Overview
Understanding how Profiles and Policies work and how they interact with devices and groups across their entire lifecycle, is the key to running a clean, scalable, and audit-ready endpoint environment in Zecurit. This guide covers everything: the conceptual difference between a Profile and a Policy, version behavior, offline device handling, association strategy, profile removal, and day-to-day best practices.
1. What Is a Profile vs. a Policy?
This is the most important concept to understand before building your configuration strategy in Zecurit.
H3: Policy : The Individual Rule
A Policy is a single, specific configuration rule for one area of endpoint behavior. Think of a policy as one instruction, one setting — that tells a device how to behave in a particular context.
Examples of individual policies:
- “Block all USB storage devices.”
- “Enable BitLocker with AES-256 encryption.”
- “Allow inbound traffic only on port 443.”
- “Set screen lock after 5 minutes of inactivity.”
- “Block the application Notepad++.”
In Zecurit, when you select a profile type (e.g., Device Control, Firewall, BitLocker) and configure its settings, you are authoring the policies that make up that profile.
Profile : A Named Collection of Policies
A Profile is a named, versioned container that holds one or more related policies and is deployed to endpoints as a single unit. Instead of pushing individual rules one by one to each device, you package your policies into a profile, give it a meaningful name, and distribute that profile to whichever devices or groups need it.
Think of it this way:
A Policy is a rule. A Profile is a rulebook.
Example: A profile called Finance-Security-Baseline might contain the following policies bundled together:
- Policy 1: Block USB storage devices.
- Policy 2: Enable BitLocker with AES-256.
- Policy 3: Firewall — allow only ports 80, 443, and 3389.
- Policy 4: Screen lock after 5 minutes.
When you associate Finance-Security-Baseline to the Finance team’s devices, all four policies are applied at once. If you later need to change the screen lock timer to 3 minutes, you edit the profile (creating a new version), and Zecurit pushes only the updated version to all associated devices automatically.
2. Profile Modification and Versioning
How Versioning Works
Every time you edit and re-publish a Configuration Profile, Zecurit automatically increments the profile’s version number. This is a core feature of profile management, it ensures you always know exactly what configuration is running on each device and can track changes over time.
Version lifecycle example:
| Action | Profile Version |
|---|---|
| Profile created and published | Version 1 |
| USB policy updated, re-published | Version 2 |
| Firewall rule added, re-published | Version 3 |
| Screen lock timer changed, re-published | Version 4 |
The current version number is visible in the Profiles list. On the device detail page, you can compare the Distributed Version (the version currently applied on the device) against the Latest Version (the most recent published version).
What Triggers a Version Increment?
A new version is created any time you:
- Change any policy setting within the profile.
- Add a new policy rule to the profile.
- Remove an existing policy rule from the profile.
- Rename or update descriptive fields and re-publish.
Saving a profile as Draft does not create a new version. Versions are only incremented when you Publish the updated profile.
Why Versioning Matters
Version tracking gives you full audit visibility: you can see which version of a profile was running on a device at any given time, which is essential for compliance reporting. If a configuration change causes unexpected behavior, the version number tells you exactly when the change was applied and to which devices.
3. What Happens to Already-Associated Devices When a Profile Is Modified?
This is one of the most important behaviors to understand when managing profiles at scale.
The Behavior: Automatic Push of New Version
When you modify and re-publish a Configuration Profile that is already associated to devices or groups, Zecurit automatically pushes the updated version to all associated devices. You do not need to re-associate the profile manually.
The updated profile is queued for delivery to every device that currently has that profile associated. Each device’s agent will download and apply the new version the next time it checks in with the Zecurit console.
Practical example:
You have a profile called
Corp-Firewall-v1(Version 1) associated with 150 devices. You add a new inbound rule to block port 8080 and republish. The profile becomes Version 2. All 150 devices will automatically receive and apply Version 2, no re-association required.
Monitoring the Update Rollout
You can monitor which devices have received the new version by checking the Devices count and individual device detail pages:
- Distributed Version = Latest Version → Device has successfully applied the updated profile.
- Distributed Version < Latest Version → Device has not yet received the update (device may be offline, or the agent is still processing).
- Execution Status = In Progress → The device received the update and is currently applying it.
- Execution Status = Failed → The device attempted to apply the update but encountered an error.
Important: The old version of the profile remains active on a device until the new version is successfully applied. This means there is no gap in policy enforcement — the device is always running either the current or previous version of the profile during the update window.
4. Offline Devices, Which Profile Version Do They Receive?
This scenario is critical to understand when managing large or distributed device fleets where some devices may be offline at the time of a profile change.
