Administration Guide

Local Navigation

Assigning IT policies and resolving IT policy conflicts

You can assign IT policies directly to a user account or to a group. By default, if you do not assign an IT policy to a user account or a group that the user is a member of, the BlackBerry® Enterprise Server Express applies the Default IT policy to the user account. If you assign an IT policy to a group that a user account is a member of, the BlackBerry Enterprise Server Express applies the group IT policy to the user account. If you assign an IT policy to the user account directly, the BlackBerry Enterprise Server Express applies this IT policy to the user account instead of the group IT policy or Default IT policy.

If a user account is a member of multiple groups that have different IT policies, the BlackBerry Enterprise Server Express must determine which IT policy to apply to the user account. You must use one of the following reconciliation options:

Method

Description

Apply one IT policy to the user account

The BlackBerry Enterprise Server Express applies one of the group IT policies to the user account. You specify rankings for the available IT policies using the BlackBerry Administration Service and the BlackBerry Enterprise Server Express applies the IT policy with the highest ranking.

If you upgrade to BlackBerry Enterprise Server Express 5.0 SP2 or later from a previous version of the BlackBerry Enterprise Server Express, this is the default method for resolving IT policy conflicts.

Apply multiple IT policies to the user account

The BlackBerry Enterprise Server Express applies all of the group IT policies to the user account, resulting in a combined IT policy that has a unique ID. The BlackBerry Enterprise Server Express resolves conflicting IT policy rules using the ranking of the available IT policies that you specified using the BlackBerry Administration Service. If an IT policy rule is different in the multiple IT policies, the BlackBerry Enterprise Server Express applies the rule setting from the IT policy that you ranked the highest.

If you install BlackBerry Enterprise Server Express 5.0 SP2 or later, this is the default method for resolving IT policy conflicts.

Option 1: Applying one IT policy to each user account

You can configure the BlackBerry® Enterprise Server Express to apply only one IT policy to a user account when a user account is a member of multiple groups that have different IT policies. In this scenario, the BlackBerry Enterprise Server Express applies the IT policy that you ranked the highest in the BlackBerry Administration Service.

If you upgrade to BlackBerry Enterprise Server Express 5.0 SP2 or later from a previous version of the BlackBerry Enterprise Server Express, this is the default method for resolving IT policy conflicts. If you install BlackBerry Enterprise Server Express 5.0 SP2 or later, the default method for resolving IT policy conflicts is to apply multiple IT policies to each user account and create a combined IT policy that has a unique ID for the user account.

Reconciliation rules for conflicting IT policies when you apply one IT policy to the user account

The BlackBerry® Enterprise Server Express can apply only one IT policy to a user account. Since you can assign IT policies to user accounts, groups, or the BlackBerry Domain, the BlackBerry Administration Service uses predefined rules to determine which IT policy it can apply to a user account.

The BlackBerry Administration Service might have to reconcile conflicting IT policies if you perform any of the following actions:

  • add an IT policy to or remove an IT policy from a user account or group
  • change an IT policy
  • change the ranking of IT policies
  • delete an IT policy

Scenario

Rule

You add a new user account to a BlackBerry Enterprise Server Express. You do not assign an IT policy directly to the user account and you do not add the user to a group.

The IT policy that you assigned to the BlackBerry Domain, or the Default IT policy that is assigned to the BlackBerry Domain, is assigned to the user account.

You assign an IT policy to a user account and a different IT policy to a group that the user account belongs to.

The IT policy that you assign to a user account takes precedence over an IT policy that you assign to a group. An IT policy that you assign to a group takes precedence over the IT policy that you assign to the BlackBerry Domain (or the Default IT policy).

A user account belongs to multiple groups. You assign multiple IT policies to the groups but do not assign an IT policy to the user account.

The BlackBerry Enterprise Server Express applies the IT policy that you ranked the highest in the BlackBerry Administration Service to the user account.

Change the method that the BlackBerry Enterprise Server Express uses to resolve conflicting IT policies

You can change the method that the BlackBerry® Enterprise Server Express uses to determine what IT policy to apply to a user account when a user account belongs to multiple groups that have different IT policies. If you change the method used to resolve conflicting IT policies, the next IT policy reconciliation process that occurs might have a significant impact on the performance of your organization's BlackBerry Enterprise Server Express environment. It is a best practice to configure this feature during low usage periods.
  1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry solution topology > BlackBerry Domain > Component view.
  2. Click BlackBerry Administration Service.
  3. At the bottom of the page, click Switch method to resolve multiple IT policies.
  4. Click Yes - Switch the method.

Rank IT policies

You must rank the IT policies that you create so that the BlackBerry® Enterprise Server Express can resolve IT policy conflicts when a user account is a member of multiple groups that have different IT policies.
  1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy.
  2. Click Manage IT policies.
  3. Click Set priority of IT policies.
  4. To move the IT policies higher or lower in the list, click the up arrow icon or down arrow icon.
  5. Click Save.

Option 2: Applying multiple IT policies to each user account

You can configure the BlackBerry® Enterprise Server Express to apply multiple IT policies to a user account when a user account is a member of multiple groups that have different IT policies. The BlackBerry Enterprise Server Express creates a combined IT policy for the user account that has a unique ID by applying the policy rules from the multiple IT policies and resolving any conflicting rule settings. The BlackBerry Enterprise Server Express resolves conflicting rule settings by applying the rule setting from the IT policy that you ranked the highest in the BlackBerry Administration Service.

