1.4 How User, Device, and Zone Policy Assignments Operate

You can assign security policies to users, workstation devices, and the Management Zone:

  • User assignment: A user-assigned policy follows the user. When the user logs in through the ZENworks Agent on any device, the user-assigned policies are applied.

  • Device assignment: A device-assigned policy follows the device. When the ZENworks Agent connects to the Management Zone, the device-assigned policies are applied.

    Security policies apply to workstation devices only. If you assign a security policy to a server device, it is not applied.

  • Zone assignment: A zone-assigned policy is a default policy. It is evaluated after all user-assigned and device-assigned policies of that type.

Assignments to users and workstation devices are called direct assignments. You can also assign security policies to workstation folders and groups. When a user or workstation device is a member of a folder or a group, it inherits the policies assigned to that folder or group. These are called inherited assignments.

Assignments to the Management Zone can be made at the Management Zone, on a workstation device folder, and on a workstation device. This enables you to assign different default policies to different devices within your Management Zone.

Assigning a policy to a workstation device, the device’s user, or the Management Zone does not mean that it will be enforced on the device. When multiple policies of the same type are applied to a workstation device through different assignments, the Endpoint Security Agent must determine a single effective policy to enforce on the device. Effective policies are discussed in How the Effective Policy is Determined.