In this article, you will learn everything you need to know about the settings you can perform on the HEIMDAL client-side products from the HEIMDAL Dashboard -> Endpoint Settings. To go to the Endpoint Settings, you have to log in to the HEIMDAL Dashboard, click the Endpoint Settings button (top-right corner), and select a Group Policy.
1. Endpoint Settings
2. General
3. DNS Security
4. Patch & Assets
5. Endpoint Detection
6. Privileged Access Management
ENDPOINT SETTINGS
In the Endpoint Settings, you have a section dedicated to macOS endpoints where you can create and manage the Group Policies that are applied to the endpoints inside your organization. In the Linux GP tab you can see all the Group Policies, change their priorities according to your needs (by drag & drop), enable or disable them, and duplicate them.
Reseller Master GP Distribution
Reseller Master GP Distribution is a feature that allows resellers to deploy a Reseller Group Policy to all the customers that have selected to opt-in to the Reseller Master GP. The Reseller Master GP Distribution feature can be activated only from the Reseller account and enables the Opt-in Reseller Master GP functionality on the reseller's customers. A reseller can create one or multiple Reseller GPs.
Opt-in Reseller Master GP allows the customer (or the reseller) to apply the Group Policy settings configured by the Reseller in the Reseller Master GP. This GP cannot be edited or disabled by an Enterprise customer, but its priority can be changed in the Group Policy list.
The Download button allows you to download an Excel file with all the Group Policies and the settings in each Group Policy.
GENERAL
In the General tab, you can configure Group Policy settings that refer to GP assigning, check intervals, thresholds, and other additional settings.
Policy Name - set the name of the Group Policy;
Language - allows you to select the language of the HEIMDAL Agent to be enforced on the endpoints;
Priority - shows you the priority of the Group Policy in the Group Policy list. It can be set by using Drag and Drop in the GP list;
AD Computer Group - this option is used to bind an AD Global Security Group to the current GP. This way, the endpoint that is a member of the specified AD Global Security Group will apply this GP;
AD User Group - this option is used to bind an AD Global Security Group to the current GP. This way, the endpoint that is a member of the specified AD Global Security Group will apply this GP;
External IPs - this option allows you to assign the Group Policy based on one or more External IPs. Multiple IPs are separated by a comma;
Policy check interval - sets the Group Policy check interval that is automatically performed by the HEIMDAL Agent to communicate with the HEIMDAL Dashboard and servers. The default time for the Policy check interval is 180 min;
Licensing check interval - sets the HEIMDAL license check interval that is automatically performed by the HEIMDAL Agent;
Proxy Settings
This feature is designed to allow the HEIMDAL Agent to communicate with the HEIMDAL Dashboard if the endpoint(s) is/are placed behind a Proxy Server. It allows you to specify the proxy settings by adding the needed information in the displayed fields.
Proxy Settings - the user needs to manually add the Proxy information for the Host, Port, Domain, Username, and Password;
Additional Settings
Include in Release Candidate Program - enforces the update of the HEIMDAL Agent to the latest HEIMDAL Release Candidate (Beta) version available on the HEIMDAL Servers;
DNS Security
DNS Security is structured into 2 modules: DarkLayer Guard and VectorN Detection. This Group Policy section is designed to manage the HEIMDAL DNS Security engine embedded in the HEIMDAL Agent.
DARKLAYER GUARD
By enabling the DarkLayer Guard engine, the HEIMDAL Agent will enable the network filter that will protect the computer from getting infected.
DarkLayer Guard - turn ON/OFF the DarkLayer Guard DNS Filtering;
General Settings
Force DHCP DNS usage - this feature sets the DNS on the Network Interface Card(s) to Automatic (DHCP) behind the DarkLayer Guard engine. If the DarkLayer Guard engine fails to add 127.7.7.x or fe80::yyyy:yyyy:xxxx:xxxx on the NIC(s) it will revert to Automatic DNS (set automatically by the DHCP). This option is recommended to be enabled if:
- You are using VPN connections in your organization;
- Nobody from your organization uses a static DNS IP Address.
Use default loopback address - this feature makes the DarkLayer Guard set the DNS on the Network Interface Card(s) to 127.0.0.1 instead of 127.7.7.x (for IPv4) and ::1 instead of fe80::yyyy:yyyy:xxxx:xxxx (for IPv6). This forces the DarkLayer Guard engine to intercept traffic from a single adapter. This setting helps ensure compatibility between HEIMDAL DNS Security and certain VPN products, as well as other software you may use, such as virtualization products;
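The two settings above decide which addresses the engine places on the NIC (127.7.7.x or fe80::... normally, 127.0.0.1 or ::1 with the default loopback option) and when the NIC falls back to DHCP-assigned DNS. The following is an added example, not code from the HEIMDAL documentation or product: it parses the text that macOS `networksetup -getdnsservers <service>` prints and reports, per interface, whether every resolver points at the local filter, whether some resolver bypasses it, or whether DNS has reverted to DHCP. The 127.7.7.0/24 range is derived from the page's "127.7.7.x" notation and treating all of fe80::/10 as the filter's IPv6 address are assumptions made here; the command output below is constructed sample text, not captured from a machine.

```python
"""Classify the DNS servers configured on an interface relative to DarkLayer Guard.

Added example, not part of the HEIMDAL documentation or product code. The
address forms come from the page (127.7.7.x, 127.0.0.1, fe80::..., ::1);
the exact ranges used to recognize them are assumptions.
"""
import ipaddress

DLG_IPV4_NET = ipaddress.ip_network("127.7.7.0/24")   # assumption for "127.7.7.x"
DEFAULT_IPV4_LOOPBACK = ipaddress.ip_address("127.0.0.1")
DEFAULT_IPV6_LOOPBACK = ipaddress.ip_address("::1")
LINK_LOCAL_V6 = ipaddress.ip_network("fe80::/10")     # assumption for "fe80::yyyy:yyyy:xxxx:xxxx"


def classify_resolver(addr: str) -> str:
    """Label one resolver address: 'dlg', 'default-loopback', or 'upstream'."""
    ip = ipaddress.ip_address(addr.strip())
    if ip.version == 4:
        if ip in DLG_IPV4_NET:
            return "dlg"
        if ip == DEFAULT_IPV4_LOOPBACK:
            return "default-loopback"
    else:
        if ip in LINK_LOCAL_V6:
            return "dlg"
        if ip == DEFAULT_IPV6_LOOPBACK:
            return "default-loopback"
    return "upstream"


def parse_networksetup_dns(output: str) -> list:
    """Extract resolver addresses from `networksetup -getdnsservers <service>` text.

    The command prints one address per line when static DNS is set; any
    sentence it prints instead (no servers configured) is not an address
    and is skipped, which yields an empty list.
    """
    resolvers = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ipaddress.ip_address(line)
        except ValueError:
            continue   # not an IP address: informational text, ignore
        resolvers.append(line)
    return resolvers


def filter_status(resolvers: list) -> str:
    """Summarize an interface: 'filtered', 'bypass', or 'dhcp'.

    'filtered': every resolver is a DarkLayer Guard or default-loopback address;
    'bypass': at least one resolver is an upstream server not behind the filter;
    'dhcp': no static resolver is set, so the DHCP-assigned DNS is in use.
    """
    if not resolvers:
        return "dhcp"
    labels = {classify_resolver(r) for r in resolvers}
    return "bypass" if "upstream" in labels else "filtered"


if __name__ == "__main__":
    # Constructed sample outputs for four interfaces (not real captures).
    samples = {
        "Wi-Fi": "127.7.7.1\nfe80::aaaa:bbbb:cccc:dddd\n",
        "Ethernet": "127.0.0.1\n::1\n",
        "VPN": "There aren't any DNS Servers set on VPN.\n",
        "Thunderbolt Bridge": "127.7.7.1\n8.8.8.8\n",
    }
    for service, text in samples.items():
        print(f"{service}: {filter_status(parse_networksetup_dns(text))}")
```

Run against each network service in turn to confirm that, after enabling either option, no interface reports "bypass"; a "dhcp" result on an interface is the reverted state that Force DHCP DNS usage produces when the engine cannot set its own addresses.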
Check Interval - allows you to set the time interval of the DarkLayer Guard engine to check for new updates of the filtering database;
Domains allowlist - this feature allows the HEIMDAL Dashboard Administrator to allowlist a domain that is blocked by the HEIMDAL DNS Security. You can allowlist domains, subdomains, top-level domains (.com, .co.uk, etc.) or even multiple domains at once by uploading a CSV file (the domains need to be separated by a "," comma);
Domains blocklist - this feature allows the HEIMDAL Dashboard Administrator to blocklist a domain that HEIMDAL DNS Security - Endpoint does not consider a threat, or to block access to a specific domain. You can blocklist domains, subdomains, top-level domains (.com, .co.uk, etc.) or even multiple domains at once by uploading a CSV file (the domains need to be separated by a "," comma);
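Both lists accept the same upload format: a CSV file whose entries (domains, subdomains or top-level domains) are separated by commas. The script below is an added example, not code from the HEIMDAL documentation or product. It takes the entries an administrator has collected (often pasted as URLs, with mixed case, trailing dots or duplicates), normalizes each one, rejects anything that is not a valid domain or TLD entry, and emits the single comma-separated line the page describes. The hostname label rules it enforces are a general DNS assumption, not a documented product rule, and the sample entries are constructed.

```python
"""Build and validate a comma-separated domain list for an allowlist/blocklist upload.

Added example, not part of the HEIMDAL documentation or product code. It
assumes only what the page states: entries may be domains, subdomains or
top-level domains (such as .com or .co.uk), separated by commas. The label
validation (RFC 1035 hostname labels) is a general assumption.
"""
import re
from typing import Optional

# One DNS label: 1-63 chars of letters, digits or hyphen, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize_entry(raw: str) -> Optional[str]:
    """Return a canonical entry, or None if it is not a valid domain/TLD entry.

    Canonical form: lower-case, no scheme, path, query or port, no trailing dot.
    A leading dot marks a TLD entry (e.g. ".co.uk") and is preserved.
    """
    entry = raw.strip().lower()
    if not entry:
        return None
    # Reduce a pasted URL to its host part.
    entry = re.sub(r"^[a-z][a-z0-9+.-]*://", "", entry)
    entry = entry.split("/", 1)[0].split("?", 1)[0]
    entry = entry.split(":", 1)[0]           # drop a pasted port
    is_tld = entry.startswith(".")
    body = entry.lstrip(".").rstrip(".")
    if not body or len(body) > 253:
        return None
    labels = body.split(".")
    if not all(_LABEL.match(label) for label in labels):
        return None
    # A bare domain needs at least two labels; a TLD entry may have one or more.
    if not is_tld and len(labels) < 2:
        return None
    return ("." if is_tld else "") + body


def build_domain_csv(raw_entries):
    """Normalize, validate and de-duplicate entries; return (csv_text, rejected).

    csv_text is the comma-separated content the page describes for upload;
    rejected lists the original strings that could not be turned into an entry.
    """
    seen = set()
    accepted = []
    rejected = []
    for raw in raw_entries:
        canonical = normalize_entry(raw)
        if canonical is None:
            rejected.append(raw)
        elif canonical not in seen:
            seen.add(canonical)
            accepted.append(canonical)
    return ",".join(accepted), rejected


if __name__ == "__main__":
    # Constructed sample input: a domain, a pasted URL, a TLD entry,
    # a duplicate with a trailing dot, and two entries a DNS filter cannot use.
    sample = [
        "Example.com",
        "https://cdn.example.com/path?x=1",
        ".co.uk",
        "example.com.",        # same as Example.com after normalization
        "bad_domain.test",     # underscore is not a valid hostname label
        "localhost",           # single label, not a domain
    ]
    csv_line, bad = build_domain_csv(sample)
    print(csv_line)
    print("rejected:", bad)
```

Write csv_line to a file and upload it; review the rejected list by hand rather than silently dropping it, since a malformed entry in a blocklist means the domain it was meant to cover stays reachable.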
Custom block pages - this feature allows you to add a custom HTML block page that will replace the default Heimdal block page when HEIMDAL DNS Security - Endpoint intercepts and blocks access to a malicious domain (or blocklisted domain);
VECTORN DETECTION
The VectorN Detection engine is a feature that searches for patterns within the blocks of HEIMDAL's DarkLayer Guard records, detecting malware in ways that no other endpoint protection can. It will identify patterns of malicious domain requests and filter these accordingly. The computers identified by VectorN as potentially infected are to be ultimately treated as threats by the system administrator, investigated and scanned for threats either manually or automatically.
VectorN Detection - turn ON/OFF the VectorN Detection engine (this requires the DarkLayer Guard module to be enabled as well);
PATCH & ASSETS
Patch & Assets is structured into 2 modules: 3rd Party Patch Management and OS Updates. This Group Policy section is designed to manage the HEIMDAL Patch & Assets components embedded in the HEIMDAL Agent.
3RD PARTY PATCH MANAGEMENT
The Patch & Asset Management - 3rd Party Patch Management module allows the user(s) to install or update a specific 3rd Party Application from the list of applications managed by HEIMDAL Security.
3rd Party Patch Management - turn ON/OFF the 3rd Party Patch Management module;
General Settings
Keep all applications up-to-date - all current and future 3rd Party Applications that are included in our 3rd Party Patch Management list will be added to automatic update;
Assets View - allows you to track down and manage all the 3rd Party Applications installed on the devices in your organization, even the ones that are not deployed or monitored by Heimdal;
Manage Applications
Install - enable the selected 3rd Party Application(s) to be installed on the endpoint(s) if it is not already installed. If the 3rd Party Application is already installed, it will not do anything;
Update - enable the automatic update of the selected 3rd Party Application(s);
Allow Install - make the selected 3rd Party Application(s) available for manual installation by displaying it in the HEIMDAL Agent - 3rd Party Patch Management list;
Version - allows you to target the selected 3rd Party Application(s) to the Latest Version or to an older version (available in the Patching System). Targeting a version that is older than the Latest Version will downgrade the higher version to the targeted version. This means that Heimdal™ Patch & Assets will not update it anymore (this works ONLY for the 3rd Party Applications that can be uninstalled through the HEIMDAL Agent, where Uninstall is supported);
Check interval - allows you to set the time interval when the HEIMDAL Agent checks for newly available patches;
Delay patching on startup - allows you to set the delay time interval applied on computer startup until the HEIMDAL Agent starts the patching operation;
Patching Schedule - allows you to set a scheduler for the 3rd Party Application patching module:
- You can select one or more days in a week when Heimdal™ Patch & Assets can install the 3rd Party Application(s)/Patches;
- You can select one or more days in a month when Heimdal™ Patch & Assets can install the 3rd Party Application(s)/Patches;
- You can also select a specific interval of any day to exclude the 3rd Party Application patching.
Applications Blocklist
This feature allows you to uninstall specific 3rd Party Application(s) to restrict the usage of unwanted applications or to get applications removed from all endpoints that are applying the current Group Policy. This feature removes most of the applications that Patch & Asset Management is monitoring and also uninstalls other 3rd Party Applications that are present on the endpoints but not managed by the Patch & Asset Management module.
To uninstall a 3rd Party Application you need to specify the name of the application. You can also specify at least the first word of the name (in case the 3rd Party Application has a name composed of more than 1 word) to target multiple 3rd Party Applications whose names start with the same word; tick the Starts with tickbox to be able to add the entry.
- Example: targeting the Poly Lens application that is installed on the endpoint(s);
- If you want to uninstall a 3rd Party Application that is in the 3rd Party Patch Management list, you need to make sure that the tickboxes for Install and Update are unticked in order to be able to add the 3rd Party Application to the Application Blocklist.
OS UPDATES
Operating System Updates - turn ON/OFF the Operating System Updates product. The System Updates and Security Updates can be deployed by the module. Other updates can be deployed using the Infinity Management module.
General Settings
Download new updates when available - allows you to automatically download (in the background) available updates without installing them;
Install macOS updates - allows you to install available updates automatically (according to Apple's scheduler);
Assets view - allows you to track down and manage all the OS Updates installed on the devices in your organization;
Install Security Responses and system files - allows you to install available security updates and other system files automatically;
Install application updates from the App Store - allows you to update applications installed from the App Store automatically;
Check interval - allows you to set the time interval when the HEIMDAL Agent checks for new Available OS Updates;
ENDPOINT DETECTION
Endpoint Detection currently includes the Next-Gen Antivirus. This Group Policy section is designed to manage the HEIMDAL Endpoint Detection components embedded in the HEIMDAL Agent.
NEXT-GEN ANTIVIRUS
The Endpoint Detection - Next-Gen Antivirus will allow you or the users to perform scan operations on the endpoints in your environment to keep viruses and other threats away.
Next-Gen Antivirus - turns ON/OFF the Next-Gen Antivirus module;
General Settings
Protection Cloud - sends a suspicious file's digital fingerprint to our real-time protection cloud for further analysis and returns a fast response on whether the file is infected or safe;
Allow Manual Scan - enables/disables the ability of the end-user to start any scan directly from the HEIMDAL Agent;
Allow Cancel Scan - enables/disables the ability of the end-user to cancel any running or scheduled scan operation directly from the HEIMDAL Agent;
Default Scan Action on Infected - allows you to select the action that you want the Next-Gen Antivirus to take upon detecting an infected file: Deny, Quarantine, Allow or Delete. Be advised that the Deny option is available only if Real-Time Protection is turned ON in the Group Policy;
Default Scan Action on Suspicious - allows you to select the action that you want the Next-Gen Antivirus to take upon detecting a suspicious file: Deny, Quarantine, or Allow. Be advised that the Deny option is available only if Real-Time Protection is turned ON in the Group Policy.
Update virus definitions interval [min] - allows you to set the update time interval for the virus definition files. The default value is 120 minutes and it can be extended to 360 minutes. This feature is designed to check whether there are any new virus definition files (VDFs) available on the HEIMDAL servers. When a new VDF file is available, it will get automatically downloaded to the local agent database. It is recommended to have the limit set to 120 min in order to update the database as soon as possible.
Schedule Scan
This section allows you to schedule a scan according to your preferences. You can start creating a schedule by pressing the Add New Scan button.
Scan Profile Name - specify the name for the profile you want to create;
Scan Type - select the type of scan you wish HEIMDAL Next-Gen Antivirus to run in the created profile;
- Full Scan - scans all the files on the endpoint;
- Quick Scan - scans critical OS locations and the most usual target folders which are known for virus activity (macOS: /System/Library/Extensions/, /System/Library/LaunchAgents, /System/Library/LaunchDaemons, /System/Library/StartupItems, /Library/Extensions, /Library/Internet Plug-Ins, /Library/LaunchAgents, /Library/LaunchDaemons, /Library/StartupItems, /Library/PrivilegedHelperTools, /Library/Preferences/loginwindow.plist, /Library/Preference/loginitems.plist, /Library/Preference/loginwindows.plist, /Users/*/Library/Internet Plug-Ins, /Users/*/Library/LaunchAgents);
- Hard Drive Scan - scans all files on the hard drive while ignoring the files on all external media types;
- Local Drive Scan - scans all local disks including the hard drives, optical drives, and external storage;
- System Scan - scans the system directory;
- Removable Drive Scan - scans files stored on flash, optical, or external drives;
- Network Drive Scan - scans files on Mapped Network Drives. It detects the infection(s), but NO action will be performed, because the Next-Gen Antivirus cannot remove something from a network location to place it in the local Quarantine folder. This scan type works with Mapped Network Drives but does NOT work with Network locations;
- Active Processes Scan - scans the processes that are currently running on the endpoint;
- Custom Scan - available only on the end user's computer in the HEIMDAL Agent, allows the scan of any file by using the right-click context menu and then selecting Scan with HEIMDAL Next-Gen Antivirus & MDM which will open a new window with the result;
You can set up a scheduler to run the selected Scan Type in the specified timeframe. The scheduler enables you to choose a day or multiple days during the week or during the month and the time interval when to run the selected Scan Type.
IMPORTANT
The scan profile does not apply automatically in the policy after clicking the Set Scan button. The configured scheduler needs to be confirmed by updating the policy. If the Update GP button is not clicked, the defined scan profile will be lost if the current page is left before updating the policy. Multiple scan profiles can be created inside a Group Policy. However, the scan type is exclusive. This means that it is not possible to create multiple profiles with the same scan type. For example, there cannot be 2 scan profiles to perform full scans in the same Group Policy.
Next-Gen Antivirus Exclusion List
This feature allows you to add exclusions that Next-Gen Antivirus & MDM will skip when scanning. The Exclusion List comes with different Priorities and enables you to exclude file names, file paths, directories, or patterns (wildcards).
Types
Filename - allows you to specify the filename that you want to exclude (e.g. test.exe, file.doc, file.txt, example.msi);
File Path - allows you to specify the file path where the file is located on the hard drive (e.g. C:\Users\Username\Desktop\test.exe, C:\test.exe);
Directory - allows you to specify a directory path to be excluded (sub-directories are automatically excluded) from scanning (e.g. C:\Users\Username\Desktop, C:\Downloads);
Pattern - allows you to specify a pattern that should be excluded from scanning. This option does not work with System Variables (e.g. C:\test\*.*, *.bat).
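Because an exclusion is a gap in scanning coverage, it is worth knowing exactly which files each entry type covers before adding it. The following is an added example, not code from the HEIMDAL documentation or product: it models the four types as the page describes them (Filename matches the name wherever the file sits, File Path matches one exact path, Directory covers the directory and all sub-directories, Pattern is a wildcard match) and reports which entry would cover a given file. The page's own example values are used as the exclusion list; the evaluation order, the case-insensitive comparison and the rule that a Pattern without a directory part applies to the file name only are assumptions made here, and the candidate paths are constructed.

```python
"""Resolve which Next-Gen Antivirus exclusion type, if any, covers a scanned file.

Added example, not part of the HEIMDAL documentation or product code. The
four exclusion types and their sample values are the page's; the matching
order and case-insensitive comparison are assumptions.
"""
import fnmatch
from pathlib import PureWindowsPath
from typing import Optional


def path_is_within(path: PureWindowsPath, directory: PureWindowsPath) -> bool:
    """True if path is the directory itself or lies anywhere beneath it."""
    try:
        path.relative_to(directory)
        return True
    except ValueError:
        return False


def match_exclusion(scanned_path: str, exclusions) -> Optional[tuple]:
    """Return the first (type, value) exclusion that covers scanned_path, else None.

    exclusions is an iterable of (type, value) pairs where type is one of
    "Filename", "File Path", "Directory" or "Pattern" (the page's four types).
    """
    path = PureWindowsPath(scanned_path)
    for kind, value in exclusions:
        if kind == "Filename":
            # Name only: the same file name anywhere on disk is excluded.
            if path.name.lower() == value.lower():
                return (kind, value)
        elif kind == "File Path":
            # PureWindowsPath equality is case-insensitive and normalizes separators.
            if path == PureWindowsPath(value):
                return (kind, value)
        elif kind == "Directory":
            # Sub-directories are excluded automatically, as the page states.
            if path_is_within(path, PureWindowsPath(value)):
                return (kind, value)
        elif kind == "Pattern":
            # Assumption: a pattern with a directory part is matched against the
            # full path, a bare pattern such as *.bat against the file name only.
            target = str(path) if "\\" in value else path.name
            if fnmatch.fnmatch(target.lower(), value.lower()):
                return (kind, value)
        else:
            raise ValueError(f"unknown exclusion type: {kind!r}")
    return None


# Exclusion list built from the page's own example values.
SAMPLE_EXCLUSIONS = [
    ("Filename", "test.exe"),
    ("File Path", r"C:\Users\Username\Desktop\test.exe"),
    ("Directory", r"C:\Downloads"),
    ("Pattern", r"C:\test\*.*"),
    ("Pattern", "*.bat"),
]

if __name__ == "__main__":
    # Constructed candidate paths, one per exclusion type plus one no entry covers.
    for candidate in [
        r"D:\tools\TEST.EXE",
        r"C:\Downloads\nested\setup.msi",
        r"C:\test\payload.dll",
        r"C:\Users\Username\run.BAT",
        r"C:\Users\Username\Documents\report.docx",
    ]:
        print(candidate, "->", match_exclusion(candidate, SAMPLE_EXCLUSIONS))
```

The first and last candidates show the trade-off the types carry: a Filename entry excludes every file of that name on every drive, while a File Path entry excludes only the one location, so a Filename or broad Pattern entry should be reserved for cases where the narrower types cannot express the exclusion.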
Global Quarantine List
The Global Quarantine List allows you to add a file to quarantine if it is detected by the Antivirus engine (the file will be marked as Suspicious or Infected).
- A file that is added to the Global Quarantine List based on File Name can be quarantined ONLY if the Antivirus engine detects the file as Suspicious/Infected;
- A file that is added to the Global Quarantine List based on File Path can be quarantined no matter if the Antivirus engine detects it as Suspicious/Infected or not;
- Files added by File Path will be marked as Suspicious;
- .txt files added by File Path will not work with Real-Time Scanning.
PRIVILEGES & APP CONTROL
Privileges & App Control allows you to control user permissions in your organization and enables you to manage elevations and special permissions for applications that are used on each endpoint.
PRIVILEGED ACCESS MANAGEMENT
The Privileged Access Management module will allow you to give users the ability to install software they need for a period of time you select using the Administrator Session or the Run with Privileged Access Management option for single file elevation. Rights granted can be revoked at any time and actions are logged for a full audit trail. This is the feature that allows an end-user to request admin privileges over his machine by sending a request to the Heimdal Dashboard System Administrator who can deny or accept his request.
Privileged Access Management - turn ON/OFF the Privileged Access Management module;
Run as Administrator
Allow run as administrator - turn ON/OFF the single-file elevation request (Run with AdminPrivilege) feature;
Require reason - when requesting an elevation, the Heimdal Agent will display a pop-up to request a reason for the elevation;
Auto-mode - all single-file elevation requests (Run with AdminPrivilege) will be automatically approved and queried in the Heimdal Dashboard (under Products -> Privileges & App Control -> Privileged Access Management -> History filter);
Approval via Dashboard - all single-file elevation requests and responses will require the approval of the HEIMDAL Dashboard Administrator. The pending elevations will be displayed in the Heimdal Dashboard (under Products -> Privileges & App Control -> Privileged Access Management -> Pending Approvals filter). Once approved, the requesting user will be able to start the session after receiving a Start elevation pop-up (this is automatically displayed in 1-5 minutes);
Administrator Session
Allow administrator session - turn ON/OFF the full administrator elevation request feature. Note that some changes cannot be committed during an Administrator Elevation although the user has Administrator rights;
Require reason - when requesting an elevation, the Heimdal Agent will display a pop-up to request a reason for the elevation;
Auto-mode - all Administrator Session elevation requests (Run with AdminPrivilege) will be automatically approved and queried in the Heimdal Dashboard (under Products -> Privileges & App Control -> Privileged Access Management -> History filter);
Approval via Dashboard - all Administrator Session elevation requests and responses will require the approval of the HEIMDAL Dashboard Administrator. The pending elevations will be displayed in the Heimdal Dashboard (under Products -> Privileges & App Control -> Privileged Access Management -> Pending Approvals filter). Once approved, the requesting user will be able to start the session after receiving a Start elevation pop-up (this is automatically displayed in 1-5 minutes);
SESSION LENGTH (2-120 minutes) - allows you to set the interval for a single-file elevation or a full administrator session;
Copy changes to other policies
Pressing the Update GP button displays a pop-up message that allows you to save the changes to the current Group Policy, specific Group Policies, or all Group Policies.
Current Group Policy - saves the changes to the current Group Policy;
Specific Group Policies - allows you to select the Group Policies to which the new settings should be applied;
All Group Policies - allows you to apply the new settings to all of the Group Policies.
Corner cases
- Schedulers - changing an existing scheduler in the Group Policy and copying the changes to another Group Policy or multiple Group Policies will not work if the module is disabled (if the change doesn't also enable the module). Example: GP1 has the 3rd Party Software enabled and you change the time interval in the Patching Scheduler. In this case, copying the new Patching Scheduler settings to GP2 will not be possible if 3rd Party Software is disabled in GP2;
- Schedulers - changing an existing scheduler and copying the changes to another Group Policy or multiple Group Policies that don't use a scheduler will not work/apply;
- Regular lists - copying the Domains Allowlist / Domains Blocklist to a Group Policy that does not have Domains Allowlist / Domains Blocklist enabled will not enable the options, but the lists are copied and they become available once the Domains Allowlist / Domains Blocklist are enabled;
- Custom Block Page - changing the custom block page file/filename will not get copied to the Group Policy or Group Policies you are copying to if the Custom Block Page option is not enabled there;
- Pre-determined Category lists - copying a Category List to a Group Policy where the feature is disabled will not enable the feature, but it will carry the copied Category List and the user can see it by enabling the feature.