Security

Hello All

We are in process of adding a health check for DLP agent in OnGuard Universal SHV plugin

But there are certain Windows systems which needs to excluded and bypass the health check mandating DLP agent to be present on all systems.

can I enforce a policy using attribute Device Name in service policy for onlyspecific count of Windows systems?

how could I achieve this? Do I need to create a custom profile?

What type of a health check do you mean? 
If you want the DLP Agent to be present on all systems, you create a posture policy, as a Windows Universal System Health Validator then on the respective OS (Windows 10 or Windows 11) you will add:
- Processes: The DLP Agent to be mandatory running
- Services: The DLP Agent service to be mandatory running.

If the DLP Agent Process and Service is not running, then you can do a policy to either Quarantine it or do whatever the use-case will require to do.

Hello All

We are in process of adding a health check for DLP agent in OnGuard Universal SHV plugin

But there are certain Windows systems which needs to excluded and bypass the health check mandating DLP agent to be present on all systems.

can I enforce a policy using attribute Device Name in service policy for onlyspecific count of Windows systems?

how could I achieve this? Do I need to create a custom profile?

Yes. The policy will be created to enforce mandatory DLP agent to be running on all Windows systems.

But there are some systems which we need to exempt from DLP check. ClearPass should not mark these systems as quarantine if DLP agent is not installed on system. Is there any way we can achieve this?

What type of a health check do you mean? 
If you want the DLP Agent to be present on all systems, you create a posture policy, as a Windows Universal System Health Validator then on the respective OS (Windows 10 or Windows 11) you will add:
- Processes: The DLP Agent to be mandatory running
- Services: The DLP Agent service to be mandatory running.

If the DLP Agent Process and Service is not running, then you can do a policy to either Quarantine it or do whatever the use-case will require to do.

Hello All

We are in process of adding a health check for DLP agent in OnGuard Universal SHV plugin

But there are certain Windows systems which needs to excluded and bypass the health check mandating DLP agent to be present on all systems.

can I enforce a policy using attribute Device Name in service policy for onlyspecific count of Windows systems?

how could I achieve this? Do I need to create a custom profile?