Delegated administration support is extended to manage policies in a device space. The Space administrator can add, edit, delete, modify policy priority, and distribute policies from their spaces.
Creating custom policies in a device space
Creating custom policies in a device space is similar to creating policies in a global space. The policies created in a device space is usable only in that space. The policies created in a subspace by the Space administrator cannot be used in the global space.
To manage policies in a device space, the Space administrator should have Manage Policy role and the Global administrator should have enabled the Space administrator to create a specific policy in his custom space by checking Allow Creation in Space for that specific policy in the Admin > Device Space > Select the Space > Actions > Assign Policy Restriction page. The following figure displays the Assign Policy Restriction and Override Global Policy option.
Figure 1. Assign Policy Restriction And Override Global Policy
The priorities of the newly created policies in a space is based on the Override or No Override rule. The policy override control option lets the device Space administrator Override Global Policies. The Global Space administrator can select any of the following override options:
- Override Global Policies - If the Global administrator selects this option for a particular space and policy type, then all the space policies of that type will have higher priority than the policies of same type from global space.
- Do Not Override Global Policies - If the Global administrator does not select the Override Global Policies option, then the space policies of the selected type will have lesser priority than the global policies of same type.
Policy Priorities in Device Space
In a device space, the priorities of all the space and global policies are listed. The default policy created in global space has the lowest priority in all the spaces and is disabled for changing the priority. In a global space, filtering by space shows only policies related to that space without the priority column.
Device Space administrator can only modify priority of the policies that are created in the device space. In Modify Policy Priorities view, Space administrators can view all the global policy and space policy priorities but can only modify priority of the policies that are created in their device space.
To modify policy priority:
Click Policies & Configs > Policies.
From the Policy Type drop down list, select a policy type. For example, Privacy.
Click on Modify Priority option, the Modify Policy Priorities window opens.
Drag and Drop the policy rows to change the priority.
Managing policies supported in Device Space
A device Space administrator can view the policies in their own space and the global space. The Global administrator can view policies in the global space and any device space.
To filter policies by space:
In the Admin Portal go to Policies & Configs > Policies
Click the Filter by Space drop-down list.
Select the Space to display the policies in the space.
Please keep in mind:
A new Space column has been added to the policies page to display the Device Space name associated with the selected policy. The Space column is only shown when there is a Device Space other than the Global space in the Core.
The delegated administrator supports Policy Management from Device Space. The device Space administrator can add, update, delete, and distribute policies from his device space. Policy management from a device space works when:
- Manage Policy role is enabled for their space.
- Policy restriction for that policy type is enabled by the Global administrator for device space. Admin → Device Spaces> Actions > Assign Policy Restriction option. The Global administrator enables the Space administrator to create a specific policy in their custom space by checking Allow Creation in Space for that specific policy using the Assign Policy Restrictions option.
The Assign Policy Restrictions action appears only when there is a custom space configured in the system
The Add New drop-down list Policies & Configs> Policies, supports the following policy types that are managed in a device space:
Support for the following actions is available for the device Space administrator:
- Apply to Label
- Remove from Label
- The Save As action is available in a subspace only when the device Space administrator has the Manage Policy role enabled and the option to create that Policy Type is available for that space.
- Modify Policy Priority
When a Global administrator changes the policy restrictions of a space, the following sequence of events takes place:
- Disable option to create a policy type in space: When Allow Creation in Space is disabled for a particular policy type in a space, then all policies of that type in that space will be deleted from the Ivanti EPMM and policies would be re-evaluated and updated accordingly in the device.
- Change restriction from override to do not override: If the Global administrator changes the restriction from override to do not override then, the priorities of space polices will be lower than the global policies for that policy type in space, and based on the reevaluation, appropriate policy would be re-pushed to the device.
- Change restriction from do not override to override: If the Global administrator changes the restriction from do not override to override then, the priorities of space policies will be higher than the global policies for that policy type in space, and based on the reevaluation, appropriate policy would be re-pushed to the device.