You are using an unsupported browser. Please update your browser to the latest version on or before July 31, 2020.

17: Are PolicyPak Cloud policies processed on User or Computer side (and why do I only sometimes see User or Computer side ILT?)

There are really “two levels” of Policy type in PolicyPak Cloud:

  • Top level policies, which are created in-cloud and linked over to a Company Group. The Top level policies are always a specific type, say, PolicyPak Admin Templates Manager, PolicyPak Least Privilege Manager or PolicyPak Browser Router, etc.
  • Internal policies which are created as you add new items inside a top level policy.

The distinction can be seen below. Items in RED are “Top-Level Policies” and Items in Purple are “Internal Policies” to the specific Top-Level policy type.

So the processing of all Top Level Policies is always done on the Computer side, meaning, all users on the computer will be affected by all policies (initially.).

This is because all Cloud policies are downloaded to \programdata\policypak\Xmldata\cloud folder, like what’s seen here.

Then in the case for some policies, you can perform some settings user side only, others computer side only, and others you can switch.

PolicyPak Admin Templates Manager is a good example. After you look at the entries, you will get the following example settings.

The result of the downloaded XML looks like this; where the Top-Level policy will GENERALLY always come in on Computer (Machine) side. And the Internal policy is what is set in the configuration or what the CSE might be hardcoded to.

Therefore, to see and understand what ILT types will be available, it comes down to how the CSE operates. Some CSEs will operate in either USER or COMPUTER modes.
In general those which operate in EITHER (PolicyPak Admin Templates Manager, PolicyPak Least Privilege Manager, etc.) the Internal policies will have ILT which is geared toward a USER.
In this way you can deliver the main policy to the COMPUTER, then filter by WHICH USER(s) or WHICH GROUP(s) you want to limit the policy to affect.

One exception to the rules above… Note the small difference between a policy which is created ONLY using PolicyPak Cloud editor. The Top-Level policy will show Machine like what’s seen here.

But if a policy is uploaded from on-prem MMC, specifically the USER side, the XML will look like this.

This does not affect the operation of the policy in any way. The policy is still downloaded by PolicyPak Cloud to \programdata\policypak\Xmldata\cloud, processed by a licensed CSE, the policy affects all users (by default), and then any ILT on the user-side (if any) will then be processed, thus limiting the scope of where the policy is affected.

  • 1217
  • 05-Aug-2022