deviceTRUST 23.1.400 for Windows, Ubuntu, macOS and iOS is now available.
×

Policy Loading

deviceTRUST policy can be distributed either as part of a Group Policy Object (GPO) or as a File-Based Policy. The deviceTRUST Agent merges the policies first from the GPOs and then from the File-Based Policies.

Active Directory GPOs

Policies written to either GPOs or Local Policy are merged into a single policy by the OS and loaded by the deviceTRUST Agent before any File-Based Policies.

The following merge order is used to process each GPO. This behavior is built into the OS and cannot be modified by deviceTRUST:

  • The Local Policy
  • GPOs linked to the site.
  • GPOs linked to the domain.
  • GPOs linked to organizational units (OUs) are applied. For nested OUs, GPOs linked to parent OUs are applied before GPOs linked to child OUs.

The Merging Policy Items rules are followed when merging Contexts, Actions, Messages and Settings across multiple policies.

File-Based Policies

File-Based Policy files are loaded from %ProgramData%\deviceTRUST\Policy after loading any GPOs. By default the deviceTRUST Agent will load all policy files it finds in this location. This behavior can be overridden and changed within the File-Based Policy Settings to either only load policies imported by dtcmd IMPORT, or to never load policies from disk (which must be defined within a GPO).

The folder containing the File-Based Policy files is secured by the agent with read access to Local Users, and full access to Local Administrators.

When File-Based Policy is enabled, files are loaded in reverse alphabetical order. This ensures that when policy files are named beginning with a timestamp, the newest policy files take precendent over the older policy files. As an example, the file names listed below would be loaded in the following order:

  • 2023-12-12_DenyAccessNonCompliantDevices.dtpol
  • 2023-12-10_DenyAccessUnauthorizedUSB.dtpol
  • 2023-11-01_MappedDriveSettings.dtpol

The Merging Policy Items rules are followed when merging Contexts, Actions, Messages and Settings across multiple policies.

Merging Policy Items

When Contexts, Actions, Messages and Settings are merged from multiple policies, either from Active Directory GPOs, Local Policy or File-Based Policies, the following rules apply:

  • Where a Context with the same name has already been included, subsequent contexts with this name are ignored.
  • Where an Action with the same name has already been included, subsequent actions with this name are ignored.
  • Where a Message with the same name has already been included, subsequent messages with this name are ignored.
  • Where a Setting has already been included, subsequent settings of the same type are ignored.
  • Where a Use Case has already been included, subsequent use cases of the same type are ignored.