The Behavior: Always the Latest Version
When a device comes back online after being offline, it always receives the latest published version of any associated profiles, not the version that was current when it went offline.
Scenario walkthrough:
Corp-Firewallis at Version 1 and associated to a group of 200 devices.- Device
laptop-007goes offline (e.g., employee travel).- While
laptop-007is offline, you updateCorp-Firewalltwice: to Version 2, then to Version 3.- When
laptop-007comes back online, it does not receive Version 2 and then Version 3 sequentially.- Instead, it directly receives and applies Version 3 — the current latest version.
This means Zecurit ensures offline devices are immediately brought up to the latest policy state as soon as they reconnect, without requiring any manual intervention or re-association.
What About New Devices Added to a Group After a Profile Update?
If a new device is added to a group that already has profiles associated, the new device receives the current latest version of each associated profile automatically upon enrollment, not the version that was associated at the time the profile was originally linked to the group.
Practical implication: Your group always acts as a living association, any device that joins the group, whether immediately or months later, will receive the most up-to-date profile version.
Version Drift Monitoring
Because offline devices will lag behind in version until they reconnect, it is normal to see version drift in a large fleet. Use the device detail page to identify which devices are behind:
- Filter by Execution Status = In Progress or Failed to find devices that need attention.
- Sort by Distributed Version to identify devices still running older profile versions.
- Devices that remain on older versions for extended periods may indicate connectivity issues with the Zecurit agent.
5. When to Associate Profiles to Groups vs. Individual Devices
Choosing the right level of association, group or device, is one of the most impactful decisions for managing your endpoint configuration at scale.
Associate to Groups When
Group-level association should be your default approach for most scenarios. Use groups when:
- The same policy applies to all devices within a team, department, or location.
- You want new devices added to the group to automatically inherit the profile without any manual steps.
- You want to manage policies centrally, one change to the group automatically covers all members.
- You are managing a large fleet and need consistency at scale.
Group association use cases:
- All devices in the “Finance” group must always have USB blocked → Associate the
Finance-DeviceControlprofile to the Finance group. - All laptops must always be encrypted → Associate the
Corp-BitLockerprofile to the “All Laptops” group. - All remote workers need a specific VPN firewall rule → Associate
Remote-Firewallto the “Remote Workers” group.
Key benefit: When a new employee joins the Finance team and their device is enrolled into the Finance group, they automatically receive all associated profiles, zero additional administrator action required.
Associate to Individual Devices When
Device-level association is the right choice when:
- A specific device needs a profile that is an exception to its group’s standard configuration.
- You are testing a new or updated profile on a single device before rolling it out group-wide.
- A device has a unique role that doesn’t fit neatly into an existing group (e.g., a shared kiosk, a server, a lab machine).
- You need to apply a temporary or one-off policy to a single endpoint.
Device association use cases:
- A CEO’s laptop needs a custom Application Control profile that differs from the rest of the executive group.
- A test device is used to validate a new Firewall profile before it’s associated to 500 devices.
- A single server in the data center requires a specific User Management profile not applicable to any other device.
Mixing Group and Device Associations
A device can have profiles associated both from its group and directly at the device level simultaneously. All associated profiles are applied. Be mindful of potential conflicts — for example, if a group-level profile allows an application and a device-level profile blocks it, the outcome depends on how Zecurit resolves conflicting rules. Always audit a device’s full profile list when applying device-level overrides.
Association Strategy Quick Reference
| Situation | Associate to Group | Associate to Device |
|---|---|---|
| Standard policy for a department | ✅ | |
| Exception policy for one device | ✅ | |
| Testing a new profile | ✅ | |
| Onboarding new devices automatically | ✅ | |
| Unique role or shared device | ✅ | |
| Fleet-wide baseline policy | ✅ |
6. How to Remove an Associated Profile from Devices or Groups
There are situations where you need to remove a profile that has already been associated — for example, when a policy is no longer applicable, a device changes departments, or a profile is being replaced by an updated one.
Removing a Profile from an Individual Device
- Navigate to Manage → Groups and Devices → Devices.
- Click the name of the device from which you want to remove the profile.
- In the device detail view, go to the Profiles tab.
- Locate the profile you want to remove.
- Click the action menu (three-dot icon) next to the profile.
- Select Remove or Dissociate to detach the profile from the device.
- The profile settings will be unenforced on the device at the next agent check-in. The device’s execution status for that profile will no longer appear.
Note: Removing a profile from a device does not automatically undo the configurations already applied. For example, if a Firewall profile was enforcing specific rules, those rules may persist until the device’s OS-level settings are reset or overridden by another profile. Plan profile removal carefully, especially for security-critical policies.
