I had to open an SR to find out what was going on when we associated a USB connectivity policy that had a Win8 OS requirement. There are strict rules on which USB devices can be connected to the network. The migration from XP to Win8 included stopping all non-HID USB devices from working, except for the devices that are approved. We discussed in detail the policy hierarchies before implementation. We tested using folders/groups/workstations/users, but not global since we were testing.

I made a USB connectivity policy that included an OS=Win8 requirement, disabled all but HID devices, and set it as the global policy. There are separate USB allow policies for the approved devices for the approved workstation/user. The USB deny policy then hit all workstations - the 700+ XP and the 3000+ Win8 - and disabled USB devices on the XP workstations. We found out what was happening as the ZCM agents refreshed. Needless to say, both the Help Desk people and the users were very unhappy. Removing the policy as a global policy and telling users to refresh their agent worked, but it wasn't the optimal result we had expected.

An SR, after escalation to engineering, determined that this was working as designed and that requirements on a policy do not matter when the policy is a global policy. I would not have had this problem if there had been a popup message warning me that any requirements on a policy would be ignored when the policy is set as a global policy.

Please add some warning when setting global policies when a requirement is detected. Let us know that the requirement is ignored.
