A.5 Location Assignment Policy

The following instructions assume that you are on the Configure Allowed Locations page in the Create New Location Assignment Policy Wizard (see Section 9.0, Creating Security Policies) or that you are on the Details page for an existing Location Assignment policy (see Section 13.0, Editing a Policy’s Details).

The Location Assignment policy lets you specify the locations against which the Endpoint Security Agent compares its network environment to determine its location. Only the locations included in the Allowed Locations list are considered.

For example, assume that you have defined four locations (Configuration tab > Locations). Locations 1 through 3 are common locations you want available to all devices, but Location 4 is required by only a few devices. You include the first three locations in this policy and exclude the fourth location. When applying this policy, the Adaptive Agent evaluates the device’s current network environment against the three defined locations to determine the location.

A.5.1 Inherit from Policy Hierarchy

ZENworks utilizes a management hierarchy, or structure, that is ordered as follows:

  1. Management Zone

  2. Folder/Group

  3. Device/User

Policies can be assigned at each level. Assignments flow down, which means that policy assignments made at the Management Zone apply to all devices or users in the zone. Likewise, policy assignments made to a folder or group apply to all members of the folder or group. As a result of hierarchical assignments, it is possible for a device or user to be assigned multiple policies of the same type.

The Inherit from Policy Hierarchy option determines whether or not this Security Settings policy can inherit settings from Security Settings policies that are higher in the hierarchy. Consider the following table:

Hierarchy Level

Policy

Inheritance Example 1

Inheritance Example 2

Inheritance Example 3

Zone

LocAssignment_1

Yes

Yes

Yes

User Group 1

LocAssignment_2

Yes

No

Yes

User A

LocAssignment_3

Yes

Yes

No

User A is a member of User Group 1 and the Zone. As such, User A is assigned the LocAssignment_1 and LocAssignment_2 policies as well as the directly assigned LocAssignment_3 policy.

Inheritance Example 1: All three of the policies allow for inheritance. Evaluation of policy settings begins with the lowest policy in the hierarchy. In this case, LocAssignment_3 is the lowest policy (because it is assigned directly to User A) and is evaluated first.

If one of the LocAssignment_3 policy settings is configured as Inherit, then the setting is inherited from LocAssignment_2; if the LocAssignment_2 setting is configured as Inherit, then the setting is inherited from the next policy in the hierarchy, which is LocAssignment_1.

Multi-value policy settings, such as tables, do not have an Inherit setting. With multi-value settings, all values from the assigned policies are combined. In this example, any multi-value settings would combine the values from all three policies.

Inheritance Example 2: LocAssignment_2 does not allow for inheritance from the policy hierarchy. This means that LocAssignment_3 and LocAssignment_2 are used when determining User A’s Application Control policy settings. The LocAssignment_1 policy is ignored.

Inheritance Example 3: LocAssignment_3 does not allow for inheritance from the policy hierarchy. This means that only LocAssignment_3 is used. The two higher policies (LocAssignment_2 and LocAssignment_3) are not used.

A.5.2 Allowed Locations

You use the Allowed Locations list to add the locations that are allowed by this policy. By default, the Unknown location is automatically added to the policy. This enables the device to fail over to the Unknown location if the current network environment does not match any of the policy’s locations.

The following table provides instructions for managing the allowed locations:

Task

Steps

Add a location

  1. Click Add to display the Select Locations dialog box.

  2. Click the locations you want to add to the list.

    You can add only existing locations. Locations are created on the Locations page (Configuration tab > Locations)

  3. Click OK to add the locations.

Modify a location’s settings

  1. Select the check box next to the location > click Edit.

  2. Modify the settings as desired:

    Allow Manual Change: Select Yes to let the user change to the location and change from the location. For example, assume the policy includes three locations. This setting is enabled for Location1 and Location2, but not for Location3. If the agent determines the current location to be Location1, the user can manually change to Location2 but not to Location3. This is because Location1 and Location2 both allow manual changes, but Location3 does not. If the agent determines that the location is Location3, the user cannot change the location.

    Select Inherit to inherit this setting value from other Location Assignment policies assigned higher in the policy hierarchy.

    Show Location in Agent List: Select Yes to include the location in the list of locations displayed when the user right-clicks the agent’s Z-icon.

    Select Inherit to inherit this setting value from other Location Assignment policies assigned higher in the policy hierarchy.

    Use Location Message: Display a custom message when the agent switches to this location. This message can provide instructions for the user, give details about policy restrictions under this location, or include a hyperlink to more information.

  3. Click OK.

Remove a location

  1. Select the check box next to the location name, then click Remove.

  2. Click OK to confirm removal of the location.