Policies are applied to a device through device assignments, user assignments, and zone assignments. Through the application of ordering rules, all of the assigned policies are combined into one list in order of precedence, from most important (highest priority) to least important (lowest priority). There are several steps involved in ordering:
The order of precedence for device-assigned policies and user-assigned policies is determined by where the assignment occurs in the ZENworks management hierarchy, using the following order of precedence:
Object
Group
Folder
A policy assigned to the object (device or user) precedes a policy assigned to the object’s group or folder. Likewise, a policy assigned to an object’s group precedes a policy assigned to the object’s folder.
The order of precedence also takes into account that each level of the hierarchy includes multiple sublevels. For example, if a device resides in a subfolder of the Workstations root folder, it might inherit assignments from both folders. Likewise, the device might be a member of multiple groups. The following table expands the levels to show the complete order of precedence:
Level | Order of Precedence | Example | Details |
---|---|---|---|
Object | | | The order of precedence for policies assigned to an object is determined by the object’s Assigned Policies list in ZENworks Control Center. A policy at the top of the list has a higher priority than the same-type policies lower in the list. In the example, Policy B precedes Policy A. |
Group | | | The order of precedence for policies assigned to an object’s groups is dependent on two factors: 1) the group locations in the folder hierarchy and 2) the policy ordering within the groups. The first factor is the group locations: In the example, the resulting group order is 4, 1, 3. The second factor is the policy ordering within the group, which is determined by the group’s Assigned Policies list. A policy at the top of the list has a higher priority than the same-type policies lower in the list. In the example, the resulting policy order is D, C, F, G, J. |
Folder | | | The order of precedence for policies assigned to a folder corresponds to the order in the folder’s Policy Assignments list. In the example, Policy I has a higher precedence than Policy J. The precedence of an object’s folders is determined by the folder hierarchy. The object’s folder has precedence over folders located in folders higher in the folder hierarchy. |
Using the example in the above table, the order of precedence for the policies assigned to the object (device or user) is:
Policy B
Policy A
Policy D
Policy C
Policy F
Policy G
Policy J
Policy I
Policy H
Policy K
Policy R
Policy S
For policies assigned to the Management Zone, the order of precedence is determined by the position of the policies in the assignment list. The precedence is from the top to the bottom of the list. For example, if Policy A and Policy B are the same type and Policy B is higher in the list, the order of precedence is Policy B, Policy A.
After the ordered lists are created for each type of assignment (device-assigned, user-assigned, and zone-assigned), the three ordered lists for a single policy type look similar to the following example:
User Assignments | Device Assignments | Zone Assignments |
---|---|---|
| | |
The goal of ordering is to have one ordered list per location, so the next step is to combine the three lists. By default, the zone-assignments list is always included as the last (lowest priority) list. The order of the user-assignments list and the device-assignments list is determined by the conflict resolution rules configured on the device assignments. There are four conflict resolution rules:
User Last: The user-assigned policies are applied after the device-assigned policies. This means that the user-assigned policies have a higher priority than the device-assigned policies, because the last assigned policy takes precedence.
Device Last: The device-assigned policies are applied after the user-assigned policies. This means that the device-assigned policies have a higher priority than the user-assigned policies, because the last assigned policy takes precedence.
User Only: The user-assigned policies are applied and the device-assigned policies are ignored. However, if there are no user-assigned policies, the device-assigned policies are applied.
Device Only: The device-assigned policies are applied and the user-assigned policies are ignored.
When there are multiple device assignments, the conflict resolution rule on the highest-priority device assignment is used. In the table above, Policy H is the highest-priority device assignment. Therefore, the Device Last rule is used and the result is the following ordered list:
Policy H (Device Assignment)
Policy B (Device Assignment)
Policy R (Device Assignment)
Policy D (Device Assignment)
Policy E (User Assignment)
Policy A (User Assignment)
Policy I (User Assignment)
Policy Q (Zone Assignment)
At this point in the ordering process, the ordered list includes both location-based policies and global policies. Some policies might be applied in one location, others in another location, and some might be applied globally regardless of location.
Because the Endpoint Security Agent applies only the security policies assigned to the device’s current security location, it requires separate ordered lists for each available location (as defined in the Location Assignment policy) and for the global “location.” This results in lists similar to the following:
Location 1 | Location 2 | Location 3 | Global |
---|---|---|---|
1. Policy H 2. Policy D 3. Policy I | 1. Policy B 2. Policy D 3. Policy A 4. Policy I | 1. Policy R 2. Policy E | 1. Policy Q |
Some policies might apply to multiple locations, such as Policy D, which is included in the ordered lists for Location 2 and Location 3.
Creating the ordered lists for each location is the last step in the ordering process. With ordering complete, inheritance can be applied.
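The combining and per-location steps described above, modeled in Python as an added example (this is not ZENworks code; the `Assignment` class and the function names are illustrative). The three input lists and the location membership reproduce the page's example, and the `User Last` rule on Policy B is constructed to show that only the rule on the highest-priority device assignment is used.

```python
from dataclasses import dataclass

GLOBAL = "Global"

@dataclass(frozen=True)
class Assignment:
    policy: str
    locations: tuple          # security locations, or (GLOBAL,)
    rule: str = "User Last"   # conflict resolution rule; read only from device assignments

def combine(user, device, zone):
    """Merge three ordered lists (highest priority first) into one ordered list."""
    # The rule on the highest-priority device assignment decides the merge.
    # Assumption: with no device assignments, only the user list remains.
    rule = device[0].rule if device else "User Only"
    if rule == "User Last":        # user-assigned policies outrank device-assigned
        merged = user + device
    elif rule == "Device Last":    # device-assigned policies outrank user-assigned
        merged = device + user
    elif rule == "User Only":      # device list is used only when the user list is empty
        merged = user or device
    elif rule == "Device Only":    # user-assigned policies are ignored
        merged = device
    else:
        raise ValueError(f"unknown conflict resolution rule: {rule!r}")
    return merged + zone           # zone assignments are always lowest priority

def per_location(ordered, locations):
    """Split the combined list into one ordered list per location plus Global."""
    lists = {loc: [] for loc in (*locations, GLOBAL)}
    for a in ordered:
        for loc in a.locations:
            lists[loc].append(a.policy)
    return lists

# Lists from the page's example; location membership follows the page's location table.
# The "User Last" rule on Policy B is constructed, to show that it is ignored.
DEVICE = [Assignment("H", ("Location 1",), "Device Last"),
          Assignment("B", ("Location 2",), "User Last"),
          Assignment("R", ("Location 3",), "Device Last"),
          Assignment("D", ("Location 1", "Location 2"), "Device Last")]
USER = [Assignment("E", ("Location 3",)),
        Assignment("A", ("Location 2",)),
        Assignment("I", ("Location 1", "Location 2"))]
ZONE = [Assignment("Q", (GLOBAL,))]

ORDERED = combine(USER, DEVICE, ZONE)
LISTS = per_location(ORDERED, ["Location 1", "Location 2", "Location 3"])
```

When auditing which security policy wins on a device, the first entry of the list for the device's current location is the effective highest-priority policy of that type.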