Multiple Enforced Profiles

Enforcing multiple Profiles on a Device can allow for highly complex behaviors.

Traditionally, a Device enforces a single Profile (configuration). Control D also allows you to enforce multiple profiles on a single device, in order to create advanced rule matching behaviors.

How it works

When creating a device, you can choose up to two profiles (three for Organization accounts) that are enforced on the device. When you query a device that enforced 2 profiles, the rule engine will look for a match in the first profile. A match means:

  • Filter was triggered that blocked something
  • Service rule was triggered that blocked, redirected or bypassed something
  • Custom rule was triggered that blocked, redirected or bypassed something
  • Default Rule was triggered that blocked or redirected something

If the first profile didn't match any rule, when the 2nd enforced profile is consulted. The rule engine will then perform the same flow as above and look for a match.

Another way to think about is multiple profiles are merged into a single one, and in case of conflicts (Profile 1 says block, Profile 2 says redirect), the first profile wins. Organization accounts have a way for a 2nd Profile to override the 1st in some cases.

Organization Accounts

If you have a Organization account, you can also leverage the Global Profile feature within any Sub-Organization. This can add a 3rd layer, meaning you can enforce up to 3 Profiles on any Device.


  1. You cannot create schedules for devices that have multiple profiles.

Use Cases

There are many powerful behaviors that you can accomplish with this feature. Some of these include:

Common Rules

You may have multiple profiles, but they probably have few/many rules that are common between all of them. If you change a rule in one, you have to go and manually change it in all other profiles. Instead, you can just have a single “Common Profile” that has all your common rules. Then your device specific profiles can have only the rules you need on those specific devices. So you can have something like this:

  • Device A: Everyone Profile → Work Profile
  • Device B: Everyone Profile → Home Profile
  • Device C: Everyone Profile → Employee Profile

“Everyone Profile” contains things you probably want on all devices (block Malware, Ads, Phishing), while device/use-case specific profiles can only contain rules for things you only need on those specific devices. This eliminates the need to duplicate or sync rules.

If you have a Organization account, and leverage sub-organizations you can make this 3 tiered:

  • Device A: Global Profile For Entire Org → Support Department Profile → User Specific Profile
  • Device B: Global Profile For Entire Org → Marketing Department Profile → User Specific Profile
  • Device C: Global Profile For Entire Org → User Specific Profile

Rule Priorities

The rule engine works as follows:

  1. Custom rules take precedence over everything
  2. Service rules are second in line, and are checked if there are no custom rules that match the DNS query
  3. Filters (which block things) are 3rd in-line and will match a domain if there is no overriding custom rule or Service rule
  4. Last in line is the Default Rule, which will, like the name suggests, match queries that aren't affected by any of the above