How to Apply Policies
An administrator can apply restrictions and default settings to user accounts. A policy can be assigned during user account creation or applied to existing users.
On top of that, policy restrictions can also be applied to administrators of the Comet Server. This is covered fully in this guide.
Available policy settings
Summary section
The Summary section shows a quick view of enforced settings.
Storage Vaults
Prevent Storage Vault actions
Activating these options makes the following actions unavailable to both admin and end users. This is handy if you want to prevent end users from executing certain actions.
Restrict Storage Vault types
You may also restrict the Storage Vault types available to end users. Users can still add, edit, or delete Storage Vaults of the selected types.
Protected Items
Prevent Protected Item actions
You may prevent end users from executing certain actions on Protected Items. Aside from ensuring that end users do not delete or edit Protected Items that may affect backups, this also prevents end users from adding Protected Items that would incur a booster charge (see our pricing page for fees that apply).
Default Protected Item
You can either apply Default Protected Items to new devices only, or you may apply them to previously registered devices by selecting “Update existing devices”. Default Protected Items can only be edited in the policy template.
Prior to Comet 23.6.x, changes will not be applied retroactively to Protected Items created by this policy. Once applied, they are unlinked from the policy.
Restrict Protected Item type
You may also restrict access to certain Protected Item types – take note that this applies to both end users and admin. Unselected Protected Items are un-editable to end users and to admin. Only selected Protected Item types can be created. Existing Protected Items can be edited or deleted regardless of this setting.
For example, in this Policy, only the Files and Folders option is ticked, which means that’s the only Protected Item that can be added, deleted, or edited by Admin (you) and the end user.
In the Comet Backup Client, all Protected Items except for Files and Folders will be unavailable:
Default Settings
‘Skip if already running’ setting on backup schedules
- System default – The System default here is Optional, OFF
- Optional, default on – System default is ON, but can be turned OFF
- Optional, default off – System default is OFF, but can be turned ON
- Always ON – Cannot be turned OFF unless the Policy is changed
- Always OFF – Cannot be turned ON unless the Policy is changed
‘Allow administrator to reset password’ setting on user accounts
- System default – The System default here is Optional, ON
- Optional, default on – System default is ON, but can be turned OFF
- Optional, default off – System default is OFF, but can be turned ON
- Always ON – Cannot be turned OFF unless the Policy is changed
- Always OFF – Cannot be turned ON unless the Policy is changed. If you choose this option and would then like to reverse it, you will first have to change the Policy option to either Always or Optional ON, and then the end user will have to re-enable it within the app.
This option is greyed out in the User Profile:
The end user can allow it in the Comet Backup Client interface after you re-activate it in the Policy:
‘Allow administrator to view file names remotely’ setting on devices:
- System default – The System default here is Optional, ON
- Optional, default on – System default is ON, but can be turned OFF
- Optional, default off – System default is OFF, but can be turned ON
- Always ON – Cannot be turned OFF unless the Policy is changed
- Always OFF – Cannot be turned ON unless the Policy is changed. Same as the previous setting, in order to reverse this option, you will have to change the Policy option to either Always or Optional ON, and then the end user will have to re-enable it within the client.
‘Require user to change password at next login’ setting on user accounts:
- System default – The System default here is Optional, ON
- Optional, default on – System default is ON, but can be turned OFF
- Optional, default off – System default is OFF, but can be turned ON
- Always ON – Cannot be turned OFF unless the Policy is changed
- Always OFF – Cannot be turned ON unless the Policy is changed
Random job delay
To spread out CPU load when backups run at the same time, a 'Random job delay' can be utilized. This adds a random delay (in minutes) to a scheduled backup job before it finally executes, thus spreading out the start time of the affected job/s (maximum 300 minutes/5 hours).
When a lot of scheduled jobs start at exactly the same time, this can cause a high CPU load for the server; a random job delay helps to spread it out.
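A small simulation of the effect described above, added here as an illustration and not taken from Comet's code. It assumes the delay is drawn uniformly in whole minutes (the page does not state the distribution) and uses a constructed fleet of 3000 jobs scheduled for the same minute; the function names are made up for this example.

```python
import random
from collections import Counter

MAX_DELAY_MIN = 300  # upper limit for 'Random job delay' stated on this page


def start_offsets(n_jobs, max_delay_min, seed=0):
    """Minutes after the scheduled time at which each job actually starts.

    Assumption: the delay is a whole number of minutes drawn uniformly from
    0..max_delay_min, independently per job. The page does not state the
    distribution.
    """
    if not 0 <= max_delay_min <= MAX_DELAY_MIN:
        raise ValueError(f"delay must be 0..{MAX_DELAY_MIN} minutes")
    rng = random.Random(seed)  # seeded so the run is reproducible
    return [rng.randint(0, max_delay_min) for _ in range(n_jobs)]


def peak_starts_per_minute(offsets):
    """Largest number of jobs that start within the same minute."""
    return max(Counter(offsets).values()) if offsets else 0


def last_start(offsets):
    """Minutes until the final job has started (the cost of spreading)."""
    return max(offsets, default=0)


def compare(n_jobs, delays=(0, 15, 60, MAX_DELAY_MIN)):
    """Peak simultaneous starts and last start time for each delay setting."""
    rows = []
    for d in delays:
        offs = start_offsets(n_jobs, d)
        rows.append((d, peak_starts_per_minute(offs), last_start(offs)))
    return rows


if __name__ == "__main__":
    # Constructed fleet: 3000 devices all scheduled for the same minute.
    for delay, peak, last in compare(3000):
        print(f"delay<={delay:3d} min  peak starts/min={peak:4d}  last start=+{last} min")
```

The peak falls roughly in proportion to the size of the delay window, while the last job may start up to the configured maximum after its scheduled time, which matters when backups must finish inside a maintenance window.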
Other restrictions
There are other restrictions under Default settings that can be configured as shown here. These are especially helpful if you want the end user to be completely hands-off and not have access to their backup settings.
Mandatory file and folder exclusions
This allows you to automatically exclude certain files and folders. This is handy for excluding files that cause errors and disruptions to backups. These apply to all File and Folder backups run under this policy.
Default email reports
You can set up a default job report template for all Users through Policies. For more information on reporting options with Comet, please refer to our full guide on how to set up email reporting with Comet.
To enforce the Default email reports, you will have to add an email address in the User profile under Reporting.
This email report will be named ‘Policy default’. If another email report is configured in the Profile tab, the Policy default will be added to it instead of overwriting it, and two email reports will then be sent.
Default Backup Schedules
Please refer to our full guide on available backup schedule settings.
Default backup schedules are applied to all new Protected Items and are not applied retroactively to existing Protected Items.
If a policy applied to a user has a default Protected Item with a schedule, plus a separate default backup schedule, the default Protected Item will then have two backup schedules.
Once a default backup schedule is applied to a Protected Item, it will be unlinked from the Policy and will have to be manually edited or removed within the Protected Item configuration.
You can either choose to store backups to:
- A specific Storage Vault, if available
- The Latest Storage Vault, or to
- All Storage Vaults
Retention
We have a separate retention guide that covers all options and possible retention configurations with Comet.
To apply a retention policy, click on ‘Keep all backups forever’; otherwise this default setting will apply.
Tick ‘Enforce this retention policy for all Storage Vaults’ to override Retention policies you may have applied on Storage Vaults. This is useful if you want users to be able to modify their Protected Items, but not their retention policies.
‘Prevent overriding retention policies on Protected Items’ is useful for ransomware protection, as a bad actor with user credentials could otherwise set the retention policy on a Protected Item to “keep nothing” and let historical backups be deleted by retention.
Tick ‘Allow users to set the Object Lock duration’ if you would like the end user to be able to set the Object Lock duration on Storage Vaults from the Comet client or user web interface.
How to create a policy
Policies can be created in two different ways:
- Via the Policies tab: This allows you to create a policy template and apply it across different users, or make it a default policy to be applied to new users.
- Via Policies under the Users tab: Customize a policy based on an individual user’s requirements.
Creating a policy template
A Policy template can be created and applied to different users.
In your Comet Server, head to the Policies tab and select ‘Add Policy’.
Configure the policy settings based on your use case.
Save your newly created template by clicking ‘Create Policy’.
Creating custom policies per user
It is also possible to create custom policies per user. These policy settings cannot be automatically applied to other users as a template, but can be copied and pasted to another user’s custom policy if required.
In your Comet Server, head to the Users tab. Identify the user you’d like to create a custom policy for and click on the username.
Click on ‘Policies’ and ensure the policy name is “(Custom)”.
Configure policy settings based on your use case. Click on ‘Save changes’ when you are satisfied with the settings.
Applying a policy template to an existing user
In your Comet Server, go to the Users tab. Identify the user to whom you want to apply the policy and click on the username.
Click on ‘Policies’, then click on the drop-down menu and select the policy you want to apply to the user. Click on ‘Save changes’ when done.
Applying a policy template to a new user
When creating a new user, click on the drop-down next to ‘Apply Policy’. Select the policy and continue with the new user creation.
Setting a default policy
A policy template can be set as a default, which will be the default policy applied to a new user upon creation.
This can be done in the Policies tab. Click on the triple dot on the far right of the template you have chosen to be the default policy for new users, and click on ‘Make default’.
Additional note: The default policy will not automatically be applied to existing users.
Sample policy recipes
Use case 1
I am a sysadmin of an IT team with a few hundred Windows laptops to back up. I want to apply the same backup settings to all endpoints.
My requirements:
- File and folder backup and a bare metal backup for all end users.
- The end users do not need to access the software.
- I want to receive all reports of the backups.
Suggested policy settings:
- Set up default Protected Items (Files and Folders & Disk Image) with configured backup schedules.
- Tick ‘Prevent opening the application interface’ under Default settings.
- Set up default reports.
- Set up retention rules per requirement to delete unnecessary backups and optimize storage.
Use case 2
I am an MSP. I would like to offer Comet as a backup service to my customers. I would like my customers to be able to access the Comet Backup Client but I would like to restrict certain features from them.
My requirements:
- File and folder backup for all end users (except the Download folder).
- The end users should not see the storage branding, nor can they alter any storage settings.
- The end users should not be able to configure backup and storage settings, but must be able to restore their backups from the Comet client interface.
Suggested policy settings:
- Set up a default Protected Item (Files and Folders) with a configured backup schedule.
- Apply a File and folder exclusion (e.g., Download folder).
- Hide cloud storage branding, and prevent end users from adding new Storage Vaults as well as editing and deleting existing ones.
- Prevent end users from adding new Protected Items as well as editing and deleting existing ones.
- Set up retention rules per requirement to delete unnecessary backups and optimize storage.