ScoutDNS supports policy by user groups as synced from Active Directory. This can be helpful when admins desire policy decisions to follow the user regardless of the device and device profile in use. This guide walks through how ScoutDNS performs the AD sync as well as how policy decisions are made.
Client Device Based Sync
ScoutDNS does not require direct access to any domain controllers nor is there any requirement for a virtual machine or sync application. The ScoutDNS agents themselves are able to collect domain, user, and group information directly from each client device. This information is then made available during configuration of the Persona which is the object we use to set user and group based policy rules. Overall, this method greatly reduces the complexity on admins while also reducing risk.
Allow User Policies in Device Profiles
As AD policies are based on roaming clients, we must first configure Device Profiles and deploy roaming clients to the users we want to manage policy for. If you have not yet deployed roaming clients,
start here. Switch on Enable User Policies, which allows ScoutDNS to collect AD information and tells the profile that group-based policies should override the Device Profile policy. Keep in mind that the Device Profile default policy will be primary for any user who is a member of a group that does not yet have an assigned policy via the Persona.
Create Persona
Now that we have configured Device Profiles to allow user-based policies, we will need to create a Persona, which defines how ScoutDNS applies group-based policies.
New Persona
Navigate to the Users Tab and select the Configure sub tab.
On the far right select New Persona. You will need to name the persona in the settings tab.
Bind Domain
Next select the Active Directory subtab. This is where we will bind a domain to the persona. A single persona can only bind one domain, and each domain can only be bound once to a single Persona. An account can have multiple personas with different domains.
Define Group Policy and Priority
Once you have chosen the domain to bind, you can view all groups discovered by the roaming clients. In order for a group to be discovered, a user that is part of that group will need to have logged into a roaming client at least once. Choose all groups you wish to base policies on and add them to the right-hand column. Here you can set a policy for any selected group. In addition to setting policy, you can set the priority order of groups, which decides the policy should a user be a member of more than one group with different policies. Priority 1 is the highest.
Simply save the persona and ScoutDNS will now apply policy accordingly.
Any security group can be selected to have policy applied to it.
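The following is an added, constructed model of the policy decision described above (the Enable User Policies switch, the one-domain-per-Persona binding, group priority, and the Device Profile default as fallback); it is illustrative code written for this guide, not ScoutDNS's own implementation, and the domain, group and policy names are hypothetical.

```python
# Constructed model of the policy decision this page describes; illustrative only,
# not ScoutDNS's implementation. Assumed shapes: a Persona is bound to exactly one
# domain and holds (group, policy) rules ordered by priority (first entry == 1);
# a Device Profile supplies the default policy and the Enable User Policies switch.
from dataclasses import dataclass, field


@dataclass
class DeviceProfile:
    default_policy: str
    enable_user_policies: bool = False


@dataclass
class Persona:
    domain: str                                 # one domain per Persona
    rules: list = field(default_factory=list)   # [(group, policy)], index 0 is priority 1


def resolve_policy(profile, persona, user_domain, user_groups):
    """Return (policy, reason) for a user as reported by the roaming client.

    Decision order mirrors the guide: user policies must be enabled on the
    profile, the Persona must be bound to the user's domain, and among the
    user's groups the highest-priority rule wins; otherwise the Device
    Profile default policy is primary.
    """
    if not profile.enable_user_policies:
        return profile.default_policy, "Enable User Policies is off; profile default"
    if persona is None or persona.domain.casefold() != user_domain.casefold():
        return profile.default_policy, "no Persona bound to this domain; profile default"
    member_of = {g.casefold() for g in user_groups}
    for priority, (group, policy) in enumerate(persona.rules, start=1):
        if group.casefold() in member_of:
            return policy, f"matched group {group!r} at priority {priority}"
    return profile.default_policy, "no selected group matched; profile default"


# Constructed sample data (hypothetical domain, group and policy names).
PROFILE = DeviceProfile(default_policy="Standard", enable_user_policies=True)
PERSONA = Persona(domain="corp.example",
                  rules=[("Finance", "Strict"), ("Staff", "Standard"), ("IT", "Relaxed")])

if __name__ == "__main__":
    for groups in (["Staff", "IT"], ["IT", "Finance"], ["Contractors"]):
        print(groups, "->", resolve_policy(PROFILE, PERSONA, "corp.example", groups))
```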
Link Persona to Organization
For accounts with the Organization management tab, you will want to link the Persona to the proper Organization so that the User tab and associated reporting data are in line with the correct organization. This works the same as linking a Site (for network-based deployments) and Profiles (for roaming clients). Just as with the other objects mentioned here, you can auto link a Persona to any organization by creating the Persona from within a selected Organization view.
Don't forget to link the Persona to the correct Organization
If you are looking to assign policy based on Entra ID groups instead of Active Directory, note that Entra ID support is coming soon.