Overview
The Create Profile workflow lets IT administrators define a new configuration policy for any supported endpoint type. Profiles are modular: each profile is built around a single policy type (e.g., Firewall, BitLocker, Device Control), giving you precise, targeted control without bundling unrelated settings.
Typical Use Cases:
- Enforce BitLocker encryption on all company laptops before they leave the office.
- Block USB storage devices on endpoints in the finance department.
- Push a standardized Windows Update maintenance window across all workstations.
- Deploy a PowerShell script to disable legacy protocols on new machines.
Step-by-Step: Creating a Configuration Profile
Step 1: Navigate to Create Profile
- Log in to the Zecurit console at app.zecurit.com.
- In the left sidebar, click Manage.
- Under Configurations, click Create Profile.
- The Profile Creation screen will open, displaying all available profile types.
Step 2: Select the Target Platform
At the top of the Profile Creation page, select the operating system platform for which you are creating the profile:
- Windows – For Windows 10, Windows 11, and Windows Server endpoints.
- MAC – For macOS devices managed by Zecurit.
- Linux – For Linux distributions enrolled in your Zecurit console.
Note: Some profile types (e.g., BitLocker, Windows Update Policy) are available only on Windows. Platform-specific options will display based on your selection.
Step 3: Select the Profile Type
Click on the tile corresponding to the type of configuration you want to create. The available profile types for Windows are:
| Profile Type | Purpose |
|---|---|
| BitLocker | Enforce disk encryption on endpoints |
| Device Control | Manage USB, Bluetooth, and peripheral access |
| Application Control | Allow or block specific applications |
| Power Management | Define power and sleep schedules |
| Deploy Script | Execute scripts on managed endpoints |
| Deploy Software | Automate software deployment |
| Firewall | Configure and enforce firewall rules |
| User Management | Manage local users and groups |
| Windows Update Policy | Control Windows Update behavior |
Step 4: Configure Profile Settings
After selecting a profile type, you will be taken to the configuration form for that policy. Fill in the required settings. Each profile type has its own configuration fields. For example:
Example: Creating a Firewall Profile
- Enter a Profile Name (e.g., “Corp-Firewall-Policy-v1”).
- Set the Firewall State to Enabled.
- Add Inbound Rules – specify allowed ports, protocols, and source IP ranges.
- Add Outbound Rules – define permitted outbound traffic.
- Set the action for unmatched traffic (Block or Allow).
- Add a description for internal documentation purposes.
Example: Creating a BitLocker Profile
- Enter a Profile Name (e.g., “Finance-BitLocker-Enforcement”).
- Select encryption method (e.g., AES 256-bit).
- Define the recovery key storage option (Active Directory, local, or Zecurit escrow).
- Set startup authentication requirements (PIN, USB key, or TPM-only).
- Configure encryption scope (OS drive, fixed drives, removable drives).
Step 5: Save as Draft or Publish
Once your configuration settings are complete, you have two options:
- Save as Draft – Saves the profile without distributing it. Use this when the profile is still being reviewed or requires approval before deployment. Draft profiles appear in the Profiles list with a “Draft” status badge.
- Publish – Finalizes and makes the profile available for distribution to devices or groups. Published profiles are versioned, and each subsequent edit creates a new version number.
Best Practice: Always save as Draft first and have a second administrator review the profile before publishing, especially for security-critical policies like Firewall or BitLocker.
Step 6: Verify in the Profiles List
After saving:
- Navigate to Manage → Configurations → Profiles.
- Locate your newly created profile in the list.
- Verify the Platform, Version, Profile Status (Draft or Published), and Created Time.
Profile Versioning
Every time you edit and republish a profile, Zecurit increments the version number. The version number is visible in both the Profiles list and within individual device profile association details. This allows you to:
- Track the history of changes to a profile.
- Confirm which version of a profile is currently active on a given device.
- Roll back by republishing an older profile configuration if needed.
Use Case Examples
Use Case 1: New Employee Onboarding Security Baseline
Scenario: A company wants to ensure all new Windows laptops are configured with encryption, USB restrictions, and a hardened firewall before the device reaches the employee’s desk.
Steps:
- Create a BitLocker profile named “Onboarding-BitLocker” to enforce AES-256 encryption.
- Create a Device Control profile named “Onboarding-USB-Block” to block all removable storage.
- Create a Firewall profile named “Onboarding-Firewall” with only required ports open.
- Publish all three profiles.
- Associate all three profiles to the “New Devices” group (see the Association guide below).
Use Case 2: Department-Specific Application Policy
Scenario: The finance team should only be allowed to run approved financial software. All other applications should be blocked.
Steps:
- Create an Application Control profile named “Finance-AppControl”.
- Add whitelisted applications: Microsoft Excel, SAP Client, approved finance tools.
- Set the default action to “Block Unlisted Applications.”
- Publish the profile and associate it with the “Finance” device group.
Use Case 3: Scheduled Script Execution for Compliance Audit
Scenario: IT needs to run a PowerShell script every Monday morning to collect compliance data from all endpoints.
Steps:
- Create a Deploy Script profile named “Weekly-Compliance-Audit”.
- Upload the PowerShell (.ps1) script.
- Set the execution schedule to “Weekly – Monday – 8:00 AM.”
- Publish and associate with the “All Windows Devices” group.
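The kind of script Use Case 3 describes, as an added example (not Zecurit's own code): it audits the BitLocker and firewall state that the onboarding profiles in Use Case 1 are meant to enforce and writes a JSON report. The expected values, the output path, the report format, and the assumption that the Firewall profile is applied through Windows Defender Firewall are illustrative and not taken from the Zecurit documentation.

```powershell
#Requires -RunAsAdministrator
# Added example, not Zecurit code. Assumed: expected values, output path, report format.
$ErrorActionPreference = 'Stop'
$outDir   = Join-Path $env:ProgramData 'ComplianceAudit'   # hypothetical path
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Check, [bool]$Compliant, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Compliant = $Compliant; Detail = $Detail })
}

# BitLocker: the OS volume must have protection on and use a 256-bit AES method.
try {
    $os = Get-BitLockerVolume | Where-Object { "$($_.VolumeType)" -eq 'OperatingSystem' } |
        Select-Object -First 1
    if ($null -eq $os) {
        Add-Finding 'BitLocker' $false 'No operating system volume reported'
    } else {
        $method     = "$($os.EncryptionMethod)"
        $protectors = @($os.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" }) -join ','
        $ok = ("$($os.ProtectionStatus)" -eq 'On') -and ($method -in 'Aes256', 'XtsAes256')
        Add-Finding 'BitLocker' $ok "method=$method; protectors=$protectors"
    }
} catch {
    # Cmdlet missing or query failed: record it instead of silently passing.
    Add-Finding 'BitLocker' $false "Query failed: $($_.Exception.Message)"
}

# Firewall: every profile in the effective policy must be enabled and block
# unmatched inbound traffic (assumes enforcement via Windows Defender Firewall).
try {
    foreach ($p in (Get-NetFirewallProfile -PolicyStore ActiveStore)) {
        $ok = ("$($p.Enabled)" -eq 'True') -and ("$($p.DefaultInboundAction)" -eq 'Block')
        Add-Finding "Firewall-$($p.Name)" $ok "enabled=$($p.Enabled); inbound=$($p.DefaultInboundAction)"
    }
} catch {
    Add-Finding 'Firewall' $false "Query failed: $($_.Exception.Message)"
}

$report = [pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    CollectedUtc = (Get-Date).ToUniversalTime().ToString('o')
    Findings     = $findings
}
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$report | ConvertTo-Json -Depth 4 |
    Set-Content -Path (Join-Path $outDir 'audit.json') -Encoding UTF8

# Non-zero exit when any check failed, so a caller can flag the endpoint.
if ($findings.Compliant -contains $false) { exit 1 }
```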