Cortado Support

My Tickets Visit www.cortado.com
Welcome
Login

Special conditions when assigning multiple policies

After you create your policies for Android or iOS, you can assign them to either users, groups or devices. If multiple policies have been created and are assigned to users, devices or groups, it raises the question as to which of the policies will be applied.

As a basis, the following applies per platform (Android or iOS):

  1. If different policies are assigned to the same user (this applies also to groups or devices), the policy with the more restrictive content is always applied.
  2. Policies that are assigned to a user will override policies assigned to a group of which that user is a member.
  3. Policies assigned to a device will override policies assigned to the user of that device or to a group (of which the user is a member).

assign users, groups, devices

For clarification, here are three scenarios that explain the different rules. In our examples, User 11, who uses a Pixel 4a Android device, is a member of the Sales group.

User 11 in Sales group

1. Assigning different policies to the same user (group or device)

2. Assigning different policies to users and groups

3. Assigning different policies to devices, users and groups

1. Assigning different policies to the same user (group or device)

In this case, all policies assigned to the user or device will apply. 

The policy with the more restrictive content is always applied.

Example:

Under Administration→ Policies, the plus button (arrow in illus.) is used to create a new policy.

add policy

The example sets a password policy with high password complexity (upper and middle arrows in the illus.). Apart from that, there are no other changes made to the settings in this window. The use of the status bar remains allowed by default (lower arrow in illus.).

password policy

A second policy is also created for User 11. To do so, click on the plus button again (see above). This time, there are no changes made to the default settings of the password policy (upper arrow in the illus.). Instead, the use of the status bar is no longer allowed in this policy (lower arrow in the illus.).

status bar policy

So we've now created one policy which has the Enforce Password option enabled and a second policy in which it is disabled. In addition, we have one policy where the use of the status bar is allowed and a second policy where it is not. Both policies are assigned directly to User 11 (arrows in illus.).

assign policies to user

Result:

Only the more restrictive policy applies. Firstly, a high complexity password is now enforced for User 11. And secondly, the use of the status bar is no longer allowed. This can be observed in the Cortado app on User 11's Android device.

cortado app policies overview

2. Assigning different policies to users and groups

If some policies are assigned to a user directly and other policies assigned to the group of which the user is a member, the following applies:

Policies that are assigned directly to users overwrite any existing group policies.

Example:

User 11 has already had two policies assigned directly (see above). Now, by clicking on the plus button (see above) a further policy is created, which serves to enforce the installation of OS updates (arrows in illus.). Apart from that, no other changes are made to the settings in this window.

create OS updates policy

This new policy is then assigned to the Sales group of which User 11 is a member (arrows in illus.).

assign OS update policy to user 11

Result:

As can be seen under Administration→ Users in the Policies tab, this group policy is not applied to User 11 (arrow in illus.), because policies that are assigned directly to users override group policies.

grayed out group policy

3. Assigning different policies to devices, users and groups

If policies are assigned directly to a device and additional policies are also assigned to the user of that device, or to groups of which that user is a member, then the following applies:

Policies assigned directly to a device override existing policies assigned to the user or groups.

Example: 

Now, with a click on the plus button (see above) a new policy is created. For this policy, the checkbox allow the use of developer options (arrow in illus.) is enabled.  Apart from that, there are no other changes made to the settings in this window.

create developer options policy

This fourth policy in our example is now assigned directly to User 11's Android device (Pixel 4a) (arrows in illus.).

assign developer options policy

Result: 

As can be seen under Administration→ Devices in the policies tab, for User 11’s Pixel 4a (left arrow in illus.), only the policies that have been directly assigned to the device are applied (right arrow in illus.). Any other policies, whether assigned directly to User 11 or to a group of which User 11 is a member, do not apply.

developer options policy assigned to device



Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.