App Control: How to Tell Why a Device Moved Into Another Policy

Environment

  • App Control Console: All Supported Versions
  • App Control Agent: All Supported Versions

Objective

How to tell who or what changed a device's policy.

Resolution

In the Events page, filter on the Subtype "Computer Modified". Events of this subtype carry a description that helps explain why a device moved policies. The description takes one of the following forms:
  • Computer was moved by a user:
    Computer '$computer$' was moved into the Policy '$policyName$' by '$username$'.
  • Computer was moved by an automatic policy (such as Active Directory Policy Mapping):
    Computer '$computer$' was modified by '$username$' to use automatic Policy assignment.
  • Moved back to a policy from Local Approval Mode:
    Computer '$computer$' was restored to its previous Policy by '$username$'.
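
To triage many of these events at once, the sketch below (an added example, not Carbon Black code) matches event descriptions against the three templates above and groups the policy changes by computer. It assumes the descriptions are available as plain text strings; the function names, reason labels and sample values are constructed for illustration.

```python
import re

# The three description templates quoted in the article, keyed by the reason
# they indicate. The reason labels are names chosen for this example.
TEMPLATES = {
    "moved_by_user":
        "Computer '$computer$' was moved into the Policy '$policyName$' by '$username$'.",
    "automatic_assignment":
        "Computer '$computer$' was modified by '$username$' to use automatic Policy assignment.",
    "restored_from_local_approval":
        "Computer '$computer$' was restored to its previous Policy by '$username$'.",
}

def _compile(template):
    """Turn a template into an anchored regex with one named group per $placeholder$."""
    escaped = re.escape(template)  # '$' becomes '\$'
    pattern = re.sub(r"\\\$(\w+)\\\$", r"(?P<\1>.+?)", escaped)
    return re.compile("^" + pattern + "$")

PATTERNS = {reason: _compile(t) for reason, t in TEMPLATES.items()}

def classify(description):
    """Return (reason, fields) for one event description, or ('unrecognized', {})."""
    text = description.strip()
    for reason, pattern in PATTERNS.items():
        match = pattern.match(text)
        if match:
            return reason, match.groupdict()
    return "unrecognized", {}

def policy_history(descriptions):
    """Group recognized policy changes by computer, preserving input order."""
    history = {}
    for text in descriptions:
        reason, fields = classify(text)
        if reason != "unrecognized":
            history.setdefault(fields["computer"], []).append((reason, fields))
    return history

# Constructed sample descriptions (hostnames, policy and user names are invented).
SAMPLE = [
    "Computer 'CORP\\WS-0142' was moved into the Policy 'High Enforcement' by 'jdoe'.",
    "Computer 'CORP\\WS-0142' was modified by 'svc-admin' to use automatic Policy assignment.",
    "Computer 'CORP\\LT-0007' was restored to its previous Policy by 'admin'.",
    "Computer 'CORP\\LT-0007' did something unrelated.",  # constructed non-matching line
]

if __name__ == "__main__":
    for computer, changes in policy_history(SAMPLE).items():
        for reason, fields in changes:
            print(computer, reason, fields.get("policyName", "-"), fields["username"])
```

A description that matches none of the three templates is returned as "unrecognized" and left out of the per-computer history.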

Additional Notes

  • If a device is being moved automatically, it is generally because of an Event Rule or Active Directory Policy Mapping.
  • Check under Rules > Event Rules to see if there are any rules that have an action of "move computer" to another policy.

Article Information
Creation Date: 09-09-2020