Identify and organize zones
Understand and organize your zones before you create new zones to replace them.
You can identify legacy zones by viewing their details. A message appears in the Zone Rules section:
- “This is a legacy Zone Rule and cannot be deleted.”
Before you start creating new zones to replace legacy zones, identify and organize:
Zones that can be deleted
Before you remove a zone, confirm whether it is still used for any purpose. When you determine that a zone is no longer used and that you can remove it without affecting device policy assignments, zone-based update policy assignments, or Zone Manager or User roles, you can remove it.
Consider deleting:
- Zones that have no devices.
- Zones with names that do not match the intended purpose for their member devices.
If a zone is used in a zone-based update policy, you should first determine whether the update policy is no longer needed. If it is no longer needed, you need to delete the update policy before you delete the zone.
Zones that are not used for device policy assignment
Zones that are not used for assigning device policies, where the Associated Policy field in the zone is set to None, can be recreated in any order.
Zones that are used for device policy assignment
Zones that are used for assigning device policies need to be organized and created in a specific order based on the ranking of the associated policy. This ensures the most desired policy is assigned to devices, especially if devices are members of multiple zones. This is good practice even if the zones you use for policy assignment are designed to not have overlapping devices.
Higher-ranked devices should be assigned a higher-ranked policy, which is considered to have more restrictive settings and should generally be used to protect your more critical endpoints. Likewise, lower-ranked devices would be assigned a lower-ranked policy, which has less restrictive settings for less critical endpoints.
Highest-ranked devices (most restrictive device policy):
- Servers
- Workstations for Executives
- Workstations for HQ
- Point of Sale Devices in Texas
- Contractors
Lowest-ranked devices (least restrictive device policy)
The order in which you create zones for each rank of devices should be from the lowest rank to the highest rank. In the example above, you might notice that some devices could overlap between the zones for "Workstations for HQ" and "Workstations for Executives". It is important to create the zones in the correct order, so that devices in the "Workstations for Executives" zone receive the more restrictive policy.
Zones that are used for update policy assignment
Zones that are only used for assigning update policies, and not device policies, can be recreated in any order. However, you must make sure the update policies are ranked accordingly so that if a device is a member of more than one zone with different update policies, the higher-ranked update policy is applied. You need to replace the zones assigned to update policies with the new zones.
You can easily identify whether a zone is assigned to an update policy from the Zones page. If the checkbox beside a zone is greyed-out, then it is currently assigned to an update policy. You are prevented from deleting the zone as long as it is assigned to an update policy.
- Go to the Settings > Updates page and document which update policy each zone is assigned to. Each zone can be assigned to one update policy only.
- Recreate the zones. If the zones are also used for device policy assignment, make sure to create them in the order described under "Zones that are used for device policy assignment" (lowest-ranked policy first).
- Assign each new zone to an appropriate update policy. You can assign them to the same update policy if the new zone is the equivalent of the original zone. You can also create new update policies, rank them, and assign the zones accordingly. If the original zones are not used for any other purpose, you can delete them.
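The following script is an added example, not part of the product or this guide, that models the rules from the device policy section and the deletion and update policy checks above: it derives the creation order (lowest-ranked policy first), reports overlapping zones, and flags zones that are candidates for deletion. The zone names, device names, update policy names and numeric policy ranks are constructed; the model assumes that when a device belongs to several zones, the zone created last determines its device policy, which is why the order matters.

```python
"""Plan zone recreation: constructed data and a simplified model, not product code."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Zone:
    name: str
    devices: frozenset = frozenset()         # member devices (constructed sample names)
    policy_rank: Optional[int] = None        # rank of the associated device policy, larger = more
                                             # restrictive; None means "Associated Policy: None"
    update_policy: Optional[str] = None      # update policy the zone is assigned to (at most one)
    used_by_roles: bool = False              # referenced by a Zone Manager or User role

def creation_order(zones):
    """Zones used for device policy assignment, lowest-ranked policy first.
    Zones with no associated policy are omitted: they can be created in any order."""
    return sorted((z for z in zones if z.policy_rank is not None), key=lambda z: z.policy_rank)

def resolve_policies(ordered):
    """Model assumption: the zone created last wins for a device in several zones,
    so creating lowest rank first leaves the highest-ranked policy on overlapping devices."""
    winner = {}
    for z in ordered:
        for d in z.devices:
            winner[d] = z.name
    return winner

def overlaps(zones):
    """Pairs of zones that share at least one device, with the shared devices."""
    found = {}
    for i, a in enumerate(zones):
        for b in zones[i + 1:]:
            shared = a.devices & b.devices
            if shared:
                found[(a.name, b.name)] = shared
    return found

def deletable(zone):
    """Candidate for deletion per the guide: no devices, no update policy, no roles."""
    return not zone.devices and zone.update_policy is None and not zone.used_by_roles

ZONES = [  # constructed inventory following the ranking example in this guide
    Zone("Contractors", frozenset({"ctr-01"}), policy_rank=1),
    Zone("Point of Sale Devices in Texas", frozenset({"pos-tx-01"}), policy_rank=2, update_policy="Monthly"),
    Zone("Workstations for HQ", frozenset({"hq-01", "hq-02", "exec-01"}), policy_rank=3),
    Zone("Workstations for Executives", frozenset({"exec-01"}), policy_rank=4),
    Zone("Servers", frozenset({"srv-01"}), policy_rank=5),
    Zone("Old Pilot"),                                   # empty and unused: safe to consider deleting
    Zone("Legacy Updates", update_policy="Weekly"),      # empty, but blocked until unassigned from the update policy
]

if __name__ == "__main__":
    order = creation_order(ZONES)
    print("Create in this order:", [z.name for z in order])
    print("Overlapping zones:", overlaps(ZONES))
    print("Device policy winner per device:", resolve_policies(order))
    print("Deletion candidates:", [z.name for z in ZONES if deletable(z)])
```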