Resolving conflicting assignments and precedence rules

A BlackBerry Persona policy can execute only the actions that are configured for the different types and levels of risk. UEM administrators can create and assign groups, policies, profiles, and apps using the standard management console features. These assignments are not impacted by the BlackBerry Persona policy, but the group assignments carried out by the policy may result in conflicting assignments that UEM must resolve. For more information, see How BlackBerry UEM chooses which profiles to assign in the UEM Administration content.
To ensure that conflicts are resolved properly, verify that the appropriate ranking is set for each resource in the UEM management console. For more information about how to set rankings, see the BlackBerry UEM Administration content.
Persona uses the following precedence rules to determine which risk actions to execute when both identity risk and geozone risk actions are enabled. The rules are executed in the order listed, and processing stops as soon as a rule is satisfied.
In the scenarios below where both identity risk actions and geozone risk actions are executed, all risk actions are aggregated into a pool of actions. If this results in more than one risk action of the same type (for example, more than one group assignment), only one action of that type is executed, with priority given to the identity risk action (unless otherwise noted). For example, in a scenario where identity risk is high and geozone risk is high, and both risk actions are group assignments, only the group assignment for identity risk is executed. In the same scenario, if the identity risk action is a group assignment and the geozone risk action is “Block all BlackBerry Dynamics apps”, both actions are executed.
Critical or high identity risk
  • If a user's identity risk (behavioral, IP address, or app anomaly) is critical or high, and any level of geozone risk is processed (high, medium, low), the critical or high identity risk actions (whichever level is higher) and the default high geozone risk actions are executed.
  • If a user's identity risk (behavioral, IP address, or app anomaly) is critical or high, and the user is in a defined geozone with a custom risk action, the custom risk action for the defined geozone is not executed. Custom risk actions for defined geozones are executed only if identity risk is medium or low or if the behavioral and app anomaly risk engines are disabled.
  • If a user's identity risk (behavioral, IP address, or app anomaly) is critical or high, and a risk action is configured for “Undefined geozone”, the risk action for the undefined geozone is not executed. The undefined geozone is considered a custom risk action, so the same rules apply.
Medium or low identity risk
  • If a user's identity risk (behavioral or IP address) is medium or low, and the user is in a defined geozone with a custom risk action, the identity risk actions and the custom risk actions for the defined geozone are executed. The custom risk actions of the same type take precedence.
  • If a user's identity risk (behavioral or IP address) is medium or low, and the user is in an “Undefined geozone” with custom risk actions, the identity risk actions and the custom risk actions for the undefined geozone are executed. The undefined geozone risk actions of the same type take precedence.
  • If a user's identity risk (behavioral or IP address) is medium or low, and the user’s geozone risk (default configuration) is high, the identity risk actions and the high geozone risk actions are executed. The high geozone risk actions of the same type take precedence.
  • If a user's identity risk (behavioral or IP address) is medium or low, and the user’s geozone risk (default configuration) is medium or low, the identity risk actions and geozone risk actions are executed.
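The precedence rules above, modeled as an added Python example for checking which configured actions would run for a given risk combination (this is not BlackBerry code or a UEM API). The action-type keys and group names are constructed, and for critical or high identity risk inside a custom or undefined geozone the sketch assumes only the identity actions execute, because the page does not state that default high geozone actions run in that case.

```python
# Added example: a model of the Persona precedence rules described above.
# Not BlackBerry code. Action-type keys and group names are constructed.
HIGH_IDENTITY = {"critical", "high"}

def resolve_actions(identity_level, identity_actions, geo_kind, geo_actions,
                    geo_level=None, default_high_actions=None):
    """Return {action_type: (source, value)} for the actions that execute.

    identity_actions     -- {type: value} configured for identity_level
    geo_kind             -- "default", or "custom" for a defined geozone with
                            a custom risk action or the "Undefined geozone"
    geo_actions          -- {type: value} for the custom geozone, or for
                            geo_level when geo_kind is "default"
    default_high_actions -- {type: value} of the default high geozone risk
    """
    if identity_level in HIGH_IDENTITY:
        if geo_kind == "custom":
            # Custom and undefined-geozone actions are not executed.
            # Assumption: the page does not say that default high geozone
            # actions run in this case, so none are pooled here.
            geo_pool = {}
        else:
            # Any default geozone level pools the default HIGH actions.
            geo_pool = dict(default_high_actions or {})
        geo_wins = False  # identity action wins a same-type conflict
    else:
        geo_pool = dict(geo_actions)
        # Custom, undefined and default-high geozone actions take precedence
        # over medium/low identity actions of the same type. For default
        # medium/low geozone risk nothing is noted, so identity keeps priority.
        geo_wins = geo_kind == "custom" or geo_level == "high"

    # Aggregate into one pool, keeping a single action per action type.
    pool = {t: ("identity", v) for t, v in identity_actions.items()}
    for action_type, value in geo_pool.items():
        if geo_wins or action_type not in pool:
            pool[action_type] = ("geozone", value)
    return pool
```

Running candidate policy settings through a model like this before assigning the policy shows which group assignment survives a same-type conflict, which is the assignment UEM then has to rank against manually assigned groups.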