A Policy is a set of global settings that can be assigned to individual users. Policies regulate a variety of different attributes, most notably: default backups, user access, and exclusion lists. Policies can be viewed, edited, and created from the web dashboard from Accounts --> Policies. A thorough breakdown of each section and the options are listed below.
General Settings & Actions
Description: The name of the policy (Ex. "Residential Client Policy")
Default Policy: A policy can be specified as the default for all new users by clicking Actions --> "Default for New Users." (Note: Any changes to the policy will revert the default option and will need to be re-enabled). This is especially useful for automated deployment (ex. via Syncro) to eliminate the need to define a list of settings or a default backup once a user has been created and installed.
Copy Policy: A policy can be copied and duplicated via a few short steps. This is useful when creating many different policies with largely the same settings, but with a few adjustments to key parameters. To duplicate a policy:
1. Copy the source policy. This can be done from the main Policy page or within an individual policy
2. Click "Add Policy"
3. Click the Actions dropdown menu and select "Paste"
Delete Policy: To delete a policy, simply click the "Delete" button from the main Policy page, or from the edit page by clicking the Actions dropdown menu and selecting "Delete." Any users that were assigned the removed policy will convert to a "Custom" single-user policy with the same settings as the original policy.
Prevent creating new Storage Vaults: Restrict the user from creating additional Storage Vault or data locations. This will not affect the administrator's ability to create new vaults.
- ...via Request: Only prevent Storage Vault creation when the action requires a request to the pre-configured Vaults (ex. Magnus Box Cloud Vault)
- ...via Custom: Only prevent Storage Vault creation when the Vault is a new connection restricted to the Vaults specified in the Restriction portion of the Policy (ex. onsite hard drive Vault)
Prevent editing existing Storage Vaults: Inactivates the user's ability to edit existing Storage Vaults, such as their description or destination. This does not prevent the user from deleting a Vault.
Prevent deleting existing Storage Vaults: Prevents the user from deleting a Storage Vault. This is a particularly helpful option because once a Storage Vault is deleted, all backups and associated data are irretrievable.
Hide cloud storage branding in Storage Vaults: By default, a small company icon is displayed next to each Cloud Vault (a local vault does not have an icon) in the endpoint software. Enabling this option will hide the company icon and default to a cloud image, as pictured below.
Restrict available Storage Vault types: Limits the user's account to only the selected Storage Vault types in the following list. By default (and most commonly), the Storage Vault selection is limited to the "Local Path" and "Comet Server" options. Note: this will also limit the list of options when creating new Storage Vaults, even if the request is initiated by an administrator.
- Amazon S3 / Google Cloud Storage / Wasabi / S3-compatible: Allows a user to create a Storage Vault pointing to an external storage provider, such as Amazon, Google Cloud, Wasabi, or any other S3-compatible storage provider. This type of Vault will require the Access Key, Secret Key, Bucket ID, and sub-directory for the data destination.
- SFTP: Allows the creation of a Storage Vault that uses the SFTP (SSH File Transfer Protocol) to upload files and transfer data. The SFTP Vault requires an address, SSH credentials (username, password, port), and optionally the data destination directory.
- Local Path: Enables a user to create a Storage Vault on a locally connected device (including an external hard drive or network attached storage). By default, this option only requires a file path, but if a network path is detected (ex. "\\192.168..."), a section for the username and password credentials will be displayed on the web dashboard (not currently offered on the endpoint software).
- Comet Server: Storage Server that points to a special type of application-optimized to deal with backup data in an S3 context. Magnus Box hosts five different Comet Servers (at the time this was written), one of which will be tied to each partner server by default. The use of "custom" Comet Servers is discouraged since Magnus Box offers configured servers for ease of use and is unable to offer full support for self-hosted Comet Servers.
- FTP: Enables the creation of a Storage Vault from an FTP (file transfer protocol) server. This is largely similar to the SFTP option, except that FTP relies heavily on standard networking protocols as opposed to SSH protocols. This Storage Vault configuration requires an address, port, authentication credentials, and backup directory location.
- Azure Blob Storage: Integration with Microsoft Azure can be utilized via this option for a Storage Vault creation method. It requires the Azure realm, account name and key, container, and optional sub-directory.
- Spanned: Allows the user to create a Storage Vault composed of other enabled storage locations. For example, a Spanned Storage Vault could point to a local hard drive (Local Path) and the Magnus Box Cloud Vault (Comet Server). By default, data is distributed evenly among all of the storage targets to maximize storage space and read/write efficiency. This option's main use-case is when combining a local backup with a cloud backup; once the local backup runs out of data capacity, Magnus Box will divert data to the cloud location.
