Policy Loops
What
Smart Groups provide extensive power to Fileset management. By way of preset criteria, devices enter and leave groups appropriately. However, it is possible for this to go wrong and get unexpected experiences. Policy Loops are an example of such behaviour.
When/Why
Time to explain, with examples.
Example 1
Image a PKG macOS installer Fileset for an app called CLU.app, version 1.0
This is associated to all devices based upon two criteria:
- Device OS is macOS
- Device does not have CLU.app version 1.0 installed
Once the software is installed, the devices no longer belong to the group, since version 1.0 I now installed.
A new version of the software is released, version 1.1. A new association is created with a differing group, with Criteria:
- Device OS is macOS
- Device does not have CLU.app version 1.1 installed
Perhaps the apparent issue is already obvious.
- Devices running version 1.0 will be included in the new Smart Group at the next refresh time.
- The Fileset will activate and the software will transfer from version 1.0 to 1.1
- Devices will leave this new group for version 1.1
Clearly, all should be done now, until the next new version is released. However, there is an issue.
When devices check back that version 1.1. is installed, at the next Smart Group refresh, devices will be added back into the group for version 1.0, since this version is no longer installed. If this older version PKG is allowed to instal over the newer version, the software will be downgraded back to version 1.0.
But hang on. If 1.0 is now installed, the device will be added back into the Smart Group for version 1.1 at next refresh, with the consequence of installing 1.1. again.
This is an example of a Policy Loop. The device will continually be adding itself in and out of groups, installing and removing software as it goes.
Example 2
Here is another example, but with just one group.
Same principle, but this time with a file level self-healing Fileset of this same application for Windows. This time CLU.exe, version 1.0
The criteria for the Smart Group association this time has been set as:
- Device OS is Windows
- Device does not have this software installed
Windows devices without this software will enter the Smart Group, receive the Fileset, adding the exe and any other supporting files to the designated folder. Subsequently, the device will check back in, reporting the software is now installed. At next Smart Group refresh, the device no longer meets criteria and the device leaves the Smart Group.
This is now where the issue occurs. As a self-healing Fileset, the software will be removed on disassociation of the Fileset. The user will lose the software, but at next refresh, the device will re-enter the group, causing the software to instal once more.
Again, this will continue to occur, with the software constantly being removed and re-added.
For each of these examples, should certain features not be used, for example, self-healing in the latter example. Absolutely not. Self-healing is a key aspect to FileWave Fileset deployment. Instead, care should be taken, when considering the criteria of Smart Groups, to be sure that Policy Loops do not occur.