Removing a Profile from a Group
- Navigate to Manage → Groups and Devices → Groups.
- Click the group name from which you want to remove the profile.
- Open the group’s Profiles or Associated Profiles tab.
- Locate the profile you want to remove.
- Click the action menu and select Remove or Dissociate.
- The profile will be removed from all devices in the group. Devices will stop receiving updates for this profile at their next check-in.
Important: Removing a profile from a group dissociates it from all devices in that group simultaneously. If some devices in the group should retain the profile (e.g., specific machines with a unique need), re-associate the profile directly to those individual devices before removing it from the group.
Replacing a Profile with an Updated Version
The recommended way to “update” an associated profile is not to remove and re-associate, but to simply edit and re-publish the existing profile. This creates a new version and automatically pushes the update to all associated devices. Only remove and re-associate when you are switching from one profile to a completely different one.
7. Common Best Practices for Configuration Profile Management
Use a Clear and Consistent Naming Convention
Profile names should be self-explanatory to any administrator who picks them up. Establish a naming standard before creating your first profile and enforce it across your team.
Recommended format: [Scope/Department]-[PolicyType]-[Purpose or Baseline]
Examples:
Corp-Firewall-Baseline— Firewall policy for all corporate devices.Finance-DeviceControl-USBBlock— USB blocking for the Finance group.Remote-BitLocker-AES256— BitLocker enforcement for remote workers.IT-WindowsUpdate-MaintenanceWindow— Update schedule for IT-managed machines.
Avoid vague names like user1, new3333, test, or pin — these are difficult to manage, audit, or hand off to another administrator.
Always Stage in Draft Before Publishing
Use the Draft status as a mandatory review step before any profile goes live. Before publishing:
- Have a second administrator review the settings.
- Test on a small pilot group (3–5 devices) before fleet-wide rollout.
- Document the profile’s purpose and the date of each change in the description field.
A misconfigured Firewall profile or a badly configured BitLocker profile can cause serious disruption. The Draft stage is your safety net.
Keep Each Profile Focused on One Policy Domain
Avoid creating large monolithic profiles that bundle many unrelated settings together. Instead, create focused, single-domain profiles:
- One profile for Firewall.
- One profile for BitLocker.
- One profile for Device Control.
- One profile for Application Control.
This modularity means you can update the Firewall policy without touching the BitLocker profile, reducing risk. It also makes troubleshooting easier — if a device has a Firewall issue, you know exactly which profile to look at.
Design Your Group Structure Before Creating Profiles
Your group structure directly determines how efficiently you can manage profiles. Before creating profiles, map out your device groups:
- Baseline groups – All devices (for company-wide policies like BitLocker and basic Firewall rules).
- Department groups – Finance, HR, Engineering, Sales (for department-specific policies).
- Role groups – Executives, Developers, Kiosk Devices, Remote Workers (for role-specific policies).
- Location groups – Office, Remote, Branch (for location-specific policies).
A well-structured group hierarchy means you can associate one profile to a group and confidently know it reaches exactly the right devices.
Monitor Version Drift as a Routine Task
Make checking for version drift a part of your regular IT operations rhythm — weekly or bi-weekly. In the device detail view, look for devices where Distributed Version is lower than Latest Version. Persistent version drift may indicate:
- Devices that are chronically offline or have connectivity issues.
- Agent errors that are preventing profile application.
- Execution failures that need to be investigated and resolved.
Devices running old profile versions are not in the desired security state. Treat version drift as a compliance gap.
Use a Test Group for All New and Modified Profiles
Before associating any new or significantly updated profile to production groups, create a dedicated Test Group in Zecurit with 3–5 representative devices. Associate the profile to the test group first, monitor the Execution Status, and only roll out to production groups after confirming successful execution.
This is especially critical for Firewall and Application Control profiles, where misconfiguration can block critical applications or network access.
Audit Associated Profiles on Devices Regularly
Over time, devices can accumulate associated profiles — some of which may be outdated, duplicated, or conflicting. Schedule a quarterly audit of your device and group associations to:
- Remove profiles that are no longer applicable.
- Identify and resolve conflicting profiles applied to the same device.
- Confirm that all devices in a group have the expected profiles and no more.
Archive Instead of Delete
When a profile is no longer needed, do not delete it immediately. Instead:
- Set the profile back to Draft status to prevent it from being associated to new devices.
- Remove it from any current device or group associations.
- Retain the profile record in Zecurit for historical audit purposes.
- Add a note in the description field indicating the decommission date and reason.
Many compliance frameworks require you to demonstrate what configurations were in place at a specific point in time. Retaining archived profiles helps satisfy those requirements.