Enable Enforcement

The first step in moving to enforcement is to switch the Global Device Control policy from Audit mode to Enforcement mode.

After you enable Enforcement mode, all Device Control policies are calculated, combined, and deployed to your endpoints. The endpoints continue logging events as they did in Audit mode, but they begin enforcing the policies they receive.

Each device class has its own default policy. If you leave these policies intact, enabling enforcement is minimally disruptive. These default policies:

  • Allow read and write permission for their device class
  • Are assigned to the highest-level user, Everyone

Read and write permissions take priority over read-only permissions and no permissions. Therefore, users assigned default policies have read and write access when default policies are in place. The only exceptions are policies configured to explicitly block all access. These policies override the default policies.
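
The combination rule described above, as a simplified model. This is an added example, not product code: the policy names, the group "Contractors" and the device class name are constructed, and treating "no applicable policy" as no access is an assumption of the model.

```python
from dataclasses import dataclass
from enum import IntEnum

class Access(IntEnum):
    NONE = 0
    READ = 1
    READ_WRITE = 2

@dataclass(frozen=True)
class Policy:
    name: str
    device_class: str
    assignee: str                 # user or group; "Everyone" matches all users
    access: Access
    explicit_block: bool = False  # models "explicitly block all access"

def effective_access(policies, user, groups, device_class):
    """Combine every policy that applies to this user and device class."""
    principals = {user, "Everyone", *groups}
    applicable = [p for p in policies
                  if p.device_class == device_class and p.assignee in principals]
    # An explicit block overrides everything else, including the default policy.
    if any(p.explicit_block for p in applicable):
        return Access.NONE
    # Otherwise the most permissive permission wins (read/write > read > none).
    # Assumption of this model: no applicable policy means no access.
    return max((p.access for p in applicable), default=Access.NONE)

# Constructed sample policies for one device class.
CLASS = "Removable Storage"
DEFAULT = Policy("Default", CLASS, "Everyone", Access.READ_WRITE)
READ_ONLY = Policy("Contractors read-only", CLASS, "Contractors", Access.READ)
BLOCK = Policy("Contractors blocked", CLASS, "Contractors", Access.NONE,
               explicit_block=True)

def demo():
    who = ("alice", ["Contractors"], CLASS)
    return {
        "default_only": effective_access([DEFAULT], *who),
        "default_plus_read_only": effective_access([DEFAULT, READ_ONLY], *who),
        "default_plus_block": effective_access([DEFAULT, BLOCK], *who),
        "read_only_without_default": effective_access([READ_ONLY], *who),
    }

if __name__ == "__main__":
    for case, access in demo().items():
        print(f"{case}: {access.name}")
```

The second case is the one to check during rollout: a read-only policy does not restrict a user while the default read and write policy for Everyone still applies to that device class.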

To Enable Enforcement:

  1. Select Manage > Device Control Policies.
  2. Select the Device Control Global Policy and click Edit.

    The Global Device Policy dialog opens.
  3. Make sure that the Global Device Policy is in Policy enforcement mode.
  4. After you select Policy enforcement mode, click Finish.
    • Device Control begins enforcing policies. At this point, only the default policies are active, so users will still have relatively full access.
    • On the endpoints:
      • Monitor the system tray for the notification Settings have changed.
      • Or watch the Status dialog available from the system tray icon. This dialog shows what permissions the endpoint is enforcing, which may change based on policies you have configured in your environment. View this dialog to confirm that your policies are being enforced.