After you create your policies for Android or iOS, you can assign them to either users, groups or devices. If multiple policies have been created and are assigned to users, devices or groups, it raises the question as to which of the policies will be applied.
As a basis, the following applies per platform (Android or iOS):
- If different policies are assigned to the same user (this applies also to groups or devices), the policy with the more restrictive content is always applied.
- Policies that are assigned to a user will override policies assigned to a group of which that user is a member.
- Policies assigned to a device will override policies assigned to the user of that device or to a group (of which the user is a member).
For clarification, here are three scenarios that explain the different rules. In our examples, User 11, who uses a Pixel 4a Android device, is a member of the Sales group.
1. Assigning different policies to the same user (group or device)
2. Assigning different policies to users and groups
3. Assigning different policies to devices, users and groups
1. Assigning different policies to the same user (group or device)
In this case, all policies assigned to the user or device will apply.
The policy with the more restrictive content is always applied.
Example:
Under Administration→ Policies, the plus button (arrow in illus.) is used to create a new policy.
The example sets a password policy with high password complexity (upper and middle arrows in the illus.). Apart from that, there are no other changes made to the settings in this window. The use of the status bar remains allowed by default (lower arrow in illus.).
A second policy is also created for User 11. To do so, click on the plus button again (see above). This time, there are no changes made to the default settings of the password policy (upper arrow in the illus.). Instead, the use of the status bar is no longer allowed in this policy (lower arrow in the illus.).
So we've now created one policy which has the Enforce Password option enabled and a second policy in which it is disabled. In addition, we have one policy where the use of the status bar is allowed and a second policy where it is not. Both policies are assigned directly to User 11 (arrows in illus.).
Result:
Only the more restrictive policy applies. Firstly, a high complexity password is now enforced for User 11. And secondly, the use of the status bar is no longer allowed. This can be observed in the Cortado app on User 11's Android device.
2. Assigning different policies to users and groups
If some policies are assigned to a user directly and other policies assigned to the group of which the user is a member, the following applies:
Policies that are assigned directly to users overwrite any existing group policies.
Example:
User 11 has already had two policies assigned directly (see above). Now, by clicking on the plus button (see above) a further policy is created, which serves to enforce the installation of OS updates (arrows in illus.). Apart from that, no other changes are made to the settings in this window.
This new policy is then assigned to the Sales group of which User 11 is a member (arrows in illus.).
Result:
As can be seen under Administration→ Users in the Policies tab, this group policy is not applied to User 11 (arrow in illus.), because policies that are assigned directly to users override group policies.
3. Assigning different policies to devices, users and groups
If policies are assigned directly to a device and additional policies are also assigned to the user of that device, or to groups of which that user is a member, then the following applies:
Policies assigned directly to a device override existing policies assigned to the user or groups.
Example:
Now, with a click on the plus button (see above) a new policy is created. For this policy, the checkbox allow the use of developer options (arrow in illus.) is enabled. Apart from that, there are no other changes made to the settings in this window.
This fourth policy in our example is now assigned directly to User 11's Android device (Pixel 4a) (arrows in illus.).
Result:
As can be seen under Administration→ Devices in the policies tab, for User 11’s Pixel 4a (left arrow in illus.), only the policies that have been directly assigned to the device are applied (right arrow in illus.). Any other policies, whether assigned directly to User 11 or to a group of which User 11 is a member, do not apply.