Administration Guide

Assigning IT policies and resolving IT policy conflicts

You can assign IT policies directly to a user account or to a group. By default, if you do not assign an IT policy to a user account or a group that the user is a member of, the BlackBerry® Enterprise Server applies the Default IT policy to the user account. If you assign an IT policy to a group that a user account is a member of, the BlackBerry Enterprise Server applies the group IT policy to the user account. If you assign an IT policy to the user account directly, the BlackBerry Enterprise Server applies this IT policy to the user account instead of the group IT policy or Default IT policy.

If a user account is a member of multiple groups that have different IT policies, the BlackBerry Enterprise Server must determine which IT policy to apply to the user account. You must use one of the following reconciliation options:

Method: Apply one IT policy to the user account

Description: The BlackBerry Enterprise Server applies one of the group IT policies to the user account. You specify rankings for the available IT policies using the BlackBerry Administration Service and the BlackBerry Enterprise Server applies the IT policy with the highest ranking.

If you upgrade to BlackBerry Enterprise Server 5.0 SP2 or later from a previous version of the BlackBerry Enterprise Server, this is the default method for resolving IT policy conflicts.

Method: Apply multiple IT policies to the user account

Description: The BlackBerry Enterprise Server applies all of the group IT policies to the user account, resulting in a combined IT policy that has a unique ID. The BlackBerry Enterprise Server resolves conflicting IT policy rules using the ranking of the available IT policies that you specified using the BlackBerry Administration Service. If an IT policy rule is different in the multiple IT policies, the BlackBerry Enterprise Server applies the rule setting from the IT policy that you ranked the highest.

If you install BlackBerry Enterprise Server 5.0 SP2 or later, this is the default method for resolving IT policy conflicts.

Option 1: Applying one IT policy to each user account

You can configure the BlackBerry® Enterprise Server to apply only one IT policy to a user account when a user account is a member of multiple groups that have different IT policies. In this scenario, the BlackBerry Enterprise Server applies the IT policy that you ranked the highest in the BlackBerry Administration Service.

If you upgrade to BlackBerry Enterprise Server 5.0 SP2 or later from a previous version of the BlackBerry Enterprise Server, this is the default method for resolving IT policy conflicts. If you install BlackBerry Enterprise Server 5.0 SP2 or later, the default method for resolving IT policy conflicts is to apply multiple IT policies to each user account and create a combined IT policy that has a unique ID for the user account.

Reconciliation rules for conflicting IT policies when you apply one IT policy to the user account

The BlackBerry® Enterprise Server can apply only one IT policy to a user account. Since you can assign IT policies to user accounts, groups, or the BlackBerry Domain, the BlackBerry Administration Service uses predefined rules to determine which IT policy it can apply to a user account.

The BlackBerry Administration Service might have to reconcile conflicting IT policies if you perform any of the following actions:

  • add an IT policy to or remove an IT policy from a user account or group
  • change an IT policy
  • change the ranking of IT policies
  • delete an IT policy

Scenario: You add a new user account to a BlackBerry Enterprise Server. You do not assign an IT policy directly to the user account and you do not add the user to a group.

Rule: The IT policy that you assigned to the BlackBerry Domain, or the Default IT policy that is assigned to the BlackBerry Domain, is assigned to the user account.

Scenario: You assign an IT policy to a user account and a different IT policy to a group that the user account belongs to.

Rule: The IT policy that you assign to a user account takes precedence over an IT policy that you assign to a group. An IT policy that you assign to a group takes precedence over the IT policy that you assign to the BlackBerry Domain (or the Default IT policy).

Scenario: A user account belongs to multiple groups. You assign multiple IT policies to the groups but do not assign an IT policy to the user account.

Rule: The BlackBerry Enterprise Server applies the IT policy that you ranked the highest in the BlackBerry Administration Service to the user account.

Change the method that the BlackBerry Enterprise Server uses to resolve conflicting IT policies

You can change the method that the BlackBerry® Enterprise Server uses to determine what IT policy to apply to a user account when a user account belongs to multiple groups that have different IT policies. If you change the method used to resolve conflicting IT policies, the next IT policy reconciliation process that occurs might have a significant impact on the performance of your organization's BlackBerry Enterprise Server environment. It is a best practice to configure this feature during low usage periods.
  1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry solution topology > BlackBerry Domain > Component view.
  2. Click BlackBerry Administration Service.
  3. At the bottom of the page, click Switch method to resolve multiple IT policies.
  4. Click Yes - Switch the method.

Rank IT policies

You must rank the IT policies that you create so that the BlackBerry® Enterprise Server can resolve IT policy conflicts when a user account is a member of multiple groups that have different IT policies.
  1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy.
  2. Click Manage IT policies.
  3. Click Set priority of IT policies.
  4. To move the IT policies higher or lower in the list, click the up arrow icon or down arrow icon.
  5. Click Save.

Option 2: Applying multiple IT policies to each user account

You can configure the BlackBerry® Enterprise Server to apply multiple IT policies to a user account when a user account is a member of multiple groups that have different IT policies. The BlackBerry Enterprise Server creates a combined IT policy for the user account that has a unique ID by applying the policy rules from the multiple IT policies and resolving any conflicting rule settings. The BlackBerry Enterprise Server resolves conflicting rule settings by applying the rule setting from the IT policy that you ranked the highest in the BlackBerry Administration Service.

If you install BlackBerry Enterprise Server 5.0 SP2 or later, this is the default method for resolving IT policy conflicts. If you upgrade to BlackBerry Enterprise Server 5.0 SP2 or later from a previous version of the BlackBerry Enterprise Server, the default method for resolving IT policy conflicts is to assign one IT policy to each user account according to the rankings of the IT policies that you specify in the BlackBerry Administration Service.

Reconciliation rules for conflicting IT policies when you apply multiple IT policies to a user account

The BlackBerry® Enterprise Server can apply multiple IT policies to a user account if the user account is a member of multiple groups that have different IT policies. Since you can assign IT policies to user accounts, groups, or the BlackBerry Domain, the BlackBerry Administration Service uses predefined rules to apply an IT policy to a user account.

The BlackBerry Administration Service might have to reconcile conflicting IT policies if you perform any of the following actions:

  • add an IT policy to or remove an IT policy from a user account or group
  • change an IT policy
  • change the ranking of IT policies
  • delete an IT policy

Scenario: You add a new user account to a BlackBerry Enterprise Server. You do not assign an IT policy directly to the user account and you do not add the user account to a group.

Rule: The Default IT policy (applied at the BlackBerry Domain level) is assigned to the user account.

Scenario: You assign an IT policy to a user account and different IT policies to the groups that the user account belongs to.

Rule: The IT policy that you assign to a user account takes precedence over the IT policies that you assign to the groups that the user belongs to. An IT policy that you assign to a group takes precedence over the Default IT policy (applied at the BlackBerry Domain level).

Scenario: A user account belongs to multiple groups. You assign multiple IT policies to the groups but you do not assign an IT policy to the user account.

Rule: If you assign multiple IT policies to the groups that the user account belongs to, the BlackBerry Enterprise Server resolves the IT policy rule settings in the multiple IT policies and assigns a combined IT policy that has a unique ID to the user account. The BlackBerry Enterprise Server resolves conflicting settings for IT policy rules by applying the rule setting from the IT policy that you ranked the highest in the BlackBerry Administration Service.

For example, you configure the Disable Photo Camera IT policy rule to Yes in IT policy A and to No in IT policy B. If you rank IT policy A higher than IT policy B, the Yes setting is applied for this rule.

Scenario: A user account belongs to two groups. You assign the first group IT policy A, which has the Allow Browser IT policy rule as blank (which means that it uses the default value of Yes). You assign the second group IT policy B, which has the Allow Browser IT policy rule set to No. You ranked IT policy A higher than IT policy B in the BlackBerry Administration Service.

Rule: When the BlackBerry Enterprise Server resolves conflicting rule settings, any rule settings that have been explicitly configured to a value take precedence over IT policy rule settings that are blank (these rules revert to the default value).

For example, in this scenario, the Allow Browser IT policy rule setting from IT policy B, No, is applied to the user account even though IT policy A is ranked higher than IT policy B, because the Allow Browser IT policy rule is blank in IT policy A. If the Allow Browser IT policy rule was configured to Yes in IT policy A, the Yes value would be applied to the user account.
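The reconciliation rules for both options can be modelled in a few lines to audit which policy actually decides each rule. The following is an added example, not BlackBerry code and not part of the original guide; the function names, the "Default" key and the sample policies A and B (taken from the scenarios above) are assumptions made for illustration.

```python
# Model of the reconciliation rules described above; not BlackBerry code.
# Policy names, rule values and the ranking are constructed sample data.

def explicit(policy):
    """Drop blank rules (None): a blank rule falls back to its default value."""
    return {rule: value for rule, value in policy.items() if value is not None}

def resolve(user_policy, group_policies, ranking, policies, mode):
    """Return (name, {rule: (value, source_policy)}) for one user account.

    ranking  -- policy names, highest rank first
    policies -- name -> {rule: value}; None marks a blank rule
    mode     -- "single" (Option 1) or "multiple" (Option 2)
    """
    if user_policy:                      # direct assignment replaces group policies
        chosen = [user_policy]
    elif not group_policies:             # nothing assigned: Default IT policy
        chosen = ["Default"]
    else:
        chosen = sorted(set(group_policies), key=ranking.index)
        if mode == "single":             # Option 1: highest-ranked policy only
            chosen = chosen[:1]
    resolved = {}
    for name in chosen:                  # highest rank first
        for rule, value in explicit(policies[name]).items():
            resolved.setdefault(rule, (value, name))  # first explicit value wins
    label = chosen[0] if len(chosen) == 1 else "combined(" + "+".join(chosen) + ")"
    return label, resolved

def decided_by_lower_rank(resolved, top_policy):
    """Rules whose value came from a policy other than the highest-ranked one."""
    return sorted(r for r, (_, src) in resolved.items() if src != top_policy)

# Constructed sample data mirroring IT policy A and IT policy B above.
POLICIES = {
    "Default": {},
    "A": {"Disable Photo Camera": "Yes", "Allow Browser": None},
    "B": {"Disable Photo Camera": "No", "Allow Browser": "No"},
}
RANKING = ["A", "B", "Default"]

if __name__ == "__main__":
    for mode in ("single", "multiple"):
        print(mode, resolve(None, ["B", "A"], RANKING, POLICIES, mode))
```

With the same group memberships, the "single" method leaves Allow Browser blank (default value), while the "multiple" method applies No from the lower-ranked IT policy B; decided_by_lower_rank lists the rules where that happens.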

Preview how the BlackBerry Enterprise Server resolves IT policy conflicts

You can preview how the BlackBerry® Enterprise Server resolves conflicting settings for IT policy rules for multiple IT policies that you select. You can use this feature to determine which IT policies have conflicting IT policy rules and how the BlackBerry Enterprise Server resolves the conflicting rules. The preview displays the conflicting IT policy rules and the resolved settings for each rule. If an IT policy rule is not conflicting in the multiple IT policies that you selected, the preview does not display the policy rule in the results.
  1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy.
  2. Click Manage IT policies.
  3. Click Preview resolved IT policies.
  4. Select two or more IT policies.
  5. Click Preview.

View the resolved IT policy rules that are assigned to a user account

If a user account belongs to multiple groups, and you assign a different IT policy to each group, the BlackBerry® Enterprise Server resolves conflicting IT policies or IT policy rule settings using the reconciliation method that you select in the BlackBerry Administration Service. You can view the results of the IT policy reconciliation and the settings that the BlackBerry Enterprise Server resolves for each rule in the BlackBerry Administration Service. If an IT policy rule is not conflicting in the multiple IT policies that were applied to the user account, the preview does not display the IT policy rule.

  1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
  2. Click Manage users.
  3. Search for a user account.
  4. In the search results, click the display name for a user account.
  5. On the Policies tab, in the Resolved IT Policy name section, click the name of the IT policy.