Hi Supun,

I think it's better to have a composite version of these suggestions.

For example, let's assume we have a situation where multiple policies collide over the same set of features. If that is the case, as proposed in suggestion one, we can let the admin prioritize them according to his/her wishes using a method which is suggested in the 2nd option, so that when there's a conflicting scenario, we can redirect them to the policy priority section saying this and that features are overlapped and please prioritize them to be merged. WDYT?

Regards,

On Thu, Sep 8, 2016 at 12:00 PM, Supun Wanniarachchi <[email protected]> wrote:

> Hi All,
>
> Existing CDMF device management policy enforcement implementation in EMM supports applying only one policy upon devices based on an administrator-defined priority order.
>
> For instance, assume an instance where two policies (mentioned below) are supposed to be applied on managed devices.
>
> 1. Disable camera on all android devices -> Policy_B
> 2. Disable wifi on all android devices which belong to role "user-group A" -> Policy_A
>
> If we take an android device which belongs to a user in user-group A, ideally, both the aforementioned policies should be applied on the said device. But due to the limitations in the existing policy implementation, only Policy_B (the first policy in the priority list) will be applied, as that's what's been prioritized by the policy priority order.
>
> New Feature for Composite Device Management Policies:
>
> This new feature helps merge discrete policies together and get a composite effective policy without any conflicts. It should be enhanced further to be able to merge several of such discrete policies together (i.e. camera disable, wifi disable) and enforce a composite effective policy upon managed devices.
>
> But considering the above example, a conflicting situation will happen when we are going to merge these policies.
>
> 1. Disable camera on all android devices -> Policy_B (Android, BYOD)
> 2. Enable camera on all devices which belong to role "user-group A" -> Policy_E (Android, ANY)
>
> In this case, it's hard to find the exact operation to apply to the device when we are creating the effective policy. Previously this kind of situation did not arise because only one policy was applied, using the policy priority order. To get rid of this issue, we can do the policy merging task in two different ways (Proposed suggestion 1, Proposed suggestion 2).
>
> *Proposed suggestion 1*:
>
> [image: emm2.jpg]
>
> - Use the existing priority order and get the first applicable policy if there's any conflict situation.
> - Merge several of such discrete policies together and enforce a composite effective policy to the device.
>
> *Proposed suggestion 2*:
>
> [image: emm.jpg]
>
> - User can add any number of policies for different ownership, role or user and save, without using the existing priority order.
> - But when we are doing the "Apply changes to devices" event, it works as in the above diagram.
> - Restrict applying two conflicting policies to one device. If there are any conflicts, use the Resolution Mechanism to avoid these issues.
>
> Resolution Mechanism for conflicting policies
>
> - Mainly check the feature level of each policy (i.e. Passcode, Restriction, Wifi, VPN). Check feature by feature if there are any conflicts (features have different role sets).
> - Display conflicting policy details separately and allow the user to change the applicable policy of that particular role/user.
>
> In PDP there are no conflicts for both Proposed suggestion 1 and 2. Check which device gets the effective policy and do the policy merging process. Finally apply that effective policy to the device.
>
> I think *Proposed suggestion 2* is the more effective way. Please share your thoughts on this.
>
> --
> Supun Wanniarachchi
> Intern
> WSO2, Inc.
>
> *Lean . Enterprise . Middleware*
> Mobile: +94 716326119
> Blog: http://blog.supun.me
> <https://lk.linkedin.com/in/supun-wanniarachchi-21b37a97>
>
> _______________________________________________
> Architecture mailing list
> [email protected]
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture

--
*Milan Perera* | Software Engineer
WSO2, Inc | lean. enterprise. middleware.
#20, Palm Grove, Colombo 03, Sri Lanka
Mobile: +94 77 309 7088 | Work: +94 11 214 5345
Email: [email protected] | Web: www.wso2.com
<http://lk.linkedin.com/in/milanharinduperera>
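The per-feature merge discussed in this thread, as an added example that is not part of either message and is not WSO2 EMM code: policies that apply to a device are merged feature by feature, the priority order decides the effective setting (suggestion 1), and every overlap with a different setting is reported so an administrator can resolve it (suggestion 2). The `Policy` and `Device` types, the numeric priorities, the setting strings and the sample device are assumptions constructed for illustration; all devices are assumed to be Android.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    priority: int         # assumption: lower number = earlier in the priority list
    roles: frozenset      # empty set means "all roles"
    ownership: str        # "BYOD", "COPE" or "ANY"
    features: dict        # feature name -> setting

@dataclass
class Device:
    roles: frozenset
    ownership: str

def applies(policy, device):
    """A policy applies when both its role filter and ownership filter match."""
    role_ok = not policy.roles or bool(policy.roles & device.roles)
    owner_ok = policy.ownership in ("ANY", device.ownership)
    return role_ok and owner_ok

def merge(policies, device):
    """Return (effective, conflicts) for one device.

    effective: feature -> setting, taken from the highest-priority policy.
    conflicts: (feature, winning_policy, overridden_policy) for every
               lower-priority policy that sets the same feature differently.
    """
    effective, source, conflicts = {}, {}, []
    applicable = sorted((p for p in policies if applies(p, device)),
                        key=lambda p: p.priority)
    for policy in applicable:
        for feature, setting in policy.features.items():
            if feature not in effective:
                effective[feature], source[feature] = setting, policy.name
            elif effective[feature] != setting:
                conflicts.append((feature, source[feature], policy.name))
    return effective, conflicts

# Constructed sample data modelled on the policies named in the thread.
ROLE_A = frozenset({"user-group A"})
POLICIES = [
    Policy("Policy_B", 1, frozenset(), "BYOD", {"camera": "disabled"}),
    Policy("Policy_A", 2, ROLE_A, "ANY", {"wifi": "disabled"}),
    Policy("Policy_E", 3, ROLE_A, "ANY", {"camera": "enabled"}),
]
DEVICE = Device(roles=ROLE_A, ownership="BYOD")

if __name__ == "__main__":
    effective, conflicts = merge(POLICIES, DEVICE)
    print("effective policy:", effective)
    for feature, winner, loser in conflicts:
        print(f"conflict on {feature}: {winner} overrides {loser}")
```

An empty `conflicts` list means the composite policy can be pushed as is; a non-empty one is the input for the policy priority screen mentioned in the reply.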
