Question on policy overrides
I was reviewing https://www.youtube.com/watch?v=eKBuwQvTOHc&t=66s&ab_channel=GoreloTech
Order of operations is lowest in list first to top of the list.
If i have a policy that is global to all customers, that runs a script
Then i add a policy higher for a specific customer, is there anyway to say "dont run this script"?
Ideally i want to have all settings in 1 policy then work way down. Where as at the moment im moving the questionable script out to its own policy then having to exclude the 1 customer from it. Is that the correct way?
Order of operations is lowest in list first to top of the list.
If i have a policy that is global to all customers, that runs a script
Then i add a policy higher for a specific customer, is there anyway to say "dont run this script"?
Ideally i want to have all settings in 1 policy then work way down. Where as at the moment im moving the questionable script out to its own policy then having to exclude the 1 customer from it. Is that the correct way?
Solution
Think of it like a router ACL -- it starts from the top and when a specific asset and check/plugin/script applies, it will stop processing further policies for that exact combination. So whatever is higher in the list overrides exact matches further down.
The broadest (and most generic) policies should be at the bottom and the more client/app specific ones at the top... as these will override in the event of any conflicts.
In your example, you would have that script in a policy by itself just above the Base Workstation policy -- it should target something broad like 'Windows Workstation' and then exclude the specific client... see the screenshot:
The broadest (and most generic) policies should be at the bottom and the more client/app specific ones at the top... as these will override in the event of any conflicts.
In your example, you would have that script in a policy by itself just above the Base Workstation policy -- it should target something broad like 'Windows Workstation' and then exclude the specific client... see the screenshot:
