IBM Security MaaS360


Policy delivery flow in maas360 simplified!

By Chiranth C posted Thu July 15, 2021 08:35 AM

  

Have you been looking for an easier way to find out what policy is assigned to a device at any given point in time? We’ve put together a few frequently asked scenarios to help explain how policy priority is applied within MaaS360. While there are several ways to change a policy on an MDM device, we will walk through the options. Before you begin, it’s important to first understand the objective and key workflows:

Default Policy Change

A default MDM policy for every platform is set for all new customers. This will flow down to the device once it is enrolled into the MaaS360 portal. To change that default policy, follow these steps:

 

SECURITY > Policies > (Choose a policy of that platform) Set as Default.

 

A customer can have only one policy set as default for each platform, and there can be no customer without a default MDM policy. Once a new policy is set as the default, a policy evaluation will happen. All the devices of the same platform that are currently on the default policy will receive this new default policy.

 

Now that we are on the Policies page, let us explore a few more scenarios where a policy evaluation could happen.

Policy Publish

Policies can be edited and adjusted based on the client requirement. Every time you edit a policy, an incremental policy version is created. When policy evaluations happen, the devices on an edited policy will receive the latest version of that policy.

Enrollment
Enrollment is the first step in registering any device into the MaaS360 portal. As previously mentioned, devices that are enrolled will automatically receive the Default MDM policy of their respective platform.

DEFAULT_POLICY

However, the default policy can be overridden during enrollment.

The steps to do this are:

Add Device > Advanced > Platform & MDM Policy > Select Platform > Select Policy.

ENROLLMENT_POLICY

During enrollment, the device has an opportunity to receive a higher priority policy. It can be any policy among the group-level, location-level or rule-level policies. The default policy is now the lowest priority in the hierarchy, followed by an explicit assignment. Explicit assignments can be made during enrollment as well as from Device View.

Device View Assignment

A policy change on the device can be made from the device view by following these steps:

DEVICES > Inventory > More > Change Policy

or

DEVICES > Inventory > View > More > Change Policy

This opens a pop-up page where a policy can be selected from the drop-down.

DEVICE_VIEW_ASSIGNMENT

 

Let’s look at this from the priority point of view.

Device view policy changes will be reflected on the device unless it has been assigned a policy of higher priority. A device that has a group-level, location-level or rule-level policy will stay on its respective assigned policy. Let’s take a closer look to better understand the concept of hierarchy and group-level assignments.

Group-level Assignment

Group assignment has two variants: Static and Dynamic. A group-level assignment can be made to both a device group and a user group by applying this action:

 

DEVICES/USERS > Groups > More > Change Policy > Select a Policy Set.

 

You will then see an "Auto assign to new devices" check box, which determines whether the assignment is static or dynamic. The info icon below it gives more detail about the checkbox.

GROUP_POLICY

 

  1. Static Assignment – A one-time assignment of the policy. All the devices that are part of the group at the time of the assignment will receive that policy. This is treated as a device view assignment and pushed out in bulk.
  2. Dynamic Assignment – An automated way of assigning a policy at the group level. Any device that is part of the group gets the dynamic policy. This includes existing devices as well as any new device that later becomes part of this group.
  • A dynamic assignment has a higher priority than a device view assignment.

Devices that are part of multiple groups receive the policy with the highest precedence.

During a group-level assignment, devices that have location-level or rule-level policies will still stay on their respective assigned policy, since a location-level or rule-level assignment has a higher priority than a group-level assignment. Policy precedence plays a significant role in group-level assignment, so let us explore that further.

Precedence Change

A device can be part of multiple groups, and each group can have a different dynamic policy assigned. In that case, the precedence of the policies decides which policy the device should get: the highest precedence policy will always flow down to the device.

The precedence of policies can also be changed on the Policies page by following these steps:

SECURITY > Policies > Precedence

PRECEDENCE_POLICY

 

Within this table, you can drag and drop the policy sets into the order of precedence needed. The top entry has the highest precedence and the bottom entry the lowest. This action can be applied to all platforms supported by the customer, either all at once or one platform at a time.

 

Let’s continue exploring location-level assignments now.

Location Policy

When it comes to locations, policy assignments can flow differently in two situations:

  1. When a Change Policy action is performed from the Location page.
  2. When the location status changes from check-in to check-out, or from check-out to check-in.

 

Devices that report a location to the portal will be in a checked-in or checked-out state based on the location created. If the device is in the checked-in state and the Assign Policies action is initiated from the Location page, then it falls under the first scenario.

 

This can be done by navigating to:

SECURITY > Locations > Assign Policies > Select Policy > Select Device Group.

LOCATION_POLICY

 

Location policy assignment also depends on the group to which a device belongs: any device that has a location policy is part of the group selected on the Location page.

 

In the second scenario, the location status decides the policy on the device. The device gets the location policy whenever it enters the checked-in state, and when it goes from the location to the checked-out state it gets the checkout policy. In this situation, the checkout policy is of lower precedence than the location policy; it can be either a group-level, device view or default policy.

 

Here are a few examples:

  • The device is part of a group to which a policy is assigned.
    • On check-in, the device would get a location policy.
    • On check-out, the device would get a group policy.
  • The device has a device view policy.
    • On check-in, the device would get a location policy.
    • On check-out, the device would get a device view policy.
  • The device is on default policy.
    • On check-in, the device would get a location policy.
    • On check-out, the device would get the default policy.

Now let us see how rules play a role in the policy assignment flow.

Rule Policy

Enforcement Actions are where action configuration is done. These configured actions take effect on the device, based on the duration set, once the device goes out of compliance. One such action is Change Policy: a device that goes out of compliance gets this rule policy. Rule-level policy has the highest priority in the system.
Devices that come back into compliance get either the location-level, group-level, device view or default policy.

RULE_POLICY


As we come to the end of this discussion, let’s review the policy priority.

 

The priority order looks like this:

RULE > LOCATION > GROUP LEVEL > EXPLICIT OR DEVICE VIEW > DEFAULT

RULE being the highest and DEFAULT being the lowest.
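To make the hierarchy concrete, here is an added Python model of the evaluation order described in this post, covering the group precedence table, the location check-in/check-out transition and the rule policy. It is not MaaS360 code; the Device fields, policy names and the precedence table are constructed for the illustration.

```python
# Added illustration (not MaaS360 code): a small model of the policy
# evaluation order RULE > LOCATION > GROUP LEVEL > EXPLICIT/DEVICE VIEW > DEFAULT.
# All names below are constructed for the example.
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample data: one default policy per platform and the
# drag-and-drop precedence table from SECURITY > Policies > Precedence
# (top entry = highest precedence).
DEFAULT_POLICIES = {"iOS": "iOS Default", "Android": "Android Default"}
PRECEDENCE = ["Exec Group Policy", "Sales Group Policy", "All Staff Policy"]


@dataclass
class Device:
    platform: str
    explicit_policy: Optional[str] = None            # enrollment, Device View or static group
    group_policies: List[str] = field(default_factory=list)  # dynamic group policies
    location_policy: Optional[str] = None            # assigned on the Location page
    checked_in: bool = False                         # location status
    rule_policy: Optional[str] = None                # Change Policy enforcement action
    in_compliance: bool = True


def highest_group_policy(policies: List[str]) -> Optional[str]:
    """Among several dynamic group policies, the one highest in the precedence table wins."""
    ranked = [p for p in PRECEDENCE if p in policies]
    return ranked[0] if ranked else None


def resolve(device: Device) -> str:
    """Return the policy that flows down to the device after an evaluation."""
    if device.rule_policy and not device.in_compliance:
        return device.rule_policy                    # rule level: highest priority
    if device.location_policy and device.checked_in:
        return device.location_policy                # location level while checked in
    group = highest_group_policy(device.group_policies)
    if group:
        return group                                 # dynamic group level
    if device.explicit_policy:
        return device.explicit_policy                # explicit / device view
    return DEFAULT_POLICIES[device.platform]         # platform default


def checkout(device: Device) -> str:
    """Check-out flips the location status; the re-evaluation yields the checkout policy."""
    device.checked_in = False
    return resolve(device)
```

Calling `checkout()` on a device that was on a location policy returns whichever of the group, device view or default policy sits next in the hierarchy, which reproduces the three examples in the Location Policy section.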

 

We hope this blog has helped to explain and simplify the policy delivery flow capabilities within MaaS360. As always, we encourage you to post comments and questions to this blog or start a discussion post on the Community.
