Global Profile
Assign a common Profile to your sub-organizations and avoid policy duplication
This feature builds on top of Multiple Enforced Profiles functionality and allows Organization account users to set a Profile for the entire organization. This Profile will apply to all devices created inside this Sub-Organization.
How it works
Create or edit an existing Sub-Organization and choose a Global profile from the down-down menu.
Such a profile should (ideally) be common to many sub-organizations, so you can keep your "default policy" all in one place. Such a Profile/policy can:
- Block Malware as you probably want to do this inside of all Sub-Organizations
- Block common Services that none of your customers should access (ie. TikTok)
- Have special custom rules that are relevant to all Sub-Organizations
- Create a common Custom Block Page
Now, when you create a Device inside a Sub-Organization, and select a Profile that's specific to this Sub-Organization, the Global Profile will be automatically inherited, and enforced at the same time as your Organization specific profile.
Be mindful, the same Global Profile cannot be selected as a Device specific Profile inside a sub-organization, as it's already enforced. You must choose another Sub-Organization specific or Shared Profile.
Rule Priorities
The rule engine works as follows:
- Custom rules take precedence over everything.
- Service rules are second in line, and are checked if there are no custom rules that match the DNS query.
- Filters (which block things) are 3rd in-line and will match a domain if there is no overriding custom rule or Service rule
- Last in line is the Default Rule, which will, like the name suggests, match queries that aren't affected by any of the above
Conflicts and Overrides
By default, if there is a conflict for the same Filter, Services, Custom Rule, or Profile Option, the Global Profile will win. For example, if Gambling is blocked in the Global Profile, but allowed in the Sub-Organization Profile, Gambling sites will still be blocked. Same is true for Services, if TikTok service was explicitly allowed (Bypassed) in the Global Profile, but blocked in the Sub-organization profile, it will still be allowed.
You may not want this, in which case you can override the Global Profile, and have the Sub-Organization rule selection take precedence. In the Gambling Filter scenario presented earlier, you would see something like this when you view the Sub-Organization Profile.
Notice the yellow warning next to the Gambling filter. This suggests that this scope is blocked in the Global Profile. If you toggle this filter OFF, it will turn red, meaning it's overriding the Global Profile.
Now, all devices in this Sub-Organization, that enforce this Sub-Organization Profile, will be allowed to access Gambling sites.
Updated 2 months ago