- OpenStack Swift: Allows the creation of a Storage Vault pointing to an OpenStack Swift server. This is an open-source data storage system compatible with the Swift protocol. This configuration requires the authentication endpoint, username, API key, and container.
- Backblaze B2 Cloud Storage: Enables the user to create a Storage Vault pointing to a Backblaze Cloud Server. This can be accomplished on a per-bucket basis (with application keys) or across an entire B2 instance (master application key). This Vault requires the Key ID, application or master key, bucket name, and optional sub-directory.
Prevent creating new Protected Items: Prevents the user from adding new backups. This completely hides the "Add Protected Item" from both the web interface and the endpoint software interface.
Prevent editing Protected Items: Disables the user's ability to edit existing backup settings. The button is still present on the endpoint software, but it is disabled. From the web portal, it is not obvious to a user that this function has been disabled (the backup name is just text instead of a link). Magnus Box recommends enabling this setting for partners that grant end users access to the platform. This will not prevent a user from deleting a backup configuration.
Prevent deleting Protected Items: Prevents the user from deleting a Protected Item. Like the "Prevent editing" option, this darkens and disables the "Delete" button on the endpoint software and completely removes the button from the web interface.
Default Protected Item: Specifies a default backup to apply for each device tied to the user. There is currently no way to filter by operating system; to work around this, a policy for each operating system (Windows, Linux, and Mac) can be created with different default backups. A schedule can be specified here, or in the Default Schedule section later in the Policy. Note: the default Protected Item will only be applied during the first installation of Magnus Box. In other words, only new devices added to a user's profile will use the default backup. Assigning a policy with default backups will not change the settings for existing devices.
Restrict available Protected Item types: Limits the types of backups offered for the given user. This can be helpful to simplify the interface if a client is only running two or three backup types (Ex. Disk Image, Files & Folders, mySQL). This will completely hide the options on the endpoint software, and it will disable the options for Administrators when creating new backups for the user. Each sub-checkmark indicates which backup types are allowed.
'Skip if already running' setting on backup schedules: Specifies if backup schedules should be skipped if a previous job is still in progress. By default, this function is disabled and must manually be enabled from the Schedule tab on the Protected Item Interface. Magnus Box recommends enabling this function to maximize data de-duplication efficiency and prevent any overlap of backup jobs. There are options to specify the default for this setting, as well as set it permanently for the user's backups.
'Allow administrator to reset password' setting on user accounts: When creating a new user, this option can be defined, which allows the Administrator to reset the password of the user at their discretion. This option can also be changed from the "Profile" tab in the Users page. If disabled, it cannot be re-enabled from the web dashboard and must be changed on the endpoint software. When disabled, the "Reset password" function (in the Actions tab of the User page) will prompt for the existing password; if enabled, the current password is not required. Magnus Box recommends this feature to make the management of clients easier and more flexible in the event a password change is needed.
'Allow administrator to view file names' setting on devices: Specifies whether Administrators can remotely browse the file-tree of the endpoint. Situations which depend on this access include: configuring or editing a Protected item via the remote file-tree browse option; browse filenames in past backup jobs ("Files" tab in the backup report); select the restore path using the remote file-tree browsing capability. Magnus Box highly recommends that this feature is enabled to expedite both Partner processes, as well as our support technicians' ability to diagnose and fix backup errors. This can take up to five minutes to take effect, and it will remove the remote file-tree browse button from the Protected Item interface. The "Files" tab in the backup report will remain visible, but no devices with this enabled will be displayed.
'Require user to change password at next login' setting on user accounts: Dictates if the user should reset their password the next time they log in (either into the endpoint software or web interface). This Policy setting only affects the option when creating new users and cannot be set to always be enabled. Once a user resets their password, the toggle button will automatically slide to the "Off" position. Additionally, this will not affect any currently existing users, even if this setting is updated or a new Policy is applied.
Prevent manually deleting backup snapshots from a Storage Vault: Prevents the user from deleting individual backup snapshots. This functionality is currently limited to the endpoint software and can only be performed if the end user has 1) access to the endpoint software (i.e. it's not locked) and 2) the ability to restore from the endpoint software.
Prevent changing user account password: Prevents the end user from changing their password. This will still allow Administrators to reset a user account's password. This completely hides the Password field from the web interface and hides the "Change" button from the endpoint interface.
Prevent changing user account name: Prevents the end user from changing the Account Name field. This is still displayed on the web interface and endpoint software but is not editable.
