About policy-based management

Policy-based management helps you easily manage sets of applications on groups of devices. Like any other scheduled task, policies require:

  • A distribution package that you create.
  • A delivery method that supports policies, either policy or policy-supported push.
  • Policy targets for the distribution packages, such as the results of an LDAP or core database query.
  • A scheduled time at which the policy should be made available.

Policy-based management periodically reruns queries you have configured as part of the policy, applying your policies to any new managed devices. For example, perhaps you have a Department container in your LDAP directory that contains user objects. Any user whose Department object is "Marketing" uses a standard set of applications. After you set up a policy for Marketing users, new users who are added to Marketing automatically get the correct set of applications installed onto their computer.

Use the console to configure application policies, which are stored in the core database.

The task flow for policy-based management is as follows:

  1. Make sure the software distribution agents are on your devices.
  2. If you don't have a package for the application you want a policy for, create one. For more information, see About software distribution.
  3. Use the Distribution packages window to create a package definition for the package.
  4. Create or select an existing policy-based delivery method.
  5. Create a software distribution task in the Scheduled tasks window and select the package and delivery method from above.
  6. Select the targets for the policy. This can include any combination of individual devices, database queries, device groups, LDAP items, and LDAP queries.
  7. Schedule the task to run. When run, the distribution package will be made available for pull.
  8. The policy-based management service on the core server periodically updates the policy target list by reevaluating the LDAP/database query results. This helps ensure that the core database has a current set of targeted users/computers.
  9. A user logs on to a device, connects to the network, or otherwise starts the policy-based management agent.
  10. The core server's policy-based management service determines the applicable policies based on the device's device ID and the logged-in user or LDAP device location.
  11. The policy-based management service sends the policy information back to the policy-based management agent.
  12. Depending on how you've configured the device to handle policies, the user selects the policies to run or the policies run automatically. Only recommended or optional policies are available in the list on the device. When an unprocessed recommended policy is in the list, it's checked by default. Periodic policies appear in the list once their execution intervals have lapsed. Selected policies execute sequentially.
  13. The policy-based management agent sends the policy results to the core server, which stores the results in the core database. Policy-based management status is reported to the core server using HTTP for enhanced reliability. This status is reported in the Scheduled tasks window.
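The target re-evaluation in step 8 and the policy lookup in step 10 can be modeled in a few lines. This is an added conceptual example, not the product's code or API: the `Policy` class, the function names, the device IDs and the directory snapshots are all constructed for illustration. It assumes a query is a simple attribute-equality match.

```python
# Conceptual model only: names, fields and data are constructed for illustration.
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    device_ids: set = field(default_factory=set)      # individually targeted devices
    user_query: dict = field(default_factory=dict)    # e.g. {"department": "Marketing"}
    resolved_users: set = field(default_factory=set)  # result of the last re-evaluation

def run_query(directory, query):
    """Return the users whose attributes match every key/value in the query."""
    if not query:  # an empty query must not match the whole directory
        return set()
    return {u["uid"] for u in directory
            if all(u.get(k) == v for k, v in query.items())}

def reevaluate(policy, directory):
    """Step 8: refresh the stored target list and report what changed."""
    current = run_query(directory, policy.user_query)
    added = current - policy.resolved_users
    removed = policy.resolved_users - current
    policy.resolved_users = current
    return added, removed

def applicable_policies(policies, device_id, user):
    """Step 10: match an agent check-in by device ID or by logged-in user."""
    return [p.name for p in policies
            if device_id in p.device_ids or user in p.resolved_users]

# Constructed directory snapshots: carol joins Marketing between evaluations.
SNAPSHOT_1 = [{"uid": "alice", "department": "Marketing"},
              {"uid": "bob", "department": "Finance"}]
SNAPSHOT_2 = SNAPSHOT_1 + [{"uid": "carol", "department": "Marketing"}]

def demo():
    policies = [Policy("Marketing apps", user_query={"department": "Marketing"}),
                Policy("Kiosk lockdown", device_ids={"DEV-0042"})]
    first = reevaluate(policies[0], SNAPSHOT_1)
    before = applicable_policies(policies, "DEV-0100", "carol")
    second = reevaluate(policies[0], SNAPSHOT_2)
    after = applicable_policies(policies, "DEV-0100", "carol")
    return first, before, second, after

if __name__ == "__main__":
    for step in demo():
        print(step)
```

Because target membership follows directory attributes, logging the `added` set from each re-evaluation gives a reviewable record of which accounts newly became eligible for a package.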