Deploy Device Control Policies

You next step is to begin deploying your Device Control policies. We recommend the following tips when deploying your policies to avoid troubleshooting scenarios:

• Use a phased deployment approach. Take a step, verify the result, and then take another step. This deployment method helps avoid chaotic troubleshooting in environments that have many factors contributing simultaneously.
• We recommend starting the organizational deployment by enabling policies for your smallest groups of users first. Once those policies are working as intended, repeat the process with progressively larger groups.
• When applying policies to a group, only apply policies for one device class at a time. This practice leaves only the policies you created for that class in place. Check with users to confirm that policy enforcement is functioning as intended. Also check the Device Event Logs for those endpoints to validate that read or write-denied logs are functioning as intended. Users will not be aware of some device access, especially by built-in user accounts such as LocalSystem, or may not yet be aware of any issues that are present. If there are read- or write-denied events that should have been allowed, adjust your policies to allow them.
• Once the first device class policy is working properly, continue the process with the remaining device classes policies. Disable any Default Policies for that class (including default policy copies), confirm operation, check the logs, adjust policy as needed, and proceed to the next class. When complete, the Default Policies will all be disabled, and only your policies will be enforced.

To Deploy Device Control Policies:

1. Select Manage > Device Control Policies.
2. Disable the copy of the default policy related to custom policy that:
   • You tested in Test Device Control Policies.
   • Are now ready to deploy.

   In our example we are deploying a custom policy for Biometric Devices, so we are disabling the copy we made earlier, Copy of Default Policy for Biometric Devices.



Disabling both the default policy and the copy of the default policy implicitly deploys your custom policy, even though you've done nothing to explicitly activate it. This implicit deployment occurs because the default policy settings of Read/Write take priority over your custom policy's settings. See Default Policy/Custom Policy Conflict Resolution for more information.

3. Repeat step 2 for each custom policy that you've tested and now want to activate. Disable any default policies related to the custom policies that you want to deploy.
4. Validate that the policy you enabled is functioning correctly. Circle back to Confirm Policy Functionality and check the logs to validate policy function. Make any policy edits as needed.