Multiple Enforced Profiles

Enforcing multiple Profiles on a Device can allow for highly complex behaviors.

Suggest Edits

Traditionally, a Device enforces a single Profile (configuration). Control D also allows you to enforce multiple profiles on a single device, in order to create advanced rule matching behaviors.

How it works

When creating a device, you can choose up to two profiles that are enforced on the device. When you query a device that enforced 2 profiles, the rule engine will look for a match in the first profile. A match means:

  • Filter was triggered that blocked something
  • Service rule was triggered that blocked, redirected or bypassed something
  • Custom rule was triggered that blocked, redirected or bypassed something
  • Default Rule was triggered that blocked or redirected something

If the first profile didn't match any rule, and Default Rule is set to BYPASS mode, meaning it will resolve the requested domain from authoritative DNS, this is when the 2nd enforced profile is consulted. The rule engine will then perform the same flow as above and look for a match.

Limitations

  1. The first linked profile must be set to Default Rule → BYPASS. In all other cases (block or redirect), the rule engine will never consult your 2nd profile as the Default Rule will match every query.
  2. Profile Options are matched and enabled if they occur in either of the 2 linked profiles. For example, if DNS Rebind protection is enabled in either profile, it will be enabled.
  3. You cannot create schedules for devices that have multiple profiles.

Use Cases

There are many powerful behaviors that you can accomplish with this feature. Some of these include:

Global Rules

You may have multiple profiles, but they probably have few/many rules that are common between all of them. If you change a rule in one, you have to go and manually change it in all other profiles. Instead, you can just have a single “Global Profile” that has all your common rules. Then your device specific profiles can have only the rules you need on those specific devices. So you can have something like this:

  • Device A: Global Profile → Work Profile
  • Device B: Global Profile → Home Profile
  • Device C: Global Profile → Kids Profile

“Global Profile” contains things you probably want on all devices (block Malware, Ads, Phishing), while device/use-case specific profiles can only contain rules for things you only need on those specific devices. This eliminates the need to duplicate or sync rules.

Rule Priorities

The rule engine within a single profile works as follows:

  1. Custom rules take precedence over everything
  2. Service rules are second in line, and are checked if there are no custom rules that match the DNS query
  3. Filters (which block things) are 3rd in-line and will match a domain if there is no overriding custom rule or Service rule
  4. Last in line is the Default Rule, which will, like the name suggests, match queries that aren't affected by any of the above

If you wanted to have a Service Rule supersede a Custom Rule, you cannot do this within a single profile, as custom rules always get matched first. However you can accomplish this by adding a second profile, where your Service rule exists in the first profile, and a custom rule in the 2nd profile. This way, the Service rule will always be looked at first, and if nothing matches, then the custom rules from your 2nd profile will be looked at next (provided no custom rules in your first profile matched anything).

Updated about 2 months ago