With this new hierarchy of scope, Capture Client 3.7 also introduces the concept of policy inheritance. Inheritance refers to the ability to configure a policy at a child scope to be automatically inherited from the policy of a parent scope. For example, if an MSSP has a baseline policy for Threat Protection, they can configure it at the Account level and enable inheritance for every new tenant they provision. If inheritance is enabled, any changes to the policy at the parent level are automatically propagated to child scopes.
Inheritance propagates from Accounts to Tenants and from Tenants to Groups. If inheritance is enabled at both the Tenant and Group level, the account policy is effectively applied to the Group level.
Policy inheritance is configured for each policy type individually, and the rules for how inheritance works differ by type:
Policy Type | Inheritance Rules |
---|---|
Capture Client, Threat Protection, Trusted Certificates and Web Content Filtering | Inheritance can either be Enabled or Disabled. With inheritance enabled in a particular scope, the policy for that scope cannot be modified. |
Blacklists & Exclusions | Inheritance is always enabled and cannot be disabled, but you can also create scope-specific configurations. |
Device Control | Inheritance can either be Enabled or Disabled. In either case, you can also add scope-specific rules. The priority of rules is always in the reverse order of inheritance: the inherited rules from the highest scope are at the bottom of the list. |
Email and Notification Settings | Inheritance can either be Enabled or Disabled. For new tenants, it is always enabled by default. You can disable it later, if required. |
You can create several kinds of policies that can be effectively leveraged through inheritance. These include: Client, Threat Protection, Trusted Certificates, Web Content Filtering, Blacklist, Exclusions, Device Control and Email and Notification Settings. You can choose to either inherit policies or create custom policies for each tenant.
Blacklists and Exclusions are forced on tenants: you cannot disable inheritance of Blacklist and Exclusions items for tenants. Instead, you can add blacklist and exclusion items for individual tenants as required.
Even while you are inheriting the Email and Notification settings from the account scope, you can customize or edit the Email Address and Time Zone for a specific tenant.
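When auditing what actually applies at a given Group, it helps to resolve the rules in the table by walking up the scope chain. The following is an added illustration, not SonicWall code or a Capture Client API: the `Scope` class, the function names, the policy-type keys and the sample values are all hypothetical, and inheritance is assumed to be off where no flag is set.

```python
from dataclasses import dataclass, field
from typing import Optional

TOGGLE = {"client", "threat_protection", "trusted_certificates", "web_content_filtering"}

@dataclass
class Scope:  # hypothetical model of an Account, Tenant or Group
    name: str
    parent: Optional["Scope"] = None
    inherit: dict = field(default_factory=dict)   # policy type -> inheritance on/off
    settings: dict = field(default_factory=dict)  # toggle-type policy -> its value
    items: dict = field(default_factory=dict)     # "blacklist"/"exclusions" -> entries
    rules: list = field(default_factory=list)     # scope-specific Device Control rules

def effective_setting(scope, ptype):
    """Toggle-type policy: with inheritance on, the parent's policy applies unmodified."""
    if ptype not in TOGGLE:
        raise ValueError(f"{ptype} does not follow the enable/disable-only rule")
    while scope.parent is not None and scope.inherit.get(ptype, False):
        scope = scope.parent
    return scope.name, scope.settings.get(ptype)

def effective_items(scope, ptype):
    """Blacklist/Exclusions: always inherited, so every level up the chain contributes."""
    merged = set()
    while scope is not None:
        merged.update(scope.items.get(ptype, []))
        scope = scope.parent
    return merged

def effective_device_rules(scope):
    """Device Control: own rules on top, inherited rules below, highest scope last."""
    ordered = []
    while scope is not None:
        ordered.extend((scope.name, rule) for rule in scope.rules)
        inherits = scope.inherit.get("device_control", False)
        scope = scope.parent if inherits else None
    return ordered

# Constructed sample hierarchy: Account -> Tenant -> Group
account = Scope("Account", settings={"threat_protection": "baseline"},
                items={"blacklist": ["sample-entry-A"]}, rules=["account rule"])
tenant = Scope("Tenant-1", account, {"threat_protection": True, "device_control": True},
               items={"blacklist": ["sample-entry-B"]}, rules=["tenant rule"])
group = Scope("Group-1", tenant, {"threat_protection": True, "device_control": True},
              rules=["group rule"])

if __name__ == "__main__":
    print(effective_setting(group, "threat_protection"))
    print(sorted(effective_items(group, "blacklist")))
    for origin, rule in effective_device_rules(group):
        print(origin, rule)
```

Each function returns the originating scope alongside the value where that matters, so a reviewer can see which level a setting or rule came from.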
The following is an example of creating a policy for Capture Client version management and enabling inheritance across selected tenants.
To create a Capture Client base policy and enable inheritance for tenants
Navigate to Policies > Client and set the Inheritance option to green.
Repeat steps 4 through 6 for other tenants if you wish to copy this Capture Client policy to other tenants too. If inheritance is enabled, any changes to the policy at the parent level are automatically propagated to child scopes.