Flex policies now support End User attributes as conditions, allowing you to scope policy deployment based on the assigned user's identity, department, role, and other attributes synced from your Identity Provider (IdP). This enables targeted policy delivery without creating separate policies for each user group.
This feature requires End User Management to be configured and a user assigned to the device.
How It Works
When you add an End User attribute as a condition to a Flex policy, Addigy evaluates the assigned user's attributes on each device to determine whether the policy should be applied. Only devices with an assigned user whose attributes match the condition will receive the policy.
For example, you can create a condition that targets only users in the "Engineering" department. Devices assigned to users in that department will receive the policy, while all other devices will be excluded.
If no user is assigned to a device, End User attribute conditions will not match, and the policy will not be applied to that device.
Adding an End User Condition
- Navigate to Policies and open an existing Flex policy or create a new one.
- In the Auto Assignment section, click Add Filter.
- From the attribute dropdown, select an End User attribute (e.g., Department, Title, Primary Email).
- Choose an operator (e.g., equals, contains, is not).
- Enter the value to match against.
- Save the policy.
You can combine multiple End User attribute conditions with other device-based conditions to create precise targeting rules.
Available Attributes
All End User attributes synced from your IdP are available as conditions in Flex policies. This includes:
| Category | Example Attributes |
|---|---|
| Identity | Username, Display Name, Title, User Type |
| Name | First Name, Last Name, Full Name |
| Emails | Primary Email, Work Email |
| Phone Numbers | Primary Phone, Work Phone, Mobile Phone |
| Addresses | Primary City, Primary State/Region, Primary Country |
| Enterprise | Department, Division, Organization, Cost Center, Employee Number |
| Groups & Roles | Groups, Primary Role |
| Status | Active |
Examples
Deploy a VPN configuration to the Engineering department
Add a condition to scope your VPN Flex policy to Engineering:
- Attribute: Department
- Operator: equals
- Value: Engineering
Only devices assigned to users with "Engineering" as their department will receive the VPN configuration.
Restrict a security policy to a specific office location
Target devices assigned to users at your New York office:
- Attribute: Primary City
- Operator: equals
- Value: New York
Exclude contractors from a policy
If contractors are identified by User Type in your IdP:
- Attribute: User Type
- Operator: is not
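- Value: Contractor
Because End User attribute conditions never match on a device with no assigned user, unassigned devices are also left out of this policy.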
Combine End User and device conditions
You can layer End User attributes with device-based conditions. For example, apply a policy only to macOS devices assigned to users in the Finance department:
- Condition 1 (Device): OS Type equals macOS
- Condition 2 (End User): Department equals Finance
Notes
- End User attribute conditions are evaluated against the currently assigned user on each device. If a device's user assignment changes, policy applicability is re-evaluated automatically.
- If no user is assigned to a device, conditions based on End User attributes will not match, and the policy will not apply to that device.
- Attribute values are synced from your IdP. Ensure your IdP data is accurate and up to date for conditions to work as expected.
- End User Management must be configured before End User conditions are available.
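The matching rules above can be checked against a device inventory before a policy is saved. The following is an added example, not Addigy code or its API: it models the behavior this page describes and reports which devices a security policy would silently skip because no user is assigned. The inventory, field names, and function names are constructed for illustration; case-sensitive comparison and treating a missing attribute as "no match" are assumptions.

```python
# Added example: a model of the matching rules described on this page.
# Not Addigy code. Inventory and field names are constructed.
OPERATORS = {
    "equals": lambda actual, wanted: actual == wanted,   # assumption: case-sensitive
    "is not": lambda actual, wanted: actual != wanted,
    "contains": lambda actual, wanted: wanted in actual,
}

def condition_matches(device, cond):
    scope, attribute, operator, value = cond
    if scope == "end_user":
        user = device.get("assigned_user")
        if user is None:
            return False  # no assigned user: never matches, even for "is not"
        actual = user.get(attribute)
    else:
        actual = device.get(attribute)
    if actual is None:
        return False  # assumption: a missing attribute is treated as no match
    return OPERATORS[operator](actual, value)

def receives_policy(device, conditions):
    # Conditions are combined as in the macOS + Finance example: all must match.
    return all(condition_matches(device, c) for c in conditions)

def coverage_report(devices, conditions):
    """Split devices into: policy applied, skipped for no user, excluded by value."""
    report = {"applied": [], "no_assigned_user": [], "excluded": []}
    uses_user = any(c[0] == "end_user" for c in conditions)
    for d in devices:
        if receives_policy(d, conditions):
            report["applied"].append(d["name"])
        elif uses_user and d.get("assigned_user") is None:
            report["no_assigned_user"].append(d["name"])
        else:
            report["excluded"].append(d["name"])
    return report

def user(dept, utype):
    return {"Department": dept, "User Type": utype}

DEVICES = [  # constructed sample inventory
    {"name": "mac-eng-01", "OS Type": "macOS", "assigned_user": user("Engineering", "Employee")},
    {"name": "mac-fin-02", "OS Type": "macOS", "assigned_user": user("Finance", "Employee")},
    {"name": "win-fin-03", "OS Type": "Windows", "assigned_user": user("Finance", "Employee")},
    {"name": "mac-ctr-04", "OS Type": "macOS", "assigned_user": user("Finance", "Contractor")},
    {"name": "mac-spare-05", "OS Type": "macOS", "assigned_user": None},
]
NOT_CONTRACTOR = [("end_user", "User Type", "is not", "Contractor")]
MAC_FINANCE = [("device", "OS Type", "equals", "macOS"),
               ("end_user", "Department", "equals", "Finance")]

if __name__ == "__main__":
    print(coverage_report(DEVICES, NOT_CONTRACTOR))
    print(coverage_report(DEVICES, MAC_FINANCE))
```

Devices listed under `no_assigned_user` need either a user assignment or a separate device-based policy if the setting is meant to apply fleet-wide.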