
Policy Loading

deviceTRUST policy can be distributed either as part of a Group Policy Object (GPO) or as a File-Based Policy. Since multiple policy sources are supported, the deviceTRUST Agent merges the policies from all sources in the following order:

  • Active Directory GPOs
  • File-Based Policy

File-Based Policies

File-Based Policy files are loaded from %ProgramData%\deviceTRUST\Policy. By default the deviceTRUST Agent loads every policy file it finds in this location. This default can be changed in the File-Based Policy Settings so that the Agent either loads only policies that were imported with dtcmd IMPORT, or never loads policies from disk; the latter setting must be defined within a GPO rather than in a policy file.

The folder containing the File-Based Policy files is secured by the agent with read access to Local Users, and full access to Local Administrators.
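Because the Agent loads whatever policy files it finds in this folder, anyone who can write to it can inject policy. The following PowerShell function is an added example (not part of deviceTRUST or this page) that audits the folder's ACL against the documented expectation of read access for Users and full access for Administrators. The list of principals allowed to hold write rights is an assumption; adjust it if your deployment grants other identities write access on purpose.

```powershell
# Added example, not deviceTRUST's own tooling: audits the ACL on the File-Based
# Policy folder. Any principal that can write here can drop a .dtpol file the Agent
# will load, so every write-capable ACE beyond Administrators/SYSTEM needs a reason.
# The $AllowedWriters default is an assumption, not a documented deviceTRUST value.
function Test-DtPolicyFolderAcl {
    param(
        [string]   $Path = (Join-Path $env:ProgramData 'deviceTRUST\Policy'),
        [string[]] $AllowedWriters = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Policy folder not found: $Path"
    }
    $acl = Get-Acl -LiteralPath $Path

    # Rights that allow adding, changing or removing policy files, or rewriting the
    # ACL itself; GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) cover ACEs
    # that still carry generic access bits.
    $writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                       [System.Security.AccessControl.FileSystemRights]::Delete -bor
                       [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
                       [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                       [System.Security.AccessControl.FileSystemRights]::TakeOwnership)
    $writeMask = $writeMask -bor 0x40000000 -bor 0x10000000

    $unexpected = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        if ($AllowedWriters -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited   # True: ACE came from the parent folder, not from the Agent
        }
    }

    [pscustomobject]@{
        Path              = $Path
        Owner             = $acl.Owner
        UnexpectedWriters = @($unexpected)
        Pass              = (@($unexpected).Count -eq 0) -and ($AllowedWriters -contains $acl.Owner)
    }
}

Test-DtPolicyFolderAcl | Format-List
```

A finding with Inherited = True means the folder is still inheriting from %ProgramData%, whose default ACL lets Users create files and subfolders; that would contradict the read-only access this page describes and should be investigated. The owner is checked as well, since an owner can rewrite the ACL regardless of the ACEs present.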

When File-Based Policy is enabled, files are loaded in reverse alphabetical order. Because the Agent keeps the first definition it loads (see Merging Multiple Policies below), naming policy files with a leading sortable timestamp (YYYY-MM-DD) ensures that the newest policy file takes precedence over older ones. As an example, the file names listed below would be loaded in the following order:

  • 2023-12-12_DenyAccessNonCompliantDevices.dtpol
  • 2023-12-10_DenyAccessUnauthorizedUSB.dtpol
  • 2023-11-01_MappedDriveSettings.dtpol

Merging Multiple Policies

The deviceTRUST Agent first loads policy from the Active Directory GPO and then merges any File-Based Policy found within the deviceTRUST policy folder. Because the first definition loaded wins, a GPO definition always takes precedence over a File-Based Policy definition with the same name or type, and a newer policy file takes precedence over an older one. The following rules apply when loading policy from multiple sources:

  • Where a Context with the same name has already been included, subsequent contexts with this name are ignored.
  • Where an Action with the same name has already been included, subsequent actions with this name are ignored.
  • Where a Message with the same name has already been included, subsequent messages with this name are ignored.
  • Where a Setting has already been included, subsequent settings of the same type are ignored.
  • Where a Use Case has already been included, subsequent use cases of the same type are ignored.
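The following script is an added example (not deviceTRUST's own code) that simulates the load order from the File-Based Policies section and the first-definition-wins merge rules above. The .dtpol file format is not shown on this page, so each policy is modelled as an in-memory hashtable of named items per category; the file names and their contents are constructed for illustration.

```powershell
# Added example, not deviceTRUST's own code: simulates the policy merge this page
# describes. The .dtpol format is not documented here, so policies are modelled as
# hashtables (hypothetical structure); only the ordering and the
# first-definition-wins rules are taken from the documentation.

function Get-FileBasedLoadOrder {
    param([string[]]$FileNames)
    # Reverse alphabetical: with YYYY-MM-DD prefixes the newest file comes first.
    return [string[]]($FileNames | Sort-Object -Descending)
}

function Merge-DtPolicy {
    param([hashtable[]]$Policies)   # already in load order: GPO first, then files
    $categories = 'Contexts', 'Actions', 'Messages', 'Settings', 'UseCases'
    $merged = [ordered]@{}
    foreach ($cat in $categories) { $merged[$cat] = [ordered]@{} }
    $ignored = [System.Collections.Generic.List[string]]::new()

    foreach ($policy in $Policies) {
        foreach ($cat in $categories) {
            if (-not $policy.ContainsKey($cat)) { continue }
            foreach ($name in $policy[$cat].Keys) {
                # Contexts/Actions/Messages are keyed by name, Settings/Use Cases by
                # type; either way a later definition of the same key is ignored.
                if ($merged[$cat].Contains($name)) {
                    $ignored.Add("$cat '$name' from $($policy.Source) ignored; already defined by $($merged[$cat][$name].Source)")
                } else {
                    $merged[$cat][$name] = @{ Source = $policy.Source; Value = $policy[$cat][$name] }
                }
            }
        }
    }
    [pscustomobject]@{ Merged = $merged; Ignored = $ignored }
}

# Constructed sample input: the GPO and the newest file both define a Context named
# 'DeviceCompliant'; two files both define an Action named 'DenyAccess'.
$gpo = @{
    Source   = 'GPO'
    Contexts = @{ DeviceCompliant = 'GPO definition' }
    Settings = @{ FileBasedPolicy = 'load all files from disk' }
}
$files = @{
    '2023-12-12_DenyAccessNonCompliantDevices.dtpol' = @{
        Contexts = @{ DeviceCompliant = 'file definition (newest)' }
        Actions  = @{ DenyAccess = 'deny, message NonCompliant' }
    }
    '2023-12-10_DenyAccessUnauthorizedUSB.dtpol' = @{
        Contexts = @{ UnauthorizedUSB = 'USB device not on allow list' }
        Actions  = @{ DenyAccess = 'deny, message UnauthorizedUSB' }
    }
    '2023-11-01_MappedDriveSettings.dtpol' = @{
        Settings = @{ MappedDrives = 'map H: to home share' }
    }
}

$loadOrder = Get-FileBasedLoadOrder ([string[]]$files.Keys)
$policies  = @($gpo) + @(foreach ($f in $loadOrder) {
    $p = $files[$f].Clone(); $p['Source'] = $f; $p
})

$result = Merge-DtPolicy $policies
'Effective policy:'
foreach ($cat in $result.Merged.Keys) {
    foreach ($name in $result.Merged[$cat].Keys) {
        '  {0,-9} {1,-16} <- {2}' -f $cat, $name, $result.Merged[$cat][$name].Source
    }
}
'Ignored definitions:'
$result.Ignored | ForEach-Object { "  $_" }

# Naming pitfall: the order is a plain string sort, so a newer file without a
# sortable date prefix loads after an older file that has one.
Get-FileBasedLoadOrder @('12-12-2023_Newest.dtpol', '2023-12-10_Older.dtpol')
```

Running this shows the GPO's DeviceCompliant context surviving while the newest file's copy is ignored, the 2023-12-12 DenyAccess action winning over the 2023-12-10 one, and the older MappedDrives setting still being merged because nothing earlier defined it. The final call demonstrates why the timestamp prefix has to sort as a string: '2023-12-10_Older.dtpol' is loaded before '12-12-2023_Newest.dtpol', so the file that is actually newer would lose any naming conflict.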