Resolving conflicting assignments and precedence rules

BlackBerry Intelligent Security policy can execute only the actions that are configured for the different types and levels of risk. UEM administrators can create and assign groups, policies, profiles, and apps using the standard management console features. These assignments are not impacted by the BlackBerry Intelligent Security policy, but the group assignments carried out by the policy may result in conflicting assignments that UEM must resolve. For more information, see How BlackBerry UEM chooses which profiles to assign in the UEM Administration content.
To ensure that conflicts are resolved properly, verify that the appropriate ranking is set for each resource in the UEM management console. For more information about how to set rankings, see the BlackBerry UEM Administration content.
BlackBerry Intelligent Security uses the following precedence rules to determine which risk actions to execute when both identity risk and geozone risk actions are enabled. The rules are executed in the order listed, and processing stops as soon as a rule is satisfied.
In the scenarios below where both identity risk actions and geozone risk actions are executed, all risk actions are aggregated into a pool of actions. If this results in more than one risk action of the same type (for example, more than one group assignment), only one action of that type is executed, with priority given to the identity risk action (unless otherwise noted). For example, in a scenario where identity risk is high and geozone risk is high, and both risk actions are group assignments, only the group assignment for identity risk is executed. In the same scenario, if the identity risk action is a group assignment and the geozone risk action is “Block all BlackBerry Dynamics apps”, both actions are executed.
High identity risk
  • If a user's identity risk (behavioral engine) is high, and any level of geozone risk is processed (high, medium, low), the high identity risk actions and the default high geozone risk actions are executed.
  • If a user's identity risk (behavioral engine) is high, and the user is in a defined geozone with a custom risk action, the custom risk action for the defined geozone is not executed. Custom risk actions for defined geozones are executed only if identity risk is medium or low or if the behavioral risk engine is disabled.
  • If a user's identity risk (behavioral engine) is high, and a risk action is configured for “Undefined geozone”, the risk action for the undefined geozone is not executed. The undefined geozone is considered a custom risk action, so the same rules apply.
Medium or low identity risk
  • If a user's identity risk (behavioral engine) is medium or low, and the user is in a defined geozone with a custom risk action, the identity risk actions and the custom risk actions for the defined geozone are executed. The custom risk actions of the same type take precedence.
  • If a user's identity risk (behavioral engine) is medium or low, and the user is in an “Undefined geozone” with custom risk actions, the identity risk actions and the custom risk actions for the undefined geozone are executed. The undefined geozone risk actions of the same type take precedence.
  • If a user's identity risk (behavioral engine) is medium or low, and the user’s geozone risk (default configuration) is high, the identity risk actions and the high geozone risk actions are executed. The high geozone risk actions of the same type take precedence.
  • If a user's identity risk (behavioral engine) is medium or low, and the user’s geozone risk (default configuration) is medium or low, the identity risk actions and geozone risk actions are executed.
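The precedence rules above can be modelled as a small resolver for checking which actions a given risk combination should produce. This is an added Python example, not BlackBerry code: the action type names, group names and dictionary layout are constructed, and it assumes the behavioral engine is enabled and reads the first high identity risk bullet literally (default high geozone actions apply whatever geozone level is processed).

```python
# Added illustration of the precedence rules; not BlackBerry code.
# Action types ("group", "dynamics") and every value below are constructed samples.
IDENTITY_ACTIONS = {
    "high": {"group": "Identity-High-Group"},
    "medium": {"group": "Identity-Medium-Group"},
    "low": {},
}
DEFAULT_GEOZONE_ACTIONS = {
    "high": {"group": "Geo-High-Group",
             "dynamics": "Block all BlackBerry Dynamics apps"},
    "medium": {"group": "Geo-Medium-Group"},
    "low": {},
}
LEVELS = ("high", "medium", "low")


def resolve_actions(identity_level, geozone_level, custom_geozone_actions=None,
                    identity_actions=IDENTITY_ACTIONS,
                    default_geozone_actions=DEFAULT_GEOZONE_ACTIONS):
    """Return the {action_type: action} pool executed for one user.

    custom_geozone_actions is the action set of a defined geozone or of the
    "Undefined geozone" entry, or None when only default geozone risk applies.
    At most one action per type survives aggregation.
    """
    if identity_level not in LEVELS or geozone_level not in LEVELS:
        raise ValueError("risk levels must be high, medium or low")
    ident = identity_actions[identity_level]

    if identity_level == "high":
        # Custom (defined or undefined geozone) actions are not executed;
        # default high geozone actions are, and identity wins on the same type.
        return {**default_geozone_actions["high"], **ident}
    if custom_geozone_actions is not None:
        # Medium/low identity risk: custom geozone actions win on the same type.
        return {**ident, **custom_geozone_actions}
    geo = default_geozone_actions[geozone_level]
    if geozone_level == "high":
        # High default geozone risk wins on the same type.
        return {**ident, **geo}
    # Medium/low on both sides: general rule, identity wins on the same type.
    return {**geo, **ident}


if __name__ == "__main__":
    for ident, geo, custom in [("high", "low", {"group": "Office-Group"}),
                               ("medium", "low", {"group": "Office-Group"}),
                               ("low", "high", None), ("medium", "medium", None)]:
        print(ident, geo, custom, "->", resolve_actions(ident, geo, custom))
```

Comparing the resolver's output with the groups a test user actually lands in is a quick way to confirm that rankings in the management console resolve conflicts the way the policy intends.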