Configuring Exemption Policies for Configuration Manager Network Access Protection
When you are using Network Access Protection with Configuration Manager 2007, the first matching network policy on the Network Policy Server is applied to connecting clients. This means that each exception or exemption requires its own network policy, with conditions that match only the exempted clients and with settings that differ from the standard policy.
Examples
The following sample scenarios show how exemptions can be configured for Configuration Manager Network Access Protection (NAP):
Specified people will never have limited network access.
Desktop computers will have full network access for a limited time if non-compliant whereas laptop computers will have limited access if non-compliant.
During the hours that a local helpdesk is not available, non-compliant computers will have full network access for a limited time rather than limited access.
Specified machines will not be checked for their Configuration Manager health state. This would be applicable if the Configuration Manager client should not be installed on selected computers.
Specified people will never have limited network access
Create a new network policy that has the following configuration:
On the Overview tab, select Policy enabled.
On the Overview tab, select the access permission of Grant Access. Grant access if the connection request matches this policy.
On the Conditions tab, add the condition of Windows Groups, click Add Groups, select the group that contains all the people who should always have full network access without remediation, as if compliant. Click the group you have just selected, click OK, and then click OK to close the Windows Groups dialog box.
On the Conditions tab, add the condition of Health Policies, select the Compliant health policy created earlier, and then click OK.
On the Constraints tab, for DHCP and IPsec enforcement only, click Perform machine health check only. Note that this setting should not be selected if you are using VPN or 802.1X as your enforcement mechanism.
On the Settings tab, click NAP Enforcement under the section Network Access Protection, click Allow full network access, and then click OK.
Order this policy before the Configuration Manager network policy that references the compliant health policy and does not have a Windows Groups condition.
Desktop computers will have full network access for a limited time if non-compliant whereas laptop computers will have limited access if non-compliant
Create a non-compliant network policy for desktop networked computers:
On the Overview tab, select Policy enabled.
On the Overview tab, select the access permission of Grant Access. Grant access if the connection request matches this policy.
On the Conditions tab, add the condition of Machine Groups, click Add Groups, select the group that contains all the computers that should have full network access for a limited time if non-compliant. Click the group you have just selected, click OK, and then click OK to close the Machine Groups dialog box.
On the Conditions tab, add the condition of Health Policies, select the Non-Compliant health policy created earlier, and then click OK.
On the Constraints tab, for DHCP and IPsec enforcement only, click Perform machine health check only. Note that this setting should not be selected if you are using VPN or 802.1X as your enforcement mechanism.
On the Settings tab, click NAP Enforcement under the section Network Access Protection, click Allow full network access for a limited time, and then use the Date and Time options to set when computers should have restricted network access if their health state remains non-compliant.
On the Settings tab, click NAP Enforcement, click Configure in the section Remediation Server Group and Troubleshooting URL, and in the Remediation Servers and Troubleshooting URL dialog box specify the following, and then click OK:
In the section Remediation Server Group, select the remediation server group you created earlier, which contains infrastructure servers such as DNS servers.
In the section Troubleshooting URL, type in the link to a Web page accessible from the restricted network you want users to see when they are in remediation.
Create a non-compliant network policy for laptop computers:
On the Overview tab, select Policy enabled.
On the Overview tab, select the access permission of Grant Access. Grant access if the connection request matches this policy.
On the Conditions tab, add the condition of Machine Groups, click Add Groups, select the group that contains all the laptop computers that should have restricted network access if non-compliant. Click the group you have just selected, click OK, and then click OK to close the Machine Groups dialog box.
On the Conditions tab, add the condition of Health Policies, select the Non-Compliant health policy created earlier, and then click OK.
On the Constraints tab, for DHCP and IPsec enforcement only, click Perform machine health check only. Note that this setting should not be selected if you are using VPN or 802.1X as your enforcement mechanism.
On the Settings tab, click NAP Enforcement under the section Network Access Protection, and then click Allow limited access.
On the Settings tab, click NAP Enforcement, click Configure in the section Remediation Server Group and Troubleshooting URL, and in the Remediation Servers and Troubleshooting URL dialog box specify the following, and then click OK:
In the section Remediation Server Group, select the remediation server group you created earlier, which contains infrastructure servers such as DNS servers.
In the section Troubleshooting URL, type in the link to a Web page accessible from the restricted network you want users to see when they are in remediation.
Order the non-compliant network policy for laptop computers before the non-compliant network policy for desktop computers.
During the hours that a local helpdesk is not available, non-compliant computers will have full network access for a limited time rather than limited access
Create a non-compliant network policy for full network access for a limited time from 2 a.m. to 4 a.m. only:
On the Overview tab, select Policy enabled.
On the Overview tab, select the access permission of Grant Access. Grant access if the connection request matches this policy.
On the Conditions tab, add the condition of Day and Time Restrictions, select 2am-4am, click Permitted, and then click OK.
On the Conditions tab, add the condition of Health Policies, select the Non-Compliant health policy created earlier, and then click OK.
On the Constraints tab, for DHCP and IPsec enforcement only, click Perform machine health check only. Note that this setting should not be selected if you are using VPN or 802.1X as your enforcement mechanism.
On the Settings tab, click NAP Enforcement under the section Network Access Protection, click Allow full network access for a limited time, and then use the Date and Time options to set when computers should have restricted network access if their health state remains non-compliant.
On the Settings tab, click NAP Enforcement, click Configure in the section Remediation Server Group and Troubleshooting URL, and in the Remediation Servers and Troubleshooting URL dialog box specify the following, and then click OK:
In the section Remediation Server Group, select the remediation server group you created earlier, which contains infrastructure servers such as DNS servers.
In the section Troubleshooting URL, type in the link to a Web page accessible from the restricted network you want users to see when they are in remediation.
Make sure this policy is ordered before the non-compliant policy that has no condition for day and time restrictions.
Specified machines will not be checked for their Configuration Manager health state. This would be applicable if the Configuration Manager client should not be installed on selected computers.
Create a new health policy that does not reference the Configuration Manager System Health Validator, but does include the other System Health Validators you are using.
Create a new network policy:
On the Overview tab, select Policy enabled.
On the Overview tab, select the access permission of Grant Access. Grant access if the connection request matches this policy.
On the Conditions tab, add the condition of Machine Groups, click Add Groups, select the Windows group that contains all the computers that must not have the Configuration Manager client installed. Click the group you have just selected, click OK, and then click OK to close the Machine Groups dialog box.
On the Conditions tab, add the condition of Health Policies, select the new health policy that does not reference the Configuration Manager System Health Validator, and then click OK.
On the Constraints tab, for DHCP and IPsec enforcement only, click Perform machine health check only. Note that this setting should not be selected if you are using VPN or 802.1X as your enforcement mechanism.
On the Settings tab, click NAP Enforcement under the section Network Access Protection, click Allow full network access, and then click OK.
Order this network policy before any other that references the Configuration Manager health policies.
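The ordering rules in the desktop/laptop, helpdesk-hours and no-client scenarios above all follow from first-match evaluation. The following added example (not NPS or Configuration Manager code) models that evaluation for those three scenarios plus the general compliant and non-compliant Configuration Manager policies, and shows what happens when the general non-compliant policy is ordered first. Group names, health policy names and the 2 a.m. to 4 a.m. window are assumptions.

```python
# Added model of NPS first-match policy evaluation for the exemption scenarios above.
# Constructed example, not NPS/ConfigMgr code; group and health policy names are assumed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Request:
    machine_groups: frozenset     # Windows groups the connecting computer belongs to
    health_policies: frozenset    # health policies the client's statement of health satisfies
    hour: int                     # hour of the connection request, 0-23

@dataclass(frozen=True)
class Policy:
    name: str
    health_policy: str            # Health Policies condition
    enforcement: str              # NAP Enforcement setting on the Settings tab
    machine_group: Optional[str] = None   # Machine Groups condition, if any
    hours: Optional[range] = None         # Day and Time Restrictions condition, if any

    def matches(self, r: Request) -> bool:
        return (self.health_policy in r.health_policies
                and (self.machine_group is None or self.machine_group in r.machine_groups)
                and (self.hours is None or r.hour in self.hours))

def evaluate(policies, r):
    """NPS applies the first policy, in processing order, whose conditions all match."""
    for p in policies:
        if p.matches(r):
            return p.name, p.enforcement
    return None, "deny"

# Processing order recommended above: exemption policies first, general ConfigMgr policies last.
ORDERED = [
    Policy("No ConfigMgr client", "Other-SHVs-Compliant", "full", machine_group="NoClient"),
    Policy("After hours", "Non-Compliant", "full for a limited time", hours=range(2, 4)),
    Policy("Laptops non-compliant", "Non-Compliant", "limited", machine_group="Laptops"),
    Policy("Desktops non-compliant", "Non-Compliant", "full for a limited time", machine_group="Desktops"),
    Policy("ConfigMgr compliant", "Compliant", "full"),
    Policy("ConfigMgr non-compliant", "Non-Compliant", "limited"),
]
# Same policies with the general non-compliant policy moved to the top: it matches every
# non-compliant client first, so the non-compliant exemptions below it are never reached.
MISORDERED = [ORDERED[-1]] + ORDERED[:-1]

laptop_at_3am = Request(frozenset({"Laptops"}), frozenset({"Non-Compliant"}), 3)
desktop_at_10 = Request(frozenset({"Desktops"}), frozenset({"Non-Compliant"}), 10)

if __name__ == "__main__":
    print(evaluate(ORDERED, laptop_at_3am))     # ('After hours', 'full for a limited time')
    print(evaluate(MISORDERED, laptop_at_3am))  # ('ConfigMgr non-compliant', 'limited')
```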
See Also
Concepts
Determine Your Policy Strategy for Network Access Protection
Other Resources
Configuring the Network Policy Server for Configuration Manager
Overview of Network Access Protection