Hi All,

The existing CDMF device management policy enforcement implementation in EMM
supports applying only one policy to a device, based on an
administrator-defined priority order.

For instance, assume an instance where two policies (mentioned below) are
supposed to be applied on managed devices.

1. Disable camera on all Android devices -> Policy_B

2. Disable wifi on all Android devices which belong to role "user-group A"
-> Policy_A


If we take an Android device which belongs to a user in user-group A,
ideally, both the aforementioned policies should be applied on the said
device. But due to the limitations in the existing policy implementation, only
Policy_B (the first policy in the priority list) will be applied, as that’s
what’s been prioritized by the policy priority order.

New Feature for Composite Device Management Policies:

This new feature helps merge discrete policies together and get a composite
effective policy without any conflicts. It should be enhanced further to be
able to merge several such discrete policies together (e.g. camera
disable, wifi disable) and enforce a composite effective policy upon
managed devices.

But considering the above example, a conflicting situation will arise
when we merge these policies.

1. Disable camera on all Android devices -> Policy_B (Android, BYOD)

2. Enable camera on all devices which belong to role "user-group A" ->
Policy_E (Android, ANY)

In this case, it’s hard to determine the exact operation to apply to the
device when we are creating the effective policy. Previously this kind of
situation did not occur, because only one policy was applied, using the policy
priority order. To get rid of this issue, we can do the policy merging task in
two different ways (Proposed suggestion 1, Proposed suggestion 2).

*Proposed suggestion 1*:

[image: emm2.jpg]

   - Use the existing priority order and take the first applicable policy if
     there’s any conflict situation.

   - Merge several such discrete policies together and enforce a composite
     effective policy on the device.


*Proposed suggestion 2*:

[image: emm.jpg]



   - The user can add any number of policies for different ownership, role or
     user and save them, without using the existing priority order.

   - But when we are doing the “Apply changes to devices” event, it works as
     in the above diagram.

   - Restrict applying two conflicting policies to one device. If there are
     any conflicts, use the Resolution Mechanism to avoid these issues.


Resolution Mechanism for conflicting policies


   - Mainly check the feature level of each policy (i.e. Passcode,
     Restriction, Wifi, VPN). Check feature by feature whether there are any
     conflicts (features have different role sets).

   - Display the conflicting policy details separately and allow the user to
     change the applicable policy of that particular role/user.


In the PDP there are no conflicts for either Proposed suggestion 1 or 2.
Check which device gets the effective policy and do the policy merging
process. Finally, apply that effective policy to the device.

I think *Proposed suggestion 2* is the more effective way. Please share your
thoughts on this.


-- 
Supun Wanniarachchi
Intern
WSO2, Inc.

*Lean . Enterprise . Middleware *
Mobile: +94 716326119
Blog: http://blog.supun.me
<https://lk.linkedin.com/in/supun-wanniarachchi-21b37a97>
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
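
The merge described in Proposed suggestion 1, with the feature-by-feature conflict check from the Resolution Mechanism, as an added example that is not part of the original e-mail or of WSO2 EMM's code. The class and function names, the "ANY" wildcard, the "COPE" ownership value, the priorities of Policy_A and Policy_E, Policy_A's ownership scope, and treating a conflict as "same feature, different setting" are all assumptions.

```python
from dataclasses import dataclass

ANY = "ANY"  # wildcard for ownership or role (assumed convention)

@dataclass
class Policy:
    name: str
    priority: int    # 1 = first in the administrator's priority order
    platform: str
    ownership: str   # e.g. "BYOD", or ANY
    role: str        # role name, or ANY
    features: dict   # feature -> setting, e.g. {"camera": "disabled"}

@dataclass
class Device:
    platform: str
    ownership: str
    roles: frozenset

def applies(policy, device):
    """True if the policy's platform, ownership and role match the device."""
    return (policy.platform == device.platform
            and policy.ownership in (ANY, device.ownership)
            and (policy.role == ANY or policy.role in device.roles))

def effective_policy(policies, device):
    """Merge applicable policies feature by feature. When two policies set the
    same feature differently, the one earlier in the priority order wins and
    the clash is recorded as (feature, winner, loser)."""
    merged, source, conflicts = {}, {}, []
    applicable = sorted((p for p in policies if applies(p, device)),
                        key=lambda p: p.priority)
    for p in applicable:
        for feature, setting in p.features.items():
            if feature not in merged:
                merged[feature], source[feature] = setting, p.name
            elif merged[feature] != setting:
                conflicts.append((feature, source[feature], p.name))
    return merged, conflicts

# Constructed sample data: policy names and scopes follow the e-mail; the
# priorities of Policy_A and Policy_E and the "COPE" ownership are assumed.
POLICIES = [
    Policy("Policy_B", 1, "android", "BYOD", ANY, {"camera": "disabled"}),
    Policy("Policy_A", 2, "android", ANY, "user-group A", {"wifi": "disabled"}),
    Policy("Policy_E", 3, "android", ANY, "user-group A", {"camera": "enabled"}),
]
BYOD_IN_GROUP_A = Device("android", "BYOD", frozenset({"user-group A"}))
COPE_IN_GROUP_A = Device("android", "COPE", frozenset({"user-group A"}))

if __name__ == "__main__":
    for dev in (BYOD_IN_GROUP_A, COPE_IN_GROUP_A):
        print(dev.ownership, *effective_policy(POLICIES, dev))
```

The recorded conflict list is what an administrator console could display for manual resolution under Proposed suggestion 2, instead of silently letting the priority order decide.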
