5.4 Location Assignment Policy

The following instructions assume that you are on the Configure Allowed Locations page in the Create New Location Assignment Policy Wizard (see Creating Security Policies) or that you are on the Details page for an existing Location Assignment policy (see Editing a Policy’s Details).

The Location Assignment policy lets you specify the locations against which the Endpoint Security Agent compares its network environment to determine its location. Only the locations included in the Allowed Locations list are considered.

For example, assume that you have defined four locations (Configuration tab > Locations). Locations 1 through 3 are common locations you want available to all devices, but Location 4 is required by only a few devices. You include the first three locations in this policy and exclude the fourth location. When applying this policy, the ZENworks Agent evaluates the device’s current network environment against the three defined locations to determine the location.

5.4.1 Inherit from Policy Hierarchy

ZENworks utilizes a management hierarchy, or structure, that is ordered as follows:

  1. Management Zone

  2. Folder/Group

  3. Device/User

Polices can be assigned at each level. Assignments flow down, which means that policy assignments made at the Management Zone apply to all devices or users in the zone. Likewise, policy assignments made to a folder or group apply to all members of the folder or group. As a result of hierarchical assignments, it is possible for a device or user to be assigned multiple policies of the same type.

The Inherit from Policy Hierarchy option determines whether or not this policy can inherit settings from other policies (of the same type) that are above it in the hierarchy. Consider the following table:

Hierarchy Level

Policy (same type)

Inherit from Policy Hierarchy

Policy Setting 1 (Single-Value)

Policy Setting 2 (Single Value)

Policy Setting 3 (Multi-Value)

Zone

Policy_3

Yes

10

False

Device4,Device5

User Group 1

Policy_2

Yes

Inherit

Inherit

Device2;Device3

User A

Policy_1

Yes

Inherit

True

Device1;Device2

User A is directly assigned Policy_1. Because User A is a member of User Group 1 and the Zone, User A is indirectly assigned Policy_2 and Policy_3.

All three of the policies allow for inheritance. As a result, the final policy settings are determined by using the following method:

  1. Evaluation of policy settings begins with the lowest policy in the hierarchy (the policy closest to the user). In this case, Policy_1 is the lowest policy (because it is assigned directly to User A) and is evaluated first.

  2. If one of the Policy_1 settings is configured as Inherit, then the setting is inherited from Policy_2; if the Policy_2 setting is configured as Inherit, then the setting is inherited from the next policy in the hierarchy, which is Policy_3.

  3. Multi-value policy settings, such as tables, do not have an Inherit setting. With multi-value settings, all values from the assigned policies are combined.

Applying the inheritance methodology to the example in the above table, the resulting Policy_1 settings for User A are:

Hierarchy Level

Policy (same type)

Inherit from Policy Hierarchy

Policy Setting 1 (Single-Value)

Policy Setting 2 (Single Value)

Policy Setting 3 (Multi-Value)

User A

Policy_1

Yes

10 (inherited from Policy_3)

True

Device1;Device2

Device3 (inherited from Policy_2)

Device4;Device5 (inherited from Policy_3)

Inheritance hierarchy also applies to the precedence of user and device assigned policies in the same hierarchy level. For example, if there are multiple same-type user-assigned policies in the same hierarchy level, policy settings will only flow down to policies lower in the policy list if the Inherit from Policy Hierarchy option is applied to the policy higher in the list. In the case of both user and device assigned policies, the conflict resolution rules will also apply. Consider the following table:

Hierarchy Level

Policy (same type)

Inherit from Policy Hierarchy

Policy Setting 1

Policy Setting 2 (Multi-Value)

User A

Policy 1

Yes

10

Device1;Device2

User A

Policy 2

No

5

Device3;Device4

User A

Policy 3

Yes

0

Device3;Device5

In the example above, three policies are assigned to User A in the precedence order shown in the table. Because Inherit for Policy Hierarchy is disabled in Policy 2, Policy 3 settings are blocked. The table below shows how the settings are applied.

  1. Policy Setting 1 is set to 10, because Policy 2 inherits from Policy 1, overriding 5.

  2. Policy Setting 2 includes Device1-4, applying settings from both Policy 1 and Policy 2, but ignoring Device5 from Policy 3, because inherit is disabled in Policy 2.

Hierarchy Level

Policy (same type)

Inherit from Policy Hierarchy

Policy Setting 1

Policy Setting 2 (Multi-Value)

User A

Policy 1, Policy 2

Yes

10

Device1;Device2; Device3;Device4

5.4.2 Manage Allowed Locations

You use the Allowed Locations list to add the locations that are allowed by this policy. By default, the Unknown location is automatically added to the policy. This enables the device to fail over to the Unknown location if the current network environment does not match any of the policy’s locations.

The following table provides instructions for managing the allowed locations:

Task

Steps

Add a location

  1. Click Add to display the Select Locations dialog box.

  2. Click the locations you want to add to the list.

    You can add only existing locations. Locations are created on the Locations page (Configuration tab > Locations)

  3. Click OK to add the locations.

Modify a location’s settings

  1. Select the check box next to the location > click Edit.

  2. Modify the settings as desired:

    Allow Manual Change: Select Yes to let the user change to the location and change from the location. For example, assume the policy includes three locations. This setting is enabled for Location1 and Location2, but not for Location3. If the agent determines the current location to be Location1, the user can manually change to Location2 but not to Location3. This is because Location1 and Location2 both allow manual changes, but Location3 does not. If the agent determines that the location is Location3, the user cannot change the location.

    Select Inherit to inherit this setting value from other Location Assignment policies assigned higher in the policy hierarchy.

    Show Location in Agent List: Select Yes to include the location in the list of locations displayed when the user right-clicks the agent’s ZENworks icon.

    Select Inherit to inherit this setting value from other Location Assignment policies assigned higher in the policy hierarchy.

    Use Location Message: Display a custom message when the agent switches to this location. This message can provide instructions for the user, give details about policy restrictions under this location, or include a hyperlink to more information.

  3. Click OK.

Remove a location

  1. Select the check box next to the location name, then click Remove.

  2. Click OK to confirm removal of the location.