Hi Supun,

Let's assume that in an organization there are teams called Team A and Leadership. There is a policy enforced on Team A to disable cameras on their devices, and some application policies to install Team A related apps on their devices, but the Leadership team does not have that camera disable restriction. Let's assume the person called B, who leads Team A, should also be a member of the Leadership team. So the camera block policy should not be applied to his device. If proposed suggestion 2 is implemented and the admin tries to assign the policy to B, it asks the admin to change the policies in either Team A or Leadership to resolve conflicts. I don't think it is the right solution.

On Thu, Sep 8, 2016 at 12:00 PM, Supun Wanniarachchi <[email protected]> wrote:

> Hi All,
>
> Existing CDMF device management policy enforcement implementation in EMM
> supports applying only one policy upon devices based on an
> administrator-defined priority order.
>
> For instance, assume an instance where two policies (mentioned below) are
> supposed to be applied on managed devices.
>
> 1. Disable camera on all android devices -> Policy_B
> 2. Disable wifi on all android devices which belong to role "user-group A"
>    -> Policy_A
>
> If we take an android device which belongs to a user in user-group A,
> ideally, both the aforementioned policies should be applied on the said
> device. But due to the limitations in the existing policy implementation,
> only Policy_B (first policy in the priority list) will be applied, as
> that's what's been prioritized by the policy priority order.
>
> New Feature for Composite Device Management Policies:
>
> This new feature helps merge discrete policies together and get a composite
> effective policy without any conflicts. It should be enhanced further to be
> able to merge several such discrete policies together (i.e. camera
> disable, wifi disable) and enforce a composite effective policy upon
> managed devices.
>
> But considering the above example, a conflicting situation will arise
> when we merge these policies.
>
> 1. Disable camera on all android devices -> Policy_B (Android, BYOD)
> 2. Enable camera on all devices which belong to role "user-group A" ->
>    Policy_E (Android, ANY)
>
> In this case, it's hard to find the exact operation to apply to the
> device when we are creating the effective policy. Previously there was no
> such situation because only one policy was applied, using the policy
> priority order. To get rid of this issue we can do the policy merging task
> in two different ways (Proposed suggestion 1, Proposed suggestion 2).
>
> *Proposed suggestion 1*:
>
> [image: emm2.jpg]
>
> - Use the existing priority order and get the first applicable policy if
>   there's any conflict situation.
> - Merge several such discrete policies together and enforce a
>   composite effective policy on the device.
>
> *Proposed suggestion 2*:
>
> [image: emm.jpg]
>
> - User can add any number of policies for different ownership, role or
>   user and save, without using the existing priority order.
> - But when we are doing the "Apply changes to devices" event, it works as
>   in the above diagram.
> - Restrict applying two conflicting policies to one device. If there are
>   any conflicts, use the Resolution Mechanism to avoid these issues.
>
> Resolution Mechanism for conflicting policies
>
> - Mainly check the feature level of each policy (i.e.
>   Passcode, Restriction, Wifi, VPN). Check feature by feature whether
>   there are any conflicts (features have different role sets).
> - Display conflicting policy details separately and allow the user to
>   change the applicable policy of that particular role/user.
>
> In PDP there are no conflicts for both Proposed suggestion 1 and 2.
> Check which device gets the effective policy and do the policy merging
> process. Finally apply that effective policy to the device.
>
> I think *Proposed suggestion 2* is the more effective way. Please share
> your thoughts on this.
>
> --
> Supun Wanniarachchi
> Intern
> WSO2, Inc.
>
> *Lean . Enterprise . Middleware*
> Mobile: +94 716326119
> Blog: http://blog.supun.me
> <https://lk.linkedin.com/in/supun-wanniarachchi-21b37a97>
>
> _______________________________________________
> Architecture mailing list
> [email protected]
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture

--
Regards,
Chatura Dilan Perera
*Associate Tech Lead - WSO2 Inc.*
www.dilan.me
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
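The two proposals applied to the Team A / Leadership case from this thread, as an added sketch that is not WSO2 EMM code and not written by either participant. The policy names, role strings and feature values are constructed, and the Leadership policy is assumed to enable the camera explicitly, as Policy_E does in the quoted mail.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    role: str       # role the policy is assigned to
    features: dict  # feature -> setting, e.g. {"camera": "disabled"}

# Constructed sample data, listed in admin priority order (first = highest).
POLICIES = [
    Policy("TeamA_policy", "team-a", {"camera": "disabled", "apps": "team-a-apps"}),
    Policy("Leadership_policy", "leadership", {"camera": "enabled"}),
]

def merge(policies, user_roles):
    """Feature-by-feature merge; returns (effective, conflicts)."""
    effective, source, conflicts = {}, {}, {}
    for p in policies:
        if p.role not in user_roles:
            continue
        for feature, value in p.features.items():
            if feature not in effective:
                effective[feature], source[feature] = value, p.name
            elif effective[feature] != value:
                # Same feature, different setting: record both policy names.
                conflicts.setdefault(feature, [source[feature]]).append(p.name)
    return effective, conflicts

def suggestion_1(policies, user_roles):
    """Composite policy; a conflict is settled by priority order."""
    effective, _ = merge(policies, user_roles)
    return effective

def suggestion_2(policies, user_roles):
    """Composite policy; any conflict blocks the apply until an admin resolves it."""
    effective, conflicts = merge(policies, user_roles)
    if conflicts:
        raise ValueError(f"conflicting policies: {conflicts}")
    return effective

if __name__ == "__main__":
    b_roles = {"team-a", "leadership"}  # B leads Team A and sits in Leadership
    print("suggestion 1:", suggestion_1(POLICIES, b_roles))
    try:
        suggestion_2(POLICIES, b_roles)
    except ValueError as err:
        print("suggestion 2:", err)
```

With Team A listed first, suggestion 1 leaves B's camera disabled without telling anyone, while suggestion 2 stops and names the camera feature and both policies, which is the admin prompt objected to in the reply.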
