- Click Add.
- In the Name field, enter the desired name.
- Enable the rule by toggling Enable Rule on.
- In the IP Addresses/Subnet Masks field, enter the desired values. You can enter multiple values by clicking the + button.
- (Optional) In the Gateway MAC Addresses field, enter the desired values. You can enter multiple values by clicking the + button.
- Click Save. In this example, a policy with this rule set configured will determine an endpoint to be on-net if it is inside the 172.17.81.0/23 subnet.
To configure the endpoint policy:
- Go to Endpoint Policy > Manage Policies.
- Configure the policy:
  - Click Add.
  - In the Endpoint Policy Name field, enter the desired name.
  - (Optional) In Endpoint domains, select the domains to apply the policy to.
  - (Optional) In Endpoint workgroups, select the workgroups of endpoints to apply the policy to.
  - In Endpoint Profile, select an endpoint profile from the dropdown list. This is the on-net profile. In this example, Profile_OnNet is selected.
  - (Optional) In Endpoint profile (Off-net), select an endpoint profile in the policy to apply to the endpoint when it is off-net according to the on-net detection rules configured in this policy. In this example, Profile_OffNet is selected.
  - (Optional) In On-Net Detection Rules, select the on-net detection rules to include in the policy. In this example, OnNet1 is selected.
  - (Optional) In Telemetry gateway list, select the desired Telemetry gateway list from the dropdown list. You must have already configured a Telemetry gateway list in EMS for this option to be available. See Creating a Telemetry gateway list.
  - (Optional) In Comments, enter any comments.
  - Enable the policy by toggling Enable Policy on.
  - Click Save.
You cannot delete a profile, Telemetry gateway list, or on-net detection rule that is configured as part of a policy. If you attempt to delete such a profile, list, or rule, EMS displays a Cannot delete an assigned <profile/telemetry gateway list/on-net subnet component> message. To delete a profile, list, or rule that is part of a policy, first edit the policy so that it no longer uses that profile, list, or rule, then delete the profile, list, or rule.
To view the results on the endpoint:
The following illustrates the results of configuring an on-net and off-net profile for a policy applied to an endpoint.
In this example, the policy applied to the endpoint does not have on-net detection rules configured. In this case, the endpoint has an online/on-net status and has the feature set enabled in the on-net profile.
In this example, the policy applied to the endpoint has on-net detection rules configured, and on-net and off-net profiles. In this case, the endpoint's IP address is in the configured subnet, so the endpoint has an online/on-net status and the feature set enabled in the on-net profile.
In this case, let's assume that the on-net detection rules have been modified so that endpoints inside the 172.17.93.0/23 subnet are considered on-net, not endpoints inside the 172.17.81.0/23 subnet. The endpoint's IP address, 172.17.81.131, is no longer in the on-net subnet. Therefore, the endpoint has an online/off-net status and the feature set enabled in the off-net profile.
In this case, let's assume that the on-net detection rules have been modified so that endpoints inside the 172.17.81.0/23 subnet are considered on-net. The endpoint's IP address, 172.17.81.131, is in the configured subnet, but the endpoint now cannot connect Telemetry to EMS. The endpoint has an offline/on-net status and EMS displays its location as unavailable.
Let's modify the on-net detection rules again so that endpoints inside the 172.17.93.0/23 subnet are considered on-net. In this case, the endpoint's IP address, 172.17.81.131, is not in the configured subnet and the endpoint cannot connect Telemetry to EMS. The endpoint has an offline/off-net status and EMS displays its location as unavailable.
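The on-net decision and the resulting status/profile combinations walked through above can be modelled in a few lines. The following Python is an added example, not EMS code: it assumes a rule matches when the endpoint IP falls inside one of the rule's subnets (the optional Gateway MAC Addresses check is omitted, since this page does not describe how it combines with the subnet list), that disabled rules are ignored, and that a policy with no off-net profile keeps the on-net profile in effect.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class OnNetRule:
    name: str
    enabled: bool
    subnets: List[str]  # the rule's "IP Addresses/Subnet Masks" entries, e.g. "172.17.81.0/23"

@dataclass
class EndpointPolicy:
    name: str
    profile: str                          # Endpoint Profile (applied when on-net)
    offnet_profile: Optional[str] = None  # Endpoint profile (Off-net), optional
    rules: List[OnNetRule] = field(default_factory=list)

def is_on_net(policy: EndpointPolicy, endpoint_ip: str) -> bool:
    """No on-net detection rules in the policy: the endpoint is on-net. Otherwise it is
    on-net only when its IP address lies inside a subnet of an enabled rule (assumption)."""
    active = [r for r in policy.rules if r.enabled]
    if not active:
        return True
    ip = ipaddress.ip_address(endpoint_ip)
    return any(ip in ipaddress.ip_network(s, strict=False) for r in active for s in r.subnets)

def evaluate(policy: EndpointPolicy, endpoint_ip: str, telemetry_connected: bool) -> dict:
    """Status EMS shows (connection/location), the displayed location, and the applied profile."""
    on_net = is_on_net(policy, endpoint_ip)
    location = "on-net" if on_net else "off-net"
    if telemetry_connected:
        # Assumption: with no off-net profile selected, the on-net profile stays in effect.
        profile = policy.offnet_profile if (not on_net and policy.offnet_profile) else policy.profile
    else:
        profile = None  # the page states only status and location for an offline endpoint
    return {
        "status": f"{'online' if telemetry_connected else 'offline'}/{location}",
        "location_shown": location if telemetry_connected else "unavailable",
        "profile": profile,
    }

# Constructed sample mirroring the walkthrough: rule OnNet1 first covers 172.17.81.0/23,
# then is modified to 172.17.93.0/23; the endpoint's address is 172.17.81.131.
POLICY_81 = EndpointPolicy("Policy1", "Profile_OnNet", "Profile_OffNet",
                           [OnNetRule("OnNet1", True, ["172.17.81.0/23"])])
POLICY_93 = EndpointPolicy("Policy1", "Profile_OnNet", "Profile_OffNet",
                           [OnNetRule("OnNet1", True, ["172.17.93.0/23"])])
ENDPOINT_IP = "172.17.81.131"
```

Running `evaluate(POLICY_81, ENDPOINT_IP, True)` and `evaluate(POLICY_93, ENDPOINT_IP, False)` reproduces the online/on-net and offline/off-net cases described above.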