Setting up and configuring a managed company as an MSP Partner

Configure endpoint protection and deploy the security agent

This section provides you with the steps required to deploy security agents on the endpoints of a managed company and customize the level of protection provided for each one by setting up custom installation packages.

Depending on your needs and current network setup, BEST may be deployed in multiple ways.

Creating endpoint tags for managed companies

Note

Using endpoint tags on a managed company requires the ATS add-on to be enabled for the company's own use.

  1. Log in to GravityZone Control Center.

  2. Go to the Network page from the left side menu.

  3. Click the Companies folder under the Name column in the right side of the page.

  4. Click the target company name.

  5. Select the target endpoints. You can select one or several endpoints, groups of endpoints, or companies. For more information refer to Viewing endpoint details.

  6. Click the Tags button in the action toolbar and select Assign tags.

    Alternatively, right-click the selected targets and choose Tags > Assign tags from the contextual menu.

  7. Use the + Create tag option to create a new tag for all the endpoints managed by your target company that you wish to assign the policy to.

  8. Select the box next to the newly created tag.

  9. Click Assign.

    A notification in the lower-right side of the console informs you about the assignment process.

Refresh the Network grid to view the changes.

For more information on working with endpoint tags refer to Using endpoint tags.

Configuring policies for managed companies

The above procedure makes use of the default GravityZone policy, which is automatically applied to an endpoint when the BEST agent is deployed.

Some features need to be activated in the policy that is applied to an endpoint. If they are not, the feature will not be active on the endpoint.

We recommend creating a separate policy for each company you manage security for.

Create a new policy and apply it to all of the company's endpoints. You can also create additional policies to be applied to specific endpoints for that same company.

Create policies for your managed companies

There are two ways of managing policies for your child companies:

  • Create a separate policy for each company. This way you can easily customize, in great detail, the security of each company.

    Tip

    This method is recommended when managing a small number of companies.

  • Create a few policies that cover the needs of the main types of companies you manage. You can then apply these policies to groups of companies, and, when needed, copy and customize them for specific cases.

    Tip

    This method is best used when managing a large number of companies.

  1. Log in to GravityZone Control Center.

  2. Go to the Policies page from the left side menu.

  3. Click the Add button at the upper side of the table. This will create a new policy starting from the default policy template.

  4. On the General page, under the Technical Support Information section, type in the contact information for your company so that your customers can contact you whenever they require assistance.

  5. Configure the rest of the policy settings. For detailed information, refer to Configuring computer and virtual machine policies.

    Important

    Make sure you enable all features included in your subscription. For more information, refer to ???.

  6. Click Save to create the policy and return to the policies list.

    You cannot save a policy that contains invalid data. When trying to do so, a specific message appears in the lower-right corner of the screen indicating which section has issues. At the moment, the message covers only the Sandbox Analyzer > Endpoint Sensor and Integrity Monitoring > Real Time sections.

Assign policies to managed companies

You can assign a policy to a managed company using one of the following procedures:

Tip

When editing a policy, you can enable the Allow other users to change this policy option under General > Policy details to ensure access to the policy. This will avoid losing access to the policy if the user that created it is no longer available.

Tip

You can also assign policies using user rules, location rules, or integration rules. For more information refer to Assigning local policies.

For a feature to function on an endpoint, it might require multiple conditions to be met. Check the table below to make sure a specific feature is enabled for your endpoints.

The columns present the following information:

  • Feature - The name of the feature.

  • Policy activation – Indicates where you can go to check if the feature is activated on any given policy.

    Tip

    To check what policy is applied on a specific endpoint, go to the Network page from the left side menu, display the endpoint details, and view the information in the Policy tab.

    You can run a Policy Compliance report to view what policies are deployed on a list of selected endpoints.

  • Modules needed to be deployed on the endpoint – This column specifies if the feature requires any specific module to be deployed on endpoints for the feature to function.

  • Licensing requirements for monthly subscription users – Indicates if the feature is included in the core protection, or if it requires additional add-ons or services to be enabled for a company.

  • Additional dependencies – Includes any other requirements that do not fit into the above categories.

Feature: Antimalware

  • Policy activation: You can enable the feature from the Antimalware > On-access > On-access Scanning setting.

  • Modules needed to be deployed on the endpoint: Antimalware

  • Licensing requirements for monthly subscription users: Included in core protection.

  • Additional dependencies: The feature provides further functionality that can be enabled from the Antimalware > Settings page, in the policy applied to the endpoint.

Feature: Advanced Anti-Exploit

  • Policy activation: You can enable the feature from the Antimalware > Advanced Anti-Exploit > Advanced Anti-Exploit setting.

  • Modules needed to be deployed on the endpoint: Advanced Anti-Exploit

  • Licensing requirements for monthly subscription users: Included in core protection.

  • Additional dependencies: The feature provides further functionality that can be enabled from the Antimalware > Settings page, in the policy applied to the endpoint.

Feature: Advanced Threat Control

  • Policy activation: You can enable the feature from the Antimalware > On-execute > Advanced Threat Control setting.

  • Modules needed to be deployed on the endpoint: Advanced Threat Control

  • Licensing requirements for monthly subscription users: Included in core protection.

  • Additional dependencies: The feature provides further functionality that can be enabled from the Antimalware > Settings page, in the policy applied to the endpoint.

Feature: EDR

  • Policy activation: You can enable the feature from the Incident Sensor > Incident Sensor setting.

  • Modules needed to be deployed on the endpoint: EDR Sensor

  • Licensing requirements for monthly subscription users: Requires the EDR add-on to be enabled for the company's own use.

  • Additional dependencies: N/A

Feature: Fileless Attack Protection

  • Policy activation: You can enable the feature from the Antimalware > On-execute > Fileless Attack Protection setting.

  • Modules needed to be deployed on the endpoint: Antimalware

  • Licensing requirements for monthly subscription users: Requires the Advanced Threat Security add-on to be enabled for the company's own use.

  • Additional dependencies: The feature provides further functionality that can be enabled from the following settings in the policy applied to the endpoint:

    • The Antimalware > Settings page.

    • The Antimalware > On-execute > Fileless Attack Protection page, from the Command-Line Scanner and Antimalware Scan Interface Security Provider settings.

Feature: Firewall

  • Policy activation: You can enable the feature from the Firewall > Firewall setting.

    Note

    If using an installation package created prior to the release of the Firewall feature on Windows Servers, activating the feature in the applied policy will have no effect on the endpoint.

  • Modules needed to be deployed on the endpoint: Firewall

  • Licensing requirements for monthly subscription users: Included in core protection.

  • Additional dependencies: N/A

Feature: HyperDetect

  • Policy activation: You can enable the feature from the Antimalware > Hyper Detect > Hyper Detect setting.

  • Modules needed to be deployed on the endpoint: Antimalware

  • Licensing requirements for monthly subscription users: Requires the Advanced Threat Security and HyperDetect add-ons to be enabled for the company's own use.

  • Additional dependencies: N/A

Feature: Network Attack Defense

  • Policy activation: You can enable the feature from the Network Protection > General > Network Protection setting.

  • Modules needed to be deployed on the endpoint: Network Protection > Network Attack Defense

  • Licensing requirements for monthly subscription users: Included in core protection.

  • Additional dependencies: N/A

Feature: eXtended Detection and Response

  • Policy activation: You can enable the feature from the Incident Sensor > Incident Sensor setting.

  • Modules needed to be deployed on the endpoint: EDR Sensor

  • Licensing requirements for monthly subscription users: Requires the eXtended Detection and Response add-on and at least one of the sensor add-ons to be enabled for the company.

  • Additional dependencies:

    • Sensors need to be added from the Configuration > Sensors Management page.

    • The following prerequisites must be met on the domain where the endpoints are located:

      • All domain controllers must have the BEST agent installed with the EDR Sensor module included.

      • All domain controllers must have a policy assigned that has the EDR feature enabled under the Incident Sensor page.

    • The following settings must be set in Active Directory:

      • With the exception of Global Object Access Auditing policies, all group policies in Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies must be set to audit all login events.

Feature: Content Control

  • Policy activation: You can enable the feature from the Network Protection > General > Network Protection setting.

  • Modules needed to be deployed on the endpoint: Network Protection > Content Control

  • Licensing requirements for monthly subscription users: Included in core protection.

  • Additional dependencies: The feature provides additional functionality that you can enable and configure from the Network Protection > Content Control policy page.

Feature: Device Control

  • Policy activation: You can enable the feature from the Device Control > Device Control setting.

  • Modules needed to be deployed on the endpoint: Device Control

  • Licensing requirements for monthly subscription users: Included in core protection.

  • Additional dependencies: N/A

Feature: Endpoint Risk Analytics

  • Policy activation: You can enable the feature from the Risk Management > Risk Management setting.

  • Modules needed to be deployed on the endpoint: This feature requires BEST to be installed on endpoints, but does not require any particular module to be deployed.

  • Licensing requirements for monthly subscription users: Included in core protection.

  • Additional dependencies: N/A

Feature: Full Disk Encryption

  • Policy activation: You can enable the feature from the Encryption > General > Encryption Management page.

  • Modules needed to be deployed on the endpoint: Encryption

  • Licensing requirements for monthly subscription users: Requires the Full Disk Encryption add-on to be enabled for the company.

  • Additional dependencies: N/A

Feature: Integrity Monitoring

  • Policy activation: You can enable the feature from the Integrity Monitoring > Real time > Enable real-time monitoring setting.

  • Modules needed to be deployed on the endpoint: Integrity Monitoring

  • Licensing requirements for monthly subscription users: Requires the Integrity Monitoring add-on to be enabled for the company.

  • Additional dependencies: Requires a rule set to be created and added to the applied policy.

Feature: Patch Management

  • Policy activation: This feature does not require policy activation.

  • Modules needed to be deployed on the endpoint: Patch Management

  • Licensing requirements for monthly subscription users: Requires the Patch Management add-on to be enabled for the company.

  • Additional dependencies: Requires maintenance windows to be created from the Policies > Configuration Profiles page and assigned to the policy installed on the endpoint.

Feature: Security for Exchange

  • Policy activation: This feature does not require policy activation.

  • Modules needed to be deployed on the endpoint: Exchange protection

  • Licensing requirements for monthly subscription users: Requires the Security for Exchange add-on to be enabled for the company.

  • Additional dependencies: Requires User Groups to be created and configured for the policy.

Feature: Sandbox Analyzer - console submissions

  • Policy activation: This feature does not require policy activation.

  • Modules needed to be deployed on the endpoint: This feature works independently of endpoints.

  • Licensing requirements for monthly subscription users: Requires the Advanced Threat Security > Sandbox Analyzer add-on to be enabled for the company.

  • Additional dependencies: N/A

Feature: Sandbox Analyzer - endpoint submissions

  • Policy activation: You can enable the feature from the Sandbox Analyzer > Endpoint Sensor section, by selecting the Automatic sample submission from managed endpoints check box.

  • Modules needed to be deployed on the endpoint: This feature requires the BEST agent to be installed on an endpoint, but does not require any specific module to be deployed.

  • Licensing requirements for monthly subscription users: Requires the Advanced Threat Security > Sandbox Analyzer add-on to be enabled for the company.

  • Additional dependencies: N/A

Feature: Email Security

  • Policy activation: This feature does not require policy activation.

  • Modules needed to be deployed on the endpoint: This feature works independently of endpoints.

  • Licensing requirements for monthly subscription users: Requires the Email Security add-on to be enabled for the company.

  • Additional dependencies: N/A

Feature: GravityZone Security for Containers

  • Policy activation: This feature does not require policy activation.

  • Modules needed to be deployed on the endpoint:

    • Container Protection

    • Advanced Anti-Exploit

    • EDR

  • Licensing requirements for monthly subscription users: Requires the Container Protection add-on to be enabled for the company.

  • Additional dependencies: Requires the following options to be enabled in the policy applied to the endpoint:

    • Antimalware > On-Access > On-access scanning

    • Antimalware > Advanced Anti-Exploit > Advanced Anti-Exploit

    • Incident Sensor > Incident Sensor

Feature: Mobile Security

  • Policy activation: This feature does not require policy activation.

  • Modules needed to be deployed on the endpoint: This feature only works with mobile devices, which use the Bitdefender GravityZone MTD agent.

  • Licensing requirements for monthly subscription users: Requires the Mobile Security add-on to be enabled for the company.

  • Additional dependencies: N/A

Feature: Ransomware Mitigation

  • Policy activation: You can enable the feature from the Antimalware > On-Execute > Ransomware Mitigation setting.

  • Modules needed to be deployed on the endpoint:

    • Antimalware

    • Advanced Threat Control

  • Licensing requirements for monthly subscription users: Included in core protection.

  • Additional dependencies:

    • Requires the following options to be enabled in the policy applied to the endpoint:

      • Antimalware > On-Execute > Advanced Threat Control

      • Antimalware > On-Access > On-access Scanning

    • Requires the installation package used to install the security agent on the endpoint to have the Detection and prevention mode selected.

    • The feature provides further functionality that can be enabled from the Antimalware > Settings and Antimalware > Security Servers pages, in the policy applied to the endpoint.

Feature: Web Traffic Scan

  • Policy activation: You can enable the feature from the Network Protection > Web Protection > Web Traffic Scan setting.

  • Modules needed to be deployed on the endpoint: Network Protection > Web Traffic Scan

  • Licensing requirements for monthly subscription users: Included in core protection.

  • Additional dependencies: Requires the following option to be enabled in the policy applied to the endpoint: Network Protection > General > Intercept Encrypted Traffic & Scan HTTPS.
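
The conditions listed above can be checked per endpoint once policy, module and licensing data have been collected. The following Python code is an added example, not Bitdefender code: it transcribes the Ransomware Mitigation and HyperDetect rows and reports which conditions an endpoint fails. The record layout (`policy_enabled`, `modules`, `package_mode`), the endpoint names and the sample data are assumptions constructed for illustration.

```python
# Added example: rows transcribed from the table above; record layout is hypothetical.
REQUIREMENTS = {
    "Ransomware Mitigation": {
        "policy": ["Antimalware > On-Execute > Ransomware Mitigation",
                   "Antimalware > On-Execute > Advanced Threat Control",
                   "Antimalware > On-Access > On-access Scanning"],
        "modules": ["Antimalware", "Advanced Threat Control"],
        "package_mode": "Detection and prevention",
    },
    "HyperDetect": {
        "policy": ["Antimalware > Hyper Detect > Hyper Detect"],
        "modules": ["Antimalware"],
        "addons": ["Advanced Threat Security", "HyperDetect"],
    },
}

def missing_conditions(feature, endpoint, company_addons):
    """Return the unmet conditions that keep `feature` inactive on `endpoint`."""
    req = REQUIREMENTS[feature]
    gaps = []
    for kind, present in (("policy", endpoint["policy_enabled"]),
                          ("modules", endpoint["modules"]),
                          ("addons", company_addons)):
        have = {p.casefold() for p in present}  # page mixes On-access / On-Access
        gaps += [f"{kind}: {item}" for item in req.get(kind, [])
                 if item.casefold() not in have]
    mode = req.get("package_mode")
    if mode and endpoint.get("package_mode") != mode:
        gaps.append(f"package_mode: {mode}")
    return gaps

def audit(endpoints, company_addons):
    """Map endpoint name -> {feature: [unmet conditions]}, listing only gaps."""
    return {ep["name"]: {f: g for f in REQUIREMENTS
                         if (g := missing_conditions(f, ep, company_addons))}
            for ep in endpoints}

# Constructed sample data: one company with a single add-on and two endpoints.
COMPANY_ADDONS = ["Advanced Threat Security"]
ENDPOINTS = [
    {"name": "srv-01", "package_mode": "Detection and prevention",
     "modules": ["Antimalware", "Advanced Threat Control"],
     "policy_enabled": REQUIREMENTS["Ransomware Mitigation"]["policy"]
                       + ["Antimalware > Hyper Detect > Hyper Detect"]},
    {"name": "wks-07", "package_mode": "other-mode (constructed placeholder)",
     "modules": ["Antimalware"],
     "policy_enabled": ["Antimalware > On-execute > Ransomware Mitigation",
                        "Antimalware > On-access > On-access Scanning"]},
]

if __name__ == "__main__":
    for name, gaps in audit(ENDPOINTS, COMPANY_ADDONS).items():
        print(name, gaps or "conditions met for all checked features")
```

An endpoint with an empty result has every listed condition met for the checked features; any other entry names the policy setting, module, add-on or installation package mode that is still missing.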

Setting up GravityZone user accounts for managed companies

Depending on the needs of the managed company, you might need to create multiple accounts for its users. Each account can be given access to a number of features and products, depending on the role of the user in the company.

For more information, refer to:

  • User roles, for a list of all possible user roles. These include a list of pre-defined user permissions, with custom-tailored rights built around traditional company roles, and the Custom role, which can be manually configured with specific user rights.

  • User rights, for a complete list of user rights. This information will help you better understand the rights that can be given to a specific user, and is helpful in manually customizing a specific user's rights.

Creating a new user

To add a user account in Control Center, follow the steps below:

  1. Log in to the GravityZone console with a Partner account.

  2. Go to the Accounts page from the left side menu.

  3. Click the Add account button in the upper left side of the page.

    A configuration window will be displayed.

  4. Under the Details section, fill in the following details:

    • Email - the user's email address used to log in to Control Center.

      Note

      The email address must be unique.

      Reports and important security notifications are sent to this address. Email notifications are sent automatically whenever important risk conditions are detected in the network.

    • Full name - the full name of the account owner.

    • Company - select the company you want the user to belong to.

    • Timezone - select the timezone of the account. The console will display time information according to the selected timezone.

    • Language - select the console display language.

  5. Configure the policy settings under the Login Security section:

    • Set maximum password age to 90 days - enable or disable the password expiration policy.

      When enabled, the password associated with the account expires 90 days after it is created. The user needs to change the password before this time passes, or they will be locked out of GravityZone.

    • Lockout accounts after 5 login attempts with invalid passwords - when enabled, locks the account after 5 login attempts are made using an incorrect password.

    Note

    If an account is locked, the user will have to reset their password. Alternatively, this action can also be taken by an administrator.

  6. Under the Role privileges section, configure the following settings:

    Tip

    If you are creating a user for a company that wants to run their own reports, select the Security Analyst role and make sure you select the company name from the Companies field.

    • Role - select the role you want to assign to the user. The role determines what rights the user will have.

      Note

      For more information on user roles, refer to User Roles.

    • Rights - select what rights you want the user to have.

      Each user role has a predefined configuration of rights. You can assign the user a specific combination of rights by selecting Custom under Role.

      Note

      For more information on user rights, refer to User rights.

  7. Under Select targets, select the companies and network groups the user will have access to. You can restrict user access to specific network areas or to specific companies.

  8. Click Create to add the user.

    Note

    The password for each user account is automatically generated once the account has been created, and sent to the user's email address along with the other account details.

    You can change the password after the account has been created. Click the account name in the Accounts page to edit its password. Once the password has been modified, the user is immediately notified via email.

    Users can change their login password from Control Center, accessing the My account page.

The new account will appear in the user accounts list.

Deleting a user

Important

When deleting a user, all associated policies, installation packages, generated API keys and scheduled reports are also deleted.

Check that you have copies or are no longer using these resources before deleting a user.

  1. Log in to the GravityZone console with a Partner account.

  2. Go to the Accounts page from the left side menu.

  3. Select the company the user belongs to using the Company filter above the main grid.

  4. Select the users you want to delete.

  5. Click Delete.