Default Policy/Custom Policy Conflict Resolution

As mentioned in Device Class Policies, Device Control includes a default policy for each device class. You should not edit these policies because they are intended for use when troubleshooting your custom policies. However, it's important to know how these default policies interact with custom policies when both are applied simultaneously.

Here's what you need to know:

  • By default, all default policies are configured to allow read and write permissions. These lenient settings allow your users to use their devices freely while you set up more stringent policies.
  • If you enforce your custom policies and default policies simultaneously, the Read/Write permissions set in the default policies will almost always take priority over the permissions set in the custom policies. Read/Write permissions always take priority over read permissions.

    The graphic below shows how different permissions are resolved when there are conflicting settings.
  • This priority resolution is the reason you need to disable default policies (and their copies) when deploying custom policies to your organization.

  • The only exception to Read/Write permissions as the priority permission is when you explicitly configure your custom policy to remove all user permissions.

Device Control Policy Conflict Resolution
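
The priority rule above can be used to audit a policy inventory for device classes where a default policy still overrides a custom one. The following Python is an added example, not part of Device Control or its documentation. The `Policy` record, the function names and the sample device classes are hypothetical, and it models only the rules stated on this page (Read/Write over Read, with a custom policy that removes all permissions as the exception).

```python
from dataclasses import dataclass

# NONE models a custom policy that explicitly removes all user permissions.
NONE, READ, READ_WRITE = "none", "read", "read/write"
RANK = {NONE: 0, READ: 1, READ_WRITE: 2}


@dataclass(frozen=True)
class Policy:  # hypothetical record, not a Device Control export format
    name: str
    device_class: str
    permission: str
    is_default: bool  # True for a default policy or a copy of one
    enabled: bool = True


def effective_permission(policies):
    """Resolve the permission for one device class from its enabled policies."""
    active = [p for p in policies if p.enabled]
    if not active:
        return None
    # Exception: a custom policy that removes all permissions takes priority.
    if any(p.permission == NONE and not p.is_default for p in active):
        return NONE
    # Otherwise the most permissive setting wins (Read/Write over Read).
    return max((p.permission for p in active), key=RANK.get)


def find_overridden_classes(policies):
    """Return (class, intended, actual) where defaults change the custom result."""
    findings = []
    for cls in sorted({p.device_class for p in policies}):
        in_class = [p for p in policies if p.device_class == cls]
        intended = effective_permission([p for p in in_class if not p.is_default])
        actual = effective_permission(in_class)
        if intended is not None and actual != intended:
            findings.append((cls, intended, actual))
    return findings


# Constructed sample inventory; class and policy names are illustrative only.
SAMPLE = [
    Policy("Default optical", "optical-drive", READ_WRITE, is_default=True),
    Policy("Finance read-only", "optical-drive", READ, is_default=False),
    Policy("Default removable", "removable-storage", READ_WRITE, is_default=True),
    Policy("Block removable", "removable-storage", NONE, is_default=False),
    Policy("Default portable", "portable-device", READ_WRITE, is_default=True, enabled=False),
    Policy("Portable read-only", "portable-device", READ, is_default=False),
]
```

Calling `find_overridden_classes(SAMPLE)` reports only `optical-drive`: the class with a custom removal of all permissions resolves as intended, and so does the class whose default policy has been disabled.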