This article addresses the following questions about Group Policies:
- Why isn't my Group Policy applying?
- What is the order of priorities for Group Policies?
- How do I completely block or whitelist a client?
- How do I bypass a network-wide Group Policy for a device?
Why isn't my Group Policy applying?
It may appear that a client is not being affected by parts of a group policy, or the group policy is not being assigned to the client at all. To perform some preliminary troubleshooting, please follow these steps, checking whether or not the policy works after each step:
- Make sure the client disconnects and reconnects to the network. A policy will not be applied until the device connects to the network.
- Under Monitor > Clients, look under the Access column and see if the policy is being applied (if you do not see this column, press the plus icon and enable it). If the policy is not listed here for that client, check that the client fits the criteria for the policy to be applied.
- Check that the desired policy is not being overwritten by policies that take a higher priority (see below, under "What is the order of priority for Group Policies").
- If the part of the policy that's not working is a content filtering/layer-7 firewall rule, check that the client is not using HTTPS or a proxy. This can prevent content filtering from working properly.
- Check your policy to determine if Blocked Website Categories has been set to Override with no categories defined. This would enforce the network-default categories (Configure > Content Filtering)
- If possible, delete the policy and see if that changes client behavior, then recreate the policy and follow previous steps.
- Create a more limited test policy (only blocking one website, for example) and manually apply that policy to the client, to see if any policies work.
- If the above steps do not solve the issue, please refer to the Knowledge Base to look up relevant articles on the specific issue.
Note: Layer 3 firewall rules configured in group policy are stateless, and corresponding rules may be required for return traffic.
What is the order of priority for Group Policies?
Since multiple Group Policies can affect the same settings, or overwrite network default settings, there is an order of priority in place for which settings will affect a client. This order is as follows, from top priority to lowest:
- Policies set manually for a specific client (on their client details page) take top priority. This includes the Whitelisting and Blocking default rules.
- Network-wide policies applied automatically by device type, VLAN, SSID, etc. will override network default settings, but be overridden by manual policies.
- Network settings will be overridden by any policies applied to the client.
Bob's network is set with a bandwidth limit of 500Kb/s, but he has created a Group Policy for iOS devices that will limit bandwidth to 250Kb/s. Therefore, all iPhones that connect to his network will have a cap of 250Kb/s, not 500. Alice is the president of the company, and she owns an iPhone, so Bob creates a Group Policy that will only be applied to Alice. This policy sets the bandwidth limit to "unlimited," and is applied manually to Alice's device. Now Alice's iPhone will have no bandwidth cap, because her manually-applied policy takes precedence over all others.
- If two policies are applied to the same client, but no settings actually conflict (e.g. policy A only affects bandwidth, policy B affects content filtering), both can be applied without issue.
- If using Active Directory to map groups to policies, only the first policy that matches the user will be applied.
How do I completely block or whitelist a client?
Group Policies are designed to allow an admin to set custom limits for certain devices or users, so for allowing full access or denying a client, the Cisco Meraki devices come with two built-in policies for blocking and whitelisting clients.
The following article fully describes how to block and whitelist devices - Blocking and Whitelisting Clients on Cisco Meraki Networks
How do I bypass a network-wide Group Policy for a device?
As described above under "What is the order of priority for Group Policies," a client-specific Group Policy will override settings applied by a network-wide policy. As such, to restore default network settings on a client device that's otherwise configured by a network-wide Group Policy, create a generic Group Policy that uses network-default settings for everything. Then, following the instructions above for "Applying to a device manually," set the client manually to use that policy. This policy will override the lesser, network-wide policy, and restore default network settings for the client.