Rolling out EPM
Decide your Rollout Method
After the EPM server has been installed, you’ll need to decide on a method for rollout. Rollout refers to the installation of the EPM Client on a group of endpoints AND creating a policy set for that group. You might use a different method depending on the group.
LEARNING MODE METHOD
By enabling Learning Mode for a group, you create a permissive-policy environment allowing users to run elevated processes as administrator. Elevations performed will automatically generate 'Allow' policies which are visible and editable in the EPM server interface.
EPM's standard DENY-BY-DEFAULT rule does not apply while a group is in Learning Mode. However, any explicit 'Deny' policies you create before placing the group in Learning Mode will apply.
or
MANUAL METHOD
If the Learning Mode method is not suitable for your environment, you’ll need to manually create an 'Allow' policy for each process you wish your users to be able to execute.
This is suited for very hardened environments where administrative privileges have already been removed from most endpoints.
Rollout with Learning Mode
PLAN THE ROLLOUT
Prioritise
- Learning Mode can be applied to one group at any one time, so you will need to decide in which order to roll out the EPM client to groups of users.
Schedule
- Give yourself enough time to communicate with users and prepare their workstations before placing the group into Learning Mode.
- You’ll want to capture a healthy sample of typical user behaviour for a group in Learning Mode. Be sure to allot enough time for each group to build a robust policy set.
- Also allow time to handle the review and editing of policies created after you remove the group from Learning Mode.
EXECUTE THE ROLLOUT
Prepare the Group's Workstations
- Identify the group scheduled for EPM rollout
- Ensure the group has been notified of the change in behaviour required and the date of change
- Ensure every member of the group has EPM installed on their machines
- Remove local admin rights from the group
- Create any desired DENY policies using the “Create Policy” function in the EPM server interface
Place the Group into "Learning Mode"
- Place the group in Learning Mode
- (Test an elevation by asking a user of the group to run an executable as administrator using EPM)
Harden
- Remove the group from Learning Mode according to your schedule
- Review the policies generated during Learning Mode
- Edit, delete, or create any policies
- Communicate to users that Learning Mode is complete and how to access processes outside of policy in the future
Rollout with Manual Policies
PLAN THE ROLLOUT
Identify Allowable Processes
- Creating policies manually at rollout entails identifying every process you’d like allowed to be run with administrator rights and then creating an 'Allow' policy for that process.
Schedule
- You may want to roll out EPM one user group at a time as this makes the rollout process more manageable for a sysadmin. Whether you roll out to one or many groups, give yourself enough time to manage the rollout process. Consider:
- Time to communicate with users and prepare their workstations before the rollout.
- Time to handle requests for new policies after you've applied your policies.
EXECUTE THE ROLLOUT
Prepare the Group's Workstations
- Identify the group(s) scheduled for EPM rollout
- Ensure the group(s) has been notified of the change in behaviour required and the date of change
- Ensure every member of the group(s) has EPM installed on their machines
- Ensure local admin rights have been removed from the workstations of every member of the group(s)
Create Policies for Allowable Actions
- Use the “Create Policy” function to create any desired 'Allow' policy(ies) for processes and executables
- Test an elevation by asking a user of the group to run an executable as administrator using EPM
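Both rollout methods depend on local admin rights actually being gone from the group's workstations before policies take effect. The following is an added example, not part of the EPM product or its documentation, showing one way to verify that step. It assumes Windows endpoints with PowerShell remoting enabled; the function name, hostnames and allow-list patterns are hypothetical.

```powershell
# Added example: list accounts still in the local Administrators group on
# each workstation of a rollout group. Hostnames are constructed placeholders.
function Get-UnexpectedLocalAdmin {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        # SIDs allowed to remain (assumption: built-in Administrator, RID 500,
        # and Domain Admins, RID 512). Adjust to your environment.
        [string[]] $AllowedSidPattern = @('^S-1-5-21-[\d-]+-500$', '^S-1-5-21-[\d-]+-512$')
    )
    foreach ($computer in $ComputerName) {
        try {
            # S-1-5-32-544 is the well-known SID of the local Administrators
            # group; using it avoids problems with localized group names.
            $members = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
                Get-LocalGroupMember -SID 'S-1-5-32-544' |
                    Select-Object Name, ObjectClass, @{ n = 'SID'; e = { $_.SID.Value } }
            }
        } catch {
            # Report unreachable hosts instead of silently treating them as clean.
            [pscustomobject]@{
                Computer = $computer; Member = $null; SID = $null
                Status   = "Not checked: $($_.Exception.Message)"
            }
            continue
        }
        foreach ($m in $members) {
            $allowed = $false
            foreach ($pattern in $AllowedSidPattern) {
                if ($m.SID -match $pattern) { $allowed = $true }
            }
            if (-not $allowed) {
                [pscustomobject]@{
                    Computer = $computer; Member = $m.Name; SID = $m.SID
                    Status   = 'Unexpected local admin'
                }
            }
        }
    }
}

# Constructed hostnames for a group scheduled for rollout.
Get-UnexpectedLocalAdmin -ComputerName 'WS-FINANCE-01', 'WS-FINANCE-02' |
    Format-Table -AutoSize
```

An empty result means every reachable workstation has only the allowed accounts in its local Administrators group; rows marked "Not checked" need a follow-up before the group is placed into Learning Mode or given manual policies.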