For those who are looking to start out on building block lists for EPM, below are some tips and resources available.
Analytics can shift this exercise from ‘blocking by vibes’ to data-informed changes.
Tips for Implementing a Block Rule:
-
Check your analytics for application definitions that match your anticipated block rule
-
This can help determine estimated impact
-
-
Check your policy for allow rules that may match your block (either on purpose or by accident)
-
If so, then your allow or block may need to be altered to not conflict
-
-
Block Rules are the only time you’re going to want to be more generic, and typically the widest net possible. It’s the opposite of allow rules where we recommend more than one definition
-
Examples:
-
One rule for the Publisher
-
One rule for the file name of the executable
-
One rule for the Product Name
-
-
-
Block rules will only block what can be managed by EPM - seems redundant but a general guide I have is that if the configuration of a function is done elsewhere, then EPM may not be the only/best space to place the block rule (e.g. browser extensions)
-
Optionally: put in a ‘monitoring’ block rule to audit everything that hits the rule so you’ll have better visibility of current usage in the environment in the case that events are being captured in a rule without analytics configured.
Additional Resources:
Ringed testing approaches: EPM Saas : Packages, Policies, and Preferable Practices | Community
If test groups need to be made and bulk move systems: Bulk move computers to different computer groups with API methods | Community
Kick Start Approach for EPM: Kick Start to EPM Windows & mac OS | Community
KB0017838 - How to create policy rules in EPM - Best practice for policy rule creation (application & On-Demand) - https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0017838
KB0017940 - Best Practices when using the QuickStart for Windows policy template - https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0017940