Prevent changing email settings: Restricts the user from changing the email report settings from the endpoint software. Modifying email settings is only currently accessible via the endpoint software (for the end user), but when this option is enabled, the email settings are completely hidden from the endpoint interface. This is particularly useful if a Partner is sending emails to the end user and their own support address.
Prevent opening the application interface: Prevents the user from opening the application / endpoint software interface. This also hides the "Show interface..." option in the Mac toolbar. This is applied regardless of if the endpoint software is locked, and it will immediately close the application (if it's open) as soon as the Policy is updated and saved. If this is enabled, the following sub-options are redundant since they all pertain to endpoint interface access and options.
- Prevent devices from viewing each others' names: Masks the names of other devices assigned to the given user account from the endpoint software (in the Settings tab). Devices are still shown, but with a generic "Device" name. This does not affect restore functionality. The device names are still shown on the web dashboard for the user when configuring new backups.
- Hide the Import feature: Removes the "Import..." option from the Settings tab in the endpoint software interface.
- Hide the software version and codename: Removes the Software entry in the endpoint software, completely hiding the version and build name. This may be useful as an additional step to prevent Partners from finding Magnus Box or Comet as vendors, as an Internet search of the build name and the word "backup" can lead to the vendors' respective websites.
Always require password to open the application interface: Acts as an override for the "Unlock automatically at startup" option, always requiring the user's credentials to open the endpoint interface. Unlike the "Unlock automatically at startup" option, this Policy setting does not offer a grace-period to access the interface. In other words, closing the endpoint software and immediately attempting to re-open will prompt for a password, whereas the "Unlock automatically at startup" allows access if the password was recently entered. Magnus Box recommends this setting to prevent end users from modifying or deleting Protected Items and other backup settings.
Prevent logging in to the web interface: Prevents the user from accessing the web dashboard. The endpoint software can still be accessed. When attempting to log in to the web dashboard with this option enabled, the user receives an "Invalid authentication" error message (which may be misleading when trying to troubleshoot login issues).
Mandatory file and folder exclusions
Allows specification of files or directories to exclude for all backups on the user account. The exclusion can be a pre-programmed file path, or a regex expression to target certain types of files. Additionally, wildcards (*) can be used to make the exclusions more generic. Each exclusion item can be filtered by operating system (Windows (all), Windows 32-bit, Windows 64-bit, macOS, Linux).
This is helpful for files that aren't vital client data or files that can be regenerated through normal program operations. A common example is cache files, which are used mainly to optimize performance but don't store any user settings. Another example might include OneDrive or Dropbox folders if those files are being uploaded to the cloud or backed up in a different fashion. A recommended exclusion list can be found on our Magnus Box Exclusion List support article.
Default email reports
Specifies the default email report setting: when they will be sent and what each report will contain. The email report can be sent immediately after a job completes, or as a summary table at scheduled times throughout the day or week. Additionally, the backups included in the report can be filtered by a number of different parameters. This setting does not accept a default email address since the email is specified on a per-user basis.
This section allows the policy to specify a default schedule for all newly created Protected Items. This will only apply to new backups that are created after the Policy is saved or applied, and it will not alter the schedule for existing backups or the Default Protected Item (see above section). If the Policy is a Custom Policy assigned to a single user, the available Storage Vaults will be listed. If the Policy is being defined as a global Policy (in Accounts --> Policies), the Storage Vaults will not be listed. In this scenario, Magnus Box recommends "The Latest Storage Vault" option, which will choose the most recently-created Storage Vault for the schedule. In most cases, this will be the requested Cloud Storage Vault created when a new user is added.
Default retention policy: Specifies a Policy default retention policy. This can reduce the need to use the Retention tab in the Protected Item configuration dialog. By default, the retention policy is set to keep all backups forever since Magnus Box does not charge for data usage or storage. This will not update retention settings on existing backups unless the "Prevent Protected Items from overriding the Storage Vault retention policy" option is enabled (see below).
Enforce this retention policy for all Storage Vaults: This will apply the default retention policy to all Storage Vaults on this user account. For the most part, this is redundant since the default retention policy is automatically applied to each Storage Vault.
Prevent Protected Items from overriding the Storage Vault retention policy: Prevents backups from specifying a different retention policy outside of the default retention policy. This will override any existing backups and their current retention settings. This will still show the Retention tab on the Protected Item configuration dialog, but it will hide the "Revert" and "Edit" buttons on the web interface. On the endpoint software, these buttons are still visible, but they are disabled and not clickable.