KB006: Configure Security Agent Policies (Beta Feature)
Article ID: KB006
Last Updated: June 21, 2025
Applies To: HySecure Gateway 7.1 and above
Category: Endpoint Security & Compliance
Feature Status: Beta
Overview
This guide explains how to configure Security Agent and Encryption Agent support in Endpoint Security policies. At login, the host scan checks that the required security or encryption agent is installed on the user's device and, optionally, that the agent's real-time protection is enabled. Devices that fail the check are denied access, so only compliant endpoints reach protected resources.
Prerequisites
- HySecure Gateway 7.1 or higher
- Security Officer or Administrator access to the HySecure Management Console
Benefits
- Endpoint Compliance: Ensure only devices with required security tools can connect.
- Risk Reduction: Prevent non-compliant or unsecured endpoints from accessing resources.
- Real-Time Validation: Verify agent status and real-time protection during login.
Supported Agents
Security Agents
| Agent | Description | Real-Time Protection |
|---|---|---|
| Forcepoint | Forcepoint security agent | Supported |
| Zscaler | Zscaler security agent | Supported |
Encryption Agents
| Agent | Description | Real-Time Protection |
|---|---|---|
| BitLocker | Microsoft BitLocker | Supported |
| McAfee | McAfee Encryption agent | Supported |
Procedure Part 1: Configure Security Agent-Based Policy
Step 1: Create Security Agent Host Scan Policy
1. Access Management Console
   - Log in to the HySecure Management Console as a Security Officer or Administrator.
2. Navigate to Host Scan Policies
   - Go to Policies > Endpoint Security Policies > Host Scan Policies.
   - Click Add.
3. Configure Basic Policy Settings
   - Enter the appropriate Policy Name.
   - Provide a Description.
   - Select Policy Type as Security Agent.
Step 2: Create Security Agent Sub-Policy
1. Add Security Agent Policy
   - Click Add Security Agent Policy to create a sub-policy.
2. Configure Security Agent Details
   - Enter a Policy Name for the sub-policy.
   - Select an Agent based on requirements:
     - Forcepoint: Allow access only from devices with the Forcepoint security agent.
     - Zscaler: Allow access only from devices with the Zscaler security agent.
3. Configure Real-Time Protection
   - Select the Real Time Protection enabled checkbox to also validate that the agent's real-time protection is turned on.
   - If enabled: a device with the agent installed but real-time protection disabled fails the host scan.
   - If disabled: only agent presence is validated; the real-time protection status is ignored. A device without the agent still fails.
Step 3: Link Security Agent Policy to Device Profile
1. Navigate to Device Profiles
   - Go to Policies > Endpoint Security Policies > Device Profiles.
   - Create a new device profile or edit an existing one.
2. Link Host Scan Policy
   - Select the Security Agent Host Scan Policy created above.
   - Associate it with the device profile so that the policy is evaluated during Endpoint Security validation.
Procedure Part 2: Configure Encryption Agent-Based Policy
Step 1: Create Encryption Agent Host Scan Policy
1. Access Management Console
   - Log in to the HySecure Management Console as a Security Officer or Administrator.
2. Navigate to Host Scan Policies
   - Go to Policies > Endpoint Security Policies > Host Scan Policies.
   - Click Add.
3. Configure Basic Policy Settings
   - Enter the appropriate Policy Name.
   - Provide a Description.
   - Select Policy Type as Encryption Agent.
Step 2: Create Encryption Agent Sub-Policy
1. Add Encryption Agent Policy
   - Click Add Encryption Agent Policy to create a sub-policy.
2. Configure Encryption Agent Details
   - Enter a Policy Name for the sub-policy.
   - Select an Agent based on requirements:
     - Any Encryption Agent: Allow access from devices with any supported encryption agent installed (BitLocker or McAfee).
     - BitLocker: Allow access only from devices encrypted with Microsoft BitLocker.
     - McAfee: Allow access only from devices with the McAfee Encryption agent.
3. Configure Real-Time Protection
   - Select the Real Time Protection enabled checkbox to also validate that the encryption agent's protection is active.
   - If enabled: a device with the encryption agent installed but its protection disabled fails the host scan.
   - If disabled: only agent presence is validated. A device without any matching encryption agent still fails.
Step 3: Link Encryption Agent Policy to Device Profile
1. Navigate to Device Profiles
   - Go to Policies > Endpoint Security Policies > Device Profiles.
   - Create a new device profile or edit an existing one.
2. Link Host Scan Policy
   - Select the Encryption Agent Host Scan Policy created above.
   - Associate it with the device profile so that the policy is evaluated during Endpoint Security validation.
Policy Configuration Examples
Example 1: Require Any Security Agent
Policy Type: Security Agent
Agent: Any Security Agent
Real-Time Protection: Enabled
Use Case: Ensure devices have some form of security protection
Example 2: Mandate Specific Encryption
Policy Type: Encryption Agent
Agent: BitLocker
Real-Time Protection: Enabled
Use Case: Corporate compliance requiring BitLocker encryption
Example 3: Flexible Security with Monitoring
Policy Type: Security Agent
Agent: Any Security Agent
Real-Time Protection: Disabled
Use Case: Require a security agent to be present while tolerating disabled real-time protection, for example during an agent rollout. Devices with no agent installed are still blocked; only the real-time protection check is relaxed.
Monitoring and Logging
Log Information
Endpoint Security Logs Include:
- Agent detection results
- Real-time protection status
- Policy enforcement decisions
- User and device information
- Timestamp and policy details
Accessing Logs
1. Navigate to Endpoint Security Logs
   - Go to Logs > Endpoint Security Logs.
2. Filter Agent-Related Events
   - Filter by policy type (Security Agent or Encryption Agent).
   - Search by a specific agent name.
   - Review compliance trends over time to spot devices that repeatedly fail the scan.
Important Notes
Beta Feature Considerations
Current Status:
- This feature is in the Beta release.
- May have limitations or occasional issues.
- Feedback welcomed for improvement.
Production Use:
- Test thoroughly before production deployment.
- Monitor logs for unexpected behavior.
- Have fallback policies if needed.
Agent Compatibility
Supported Platforms:
- Windows-based security and encryption agents.
- Agent-specific detection methods.
- Version compatibility varies by agent.
Detection Limitations:
- Some agents may not be detected properly.
- Agent updates may affect detection.
Troubleshooting
Common Issues:
Agent Not Detected:
- Verify the agent is properly installed and running.
- Check agent version compatibility.
- Review endpoint security scan logs.
Real-Time Protection Issues (agent installed, but protection reported as disabled):
- Verify the agent's configuration and that its service is running on the endpoint.
- Check the agent-specific real-time protection setting and confirm it is turned on.
- If the endpoint shows protection on but the scan still reports it disabled, a recent agent update may have affected detection (see Detection Limitations above).
Policy Not Enforcing:
- Check the policy configuration for accuracy (policy type, selected agent, real-time protection option).
- Confirm the host scan policy is linked to the device profile that applies to the affected users.
- Confirm endpoint security is enabled.
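The following is an added example, not code from HySecure or this KB. It is a PowerShell pre-check to run on a Windows endpoint that reports the facts a Security Agent or Encryption Agent host scan policy depends on and applies the KB's decision rules (the agent must be present; with Real Time Protection enabled, an installed agent whose protection is off also fails), so the outcomes of Examples 1 to 3 in Policy Configuration Examples can be reproduced locally and a device that fails the scan can be diagnosed against the Troubleshooting steps. The detection here is the example's own assumption, not HySecure's agent-specific method: agent presence is read from the Windows uninstall registry keys and from services whose display name contains the vendor keyword; BitLocker "real-time protection" is taken to mean ProtectionStatus = On on the system drive; for Forcepoint, Zscaler and McAfee, "protection" is approximated by the agent service running. The keyword table, parameter names and script filename are assumptions to confirm against a known-good endpoint.

```powershell
<#
  Added example, not HySecure code. Local pre-check that mirrors a Security Agent
  or Encryption Agent host scan policy. Run in an elevated PowerShell session
  (Get-BitLockerVolume requires administrator rights).
  Assumed detection (HySecure's own method is agent-specific and may differ):
    - vendor agents: uninstall registry keys + service display names
    - BitLocker: VolumeStatus for presence, ProtectionStatus=On for "real-time protection"
  Usage (filename assumed):
    .\Test-HySecureAgentPolicy.ps1 -PolicyType EncryptionAgent -Agent BitLocker -RequireRealTimeProtection   # Example 2
    .\Test-HySecureAgentPolicy.ps1 -PolicyType SecurityAgent -Agent Any                                      # Example 3
#>
[CmdletBinding()]
param(
    [ValidateSet('SecurityAgent', 'EncryptionAgent')]
    [string]$PolicyType = 'EncryptionAgent',
    # SecurityAgent: Any | Forcepoint | Zscaler    EncryptionAgent: Any | BitLocker | McAfee
    [string]$Agent = 'BitLocker',
    [switch]$RequireRealTimeProtection   # the KB's "Real Time Protection enabled" checkbox
)

# Match keywords are assumptions; narrow them to the exact product names seen on a
# reference endpoint (for McAfee, the encryption product, not other McAfee software).
$vendorKeyword = @{ Forcepoint = 'Forcepoint'; Zscaler = 'Zscaler'; McAfee = 'McAfee' }

function Get-InstalledProducts {
    # Native and 32-bit-on-64-bit uninstall hives
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion
}

function Test-VendorAgent {
    param([string]$Name, [string]$Keyword)
    $products = @(Get-InstalledProducts | Where-Object { $_.DisplayName -like "*$Keyword*" })
    $services = @(Get-Service -DisplayName "*$Keyword*" -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Agent     = $Name
        Installed = ($products.Count -gt 0)
        Detail    = ($products | ForEach-Object { "$($_.DisplayName) $($_.DisplayVersion)" }) -join '; '
        # "Protection" approximated as at least one matching service in the Running state
        Protected = (@($services | Where-Object { $_.Status -eq 'Running' }).Count -gt 0)
        Services  = ($services | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join '; '
    }
}

function Test-BitLockerAgent {
    try   { $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop }
    catch { $vol = $null }   # BitLocker module absent or session not elevated
    $status = if ($vol) { "$($vol.VolumeStatus)" } else { '' }
    [pscustomobject]@{
        Agent     = 'BitLocker'
        Installed = ($null -ne $vol) -and ($status -in @('FullyEncrypted', 'EncryptionInProgress'))
        Detail    = if ($vol) { "VolumeStatus=$status, $($vol.EncryptionPercentage)% encrypted" } else { 'no BitLocker data' }
        Protected = ($null -ne $vol) -and ("$($vol.ProtectionStatus)" -eq 'On')
        Services  = if ($vol) { "ProtectionStatus=$($vol.ProtectionStatus)" } else { '' }
    }
}

# Which agents can satisfy the policy: the selected one, or any agent of that type
$candidates = switch ($PolicyType) {
    'SecurityAgent'   { 'Forcepoint', 'Zscaler' }
    'EncryptionAgent' { 'BitLocker', 'McAfee' }
}
if ($Agent -ne 'Any') {
    if ($Agent -notin $candidates) { throw "Agent '$Agent' is not an option for policy type $PolicyType." }
    $candidates = @($Agent)
}

$facts = foreach ($c in $candidates) {
    if ($c -eq 'BitLocker') { Test-BitLockerAgent } else { Test-VendorAgent -Name $c -Keyword $vendorKeyword[$c] }
}

# Decision rules from the KB: presence is required in every case; with the Real Time
# Protection option, an installed agent whose protection is off also fails the scan.
$installed = @($facts | Where-Object { $_.Installed })
$protected = @($installed | Where-Object { $_.Protected })
$verdict = if ($installed.Count -eq 0) {
    'FAIL: no matching agent installed'
} elseif ($RequireRealTimeProtection -and $protected.Count -eq 0) {
    'FAIL: agent installed but real-time protection disabled'
} else {
    'PASS'
}

$facts | Format-Table Agent, Installed, Protected, Detail, Services -AutoSize
"Policy $PolicyType / $Agent / RealTimeProtection=$($RequireRealTimeProtection.IsPresent) -> $verdict"
```

A PASS from this script together with a FAIL at the gateway points at HySecure's agent-specific detection (or a version-compatibility gap, as noted under Detection Limitations) rather than at the endpoint state; a FAIL here shows directly which fact is missing, the installation or the protection status, which is the distinction the Troubleshooting steps ask you to make.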