An endpoint may be eligible for multiple endpoint policies. When an endpoint is eligible for multiple endpoint policies, the following factors determine which endpoint policy EMS applies to the endpoint:
- EMS only applies endpoint policies to endpoints if they are enabled on the Endpoint Policy & Components Manage Policies page.
- If an endpoint is eligible for multiple enabled endpoint policies, EMS determines which policy to apply using the following order:
- If there is a policy directly assigned to the user (configured in the Users field for the endpoint policy), EMS assigns that policy to the endpoint.
- If there are policies assigned to the group container and/or user group, EMS assigns the policy with the highest priority level to the endpoint.
- If there are inherited policies for group container and/or user group (policies assigned to a parent container or group), EMS assigns the policy with the highest priority level to the endpoint.
To change endpoint policy priority levels:
- Go to Endpoint Policy & Components Manage Policies.
- Click Change Priority.
- Click and hold the policy name, then drag to the desired position.
- Click Save Priority.
In the examples, there are three endpoint policies:
In this example, all three policies are enabled. The All Groups/Seattle/HR subgroup is eligible for both the Seattle_general and Seattle_HR policies. In this scenario, EMS applies the first eligible endpoint policy, Seattle_general, to the All Groups/Seattle/HR subgroup.
In this example, the Seattle_general endpoint policy has been disabled. The All Groups/Seattle/HR group is still eligible for both policies. Since the Seattle_general policy is disabled, EMS applies Seattle_HR to the All Groups/Seattle/HR group.
Consider that you then make the following changes:
- Enable Seattle_general
- Move policies so that they have the following priorities:
- SF_general: 1
- Seattle_HR: 2
- Seattle_general: 3
In this example, the All Groups/Seattle/HR group is eligible for two policies: Seattle_HR and Seattle_general. Since Seattle_HR comes before Seattle_general in the priority list, EMS applies Seattle_HR to All Groups/Seattle/HR.
Even though SF_general is set to priority 1, EMS does not apply it to All Groups/Seattle/HR, since All Groups/Seattle/HR is not eligible for that policy.