VMware Workspace ONE Community

[HowTo] - Global restriction policy with granular exceptions


I'm playing around with a global ruleset of restrictions, but I need the option to make simple granular exceptions from that. So for example just an exception for one restriction, not for the complete ruleset.

The problem here is that it's not possible to do it like in group policies in Windows, where the policy that is closest to the object wins. In WS1 the most restrictive rule wins. That means that a global rule cannot be overwritten by a more specific one.

Let's assume you have the following organization groups and a few settings X, Y, Z. All settings are from the restriction payload (e.g. X: disable bluetooth, Y: disable camera, Z: disable wlan).



├─ AAA
├─ BBB
├─ CCC
├─ DDD
├─ ...
├─ ZZZ



I want the settings X, Y, Z active everywhere, except X not in BBB and Y not in CCC (please keep in mind that this is only a minimized example). Like this:



OG     <- Restrictions
Root   <- default: disable bluetooth, disable camera, disable wlan
├─ AAA <- default
├─ BBB <- default, but allow bluetooth
├─ CCC <- default, but allow camera 
├─ DDD <- default
├─ ...
├─ ZZZ <- default



Here is my idea to realize that:

  • Create a smartgroup 'SG Enable Bluetooth' and assign it to OG 'BBB'
  • Create a smartgroup 'SG Enable Camera' and assign it to OG 'CCC'
  • Create 3 policies with the same restriction payload and link them all to the Root OG
    1. 'Policy Restriction default'       <- set all global default restrictions, e.g. 'disable wlan' and others, but bluetooth and camera are allowed
    2. 'Policy Restriction Bluetooth'  <- set only the setting 'disable bluetooth'
    3. 'Policy Restriction Camera'     <- set only the setting 'disable camera'
  • Set 'SG Enable Bluetooth' as exception in 'Policy Restriction Bluetooth'
  • Set 'SG Enable Camera' as exception in 'Policy Restriction Camera'

The smartgroup to enable something (e.g. 'SG Enable Camera') could also make use of a TAG instead of an organisation group, so that only the devices with a specific TAG would be affected (e.g. TAG: Camera). Just add the TAG and the device can use the camera.

So, what do you think about that idea? Did I miss something? How would you do that? I can't imagine that nobody before had such a situation.

Greetings Bob

0 Kudos
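
The layout proposed in the post above, as an added Python model (not part of the original post and not Workspace ONE code or API): it computes the effective restrictions per device under the "most restrictive wins" rule and checks that each exclusion lifts only the one intended setting. The class names, device names and the combined OG-plus-tag matching of 'SG Enable Camera' are assumptions made for illustration.

```python
# Added illustration: a toy model of the semantics described in the post.
# It does not call any Workspace ONE API; all names are constructed.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Device:
    name: str
    og: str                      # organization group the device sits in
    tags: frozenset = frozenset()

@dataclass
class SmartGroup:
    name: str
    ogs: set = field(default_factory=set)    # match by organization group
    tags: set = field(default_factory=set)   # or match by device tag

    def contains(self, dev):
        return dev.og in self.ogs or bool(self.tags & dev.tags)

@dataclass
class Profile:
    name: str
    disables: set                              # features this payload disables
    exclusions: list = field(default_factory=list)

    def applies_to(self, dev):
        # Every profile is linked to the Root OG, so it reaches all devices
        # unless an exclusion smart group matches.
        return not any(sg.contains(dev) for sg in self.exclusions)

def effective_disables(dev, profiles):
    # "Most restrictive wins": a feature is disabled if any applicable
    # profile disables it, so the result is the union of all payloads.
    out = set()
    for p in profiles:
        if p.applies_to(dev):
            out |= p.disables
    return out

SG_BT = SmartGroup("SG Enable Bluetooth", ogs={"BBB"})
SG_CAM = SmartGroup("SG Enable Camera", ogs={"CCC"}, tags={"Camera"})
PROFILES = [
    Profile("Policy Restriction default", {"wlan"}),
    Profile("Policy Restriction Bluetooth", {"bluetooth"}, [SG_BT]),
    Profile("Policy Restriction Camera", {"camera"}, [SG_CAM]),
]
# The single-profile layout the post rules out: one global payload at Root.
# An empty "allow" profile for BBB adds nothing to the union, so nothing is lifted.
NAIVE = [Profile("Global", {"bluetooth", "camera", "wlan"}),
         Profile("BBB allow bluetooth", set())]
```

Running `effective_disables` over one device per OG, plus a tagged device outside CCC, is a quick way to confirm that an exception does not lift more than the single setting it was created for.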
1 Reply

Sorry for the poor initial formatting.

0 Kudos