[skeptik]

Hi I am a new BES admin who has inherited a system and I would like to change some info in our default policy (like password requirements and attempts before the device will wipe itself etc..). I do know how to do this and have created a test policy that works exactly how I want it to but have come across a dilemma.
Everyone says it is best practice not to make any changes to the default IT policy and to apply a policy to a group. What I would like to know is why? If I am only planning on having limited changes that I would like to be Default to all devices on our network it seems to me that it would be best to use the default as I want to ensure these policy setting are applied to all devices that connected to our servers. if I was to change the default I would also make a backup of it first
I’ve been searching around the web trying to find an explanation to this question but have had a hard time finding it typical answers are “its best practice to” but there never seems to be a why

sorry a little long winded

any info would be greatly appreciated

[jjbova]

My opinion on it -

At this point in time it is "Your" server, and you can do what you please, set it up how you want, configure it the way that helps with you. HOWEVER, think if the admin before you changed everything in the default policy. That wouldn't be that hard to go back and change, but it is time consuming and annoying. When it takes little to no effort to just Copy the default one, and then make your changes.

What BES version are you running? Groups changed ALOT between 4.1 and 5.0 and they also added child groups and Roles. I imagine the responses you will get about groups will vary depending on your version.

[juwaack68]

Moved to BES Admin forum.

Different BES Admins have different thoughts on this, and after discussing with some I made a copy of the Default policy and called it 'Blank'. I then made the Default Policy very restrictive and have it populate the Owner field with "Your device has the wrong IT Policy - please contact the Helpdesk to have it changed to the correct policy".

Why? Because we have a Helpdesk of 18 different people who add/remove users and assign policies. They forget to change the policy from the Default when setting up new users, and that used to mean that people 'got away with' not having the any security on their devices. Therefore they now get an even more restrict policy, and call to get the less restrictive one.

I'd rather someone have too much security then not enough.

[skeptik]

thanks for the move (i must have missed the Admin Forum)
to add i am Running 5.01 MR3 currently but will probably update to 5.02 in Production within the next few months (currently running a on a test environment)
i would like to use grouping to do this as looking down the road from a managability stand point it make sense but it also makes sens to ensure ALL users attached get the policy (it is just a slightly altered basic password policy). my boss posed the question of why not just edit the default policy and the problem i have is both sides make sense

we have about 2000 users and there are a about 10-15 help desk people with rights to add/remove and a few other basic options. i do have some concern about making sure they all users are groups as people may be busy and miss adding them, but it is easy enough to pull info regulary (say on a weekly basis) of people not on the right policy or assign someone to do so and theh properly group them.

[jjbova]

I like that idea of restricting the default policy. I have that problem sometimes that I will find a few users still in the default polidy with no group...... I just shake my head wondering "What is so hard about just adding the user to a group".

[cyclmpc]

Skeptik

It will depend on your environment. As you say, it isn't too hard to go through your users to list and see who has the correct policy applied to them. It seems in your case, having a user with the incorrect policy is not too big a deal. You just change them.

In my case, I'm not prepared to put my tail on the line because a Help Desk person did not live up to their duties. I can not go to my management and say, "sorry, the user got the wrong policy because the Help Desk did not do their job". It is just an excuse. I do not worry about things that I cannot control, but for the things I can control, I sure get upset when I do not do the things in my power to prevent it from happening.

It's just a way to look at things. As juwaak68 said, I also prefer to sit on the side of too much vs. not enough.

[Mikey_AGBoston]

OK - going to chime in on this one...
So, we enforce a password policy at my firm. And, there were instances where BES admins were forgetting to apply the password policy when activating users..
Finally I was like, forget this... and I applied the password policy to the default.
Now, I know this isn't BEST PRACTICES... but now, it can't be forgotten..
I sleep better, and all is right in the world...