
NinjaOne Policies: Getting Started With Dynamic Policies

Topic

This article describes the components of NinjaOne's Dynamic Policies feature and the logic it uses to facilitate dynamic user and endpoint management.

To learn how to create and edit dynamic policies, refer to NinjaOne Policies: Managing Dynamic Policies.

This feature is currently in beta. To enable it, contact your NinjaOne Account Manager.

Environment

NinjaOne Endpoint Management

Description

This feature, available only for Microsoft Windows endpoints, enables you to configure individual policy components and settings that target users and devices dynamically, while leveraging a prioritization matrix to resolve conflicts. We've added new components and enhanced the NinjaOne platform's logic to facilitate the creation of these policies.

Dynamic policy management is only available to full NinjaOne System Administrators.


Dynamic Policy Entity

When you create dynamic policies, they'll appear in your NinjaOne instance at Administration → Dynamic policies → Windows.

Figure 1: Dynamic Windows policies list

Click any list entry to open the entity's detailed view. From this page, you can review and customize the dynamic policy's settings, including configurations for scheduled automations, conditions, OS patching, and more.

Figure 2: Dynamic policy entity

For comprehensive information about the entity details page, review our NinjaOne Policies: Managing Dynamic Policies article.

Good to Know

Two major rules apply to dynamic policy entities:

  • Devices can have more than one dynamic policy assigned to them.
  • Devices must have an assigned core base policy; dynamic policies apply on top of the base policy.

Dynamic policies have the same options as our standard policies, but they provide a checkbox for each policy configuration section that represents an "intent to configure."

Figure 3: Configuration checkboxes

"Intent to configure" means you explicitly choose to activate a specific setting or configuration in the policy. When you select a checkbox, the dynamic policy will apply the selection to all devices targeted by the policy. Settings and configurations that you do not select will not apply.

Conflicts and Merging

When a device has more than one dynamic policy with the same selection active, a conflict arises that requires resolution. Depending on the area within the dynamic policy, NinjaOne can address this conflict in two ways:

1.    It merges settings or items in that part of the policy (Additive).
2.    It resolves conflicts through a prioritization mechanism (Priority).

Policy Area              Conflict and Merge Behavior
Scheduled Automations    Additive
OS Patching              Conflict resolution by priority

Additive and Merging

When a policy area is additive, NinjaOne combines all of the items from the applicable dynamic policies and includes them in the final policy. For example, consider the following situation:

  • Dynamic Policy A: Five scheduled automations
  • Dynamic Policy B: Three scheduled automations
  • Dynamic Policy C: One scheduled automation

In this case, the device's effective policy contains a total of nine scheduled automations.

The following diagrams illustrate how the same dynamic policy handles two different additive scenarios based on the endpoint's criteria.

Scenario A: DHCP/DNS/Active Directory Endpoint

Figure 4: DHCP, DNS, and Active Directory merge and apply

Scenario B: Active Directory Endpoint

Figure 5: Active Directory merge and apply

Conflict by Priority

There are certain policy areas where one setting must win. For instance, NinjaOne patching cannot be active and inactive at the same time. When multiple dynamic policies have conflicting settings, NinjaOne determines the winner based on the policy with the highest priority. You can designate policy priorities in the NinjaOne platform at Administration → Dynamic policies → Windows → Manage priority.

Figure 6: Manage dynamic policy priority

Consider the following situation:

  • Dynamic Policy A: Priority 1 → OS Patching → Update Schedule → Monday at 3:00 A.M.
  • Dynamic Policy B: Priority 2 → OS Patching → Update Schedule → Thursday at 5:00 A.M.

The effective device policy will enforce OS patching on Monday at 3:00 A.M.

Target Rules

Dynamic policies define the "what" of your security strategy, while target rules specify the "who." You can use target rules to create logical conditions based on organization, location, and attributes related to devices and users. Doing so enables you to target specific users or devices effectively.

You can define target rules for your dynamic policies by navigating to Administration → Dynamic policies → Target rules. To create a new target rule, click Add target rule. To edit an existing target rule, click any entry in the Target rules list.

Figure 7: Target rules table

A target rule requires you to select an initial subset of targets based on whether you want to include all organizations and locations or only specific ones. You then define rules to target devices or users within those subsets.

Figure 8: Target rule details

There are two key points about target rules to keep in mind:

  1. To apply target rules, you must tie them to a dynamic policy. You can do so from the Assignment tab of the target rule's detailed view.
  2. Target rules are event-driven; there is no polling, and there are no periodic searches. As attributes change, NinjaOne can apply dynamic policies to endpoints in seconds.

To view the devices that meet the criteria for a target rule, click the Preview targeted devices button available in the rule's detailed view.

Target rules can also have groups, up to two levels deep, that use alternating AND/OR logic.

Figure 9: Defining target rule trigger logic

For example, the rule in Figure 9 instructs NinjaOne to do the following: "Target anything where the Patch Monday device tag is present AND (the assigned user role is testRoleA OR the GS-DeviceCF custom field contains a value of Critical)."
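
The rule quoted above can be modeled as a small AND/OR tree and checked against device records before you assign it, which helps confirm who is actually in scope. This is an added illustration, not NinjaOne code: the rule and device dictionary shapes, the test names (has, contains, equals), and the sample devices are assumptions.

```python
# Added illustrative model, not NinjaOne code; rule/device shapes are assumptions.
MAX_GROUP_DEPTH = 2  # "up to two levels deep"; assumes the top-level group is level one


def validate(node, depth=1, parent_op=None):
    """Reject trees deeper than two group levels or with non-alternating AND/OR."""
    if "op" not in node:
        return  # leaf condition, nothing to check
    if depth > MAX_GROUP_DEPTH:
        raise ValueError("groups may nest at most two levels deep")
    if node["op"] not in ("AND", "OR") or node["op"] == parent_op:
        raise ValueError("nested groups must alternate between AND and OR")
    for child in node["items"]:
        validate(child, depth + 1, node["op"])


def matches(node, device):
    """Evaluate a condition leaf or an AND/OR group against one device record."""
    if "op" in node:
        results = (matches(child, device) for child in node["items"])
        return all(results) if node["op"] == "AND" else any(results)
    actual = device.get(node["attr"])
    if node["test"] == "has":        # membership, e.g. a device tag
        return node["value"] in (actual or [])
    if node["test"] == "contains":   # substring, e.g. a custom field value
        return node["value"] in (actual or "")
    return actual == node["value"]   # "equals"


# The rule described for Figure 9.
RULE = {"op": "AND", "items": [
    {"attr": "tags", "test": "has", "value": "Patch Monday"},
    {"op": "OR", "items": [
        {"attr": "user_role", "test": "equals", "value": "testRoleA"},
        {"attr": "GS-DeviceCF", "test": "contains", "value": "Critical"},
    ]},
]}

# Constructed device records (hypothetical names and values).
DEVICES = {
    "ws-01": {"tags": ["Patch Monday"], "user_role": "testRoleA"},
    "ws-02": {"tags": ["Patch Monday"], "user_role": "other", "GS-DeviceCF": "Critical - finance"},
    "ws-03": {"tags": [], "user_role": "testRoleA", "GS-DeviceCF": "Critical"},
    "ws-04": {"tags": ["Patch Monday"], "user_role": "other", "GS-DeviceCF": "Low"},
}


def preview_targeted_devices(rule, devices):
    """Return the sorted names of devices that satisfy the rule."""
    validate(rule)
    return sorted(name for name, dev in devices.items() if matches(rule, dev))
```
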

Target Rule Assignment

Once you configure a target rule, the final step is to link it to a dynamic policy. To do so, navigate to the Assignment tab of the target rule's detailed view and click Assign dynamic policy. In the modal that opens, select the device type and the policy you'd like to associate with the rule. Then, click Apply.

Figure 10: Assign dynamic policy

Once you've established this link, the dynamic policy will immediately apply to all entities matching the target rule.

To learn more about managing target rules, refer to our NinjaOne Policies: Working With Target Rules article.

Device Effective Policy

Understanding the settings that apply to an endpoint is essential for monitoring its final configuration. Each device provides specific methods for verifying which policies are active. In the Settings → Policies section of the device's Detail page, you can find a list of dynamic policies and their application priorities, enabling you to determine the exact configuration details at any time.

Figure 11: Device detail → Settings → Policies

Each device has a comprehensive list of dynamic policies that apply to it, along with their respective application priorities. Click View effective policy to review the individual policy settings for that device.

Figure 12: Effective policies on a Windows endpoint

Move your cursor over dynamic conditions to view information about the policy that originated them. Click a condition for more details. You can override applied conditions at the device level.

Figure 13: Condition origin

Policy Application Order

NinjaOne calculates final policies in the following order:

  1. First, it applies the settings from the base policy. Even when using a dynamic policy, each device requires a core base policy.
  2. Next, it computes dynamic policies from the lowest to the highest priority. Some settings are additive, while others resolve conflicts based on priority.
  3. Individual device overrides have the highest priority and supersede both the base policy and dynamic policy settings.
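
The three steps above, together with the additive and priority behavior described earlier, can be modeled in a few lines to audit which layer a device's final setting came from and which settings were superseded. This is an added illustration, not NinjaOne code: the data shapes, the base policy value, and the choice to append dynamic items to any base items in additive areas are assumptions.

```python
from dataclasses import dataclass, field

# Added illustrative model, not NinjaOne code; names below are assumptions.
ADDITIVE = {"scheduled_automations"}  # per the table; other areas resolve by priority


@dataclass
class DynamicPolicy:
    name: str
    priority: int  # 1 is the highest priority, as in the page's patching example
    sections: dict = field(default_factory=dict)  # only areas ticked "intent to configure"


def effective_policy(base, dynamic_policies, device_overrides=None):
    """Return (settings, origin, shadowed) for one device."""
    settings = dict(base)                       # step 1: base policy
    origin = {area: "base" for area in base}
    shadowed = []                               # (area, superseded layer) pairs
    # Step 2: lowest priority first, so the highest priority is applied last and wins.
    for pol in sorted(dynamic_policies, key=lambda p: p.priority, reverse=True):
        for area, value in pol.sections.items():
            if area in ADDITIVE:
                # Assumption: base items are kept and dynamic items are appended.
                settings[area] = list(settings.get(area, [])) + list(value)
                origin[area] = "merged"
            else:
                if area in origin:
                    shadowed.append((area, origin[area]))
                settings[area], origin[area] = value, pol.name
    # Step 3: device-level overrides supersede base and dynamic settings.
    for area, value in (device_overrides or {}).items():
        if area in origin:
            shadowed.append((area, origin[area]))
        settings[area], origin[area] = value, "device override"
    return settings, origin, shadowed


# Constructed sample mirroring the page's two worked situations.
BASE = {"os_patching": "Sunday at 1:00 A.M."}  # hypothetical base value
POLICIES = [
    DynamicPolicy("A", 1, {"scheduled_automations": [f"a{i}" for i in range(5)],
                           "os_patching": "Monday at 3:00 A.M."}),
    DynamicPolicy("B", 2, {"scheduled_automations": [f"b{i}" for i in range(3)],
                           "os_patching": "Thursday at 5:00 A.M."}),
    DynamicPolicy("C", 3, {"scheduled_automations": ["c0"]}),
]

if __name__ == "__main__":
    print(effective_policy(BASE, POLICIES))
```

The shadowed list is the part worth reviewing: it shows every layer whose patching setting is not in effect on the device, including anything replaced by a device-level override.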

The following diagram illustrates the policy application order.

Figure 14: Policy application order