If you install BlackBerry Enterprise Server Express 5.0 SP2 or later, this is the default method for resolving IT policy conflicts. If you upgrade to BlackBerry Enterprise Server Express 5.0 SP2 or later from a previous version of the BlackBerry Enterprise Server Express, the default method for resolving IT policy conflicts is to assign one IT policy to each user account according to the rankings of the IT policies that you specify in the BlackBerry Administration Service.

Reconciliation rules for conflicting IT policies when you apply multiple IT policies to a user account

The BlackBerry® Enterprise Server Express can apply multiple IT policies to a user account if the user account is a member of multiple groups that have different IT policies. Since you can assign IT policies to user accounts, groups, or the BlackBerry Domain, the BlackBerry Administration Service uses predefined rules to apply an IT policy to a user account.

The BlackBerry Administration Service might have to reconcile conflicting IT policies if you perform any of the following actions:

  • add an IT policy to or remove an IT policy from a user account or group
  • change an IT policy
  • change the ranking of IT policies
  • delete an IT policy

Scenario

Rule

You add a new user account to a BlackBerry Enterprise Server Express. You do not assign an IT policy directly to the user account and you do not add the user account to a group.

The IT policy that you assigned to the BlackBerry Domain, or the default IT policy for the BlackBerry Domain, is assigned to the user account.

You assign an IT policy to a user account and different IT policies to the groups that the user account belongs to.

The IT policy that you assign to a user account takes precedence over the IT policies that you assign to the groups that the user belongs to. An IT policy that you assign to a group takes precedence over the IT policy that you assigned to the BlackBerry Domain (or the Default IT policy).

A user account belongs to multiple groups. You assign multiple IT policies to the groups but you do not assign an IT policy to the user account.

If you assign multiple IT policies to the groups that the user account belongs to, the BlackBerry Enterprise Server Express resolves the IT policy rule settings in the multiple IT policies and assigns a combined IT policy that has a unique ID to the user account. The BlackBerry Enterprise Server Express resolves conflicting settings for IT policy rules by applying the rule setting from the IT policy that you ranked the highest in the BlackBerry Administration Service.

For example, you configure the Disable Photo Camera IT policy rule to Yes in IT policy A and to No in IT policy B. If you rank IT policy A higher than IT policy B, the Yes setting is applied for this rule.

A user account belongs to two groups. You assign the first group IT policy A, which has the Allow Browser IT policy rule as blank (which means that it uses the default value of Yes). You assign the second group IT policy B, which has the Allow Browser IT policy rule set to No. You ranked IT policy A higher than IT policy B in the BlackBerry Administration Service.

When the BlackBerry Enterprise Server Express resolves conflicting rule settings, any rule settings that have been explicitly configured to a value take precedence over IT policy rule settings that are blank (these rules revert to the default value).

For example, in this scenario, the Allow Browser IT policy rule setting from IT policy B, No, is applied to the user account even though IT policy A is ranked higher than IT policy B, because the Allow Browser IT policy rule is blank in IT policy A. If the Allower Browser IT policy rule was configured to Yes in IT policy A, the Yes value would be applied to the user account.

Change the method that the BlackBerry Enterprise Server Express uses to resolve conflicting IT policies

You can change the method that the BlackBerry® Enterprise Server Express uses to determine what IT policy to apply to a user account when a user account belongs to multiple groups that have different IT policies. If you change the method used to resolve conflicting IT policies, the next IT policy reconciliation process that occurs might have a significant impact on the performance of your organization's BlackBerry Enterprise Server Express environment. It is a best practice to configure this feature during low usage periods.
  1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry solution topology > BlackBerry Domain > Component view.
  2. Click BlackBerry Administration Service.
  3. At the bottom of the page, click Switch method to resolve multiple IT policies.
  4. Click Yes - Switch the method.

Rank IT policies

You must rank the IT policies that you create so that the BlackBerry® Enterprise Server Express can resolve IT policy conflicts when a user account is a member of multiple groups that have different IT policies.
  1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy.
  2. Click Manage IT policies.
  3. Click Set priority of IT policies.
  4. To move the IT policies higher or lower in the list, click the up arrow icon or down arrow icon.
  5. Click Save.

Preview how the BlackBerry Enterprise Server Express resolves IT policy conflicts

You can preview how the BlackBerry® Enterprise Server Express resolves conflicting settings for IT policy rules for multiple IT policies that you select. You can use this feature to determine which IT policies have conflicting IT policy rules and how the BlackBerry Enterprise Server Express resolves the conflicting rules. The preview displays the conflicting IT policy rules and the resolved settings for each rule. If an IT policy rule is not conflicting in the multiple IT policies that you selected, the preview does not display the policy rule in the results.
  1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy.
  2. Click Manage IT policies.
  3. Click Preview resolved IT policies.
  4. Select two or more IT policies.
  5. Click Preview.

View the resolved IT policy rules that are assigned to a user account

If a user account belongs to multiple groups, and you assign a different IT policy to each group, the BlackBerry® Enterprise Server Express resolves conflicting IT policies or IT policy rule settings using the reconciliation method that you select in the BlackBerry Administration Service. You can view the results of the IT policy reconciliation and the settings that the BlackBerry Enterprise Server Express resolves for each rule in the BlackBerry Administration Service. If an IT policy rule is not conflicting in the multiple IT policies that were applied to the user account, the preview does not display the IT policy rule.

  1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
  2. Click Manage users.
  3. Search for a user account.
  4. In the search results, click the display name for a user account.
  5. On the Policies tab, in the Resolved IT Policy name section, click the name of the IT policy.

Was this information helpful? Send us your comments.