Aug 31 2022 11:19 PM
Hello all,
We have two different device groups to which we want to deploy slightly different configuration profiles in endpoint. These configuration profiles are mostly about the device restrictions - password module. Basically, the password requirements are the same, but for practical reasons we need to implement different screen lock times for the two groups. Logically, it would make sense to create a profile with the common settings and deploy it to both groups, and then two additional profiles where the only setting is the different screen lock inactivity periods. This way any change made on the password requirement should affect both groups at the same time. I'm not sure anyway if this is considered best practice, or if it'd be better to store two complete password restrictions profiles for both groups. As it is right now (with the common settings in one profile and the two screen lock times in different additional profiles) I'm not experiencing any conflict, so it seems the rules are correctly deployed, but I'm not so sure if this is the way Endpoint would handle this scenario in the best way possible. Any suggestion?
Sep 01 2022 12:08 AM
Sep 01 2022 09:07 AM
Solution
The approach you describe sounds okay, since you're doing it with deliberate intent per the group requirements around screen lock/password. A new admin might not see the correlation right off the bat and wonder why there's multiple policies, until it's explained or documented properly; that's the only aspect which might be unclear until the policy settings are examined to identify the differences. As long as changes aren't made to the ones "Not Configured" which would introduce a conflict, it's fine.
In contrast, doing two fully complete policy sets solves for the above problem in that it's clearer at first glance and no overlap, but at the tradeoff of being a bit redundant. I would choose this approach if the expectation is that some other admin will be managing/maintaining it in the future, because they might not be aware of the subtle logic behind the other approach. But if it's just you, either is valid.
Please like or mark this thread as answered if it's helpful, thanks!
Sep 08 2022 02:52 AM
Dec 11 2023 07:36 PM
Sep 01 2022 09:07 AM
Solution
The approach you describe sounds okay, since you're doing it with deliberate intent per the group requirements around screen lock/password. A new admin might not see the correlation right off the bat and wonder why there's multiple policies, until it's explained or documented properly; that's the only aspect which might be unclear until the policy settings are examined to identify the differences. As long as changes aren't made to the ones "Not Configured" which would introduce a conflict, it's fine.
In contrast, doing two fully complete policy sets solves for the above problem in that it's clearer at first glance and no overlap, but at the tradeoff of being a bit redundant. I would choose this approach if the expectation is that some other admin will be managing/maintaining it in the future, because they might not be aware of the subtle logic behind the other approach. But if it's just you, either is valid.
Please like or mark this thread as answered if it's helpful, thanks!