Configure Automated Policy Assignment

Automated policy assignment (APA) automatically manages and assigns policies to devices in your environment based on configurable rules. For more information, refer to the Frequently Asked Questions (FAQ) section.

Configuring automated policy assignment involves the following:

Before configuring APA, set up a device group in Ivanti Neurons and ensure the following:

  • Devices and device groups are managed in the Neurons Devices view. For more information about grouping devices, refer to Devices.
  • A device may belong to zero or more groups.
  • Only public device groups can be selected for APA. These can be dynamic or static.
  • Configure your device groups to categorize similar device types so a policy can be applied to the device group to simplify ongoing maintenance.

Set up Assignment Rules

To set up assignment rules, follow these steps:

  1. Navigate to Agents > Agent Deployment.
    The Agent Deployment page appears and displays the Automated policy assignment tab by default.
  2. Click Configure to enable this feature.
    This displays the APA configuration page. This step appears only when setting up APA for the first time.
  3. Click Edit to define rules and policies to be assigned to each device or device group.
  4. Select a policy from the Choose default policy assignment drop-down list under the Default policy section.
    The selected policy will be assigned to the device group. To learn more about creating a policy, refer to Agent Policies.

    By default, the selected policy automatically applies to all agent endpoints that are connected to your tenant and use Automated policy assignment. Set up exceptions for specific devices or device groups to exclude them from this policy.

    The Default policy drop-down list will not list policies with infrastructure capabilities such as Active Discovery, Connector Server, Deployment, or Preferred Server Sync. These capabilities require secure credentials, so deploy them only to the specific devices that form part of the Ivanti Neurons infrastructure.

  5. Click Save.

    The changes may take up to 24 hours to be applied to the endpoints due to the evaluation processes.

Migrate Existing Policy Assignments

Any existing policy assignments configured on agent endpoints before Automated policy assignment was enabled will be automatically migrated to device exceptions when automated policy assignment is configured. It is recommended to replace device exceptions with device group exceptions over time. This simplifies endpoint management for a large number of devices.

It is recommended to keep device exceptions for agent endpoints that have policies that contain infrastructure capabilities, as the Default policy or device group exceptions cannot manage them.

Configure Device exceptions

This section allows you to configure exceptions to override the default policy set up for individual devices that are connected to your tenant. To configure device exceptions, follow these steps:

  1. On the Automated policy assignment tab, navigate to the Device exceptions section.
    Ensure that you are in edit mode. If not, click Edit.
  2. Click Add device exception.
    The Add device exception pane appears and lists endpoints connected to the tenant.
  3. Select a policy from the Agent Policy drop-down list.
    This drop-down list will include policies with infrastructure capabilities as well.
  4. Select the endpoints from the devices list, or use the search box to search for devices connected to your tenant, and then click Add.
    Alternatively, select the devices and click Remove to exclude endpoints.

    The included devices for exceptions are indicated using a green tick under the Included column.

  5. Click Confirm.
    The changes are displayed under the Device exceptions section.

    Each device can only belong to one exception at a time. If you try to add a device to a different exception, the UI will show what will be added and removed before you select Save to confirm.

  6. The devices listed under the Device exceptions section do not follow a priority order. Exceptions based on device name take priority over both the default policy and exceptions for device groups.

Configure Device group exceptions

This section allows you to configure exceptions to override the default policy set up for a group of devices connected to your tenant. To configure device group exceptions, follow these steps:

  1. On the Automated policy assignment tab, navigate to the Device group exceptions section.
    Ensure that you are in edit mode. If not, click Edit.
  2. Click Add device group exception.
    The Add device group exception pane appears and lists device groups connected to the tenant under the Available device group section.
  3. Select a policy from the Agent Policy drop-down list.
  4. Select the device groups from the Available device group section, or use the search box to search for device groups connected to your tenant, and then click Add.
    The included device groups are moved to the Included device group section.
    Alternatively, in the Included device group section, select a group and click Remove to exclude it, or click Remove All to remove all device groups from the exception list.
  5. Click Confirm.
    The changes are displayed under the Device group exceptions section.

    A device group can be a member of one or more device group exceptions. Device group exceptions only override the default policy, while individual device exceptions take priority over device group exceptions.

  6. In the Device group exceptions section, you can rearrange device groups to prioritize them. To prioritize them, drag and move a group up or down using the handles on the left-hand side.
  7. Click Save on the top-right corner of the screen to update the changes.
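The precedence rules described above (a device exception beats every device group exception, device group exceptions are tried in their configured priority order, the default policy applies otherwise, and the default cannot carry an infrastructure capability) can be modelled as a small resolver. This is an added illustration, not Ivanti's code; the tenant, device, group and policy names are constructed:

```python
from dataclasses import dataclass, replace

# Capabilities the page says the Default policy drop-down refuses to list.
INFRA_CAPABILITIES = {"Active Discovery", "Connector Server", "Deployment", "Preferred Server Sync"}

def is_valid_default(policy_capabilities, policy):
    """A policy may be the default only if it carries no infrastructure capability."""
    return not (INFRA_CAPABILITIES & policy_capabilities.get(policy, set()))

@dataclass
class ApaConfig:
    default_policy: str
    policy_capabilities: dict   # policy name -> set of capability names
    device_exceptions: dict     # device name -> policy (one exception per device)
    group_exceptions: list      # [(group name, policy)], highest priority first
    group_members: dict         # group name -> set of device names

    def __post_init__(self):
        if not is_valid_default(self.policy_capabilities, self.default_policy):
            raise ValueError(f"{self.default_policy!r} cannot be the default policy")

    def with_group_order(self, ordered_groups):
        """Copy with device group exceptions re-prioritised (drag-and-drop in the UI)."""
        by_name = dict(self.group_exceptions)
        return replace(self, group_exceptions=[(g, by_name[g]) for g in ordered_groups])

    def resolve(self, device):
        """Return (policy, reason) for one device using the page's precedence rules."""
        # 1. An exception keyed on the device name beats everything else.
        if device in self.device_exceptions:
            return self.device_exceptions[device], "device exception"
        # 2. Device group exceptions in priority order: a device in several
        #    groups takes the policy of the highest-ranked group it belongs to.
        for group, policy in self.group_exceptions:
            if device in self.group_members.get(group, set()):
                return policy, f"device group exception ({group})"
        # 3. Otherwise the default policy applies.
        return self.default_policy, "default policy"

# Constructed sample tenant (hypothetical device, group and policy names).
POLICIES = {"Standard Workstation": set(), "Server Hardened": set(),
            "Finance Locked": set(), "Infra Discovery": {"Active Discovery"}}
SAMPLE = ApaConfig(
    default_policy="Standard Workstation",
    policy_capabilities=POLICIES,
    device_exceptions={"disc-01": "Infra Discovery"},   # infra policy kept as device exception
    group_exceptions=[("Finance", "Finance Locked"), ("Servers", "Server Hardened")],
    group_members={"Finance": {"fin-01", "srv-fin-01"}, "Servers": {"srv-01", "srv-fin-01", "disc-01"}},
)
```

Calling `SAMPLE.resolve("srv-fin-01")` returns the Finance policy because that group ranks above Servers; reordering the groups with `with_group_order` flips the result, which is the effect of dragging a group in the UI.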

Once you save the APA configuration, the rules are evaluated as follows:

  • The updated automated policy assignment rules and changes are saved in the system configuration, but they are not implemented immediately.
  • Policy rules are evaluated and implemented based on the system's schedule, usually every 24 hours, due to a cool-down period intended to prevent frequent or unnecessary policy reassignments.
  • New or updated rules are saved and will take effect during the next evaluation cycle.
  • Any changes that would result in a device policy reassignment are subject to the cool-down period. The actions are processed only after the cool-down period has elapsed for each device.

(Optional) Deploy Configuration Immediately

To apply changes outside the regular evaluation cycle or in specific situations, select the Run now option on the top-right corner of the screen to override the standard 24-hour evaluation period. This action triggers the automated policy assignment process, bypassing the regular evaluation cycle. However, even when you use Run now, policy assignments for devices will not take effect until the evaluation process is complete.

The system will queue a run request if there is a pending or running request, or if the last evaluation was completed recently. If an evaluation is currently in progress, the current run finishes first and the new request runs after it.

Deploy to Agents

Once the APA configuration is complete, you can deploy the agent to the endpoints using the Neurons push install and Manual install methods. These methods can utilize automated policy assignment to simplify endpoint management.

To deploy automated policy assignment to agent endpoints using the Neurons push install or Manual install method, refer to the Agent Deployment topic.

(Optional) Reassign Agent Policy

You can now reassign policies to a large number of devices with the configured automated policy assignment as part of agent management. For more information about other agent management features, refer to Agent Management.

When you reassign an agent policy with automated policy assignment configured, the existing device exceptions for the selected endpoints are removed, and the new policy is assigned to them automatically once the policy evaluation process is complete.

To reassign endpoints with configured automated policy assignment, follow these steps:

  1. Select the check box next to the agent endpoint to which you want to reassign a policy.
  2. Select Actions > Reassign Policy.
    The Reassign Policy panel appears.
  3. Select Use automated policy assignment from the drop-down list.
  4. Click Save.
    The Reassign Policy panel closes.
  5. On the Agent Management page, the status updates to Reassign policy requested. Hover over the status to see who requested the policy change, on what date, and the name of the policy that was assigned.

Delete Exceptions

To delete individual device or device group exceptions, follow these steps:

  1. On the Automated policy assignment tab, ensure that you are in the edit mode. If not, click Edit.

  2. Delete the exceptions as follows:

    • Delete device exceptions: On the Device exceptions section, select a device from the list (Edit device exceptions pane appears). Then, click Delete device exception.

    • Delete device group exceptions: On the Device group exceptions section, select a device group from the list (the Edit device group exceptions pane appears). Then, click Delete device group exception.

  3. Click Save.

Frequently Asked Questions (FAQ)