In the WatchGuard Endpoint Security web UI, Service Providers and Subscriber accounts can create and assign security settings profiles to the computers and devices they manage. They might also receive settings that you create and assign to the All group in Service Provider Endpoint Manager.
Settings profiles that you assign to an account in Endpoint Manager appear as read-only in the endpoint security web UI. The profile includes a green label to differentiate it from profiles created in the endpoint security web UI.
Ownership of the settings profile (that is, who can edit and delete it) is based on who created the settings profile and where.
When you assign settings to one or multiple accounts in Endpoint Manager, you are the owner of the settings. These settings are automatically assigned to the All group in the endpoint security web UI. You can delete these profiles in Endpoint Manager. In the web UI, settings profile disappears and the group inherits the settings from the All group or other parent group.
The web UI user cannot edit the settings or delete the profile. The web UI user can only edit the recipients. If the web UI user edits the recipients, then the settings profile becomes co-owned. For more information on the co-ownership of settings profiles, see Settings Profile Created and Sent from Service Provider Endpoint Manager.
If any sub-groups or computers in the All group have settings that were manually assigned in the web UI, the new settings from Endpoint Manager do not overwrite them.
Settings created by a Service Provider account in the endpoint security web UI are owned by the creator. You cannot see these settings in Endpoint Manager.
When you create a settings profile in Endpoint Manager and send it to a managed account, it appears in the endpoint security web UI with a green label to differentiate it from profiles created in the endpoint security web UI. If the endpoint security user then edits the recipients of the profile, the settings become co-owned.
You can centrally edit the settings profile in Endpoint Manager. The web UI user cannot edit the settings or delete the profile. The recipients that the web UI user added or deleted in the endpoint security web UI do not change. For this reason, you cannot centrally delete a co-owned settings profile. If you edit the settings in Endpoint Manager, the settings are resent and reassigned to the All group, as well as any other recipients added by the user in the endpoint security web UI.
Changes made in Endpoint Manager by a Service Provider to the settings assigned to a managed account automatically reflect in the endpoint security web UI. The changes propagate to the target devices in real-time or within 15 minutes when real-time communication is disabled. For more information, see Disable Real-time Communication.
When you assign a security settings profile to an account or account group, the settings are applied to the All group and inherited by sub-groups if they exist. If any of the sub-groups, computers, or devices have manually assigned settings, an exception occurs and WatchGuard Endpoint Security does not assign the settings profile from Endpoint Manager.
In Endpoint Manager, you can see these exceptions on the Settings page. If the list of accounts shows a black number in the colored line, this part of the account list is collapsed and some accounts have exceptions to the settings profile you assigned in Endpoint Manager. Double-click the number to show the accounts with exceptions.
You must open the WatchGuard Endpoint Security web UI for the account to view the manually applied settings.