A policy is applied to a device or a user only if the policy is directly or indirectly associated to that device or user.
The Browser Bookmarks policy, Dynamic Local User policy, Printer policy, Remote Management policy, Windows Group policy, and ZENworks Explorer Configuration policy can be applied to a device or a user:
The Local File Rights and SNMP policies can be applied only to a device.
The Roaming Profile policy can be applied only to a user.
A policy can be associated to groups and containers.
In ZENworks Control Center, devices and users can be organized by using containers and groups. A device or user can be a member of multiple groups. The containers can be nested within other containers. If a policy is associated to a group of users, it applies to all users in that group. If a policy is associated to a user container, it applies to all users in the entire subtree rooted at that container. The same behavior applies to device groups and containers.
A policy can be associated to query groups.
In ZENworks Control Center, the devices can also be members of query groups. Query groups are similar to ordinary groups except that the membership is determined by a query defined by the administrator. All devices that satisfy the query become members of that device group. The query is evaluated periodically and the membership is updated with the results. An administrator can configure the periodicity of the evaluation. An administrator can also force an immediate refresh of a query group. Query groups act just like other groups where policies are concerned.
Policies are chronologically ordered by default.
When multiple policies are associated to a device, user, group, or container, the associations are chronologically ordered by default. The administrator can change the ordering.
If a device or user belongs to multiple groups, the groups are ordered. Consequently, the policies associated to those groups are also ordered. The administrator can change the ordering of groups for a device or user at any time.
In addition, the policies in a policy group are ordered.
Policies have a precedence configured to determine the policy that is effective for a device or a user.
Many policies of the same type can be applied to a user or a device through direct association and inheritance. For example, if a Browser Bookmark policy is associated to a user and another Browser Bookmark policy is associated to a container containing that user, the policy directly associated to that user overrides the policy associated to the container.
Policies support management by exception.
You can define a global policy for your enterprise and associate it to the top-level container containing all your user objects. You can then override configuration items in the global policy by defining a new policy and associating it to specific users or user groups. These users receive their configuration from the new policy. All other users receive their configuration from the global policy.
Policies support system requirements.
You can specify the system requirements of a device or user in a policy. The policy is applied to a device or user only if the device or user meets the system requirements.
For example, the SNMP policy is applied by default on all devices having the SNMP service installed.
ZENworks Configuration Management supports singular and plural policies.
Singular Policy: If multiple policies of the same policy type are assigned to a device or a user and the policy type is a Singular policy, then only the nearest associated policy meeting the system requirements is applied. If the policy type is associated to both user and device, then two different policies can be assigned to user and device.
The SNMP policy, Dynamic Local User policy, Remote Management policy, Roaming Profile policy, Power Management policy, and ZENworks Explorer Configuration policy are singular policies.
Plural Policy: If multiple policies of the same policy type are assigned to a device or a user and the policy type is a Plural type, then all policies meeting the associated system requirement are applied.
The Browser Bookmarks policy, Local File Rights policy, Windows Group policy, and Printer policy are plural policies. However, the security settings in the Windows Group policy are not plural.
Policies can be disabled.
When you create a policy in ZENworks Configuration Management, the policy is enabled by default. You can disable it if you do not want to apply it on a user or a device.
ZENworks Configuration Management allows you to resolve policy conflicts.
The set of effective policies is a subset of the set of assigned policies. The set of effective policies for a device or user is calculated by applying precedence rules, multiplicity rules, and system requirements filters on the set of assigned policies. Effective policies are calculated separately for devices and users. The Policy Conflict Resolution setting determines how user and device policies interact for a specific user and device combination.
Effective policies are calculated separately for devices and users. When a user logs in to a device, policies associated to both the user and the device must be applied. Policy Conflict Resolution settings are used only when policies of the same type are associated to both the device and the user. This setting determines the precedence order among the policies associated to the user and those associated to the device. The Policy Conflict Resolution settings are applied after the effective policies are calculated.
Policy Conflict Resolution settings are defined when associating a policy to a device. The settings cannot be defined for associations to users. For each policy type, the Policy Conflict Resolution setting defined in the closest effective policy of that type is applied for all policies of that type.
A Policy Resolution Conflict setting can have one of the following values:
User Precedence: User-associated policy will override the device-associated policy. Select this option to apply policies that are associated to the users first, and then to the devices.
Device Precedence: Device-associated policy will override the user-associated policy. Select this option to apply policies that are associated to the devices first, and then to the users.
User Only: Applies only the policies associated to the user and ignores the policies associated to the device.
Device Only: Applies only the policies associated to the device and ignore the policies associated to the user.
NOTE:The Policy Conflict Resolution setting is taken from the device-associated policy with the highest precedence.