In some situations, assigning policies to groups of clients can complement the previous scenarios. Groups can be created manually or by using the Active Directory Synchronization option.
Clients can be added to groups either manually (Static Groups) or automatically, based on the group properties (Parametric Groups). See chapter Group Manager for more details.
To assign a policy to a group of clients, you can use the one-time assignment option in Policy Manager (Add Clients > Add Special), or deliver policies automatically via Policy Rules.
One of the possible scenarios is as follows:
The administrator wants to assign different policies for clients belonging to different AD groups and change the client's policy automatically when the client is moved to another AD group.
1) The first step is to set Active Directory Synchronization in Group Manager according to your needs. The important thing here is to properly schedule the AD synchronization (possible options: hourly, daily, weekly, monthly).
2) After the first successful synchronization, the AD groups appear in the Static Groups section.
3) Create a new policy rule and mark ERA Groups IN and/or ERA Groups NOT IN as a rule condition.
4) Specify the AD groups that you want to add to the condition.
5) In the next step, define the policy that will be applied to clients matching the rule condition(s) and press OK to save the rule.
NOTE: Steps 3 - 5 can be replaced by using the Policy Rules Wizard, which allows you to create a policy structure based on the existing group structure and map created policies to groups by creating corresponding policy rules.
This way, it is possible to define a particular policy rule for each AD group. Which policy a client receives now depends on the client's membership in a certain AD group. Since the AD synchronization is scheduled to occur regularly, all changes in the client's AD group membership are refreshed and taken into account when a policy rule is applied. In other words, policies are applied to clients automatically depending on their AD group. Once the rules and policies are defined thoroughly, no more intervention regarding policy application is needed from the administrator.
The main advantage of this approach is direct, automatic linking between AD group membership and policy assignment.