In this article, you will learn how to assign Group Policies to an endpoint or to a group of endpoints from the HEIMDAL Dashboard depending on your needs.
1. Priorities when using a Group Policy assignment method
2. Manually assigning a Group Policy
3. Automatically assigning a Group Policy based on External IPs
4. Automatically assigning a Group Policy based on Azure AD Groups
5. Automatically assigning a Group Policy based on AD Computer Groups
6. Automatically assigning a Group Policy based on AD User Groups
7. Automatically assigning a Group Policy based on Hostname Groups
8. Automatically assigning a Group Policy based on ComputerTags or UserTags
9. Automatically assigning a Group Policy based on Group Policy priorities
Priorities when using a Group Policy assignment method
The Group Policy assignment methods are prioritized as follows: Specific assignment of GP (highest priority), External IPs, Azure AD Groups, Active Directory Computer Groups, Active Directory User Groups, Hostname Groups, ComputerTag and UserTag, and Group Policy priority (lowest priority). This means that if you use several Group Policy assignment methods at once, a manual GP assignment overrides the automatic assignment based on AD Computer/User Groups, and an Azure AD Group assignment takes precedence over a Hostname Group assignment (and is applied first).
Manually assigning a Group Policy
This feature allows the HEIMDAL Dashboard Administrator to manually assign a Group Policy based on what you specify in the Specific GP drop-down menu.
1. Log in to the HEIMDAL Dashboard with your email address.
2. Click the Unified Endpoint Management section -> Device info view.
3. Select the endpoint(s) to be assigned to the specific Group Policy.
4. From the Select Specific GP drop-down menu, select the Group Policy that you want to apply.
5. Press the Apply to specific GP button.
Note that the selected Group Policy will apply to the endpoint(s) on the next Group Policy check.
Automatically assigning a Group Policy based on External IPs
This feature allows the HEIMDAL Dashboard Administrator to automatically assign a Group Policy based on the External IP Address used by a user to connect to the Internet. This is useful for users that work from multiple offices or switch between the office and home environment.
1. Log in to the HEIMDAL Dashboard with your email address.
2. Click Endpoint Settings, then click the Group Policy that you want to be automatically assigned to your endpoints.
3. In the General -> General Management tab, add your external IP Address(es)* and press Update GP.
*Multiple IP Addresses can be added by separating them with a comma (e.g. 1.2.3.4, 2.3.4.5, 3.4.5.6).
Example: in the scenario where the Office IP Address is 1.2.3.4 (set on GP A) and the Home IP Address is 2.3.4.5 (set on GP B), the user's endpoint will get assigned to GP A when running from the Office and will be assigned to GP B when running from Home.
Automatically assigning a Group Policy based on specific Azure AD Groups
This feature allows the HEIMDAL Dashboard Administrator to automatically assign a Group Policy based on the specified Azure AD Group. This is useful for users that work from multiple offices or switch between the office and home environment. In order for Azure AD Groups to work, SAML Login 2.0 must be enabled and your Azure AD Groups and Users must be synchronized with the HEIMDAL Dashboard (in the Guide section -> Customer Settings tab).
If you have multiple users (who are part of different Azure AD Groups) using the same computer, you can have different Group Policies applying to each logged-in user, because the HEIMDAL Agent performs a check 10-15 seconds after the user login to apply the corresponding Group Policy.
Example:
- User1 is a member of Azure AD Group 1 (which is linked to the Test1 group policy), User2 is a member of Azure AD Group 2 (which is linked to the Test2 group policy). When User1 is logged in, the HEIMDAL Agent will apply the Test1 group policy to the computer (hostname: Test-Endpoint). If User1 signs out and User2 logs in, the HEIMDAL Agent will apply the Test2 group policy to the computer (hostname: Test-Endpoint);
- When switching from one user to another (without signing out), the HEIMDAL Agent will apply the group policy corresponding to the last user that logged in.
1. Log in to the HEIMDAL Dashboard with your email address.
2. Click Endpoint Settings, then click the Group Policy that you want to be automatically assigned to your endpoints.
3. From the Specific Azure Groups drop-down menu you can select one or multiple Azure AD Groups. You also have the option to search and synchronize multiple AAD groups directly from the Group Policy, rather than from the Customer Settings. Heimdal will perform a call directly to the Microsoft Graph API in order to retrieve groups for the tenant that have been synchronized.
4. To save the changes, scroll to the bottom of the page, and click Update GP.
Automatically assigning a Group Policy based on AD Computer Group
This feature allows the HEIMDAL Dashboard Administrator to automatically assign a Group Policy based on the specified AD Computer Group. The computer to be assigned to the HEIMDAL Dashboard GP must be a member of the Active Directory Global Security Group (see the snippet below) specified in the AD Computer Group field. AD Computer Group has priority over AD User Group.
1. Log in to the HEIMDAL Dashboard with your email address.
2. Click Endpoint Settings, then click the Group Policy that you want to be automatically assigned to your endpoints.
3. In the AD Computer Group field, specify the Active Directory Security Group of which the computer(s) are members.
4. Scroll down and Update GP.
5. To get the computer(s) to apply the Group Policy that is matched to the AD Computer Group, you need to go to the Device Info page, select the computer(s) in question, and apply the Automatic option from the Select GP dropdown menu.
Automatically assigning a Group Policy based on AD User Group
This feature allows the HEIMDAL Dashboard Administrator to automatically assign a Group Policy based on the specified AD User Group. The computer to be assigned to the HEIMDAL Dashboard GP must be a member of the Active Directory Global Security Group (see the snippet below) specified in the AD User Group field. This feature works with Global Security Groups. AD Computer Group has priority over AD User Group.
1. Log in to the HEIMDAL Dashboard with your email address.
2. Click Endpoint Settings, then click the Group Policy that you want to be automatically assigned to your endpoints.
3. In the AD User Group field, specify the Active Directory Security Group assigned to the computer(s).
4. Scroll down and Update GP.
5. To get the computer(s) to apply the Group Policy that is matched to the AD User Group, you need to go to the Device Info page, select the computer(s) in question, and apply the Automatic option from the Select GP dropdown menu.
Additional information
The HEIMDAL Agent runs gpresult /r locally, which reports the host's AD Computer Group and AD User Group memberships. It then tries to match the group names configured in the HEIMDAL Dashboard policy against the groups returned by the gpresult /r command. If a match is found, the corresponding HEIMDAL Group Policy applies to the matched Active Directory Security Group.
Example:
- Policy 1 – linked to AD Computer Group ActiveD 1 (this is where all the machines and resources are added);
- Policy 2 – linked to AD User Group ActiveD 2 (this is where all the user accounts are added);
- Since an endpoint can be a member of both Security Groups - ActiveD 1 and ActiveD 2, you need to take into consideration that AD Computer Group ActiveD 1 has priority over the ActiveD 2 group even if Policy 2 is above Policy 1. This means that the endpoint that is a member of both AD Security Groups - ActiveD 1 and ActiveD 2, will get assigned to GP Policy 1.
- The only AD Group types that are supported are Global Security Groups (Computer or User Security Groups);
- Nested Groups are NOT supported for use within the Heimdal Dashboard (only the first-level, parent group is usable, because child groups are NOT discoverable). The HEIMDAL Agent can only see the Security Groups that are listed by the gpresult /r command line;
- Keep in mind that each user can have only one policy. If you have two policies for the same AD Global Security Group, Heimdal will use only the policy with the higher priority value;
- The group names are case-sensitive inside the HEIMDAL Dashboard, so, for a successful bind, the names must be an exact match;
- If an AD Computer Group or an AD User Group is set in the Group Policy, the policy is changed, and the endpoint has no user logged in, the agent cannot determine which GP to use (the endpoint may have multiple users with different AD groups and therefore different GPs), so it uses the GP saved in its local storage.
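As an added check (not Heimdal's code), the parser below reads a constructed excerpt of `gpresult /r` output and reports whether the group names entered in the AD Computer Group and AD User Group fields would bind under the exact-match rule above. The sample output and the group names ActiveD 1 / activeD 2 are constructed; real `gpresult /r` output may list domain groups with a domain prefix, which this parser keeps verbatim.

```python
"""Added example: check dashboard AD group names against gpresult /r output."""

# Constructed excerpt of `gpresult /r` output (not captured from a real host).
SAMPLE_GPRESULT = """\
COMPUTER SETTINGS
------------------
    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\\Administrators
        Everyone
        Domain Computers
        ActiveD 1

USER SETTINGS
--------------
    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        activeD 2
"""


def parse_gpresult_groups(text):
    """Return {'computer': [...], 'user': [...]} security group names.
    Only groups printed by gpresult /r are seen, so nested (child) groups
    never appear here, matching the caveat in the article."""
    groups, current = {"computer": [], "user": []}, None
    for line in text.splitlines():
        s = line.strip()
        if s.endswith("is a part of the following security groups"):
            current = "computer" if s.startswith("The computer") else "user"
        elif current and s and not set(s) <= {"-"}:   # skip dashed underline
            groups[current].append(s)
        elif not s:
            current = None                               # blank line ends a list
    return groups


def bind_status(dashboard_name, local_groups):
    """Exact match binds; a name that differs only in case will NOT bind."""
    if dashboard_name in local_groups:
        return "binds"
    if dashboard_name.casefold() in {g.casefold() for g in local_groups}:
        return "case mismatch (will not bind)"
    return "not a member"


def check_policy(ad_computer_group, ad_user_group, text=SAMPLE_GPRESULT):
    """Status of both GP fields against the groups the agent would see."""
    g = parse_gpresult_groups(text)
    return {"AD Computer Group": bind_status(ad_computer_group, g["computer"]),
            "AD User Group": bind_status(ad_user_group, g["user"])}
```

Running `check_policy("ActiveD 1", "ActiveD 2")` on the sample flags the user group as a case mismatch, which is the kind of silent non-binding the case-sensitivity note above warns about.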
Automatically assigning a Group Policy based on Hostname Groups
This feature will allow one or multiple endpoints to automatically apply a Group Policy based on the Hostname Groups. In order to automatically apply a Group Policy based on Hostname Groups, you need to select the desired hostname(s) and add them to an existing Hostname Group.
Once added to the Hostname Group, you need to add the Hostname Group in the AD Computer Group field in the Group Policy settings (under the General -> General Management tab).
In the test case, the 2 endpoints (Support1 and Support2) that are members of the Test hostname group will automatically apply the DarkLayer Guard GP. It will take 24 hours to apply a Group Policy (that is linked to a Hostname Group) to an endpoint or multiple endpoints that are added to the Hostname Group.
Automatically assigning a Group Policy based on ComputerTags/UserTags
This feature will allow endpoints that are not domain-joined and are not managed by an Active Directory Domain Controller to apply a Group Policy based on tags stored in the registry of each machine.
- These registry entries are read and concatenated to AD Computer Groups and AD User Groups;
- These fields will be used to assign the correct GP for the client info.
The path where the tags can be found and set is: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\HeimdalSecurity
To bind a computer to a HEIMDAL Dashboard Group Policy (with AD Computer Group set) just open the Windows Registry Editor, navigate to the path from above and edit the ComputerTags data to specify the AD Computer Group set in the HEIMDAL Dashboard. The same can be done for AD User Group and UserTags.
Automatically assigning a Group Policy based on Group Policy priorities
This feature allows the HEIMDAL Dashboard Administrator to automatically assign a Group Policy based on the specified priorities in the Group Policy list. This means that the Group Policy with the highest priority (highest priority number) will automatically apply to the machines that are set on Automatic (Example: Priority 3 is higher than Priority 2). Group Policy priorities can be set by dragging and dropping a Group Policy onto the desired priority.
Case studies
1. A computer that is a member of an AD Global Security Group linked to several Heimdal Dashboard GPs
If endpoint Computer1 is a member of the Computers AD Global Security Group that is linked to the 3 Heimdal Dashboard Group Policies below (Test 1, Test 2, Test 3), then the Group Policy that will apply to Computer1 will be the one with the highest priority among all the Group Policies: Test 1 (Priority 5).
2. A computer that is a member of multiple AD Global Security Groups linked to several Heimdal Dashboard GPs
If endpoint Computer2 is a member of the AD Global Security Groups AD Computer Group 1, AD Computer Group 2 and AD Computer Group 3, then the Group Policy that will apply to Computer2 will be the one with the highest priority among all the Group Policies: Test 1 (Priority 5).
3. A computer that is not domain-joined
If endpoint Computer3 is not domain-joined, then the Group Policy that will apply to Computer3 will be the one with the highest priority among all the Group Policies: Test 1 (Priority 5).
4. A Group Policy that is linked to an AD Computer Group and an AD User Group
When a Group Policy is linked to both an AD Computer Group and an AD User Group, a computer that meets both conditions will prioritize the AD Computer Group and then the AD User Group. So, the AD Computer Group's precedence over the AD User Group is still applicable.
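The precedence rules from this article, as an added model (not Heimdal's code) that resolves which GP an endpoint on Automatic would receive. The data classes and field names are assumptions; Hostname Group names are matched through the AD Computer Group field and registry tags through the AD Computer/User Group fields, as described above, and all name comparisons are case-sensitive.

```python
"""Added model of the documented GP assignment precedence (not Heimdal code)."""
from dataclasses import dataclass, field


@dataclass
class GroupPolicy:
    name: str
    priority: int                  # higher number = higher priority
    external_ips: set = field(default_factory=set)
    azure_ad_groups: set = field(default_factory=set)
    ad_computer_group: str = ""    # also where a Hostname Group name is entered
    ad_user_group: str = ""


@dataclass
class Endpoint:
    hostname: str
    specific_gp: str = ""                                   # manual assignment
    external_ip: str = ""
    azure_ad_groups: set = field(default_factory=set)
    ad_computer_groups: set = field(default_factory=set)    # from gpresult /r
    ad_user_groups: set = field(default_factory=set)        # from gpresult /r
    hostname_groups: set = field(default_factory=set)       # dashboard groups
    computer_tags: set = field(default_factory=set)         # registry ComputerTags
    user_tags: set = field(default_factory=set)             # registry UserTags


def _highest(cands):
    """Among policies matched by the same method, the higher priority number wins."""
    return max(cands, key=lambda p: p.priority) if cands else None


def resolve_gp(ep, policies):
    """Return (policy name, method) following the article's precedence order."""
    if ep.specific_gp:
        return ep.specific_gp, "Specific GP"
    tiers = [
        ("External IP",       lambda p: ep.external_ip in p.external_ips),
        ("Azure AD Group",    lambda p: bool(ep.azure_ad_groups & p.azure_ad_groups)),
        ("AD Computer Group", lambda p: p.ad_computer_group in ep.ad_computer_groups),
        ("AD User Group",     lambda p: p.ad_user_group in ep.ad_user_groups),
        ("Hostname Group",    lambda p: p.ad_computer_group in ep.hostname_groups),
        ("Tags",              lambda p: p.ad_computer_group in ep.computer_tags
                                        or p.ad_user_group in ep.user_tags),
    ]
    for method, matches in tiers:
        winner = _highest([p for p in policies if matches(p)])
        if winner:
            return winner.name, method
    fallback = _highest(policies)             # Automatic: GP priority alone
    return (fallback.name if fallback else ""), "GP priority"
```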