4.0 User, Device, and Zone Policy Assignments

You can assign security policies to users, workstation devices, and the Management Zone:

Assignments to users and workstation devices are called direct assignments. You can also assign security policies to workstation folders and groups. When a user or workstation device is a member of a folder or a group, it inherits the assigned policies. These are called inherited assignments.

Assignments to the Management Zone can be made at the Management Zone, on a workstation device folder, and on a workstation device. This enables you to assign different default policies to different devices within your Management Zone.

Simply because a policy is assigned to a workstation device, the device’s user, or the Management Zone does not mean that it will be enforced on the device. When multiple policies of the same type are applied to a workstation device through different assignments, the Endpoint Security Agent must determine a single effective policy to enforce on the device. Effective policies are discussed in Section 5.0, Effective Policies.