When you assign a new policy to a particular group of the System Tree, all child groups and
systems that are set to inherit the policy from this assignment point do so.
Assignment locking
You can lock the assignment of a policy on any group or system (provided you have the
appropriate permissions). Assignment locking prevents other users:
• With appropriate permissions at the same level of the System Tree from inadvertently
replacing a policy.
• With lesser permissions (or the same permissions but at a lower level of the System Tree)
from replacing the policy.
Assignment locking is inherited with the policy settings.
Assignment locking is valuable when you want to assign a certain policy at the top of the System
Tree and ensure no other users replace it anywhere in the System Tree.
Assignment locking only locks the assignment of the policy, but does not prevent the policy
owner from making changes to its settings. Therefore, if you intend to lock a policy assignment,
ensure that you are the owner of the policy.
Policy ownership
All policies for products and features to which you have permissions are available from the
Policy Catalog page. To prevent any user from editing other users’ named policies, each policy
is assigned an owner — the user who created it.
Ownership provides that no one can modify or delete a policy except its creator or a global
administrator. Any user (with appropriate permissions) can assign any policy in the Policy
Catalog page, but only the owner or a global administrator can edit it.
If you assign a policy that you do not own to managed systems, be aware that if the owner of
the named policy modifies it, all systems where this policy is assigned receive these modifications.
Therefore, if you wish to use a policy owned by a different user, McAfee recommends that you
first duplicate the policy, then assign the duplicate to the desired locations. This provides you
ownership of the assigned policy.
Client tasks and what they do
ePolicy Orchestrator allows you to create and schedule client tasks that run on managed systems.
You can define tasks for the entire System Tree, a specific group, or an individual system. Like
policy settings, client tasks are inherited from parent groups in the System Tree.
Which extension files are installed on your ePO server determines which client tasks are available.
Client tasks are commonly used for:
• Product deployment.
• Product functionality. (For example, the VirusScan Enterprise On-Demand Scan task.)
• Upgrades and updates.
See the product documentation for your managed products for information and instructions.
Managing Products with Policies and Client Tasks
Client tasks and what they do
117
McAfee ePolicy Orchestrator 4.0.2 Product Guide