How Policies Are Processed and Applied
You can use policies to define configurations for lists of endpoint client computers. Policies are a collection of policy objects. Each policy object contains four main elements: a name, a list of computers to which this policy object is applied, configuration settings specified in a DeviceLock Service settings file (.dls), and a priority used to resolve conflicting policy settings among different policy objects. If there are policy setting conflicts between two policy objects, the policy object with a higher assigned priority wins, and its settings are applied. The priority value can range from 0 to 100, with 0 being the lowest priority and 100 being the highest priority. For a client computer that is assigned two or more policies with the same priority, the first policy received from the server takes priority and is applied first.
You can create your own policy objects or use the Default Policy object included with DeviceLock Enterprise Server. The Default Policy is automatically applied to all client computers regardless of any other applied policy objects. You cannot delete this policy, but you can block inheritance of it. Blocking inheritance of the Default Policy prevents the application of the policy. You can also partially modify it to suit your needs. In the Default Policy object, you can, for example, assign a policy by loading a DeviceLock Service settings file (.dls) or change a static list of client computers to which the policy is applied. You cannot change the name or the priority of the Default Policy object. The Default Policy has the lowest priority. When multiple policy objects are applied to a client computer, the resultant policy that contains the sum of all settings from the policy objects is applied. If there are conflicting policy settings among these policy objects, the non-default policy takes priority over the Default Policy.
Once you have defined policy settings in policy objects, they are ready to be enforced. A client/server interaction works as follows:
1. A client computer locates a specific server that was chosen for connection and sends a policy request to the server to initiate a connection. The policy request contains a checksum of the client’s current policy settings.
   A policy request from a client is sent either every hour or when any of the following events occurs:
   - A user boots or reboots the computer running DeviceLock Service.
   - A user logs on.
   - A user right-clicks the DeviceLock Tray Notification Utility icon in the notification area of the taskbar, and then clicks Refresh Current State.
     The DeviceLock Tray Notification Utility icon is displayed in the notification area when Always show tray icon is enabled in Service Options.
   - DeviceLock Service switches from offline mode to online mode.

   Note: Policies can be received only from the servers assigned to the Everyone account. The servers assigned to specific user accounts are not used for policy distribution, but only for audit log and shadow file collection.
2. The server determines which policy objects are applied to the client computer, creates a resultant policy for it by merging settings from the policy objects, and then compares the checksums of the current policy and the resultant policy. If the policy checksum comparison finds these policies are different, the server returns the resultant policy to the client. If the policies are identical, the policy transfer does not occur.
 
Note:
- If there is a list of DeviceLock Enterprise Servers that DeviceLock Service can connect to, and the initial server chosen for connection fails to send the requested policy to the client, the client then selects the next server in the list.
- If the client has the DeviceLock Certificate (the public key), the server chosen for connection must also have the corresponding certificate (the private key). Otherwise, the policy transfer fails.
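
The merge and checksum steps described above, modeled as an added Python example (this is not DeviceLock code). The setting names, the SHA-256-over-JSON checksum, and treating the Default Policy as applying to every client at priority 0 are assumptions made for illustration; it is useful for predicting which setting wins before assigning overlapping policy objects.

```python
import hashlib
import json
from dataclasses import dataclass


@dataclass
class PolicyObject:
    name: str
    priority: int             # 0 (lowest) .. 100 (highest)
    computers: set            # clients the policy object is applied to
    settings: dict            # stands in for the contents of a .dls file
    is_default: bool = False  # the Default Policy always ranks lowest


def resultant_policy(client, policies, block_default=False):
    """Merge every policy object applied to `client` into one settings dict."""
    applied = [p for p in policies
               if (p.is_default and not block_default)
               or (not p.is_default and client in p.computers)]
    # Rank non-default before default, then higher priority first. sorted() is
    # stable, so equal priorities keep list order (first received wins).
    ranked = sorted(applied, key=lambda p: (p.is_default, -p.priority))
    merged = {}
    for policy in ranked:
        for key, value in policy.settings.items():
            merged.setdefault(key, value)  # a stronger policy keeps its value
    return merged


def checksum(settings):
    """Assumed checksum: SHA-256 over canonical JSON (real algorithm not stated)."""
    canonical = json.dumps(settings, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def handle_policy_request(client, client_checksum, policies, block_default=False):
    """Server side: return the resultant policy only if the checksums differ."""
    merged = resultant_policy(client, policies, block_default)
    return None if checksum(merged) == client_checksum else merged


# Constructed sample data; setting names are illustrative, not real .dls keys.
POLICIES = [
    PolicyObject("Default Policy", 0, set(),
                 {"usb_storage": "deny", "audit": "on"}, is_default=True),
    PolicyObject("Finance", 50, {"PC-01"},
                 {"usb_storage": "read_only", "shadowing": "on"}),
    PolicyObject("Kiosk", 50, {"PC-01"}, {"usb_storage": "deny", "printer": "deny"}),
    PolicyObject("Lab", 90, {"PC-01", "PC-02"}, {"printer": "allow"}),
]
```

For PC-01, Lab decides the printer setting, Finance beats Kiosk on usb_storage because it was received first at the same priority, and the Default Policy contributes only the audit setting that no other policy object defines.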