Stevo may have a PC for the kids that is fully locked down without asking them about any blocking (just doing it), yet he may also have another PC that is his own where he wants to be asked about everything… This means Steve’s PC should be part of the ‘Self Managed’ group, whereas Kids1 is part of the ‘Restricted’ group. These policies may be applied to many PCs for many clients.
But I’d like to be able to manage home/work networks by ‘sub’ groups.
For example, a home client should have their home network recognised (by the MAC address of the router), and then allow file access to/from all hosts on that LAN. I’d then create a different type of group called Stevo’s and I’d like to push that network setting & rules for that home network across all their PCs, but ensure it does NOT overwrite other policy sections.
PS Edit. WRT Local policy & Internet policy, is it possible to make ‘local policy’ apply to ‘Home/Work Network’? Or is that how it works already?
Local Policy means the default CIS configuration on that machine when on a LAN, Internet Policy means when it is on the WAN. So, to define different policies (i.e. “Self-managed” or “Restricted”), you would either edit these default policies or create new ones which would dictate the system’s settings.
For example the “Restricted” machine would have Sandbox enabled, Defense+ set to “Paranoid” or “Safe” mode and the alerts disabled. The “Self-managed” may have the same configuration but with alerts enabled. That way the kids would be tied down without seeing any alerts but Stevo will see all the alerts.
While this doesn’t exactly fit the criteria of sub-grouping it probably does solve the problem. ESM version 3 will be able to perform the sub-grouping you specify but this feature will probably only be available later in Q1 2013.