How to Resolve Policy Conflicts and “Policy Flipping” in Your Fleet?
When managing a massive fleet of devices, it is incredibly common for a single device to belong to multiple groups simultaneously (e.g., Windows Laptops, Marketing Department, and High-Security Executives). But what happens when these groups push contradictory settings to the same device—like one policy allowing the camera and another blocking it?
In Hexnode UEM, the Policy Conflict Resolver acts as the definitive “supreme court” for your devices. It evaluates overlapping payloads and prioritizes them to ensure the device state remains deterministic, predictable, and highly secure. Here is your comprehensive guide to understanding how Hexnode calculates the final effective policy on a device.
How the Resolution Logic Works
When multiple policies target the exact same setting on a device, Hexnode uses a deterministic logic path to evaluate the payloads and output a Final Effective Policy.
1. Are the policies targeting the same setting?
- No: The policies are Additive. Both settings are applied to the device without issue.
- Yes: A conflict exists. Hexnode then looks at the Type of conflict.
2. Conflict Evaluation Rules:
- Restrictions (e.g., Camera, App Store): Most Restrictive Wins. Security takes precedence, so the stricter rule overrides the lenient one.
- Configurations (e.g., Wallpapers, Kiosk Layouts): Last Applied Policy Wins (LIFO). The most recently pushed configuration overwrites the older one.
- Security/Passcode: Highest Complexity Wins. The policy demanding the highest level of security (e.g., longest passcode) takes effect.
The Conflict Truth Table
Use this matrix to predict how a device will behave before you deploy overlapping policies.
| Feature Type | Policy A (Group Level) | Policy B (User Level) | The Winner (Effective State) |
|---|---|---|---|
| Restrictions | Allow Camera | Block Camera | Block Camera (Most Restrictive) |
| Passcode | 4 Digits | 6 Digits + Alphanumeric | 6 Digits + Alphanumeric (Highest Complexity) |
| Wi-Fi | SSID: “Office_Guest” | SSID: “Office_Corp” | Both (Configuration is Additive) |
| Wallpapers | Image_Blue.png | Image_Red.png | Image_Red.png (Last Policy Applied) |
| App Store | Prohibited | Required VPP App | App Installs allowed for that specific VPP ID only |
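The rules and truth table above, modeled as a small resolver. This is an added sketch, not Hexnode's implementation: the setting keys, the `Policy` class, the `applied_at` ordering field and the passcode ranking are assumptions made for illustration.

```python
from dataclasses import dataclass

# Conflict classes from the rules above. Setting keys are constructed for this sketch.
RESTRICTION, CONFIG, PASSCODE = "restriction", "configuration", "passcode"
SETTING_TYPE = {"camera": RESTRICTION, "wallpaper": CONFIG, "passcode": PASSCODE}

@dataclass
class Policy:
    name: str
    applied_at: int   # assumption: push order, higher means applied later
    settings: dict

def passcode_strength(p):
    # Assumption: alphanumeric outranks numeric-only, then the longer minimum wins.
    return (p["alphanumeric"], p["min_length"])

def resolve(policies):
    """Return {setting: (effective_value, name_of_winning_policy)}."""
    effective = {}
    for pol in sorted(policies, key=lambda p: p.applied_at):
        for key, value in pol.settings.items():
            if key not in effective:          # no other policy set it: additive
                effective[key] = (value, pol.name)
                continue
            current = effective[key][0]
            kind = SETTING_TYPE.get(key, CONFIG)
            if kind == RESTRICTION:           # most restrictive wins
                wins = current == "allow" and value == "block"
            elif kind == PASSCODE:            # highest complexity wins
                wins = passcode_strength(value) > passcode_strength(current)
            else:                             # configuration: last applied wins
                wins = True
            if wins:
                effective[key] = (value, pol.name)
    return effective

# Constructed input mirroring the truth table rows (the App Store/VPP row is not modeled).
def table_policies(group_order=1, user_order=2):
    group = Policy("Policy A (Group)", group_order, {
        "camera": "allow", "wallpaper": "Image_Blue.png",
        "passcode": {"min_length": 4, "alphanumeric": False},
        "wifi:Office_Guest": "configured"})
    user = Policy("Policy B (User)", user_order, {
        "camera": "block", "wallpaper": "Image_Red.png",
        "passcode": {"min_length": 6, "alphanumeric": True},
        "wifi:Office_Corp": "configured"})
    return [group, user]

if __name__ == "__main__":
    for setting, (value, winner) in sorted(resolve(table_policies()).items()):
        print(f"{setting:18} {value!s:45} <- {winner}")
```

Calling `table_policies(group_order=2, user_order=1)` reverses the push order: only the wallpaper result changes, while the camera and passcode outcomes stay the same because those two rules do not depend on order.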
Strategic Execution: The “Safety Rail” Principle
To prevent “Policy Flipping”—a frustrating scenario where a device constantly toggles back and forth between two conflicting states—Hexnode utilizes a State-Locked Enforcement loop:
- SENSE: The Hexnode agent reports a local device setting that differs from the expected Effective Policy.
- THINK: The Resolver checks the calculated Policy Priority List.
- ACT: If a “Lower Priority” policy attempts to change a “Higher Priority” restriction, the command is ignored.
Hexnode maintains the secure state and logs a Policy Conflict Alert in the Action History.
Troubleshooting Failure Modes
If a device isn’t behaving as expected, check your incident logs for these diagnostic error codes to quickly resolve the issue:
| Configuration errors | Resolution Path |
|---|---|
| Oscillation Detected: Two policies are fighting for control of a single toggle. | Audit your Dynamic Groups to ensure the device isn’t rapidly jumping between groups. |
| Payload Mismatch: An OS-level restriction is blocking a UEM-level configuration. | Check if the user has applied a manual local lock (like Apple’s “Screen Time” or Parental Controls). |
| Lapsed Priority: A legacy policy is overriding a new one due to a sync delay. | Trigger a Clear All Policies and Re-apply command from the Hexnode portal. |
Governance: Taking Manual Control
While the automated conflict resolver handles the vast majority of scenarios flawlessly, administrators still retain ultimate control:
- Priority Manual Override: Admins can designate specific policies as “Absolute Priorities.” These act as global overrides, bypassing standard resolution logic to always supersede any other group or user-level setting.
- The Audit Trail: Whenever you are in doubt about why a device is behaving a certain way, navigate to the Policy Summary tab on that specific device’s page. The Calculated Policy view will show you exactly which policy “won” the conflict for every individual setting.