The following instructions assume that you are on the Configure Allowed Locations page in the Create New Location Assignment Policy Wizard (see Creating Security Policies) or that you are on the Details page for an existing Location Assignment policy (see Editing a Policy’s Details).
The Location Assignment policy lets you specify the locations against which the Endpoint Security Agent compares its network environment to determine its location. Only the locations included in the Allowed Locations list are considered.
For example, assume that you have defined four locations (Configuration tab > Locations). Locations 1 through 3 are common locations you want available to all devices, but Location 4 is required by only a few devices. You include the first three locations in this policy and exclude the fourth location. When applying this policy, the ZENworks Agent evaluates the device’s current network environment against the three defined locations to determine the location.
ZENworks utilizes a management hierarchy, or structure, that is ordered as follows:
Management Zone
Folder/Group
Device/User
Polices can be assigned at each level. Assignments flow down, which means that policy assignments made at the Management Zone apply to all devices or users in the zone. Likewise, policy assignments made to a folder or group apply to all members of the folder or group. As a result of hierarchical assignments, it is possible for a device or user to be assigned multiple policies of the same type.
The Inherit from Policy Hierarchy option determines whether or not this policy can inherit settings from other policies (of the same type) that are above it in the hierarchy. Consider the following table:
|
Hierarchy Level |
Policy (same type) |
Inherit from Policy Hierarchy |
Policy Setting 1 (Single-Value) |
Policy Setting 2 (Single Value) |
Policy Setting 3 (Multi-Value) |
|---|---|---|---|---|---|
|
Zone |
Policy_3 |
Yes |
10 |
False |
Device4,Device5 |
|
User Group 1 |
Policy_2 |
Yes |
Inherit |
Inherit |
Device2;Device3 |
|
User A |
Policy_1 |
Yes |
Inherit |
True |
Device1;Device2 |
User A is directly assigned Policy_1. Because User A is a member of User Group 1 and the Zone, User A is indirectly assigned Policy_2 and Policy_3.
All three of the policies allow for inheritance. As a result, the final policy settings are determined by using the following method:
Evaluation of policy settings begins with the lowest policy in the hierarchy (the policy closest to the user). In this case, Policy_1 is the lowest policy (because it is assigned directly to User A) and is evaluated first.
If one of the Policy_1 settings is configured as Inherit, then the setting is inherited from Policy_2; if the Policy_2 setting is configured as Inherit, then the setting is inherited from the next policy in the hierarchy, which is Policy_3.
Multi-value policy settings, such as tables, do not have an Inherit setting. With multi-value settings, all values from the assigned policies are combined.
Applying the inheritance methodology to the example in the above table, the resulting Policy_1 settings for User A are:
|
Hierarchy Level |
Policy (same type) |
Inherit from Policy Hierarchy |
Policy Setting 1 (Single-Value) |
Policy Setting 2 (Single Value) |
Policy Setting 3 (Multi-Value) |
|---|---|---|---|---|---|
|
User A |
Policy_1 |
Yes |
10 (inherited from Policy_3) |
True |
Device1;Device2 Device3 (inherited from Policy_2) Device4;Device5 (inherited from Policy_3) |
Inheritance hierarchy also applies to the precedence of user and device assigned policies in the same hierarchy level. For example, if there are multiple same-type user-assigned policies in the same hierarchy level, policy settings will only flow down to policies lower in the policy list if the Inherit from Policy Hierarchy option is applied to the policy higher in the list. In the case of both user and device assigned policies, the conflict resolution rules will also apply. Consider the following table:
|
Hierarchy Level |
Policy (same type) |
Inherit from Policy Hierarchy |
Policy Setting 1 |
Policy Setting 2 (Multi-Value) |
|---|---|---|---|---|
|
User A |
Policy 1 |
Yes |
10 |
Device1;Device2 |
|
User A |
Policy 2 |
No |
5 |
Device3;Device4 |
|
User A |
Policy 3 |
Yes |
0 |
Device3;Device5 |
In the example above, three policies are assigned to User A in the precedence order shown in the table. Because Inherit for Policy Hierarchy is disabled in Policy 2, Policy 3 settings are blocked. The table below shows how the settings are applied.
Policy Setting 1 is set to 10, because Policy 2 inherits from Policy 1, overriding 5.
Policy Setting 2 includes Device1-4, applying settings from both Policy 1 and Policy 2, but ignoring Device5 from Policy 3, because inherit is disabled in Policy 2.
|
Hierarchy Level |
Policy (same type) |
Inherit from Policy Hierarchy |
Policy Setting 1 |
Policy Setting 2 (Multi-Value) |
|---|---|---|---|---|
|
User A |
Policy 1, Policy 2 |
Yes |
10 |
Device1;Device2; Device3;Device4 |
You use the Allowed Locations list to add the locations that are allowed by this policy. By default, the Unknown location is automatically added to the policy. This enables the device to fail over to the Unknown location if the current network environment does not match any of the policy’s locations.
The following table provides instructions for managing the allowed locations:
|
Task |
Steps |
|---|---|
|
Add a location |
|
|
Modify a location’s settings |
|
|
Remove a location |
|