Create or edit update policies to manage agent program and component versions in your environment.
Important
|
Configure version control policies to manage the agent and component updates for endpoints
with the Trend Vision One Endpoint Security agent installed which report to Trend Vision One
Endpoint Inventory.
Procedure
- In the Trend Vision One console, go to .
- Create or edit a policy.
-
To create a new policy, click Create Version Policy.
-
To edit a policy, find the policy you want to edit and click the name.
The policy configuration screen appears. -
- Specify a unique Policy Name.
Note
You cannot edit the policy name for the Default policy. - Select one or more endpoint groups to assign to the policy.
- In the Endpoint group field, click the edit icon
().The Select Endpoint Group window appears.
- Locate and select the endpoint group you want to add.
Important
-
Endpoint groups can only be assigned to one policy at a time. Selecting a group that is already assigned to a policy moves that endpoint group to the new policy.
-
Selecting an endpoint group automatically selects any child groups including those already assigned to a policy. You can clear the selection for any child group you do not want to include in the new policy.Child groups can be assigned to a different policy than the parent group.
-
- After selecting one or more endpoint groups, click Select.
- In the Endpoint group field, click the edit icon
().
- Configure your priority rules.
- To add a new priority rule, click Add Priority
and provide a name for the rule.New rules are automatically added to the top of the priority list as Priority 1.
- To change the order of your priority rules, click and drag the priority
rule you want to change.The priority rule number changes automatically.For example, moving Priority 1 under Priority 3 automatically changes the original Priority 1 to Priority 3, and the old Priority 2 and Priority 3 become Priority 1 and Priority 2, respectively.
- To change the name of a priority rule, click the options icon next to the name () and select Rename.
- To delete a priority rule, click the options icon next to the name
() and select
Delete.
Important
You cannot delete the Default priority rule.
- To add a new priority rule, click Add Priority
and provide a name for the rule.
- Click the priority rule you want to configure.
- Configure the General settings for the selected priority
rule.
Important
If an endpoint matches multiple priority rule criteria, the endpoint uses the highest priority rule matched.If an endpoint does not match any priority rule criteria, the endpoint uses the Default priority rule.The Default priority rule criteria is All endpoints and cannot be changed.- Select the Criteria type.
- Specify the criteria values.The criteria is used to determine which endpoints within the assigned endpoint groups the priority rule applies to. The criteria value input method changes depending on which criteria type you select.Criteria typeDescriptionInput methodEndpoint nameThe priority rule is applied to any endpoint containing at least one specified value in the endpoint nameFor example, if you specify Test, the priority rule is applied to the endpoint
Test01
.Specify a value and either type a comma (,) or press ENTER to separate values.Endpoint policyThe priority rule is applied to any endpoint assigned to the selected Server & Workload Protection or Standard Endpoint Protection policyClick the edit icon () to find and select endpoint policies.IP rangeThe priority rule is applied to any endpoint with an IP address within one of the specified rangesSpecify an IP range in either IPv4 or IPv6 format. Click the add icon () to add up to 200 IP ranges.Operating systemThe priority rule is applied to any endpoint with the specified operating systemClick the edit icon () to select the OS family or a specific OS version.Specify target(s)The priority rule is applied to specific endpoints from the Endpoint InventoryClick the edit icon () to select up to 200 endpoints from Endpoint Inventory.Click the filter icon () to help find the endpoints you want to target.
- Configure the Agent update settings for the selected
priority rule.
- Select the Update check setting for the agent
update.
-
Scheduled: The endpoint agent checks for updates.
-
Disabled: The endpoint agent does not check for updates.
-
- Select the Update policy.Specify the agent program version the endpoint agents update to when the agents run the scheduled update check.SettingDescriptionn (latest version)The agent always updates to the latest version availableThe version listed next to this option is the current latest version. Use this setting if you want the agent to always update to the latest version when a new version is released.n - 1 (previous)The agent always updates to the previous released versionThe version listed next to this option is the current previous version. Select this option if you want the agent to only update to the previous version when a new agent program version is released.n - 2The agent always updates to the next older version prior to n - 1The version listed next to this option is the current n - 2 version. Select this option if you want the agent to always update to two versions behind the latest version when a new version is released.FixedThe agent only updates to the specified versionThe agent updates to the selected version and does not continue to update past the selected version even if a newer version is released. You can select a version within the last 12 releases.
Important
This setting requires you to manually change the selected version when you wish to update the agent version. Older agent versions might require redeployment if they are too outdated.Note
In the case that a hotfix is required to patch the latest version, the hotfix replaces the latest version and the unpatched version is made unavailable. The hotfix version keeps the same version number as the unpatched version. For example, if a hotfix for version 202412 is released, the hotfix version still shows 202412. The hotfix version is used in subsequent updates for policies set to n - 1 and n - 2.Occasionally, Trend Micro makes custom hotfixes available for limited regions or customers. Custom hotfixes usually have an amended version number, such as 202412A. A custom hotfix can only be selected as a fixed version. Policies set to n, n - 1, and n - 2 ignore custom hotfixes when updating.
- Select the Update check setting for the agent
update.
- Under Component update, select the Update
policy for the agent detection components.The endpoint agent has many different detection components which update at different times and frequencies. The update policy utilizes a series of daily snapshots to allow you to control which component versions your agents update to.SettingDescriptionn (latest version)The agent always update to the latest component versions availableThis policy does not use a snapshot and instead updates to the latest component versions. Use this setting if you want your agents to always update to the latest security component releases.n - 1 (one snapshot prior)The agents always update to the snapshot from the day before the current daten - 2 (two snapshots prior)The agents always update to the snapshot from two days before the current daten - 3, n - 4, …, n - 8The agents always update to the snapshot from the corresponding number of days before the current dateFor example, n - 5 updates to the snapshot from five days before the current date.
Important
Scheduling of component updates is configured in Server & Workload Protection and Standard Endpoint Protection.-
For Standard Endpoint Protection, access the managing product server and go to .To configure update settings within the Protection Manager, see Component Updates.
-
For Server & Workload Protection, go to component update task.and create aTo configure update settings, see Apply security updates.
-
- After you have configured all of your priority rules, click
Save.
Tip
If you are creating a new policy, make sure you configure the Default priority rule.