Home » IT policies » Assigning IT policies and resolving IT policy conflicts » Option 2: Applying multiple IT policies to each user account

Reconciliation rules for conflicting IT policies when you apply multiple IT policies to a user account

The BlackBerry Enterprise Server can apply multiple IT policies to a user account if the user account is a member of multiple groups that have different IT policies. Since you can assign IT policies to user accounts, groups, or the BlackBerry Domain, the BlackBerry Administration Service uses predefined rules to apply an IT policy to a user account.

The BlackBerry Administration Service might have to reconcile conflicting IT policies if you perform any of the following actions:

add an IT policy to or remove an IT policy from a user account or group
change an IT policy
change the ranking of IT policies
delete an IT policy

Scenario	Rule
You add a new user account to a BlackBerry Enterprise Server. You do not assign an IT policy directly to the user account and you do not add the user account to a group.	The Default IT policy (applied at the BlackBerry Domain level) is assigned to the user account.
You assign an IT policy to a user account and different IT policies to the groups that the user account belongs to.	The IT policy that you assign to a user account takes precedence over the IT policies that you assign to the groups that the user belongs to. An IT policy that you assign to a group takes precedence over the Default IT policy (applied at the BlackBerry Domain level).
A user account belongs to multiple groups. You assign multiple IT policies to the groups but you do not assign an IT policy to the user account.	If you assign multiple IT policies to the groups that the user account belongs to, the BlackBerry Enterprise Server resolves the IT policy rule settings in the multiple IT policies and assigns a combined IT policy that has a unique ID to the user account. The BlackBerry Enterprise Server resolves conflicting settings for IT policy rules by applying the rule setting from the IT policy that you ranked the highest in the BlackBerry Administration Service. For example, you configure the Disable Photo Camera IT policy rule to Yes in IT policy A and to No in IT policy B. If you rank IT policy A higher than IT policy B, the Yes setting is applied for this rule.
A user account belongs to two groups. You assign the first group IT policy A, which has the Allow Browser IT policy rule as blank (which means that it uses the default value of Yes). You assign the second group IT policy B, which has the Allow Browser IT policy rule set to No. You ranked IT policy A higher than IT policy B in the BlackBerry Administration Service.	When the BlackBerry Enterprise Server resolves conflicting rule settings, any rule settings that have been explicitly configured to a value take precedence over IT policy rule settings that are blank (these rules revert to the default value). For example, in this scenario, the Allow Browser IT policy rule setting from IT policy B, No, is applied to the user account even though IT policy A is ranked higher than IT policy B, because the Allow Browser IT policy rule is blank in IT policy A. If the Allow Browser IT policy rule was configured to Yes in IT policy A, the Yes value would be applied to the user account.