Configuring version control policies

Procedure

1. In the Trend Vision One console, go to Endpoint Security → Endpoint Security Configuration → Version Control Policies.
2. Create or edit a policy.
   • To create a new policy, click Create Version Policy.
   • To edit a policy, find the policy you want to edit and click the name.
   The policy configuration screen appears.
3. Specify a unique Policy Name.

   Note You cannot edit the policy name for the Default policy.

4. Select one or more endpoint groups to assign to the policy.
   1. In the Endpoint group field, click the edit icon ().
      The Select Endpoint Group window appears.
   2. Locate and select the endpoint group you want to add.

      Important Endpoint groups can only be assigned to one policy at a time. Selecting a group that is already assigned to a policy moves that endpoint group to the new policy. Selecting an endpoint group automatically selects any child groups including those already assigned to a policy. You can clear the selection for any child group you do not want to include in the new policy. Child groups can be assigned to a different policy than the parent group.

   3. After selecting one or more endpoint groups, click Select.
5. Configure your priority rules.
   1. To add a new priority rule, click Add Priority and provide a name for the rule.
      New rules are automatically added to the top of the priority list as Priority 1.
   2. To change the order of your priority rules, click and drag the priority rule you want to change.
      The priority rule number changes automatically.

      For example, moving Priority 1 under Priority 3 automatically changes the original Priority 1 to Priority 3, and the old Priority 2 and Priority 3 become Priority 1 and Priority 2, respectively.
   3. To change the name of a priority rule, click the options icon next to the name () and select Rename.
   4. To delete a priority rule, click the options icon next to the name () and select Delete.

      Important You cannot delete the Default priority rule.

6. Click the priority rule you want to configure.
7. Configure the General settings for the selected priority rule.

   Important If an endpoint matches multiple priority rule criteria, the endpoint uses the highest priority rule matched. If an endpoint does not match any priority rule criteria, the endpoint uses the Default priority rule. The Default priority rule criteria is All endpoints and cannot be changed.

   1. Select the Criteria type.
   2. Specify the criteria values.
      The criteria is used to determine which endpoints within the assigned endpoint groups the priority rule applies to. The criteria value input method changes depending on which criteria type you select.

      Criteria type	Description	Input method
      Endpoint name	The priority rule is applied to any endpoint containing at least one specified value in the endpoint name For example, if you specify Test, the priority rule is applied to the endpoint Test01.	Specify a value and either type a comma (,) or press ENTER to separate values.
      Endpoint policy	The priority rule is applied to any endpoint assigned to the selected Server & Workload Protection or Standard Endpoint Protection policy	Click the edit icon () to find and select endpoint policies.
      IP range	The priority rule is applied to any endpoint with an IP address within one of the specified ranges	Specify an IP range in either IPv4 or IPv6 format. Click the add icon () to add up to 200 IP ranges.
      Operating system	The priority rule is applied to any endpoint with the specified operating system	Click the edit icon () to select the OS family or a specific OS version.
      Specify target(s)	The priority rule is applied to specific endpoints from the Endpoint Inventory	Click the edit icon () to select up to 200 endpoints from Endpoint Inventory. Click the filter icon () to help find the endpoints you want to target.

8. Configure the Agent update settings for the selected priority rule.
   1. Select the Update check setting for the agent update.
      • Scheduled: The endpoint agent checks for updates.
      • Disabled: The endpoint agent does not check for updates.
   2. Select the Update policy.
      Specify the agent program version the endpoint agents update to when the agents perform the scheduled update check.

      Setting	Description
      n (latest version)	The agent always updates to the latest version available The version listed next to this option is the current latest version. Use this setting if you want the agent to always update to the latest version when a new version is released.
      n - 1 (previous)	The agent always updates to the previous released version The version listed next to this option is the current previous version. Select this option if you want the agent to only update to the previous version when a new agent program version is released.
      n - 2	The agent always updates to the next older version prior to n - 1 The version listed next to this option is the current n - 2 version. Select this option if you want the agent to always update to two versions behind the latest version when a new version is released.
      Fixed	The agent only updates to the specified version The agent updates to the selected version and does not continue to update past the selected version even if a newer version is released. Important This setting requires you to manually change the selected version when you wish to update the agent version. Older agent versions might require redeployment if they are too outdated.

      Note In the case that a hotfix is required to patch the latest version, the hotfix replaces the latest version and the unpatched version is made unavailable. The hotfix version keeps the same version number as the unpatched version. For example, if a hotfix for version 202412 is released, the hotfix version still shows 202412. The hotfix version is used in subsequent updates for policies set to n - 1 and n - 2. Occasionally, Trend Micro makes custom hotfixes available for limited regions or customers. Custom hotfixes usually have an amended version number, such as 202412A. A custom hotfix can only be selected as a fixed version. Policies set to n, n - 1, and n - 2 ignore custom hotfixes when updating.

9. Under Component update, select the Update policy for the agent detection components.
   The endpoint agent has many different detection components which update at different times and frequencies. The update policy utilizes a series of daily snapshots to allow you to control which component versions your agents update to.

   Setting	Description
   n (latest version)	The agent always update to the latest component versions available This policy does not use a snapshot and instead updates to the latest component versions. Use this setting if you want your agents to always update to the latest security component releases.
   n - 1 (one snapshot prior)	The agents always update to the snapshot from the day before the current date
   n - 2 (two snapshots prior)	The agents always update to the snapshot from two days before the current date
   n - 3, n - 4, …, n - 8	The agents always update to the snapshot from the corresponding number of days before the current date For example, n - 5 updates to the snapshot from five days before the current date.

   Important Scheduling of component updates is configured in Server & Workload Protection and Standard Endpoint Protection. For Standard Endpoint Protection, access the managing product server and go to Updates → Agents → Automatic Update. To configure update settings within the Protection Manager, see Component Updates. For Server & Workload Protection, go to Endpoint Security → Server & Workload Security → Administration → Scheduled Tasks and create a component update task. To configure update settings, see Apply security updates.

10. After you have configured all of your priority rules, click Save.

    Tip If you are creating a new policy, make sure you configure the Default priority rule.