Policy-based management is powerful - define settings once, apply them across hundreds of devices automatically. But what happens when that automation doesn't work as expected? A policy that fails to apply leaves devices unprotected, misconfigured, or inconsistent with the rest of your fleet.
The good news: policy failures in Faronics Cloud are relatively rare, and when they do occur, the platform provides visibility to identify and resolve them. The key is understanding why failures happen, how you'll know about them, and what steps to take to fix and prevent issues.
This guide covers policy troubleshooting from end to end - the common causes of policy failures, how Faronics Cloud notifies administrators, and practical steps for resolution and prevention.

Why Policies Fail to Apply
Policy failures generally fall into a few categories. Understanding these helps you diagnose issues quickly:
Device connectivity issues
The most common cause of policy failures is simply that the device can't communicate with Faronics Cloud:
Device offline: If a computer is powered off, disconnected from the network, or otherwise unreachable, it can't receive policy updates. The policy exists in the cloud, but the device never gets it.
Network restrictions: Firewalls, proxy servers, or network policies may block communication with Faronics Cloud servers. The device is online but can't reach the management service.
Intermittent connectivity: Devices with unstable network connections may check in sporadically, missing policy updates or receiving them incompletely.
DNS issues: If the device can't resolve Faronics Cloud hostnames, communication fails even with working internet access.
Agent-related problems
Sometimes the issue is with the Faronics agent itself:
Agent not running: If the Faronics agent service has stopped or failed to start, the device can't communicate with the cloud or apply policies.
Outdated agent: Very old agent versions may not support newer policy features or may have bugs that affect policy application.
Corrupted installation: In rare cases, the agent installation may become corrupted, preventing proper operation.
Conflicting software: Security software or other system utilities might interfere with the Faronics agent's operation.
Configuration conflicts
Policy settings themselves can sometimes cause issues:
Incompatible settings: Some policy combinations may conflict or be impossible to apply together. The system may reject or partially apply such configurations.
Hardware limitations: Policies requiring features the hardware doesn't support (like Wake-on-LAN on devices without WoL capability) will fail for those specific features.
Operating system mismatches: Policies designed for specific Windows versions may not apply correctly to devices running different versions.
Timing and synchronisation issues
Policy application isn't always instant:
Check-in intervals: Devices check in periodically, not continuously. A policy change may take several minutes to propagate to all devices.
Reboot requirements: Some policy changes require a device reboot to take effect. Until the reboot occurs, the policy appears "applied" but isn't fully active.
Maintenance window timing: Certain policies (like maintenance schedules) only activate during their defined windows. They're not "failed" - they just haven't triggered yet.
Administrative errors
Sometimes the issue is on the admin side:
Wrong group assignment: Device is in a different group than intended, receiving different policies.
Policy not saved: Changes were made but not saved, or the save operation failed.
Policy not assigned: Policy was created but not assigned to any groups.
Testing vs production confusion: Policy was applied to a test group but not promoted to production.

How Administrators Are Notified
Faronics Cloud provides several ways to identify policy issues:
Dashboard visibility
The Faronics Cloud console provides at-a-glance status:
Device status overview: See which devices are online, offline, or in unexpected states. Devices not checking in may have policy issues.
Protection status: View whether devices are frozen, thawed, or in other states. Inconsistencies with expected policy are visible.
Group-level views: Filter by device group to see whether all devices in a group are receiving consistent configuration.
Device-level details
Drilling into individual devices reveals more information:
Last check-in time: When did the device last communicate? Extended periods without check-in suggest connectivity problems.
Current policy assignment: Verify which policy the device is receiving. Mismatches indicate group assignment issues.
Configuration state: See the actual configuration on the device versus what's expected.
Agent version: Identify devices running outdated agents that may need updating.
Proactive problem identification
Rather than waiting for problems to surface, you can proactively check for issues:
Regular dashboard reviews: Check the console daily or weekly. Look for devices that haven't checked in, unexpected states, or inconsistencies.
Post-change verification: After making policy changes, verify devices are receiving updates. Don't assume success - confirm it.
Periodic compliance checks: Review device configurations against expected baselines. Identify drift before it becomes problematic.
What notification doesn't include
To set realistic expectations:
Automatic email alerts: Faronics Cloud does not send automatic emails for every policy failure. Proactive dashboard monitoring is important.
Detailed error messages: When policies fail, you may see that they didn't apply rather than a detailed explanation of why. Some investigation may be required.
Automatic remediation: The system identifies issues but doesn't automatically fix them. Administrator action is required.

Fixing and Preventing Policy Issues
When policy issues occur, here's how to resolve them - and prevent recurrence:
Immediate troubleshooting steps
When you identify a policy problem, work through this sequence:
1. Verify the policy configuration: Is the policy correctly configured in the console? Are settings saved? Is it assigned to the right groups?
2. Check device connectivity: Is the device online and checking in? When was its last successful communication?
3. Verify group membership: Is the device in the correct group to receive the expected policy?
4. Force a check-in: Request an immediate check-in to push pending policy changes.
5. Restart the device: Some policies require a reboot. If force check-in doesn't help, try a restart.
6. Check the agent: Verify the Faronics agent is running and up to date on the affected device.
Resolving connectivity issues
If connectivity is the problem:
Verify network access: Can the device reach the internet? Can it access other cloud services?
Check firewall rules: Ensure Faronics Cloud endpoints aren't blocked by network security. Consult Faronics documentation for required URLs and ports.
Test DNS resolution: Verify the device can resolve Faronics hostnames.
Check proxy settings: If your network uses a proxy, ensure the Faronics agent is configured to use it.
Resolving agent issues
If the agent is the problem:
Restart the service: On the affected device, restart the Faronics agent service. This often resolves temporary issues.
Update the agent: If the agent is outdated, update to the current version. Newer versions include bug fixes and improved compatibility.
Reinstall if necessary: For persistent agent issues, uninstall and reinstall the agent cleanly.
Check for conflicts: Review other security software that might interfere. Add exceptions if necessary.
Preventing future issues
Build practices that reduce policy failures:
Test policies before broad deployment. Apply new policies to a pilot group first. Verify they work correctly before rolling out to all devices.
Document your configuration. Keep records of which policies apply to which groups and why. This helps troubleshoot and prevents confusion.
Schedule regular reviews. Weekly or monthly, review the dashboard for devices that aren't checking in or are in unexpected states.
Keep agents updated. Maintain current agent versions across your fleet to ensure compatibility with policy features.
Verify after changes. After making policy changes, check that they've propagated. Don't assume - confirm.
Maintain network stability. Reliable network connectivity is the foundation. Ensure devices can consistently reach Faronics Cloud.
When to escalate
Some issues require additional help:
Persistent failures: If standard troubleshooting doesn't resolve the issue, contact Faronics support.
Widespread problems: If many devices suddenly develop policy issues, there may be a broader problem - network change, service issue, or configuration error affecting multiple systems.
Unexplained behaviour: If devices are behaving in ways that don't match either the intended policy or no policy at all, expert investigation may be needed.

Frequently Asked Questions
How long should I wait before considering a policy "failed"?
For online devices, policies should apply within minutes - typically the next check-in cycle. If a device hasn't received a policy within an hour despite being online, investigate. For offline devices, the policy will apply when they next connect and check in.
Can a failed policy leave a device in an unsafe state?
It depends on the situation. If Deep Freeze was already active, the device remains protected even if a policy update fails. If you're deploying initial protection and it fails, the device remains unprotected. This is why verifying initial deployment is important.
What if a policy partially applies?
Partial application is possible if a policy contains multiple settings and some fail while others succeed. Check device-level details to see the actual configuration. You may need to resolve the specific failing components rather than the entire policy.
Should I create separate policies for different hardware types?
If you have significantly different hardware (desktop vs laptop, old vs new), separate policies may prevent issues from hardware-specific settings. Group devices by capability and apply appropriate policies to each group.
How can I tell if a policy failure is my mistake or a system issue?
Check whether the issue affects one device or many. Single-device issues usually indicate device-specific problems (connectivity, agent). Multi-device issues suggest policy configuration or broader infrastructure problems. If a policy works on some devices but not others with identical setups, investigate the differences.
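The two FAQ rules above (investigate an online device that still lacks its policy after an hour; treat one affected device differently from many) can be applied mechanically to a device list. The following is an added example, not Faronics code: the CSV columns, the sample rows and the status labels are assumptions made for illustration, not a Faronics Cloud export format.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample inventory; column names are hypothetical.
SAMPLE_CSV = """device,group,expected_policy,applied_policy,online,policy_changed
LAB-01,Lab,Lab-v2,Lab-v2,yes,2024-05-01T09:00:00
LAB-02,Lab,Lab-v2,Lab-v1,yes,2024-05-01T09:00:00
LAB-03,Lab,Lab-v2,Lab-v1,no,2024-05-01T09:00:00
LIB-01,Library,Lib-v3,Lib-v2,yes,2024-05-01T08:30:00
LIB-02,Library,Lib-v3,Lib-v2,yes,2024-05-01T08:30:00
LIB-03,Library,Lib-v3,Lib-v2,yes,2024-05-01T09:50:00
"""
NOW = datetime(2024, 5, 1, 10, 10)   # constructed "current time" for the sample
GRACE = timedelta(hours=1)           # FAQ: online but no policy within an hour

def classify(row, now):
    """Return ok / pending-offline / pending / investigate for one device."""
    if row["applied_policy"] == row["expected_policy"]:
        return "ok"
    if row["online"] != "yes":
        return "pending-offline"     # policy applies at the next check-in
    changed = datetime.fromisoformat(row["policy_changed"])
    return "investigate" if now - changed >= GRACE else "pending"

def triage(csv_text, now):
    """Classify every device, then scope each group's failures (one vs many)."""
    status, stuck = {}, defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        status[row["device"]] = classify(row, now)
        if status[row["device"]] == "investigate":
            stuck[row["group"]].append(row["device"])
    # One stuck device points at that device (connectivity, agent);
    # several in a group point at the policy or shared infrastructure.
    scope = {g: "device-specific" if len(d) == 1 else "policy-or-infrastructure"
             for g, d in stuck.items()}
    return status, scope

if __name__ == "__main__":
    status, scope = triage(SAMPLE_CSV, NOW)
    for device, state in status.items():
        print(f"{device}: {state}")
    print(scope)
```

Offline devices and devices still inside the one-hour window are kept out of the "investigate" count so that they do not inflate a group's failure scope.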
The Bottom Line: Visibility and Verification
Policy failures in Faronics Cloud are uncommon, but they do happen. The key to managing them effectively is visibility - knowing when something hasn't worked - and verification - confirming that changes have actually applied.
Most policy issues stem from connectivity problems, which are resolved by addressing the underlying network issue. Others result from configuration conflicts or administrative oversights, which are resolved through careful review and testing.
Build verification into your workflow: check the dashboard regularly, confirm changes after making them, and investigate devices that aren't checking in. This proactive approach catches issues early, before they become problems that affect users or security.