Been scratching my head on this and hope someone can provide me some clarity. It shouldn't matter for this question, but I am running IVE OS 7.0r4.
In the endpoint I have a policy that evaluates for AV, another policy that evaluates for FW, and a separate policy that is supposed to only be for IT that adds a few more supported AV vendors than just the regular users.
In the realm I have it set to evaluate all three policies; in the user role (depending on the role) these host checker policies are required.
Here is the dilemma: the IT policy at the realm level, where it is only set to evaluate and not enforce, is kicking my end users off even though the end user doesn't have this policy listed in their role as a requirement... what am I missing?
As I understood, you have 3 policies with one check each?
I would suggest building 2 policies instead:
1. EndUser policy (contains one rule for standard AV and one rule for evaluating FW)
2. IT Staff Policy (contains one rule for a bigger list of AV-Vendors and one rule for evaluating FW)
This will maintain two independent checks for the two user groups and each policy can be mapped to the corresponding role.
Take care with the radio buttons in the "Require" section and make sure that in this case "All of the above rules" is marked in each Host Checker policy.
One more suggestion: if you also check for AV updates and you require updates "not older than xxx", make sure your clients are able to reach an AV update server before they connect via the SA... or do not use this feature with too restrictive policies.
It would be nice to get feedback if this may help.
@fuman... thank you, although here is where the issue lies (regardless of whether I have 2 or 3 policies at the realm level).
The user logs in, and then the realm level policies are all set to evaluate, the user also evaluates the IT policy, except instead of just evaluating, it enforces at the realm level. So the user is not able to log in.