Policy Based Remediation and Script Running

Following the rollout of policy inheritance, I have now found that a number of automated remediations are no longer possible without having to create remediations for each customer and have also found it more awkward to run scripts on devices that are all using the same policy.

As an example, we have a number of school customers and there were a few remediations that can only be run on student devices, but in order to recreate these, I would need to create a clone of this remediation for each school, selecting the student devices folder. These student device folders all use the same policy, so every device under the student policy is still a student device. It would be extremely useful and time-saving if I could once again make remediations or run scripts against all devices under a certain policy across all customers, rather than having to go through each school.

Another example use case would be an RDS Server policy, which is applied directly to RDS servers but contains no actual policy rules; all it does is specify that the server is an RDS server and nothing more. I could then schedule maintenance across all of these RDS servers at the same time, or run any number of scripts that are only relevant to RDS servers without having to go through and manually find each one across every single one of our customers.

I agree; with the added flexibility we gained from the policy inheritance, we lost a very useful remediation option. The workaround is to create asset custom fields to filter on when doing remediations or saved searches. In my opinion, each asset should have an “internal” field that contains an array of currently applied policies. This way, in searches or remediation you could say “if Asset_Policies contains ‘workstation policy’”, or “does not contain”, etc.

I’m not quite sure if I agree that your RDS example is in fact the easiest way to do what you describe, but that does not invalidate the loss in functionality being able to match on policy has caused.

In my RDS example, all I’m really doing is looking for devices with the RDS policy applied; it’s effectively the same thing but may go so far as to only include just a single or a few devices because the policy is only applied directly to specific devices, not any folders.
I would prefer to be able to select the policy itself, but a field on the device that can be filtered for the policy could also work, provided this filter can also be used for running scripts, not just remediation.
