Using policy target rules

Policy target rules let you specify when a device or device group should use a specific policy. Each policy target rule has a set of conditions. If the conditions match, the device automatically applies the associated policy. The feature is similar to location awareness in the Symantec Endpoint Protection Manager. See:
Supported policies and devices
Policy targeting is supported for the following cloud policies:
  • Antimalware
  • Firewall
  • Device Control
  • Intrusion Prevention
  • System
  • Allow List
  • Deny List
  • Memory Exploit Mitigation (MEM)
  • Traffic Redirection
  • Detection and Response (EDR)
  • Adaptive Protection
Policy targeting only takes effect for cloud-enabled devices that are managed by the cloud. Policy targeting does not take effect for hybrid-managed devices. Also, policy targeting only applies to cloud policies and not Symantec Endpoint Protection Manager (SEP 14) policies that are available in the cloud.
Policy target rules
You can apply a policy to a device group based on a set of conditions that are included in a policy target rule.  When you create a policy and apply it to a device group, you select a policy target rule to use.
By default, two policy target rules are available:
  • Quarantine rule that is automatically applied to any quarantined devices.
  • Default rule with no conditions.
Any default policies are automatically assigned to the Default policy target rule.
You can create additional policy target rules and specify conditions such as user or computer IP address.
You can use policy target rules to target multiple policies of the same type to the same device group based on a set of conditions. For example, you might want to target an Antimalware policy to a device group for most users, but a subset of users requires a separate Antimalware policy. You can apply two different Antimalware policies to this same device group, one with the default target rule and the other with a user target rule.
The order of the rules in the list indicates priority. However, any rule that is currently applied takes priority over another match.
You can use policy targeting to track the current location of a device group even if the location does not require a policy change. Apply at least one policy with an associated policy target rule to the group.
To create a policy target rule
  1. On the
    page, on the
    Policy Target Rules
    tab, select
  2. On the
    Add Policy Target Rule
    page, enter a name for the rule. You can also enter a description.
  3. Next to
    Policy Targeting Conditions
    , select
  4. Select the
    Condition Type
    , such as
    Computer IP address
  5. Specify a value for the condition. For example, for users, you enter a user name or user group name.
  6. Select
  7. The rule is now available for you to target policies. When this rule is triggered, an associated policy is applied to the user or group or whatever condition you specified.
    You must have administrative access to any group on which you target a policy.
Policy target conditions
The conditions in the policy target rule do not have any precedence. The first level conditions can use logical AND or OR. The second level of conditions can only use OR.
Some conditions can be positive or negative. For example, a device matches because it uses an IP address within a specified IP address range or it has a particular registry key. In another condition, a device matches because it does not use an IP address within a specified range.
Condition Type
Computer IP Address
You can specify the following types of device IP address conditions: IP Address, IP Range, Subnet Address, or Host Group and their values.
IPv4 or IPv6 is supported for IP Address, IP Range, or Subnet Address.
Host group
as the
Address Type
, the target rule ignores any DNS host, DNS domain, or MAC address configured for the host group. The rule only honors host groups configured with IP address, IP address range, or IP subnet.
This condition matches on user or user group name. Be careful if you configure a wildcard in the
User/Group Name
field. You might find that a user unexpectedly triggers the rule because of the user group name.
For example: You define a condition as contains
. You might expect that only user names starting with
trigger the rule. But any domain user name triggers the rule because the domain administrator group name matches the condition.
ICMP Request
You can specify the following types of ICMP request conditions: IP Address, Host Name, or Host Group and their values. IPv4 or IPv6 is supported for IP Address.
Registry Key
This condition matches when the device's registry has a setting that is equal or not equal to the specified registry key, registry key name, or registry value.
DNS Lookup
This condition matches when a device resolves or does not resolve the specified host name and IP type.
DHCP Server Address
You can specify the following criterion types: IP Address, IP Range, Subnet Address, Host Group, or MAC address and their values.
IPv4 or IPv6 is supported for IP Address, IP Range, or Subnet Address.
NIC Description
This condition matches when a device has a Network Interface Card (NIC) that matches or does not match the description.
Cloud connection
This condition matches when a device is connected or not connected to the cloud.
DNS Connection: DNS suffix
This condition matches when the device uses or does not use the specified DNS suffixes.
Trusted Platform Module
You can specify the following Trusted Platform Module (TPM) types:
  • Any TPM token
  • IBM TPM token
  • HP TPM token
Wireless SSID
This condition matches if the device uses or does not use any of the specified SSIDs.
User notification of target rule change
Changes in the device group might trigger a different policy target rule. These changes are called location changes. You can configure a notification to appear on the user device when a location change triggers a different rule.
Rule Settings
, turn on
Policy targeting rule change notification
Under Notification Message
, enter the text for the message that appears on the user's device. You can specify how often Symantec Endpoint Security checks for rule matching.