This error is usually obtained when trying to modify a Policy for which a newer version existed, but which was undeployed. The reason for the problem is that the newer version was never totally removed from the Policy Database and it leaves in one or more of the GPOLICY, DEPLOYMENT or GDEPLOYMENT records. This document describes how to totally remove the previously partially removed version so that it can either be redeployed or an updated version be created.
For the sake of simplicity we will assume that Policy_name#01 is the policy version we are trying to modify, to deploy again to certain endpoints. Following deletion of Policy_name#02, and on attempting modification of Policy_name#01, the error indicated above is obtained, so that now it is impossible to deploy a new version of the policy to the endpoints.
To solve the problem, follow these steps. Repeat them at the DMS, DH and endpoint
- Determine if there is any deployment containing Policy_name#02. Scroll the listing of sr DEPLOYMENT * for policy version Policy_name#02. Let's assume these are
- Find out the GDEPLOYMENT associated with the previous DEPLOYMENT records. For instance doing sr GDEPLOYMENT * and looking for any of them. Let's assume the associated GDEPLOYMENT containing both DEPLOYMENT objects is:
- Determine whether the old policy version still exists in the database. To do so, do a find POLICY ('Policy_name#02')
- If the Policy in step #3 is found do rr POLICY ('Policy_name#02') noexit
- Assuming that the RULESET associated to 'Policy_name#02' is called as well 'Policy_name#02', do rr RULESET ('Policy_name#02') noexit
- Repeat the rr selang command for the DEPLOYMENT and GDEPLOYMENT objects listed in steps 1 and 2
- Do a sr GPOLICY Policy_name and make sure it contains no reference to policy #02. Should it still contain the reference do a er GPOLICY Policy_name mem-('Policy_name#02')
This process needs to be done at the DMS and also at the DH and endpoint to make sure the information is consistent across ControlMinder objects.
This same procedure is valid when attempting to modify a ruleset returns a similar message error reporting it is already finalized.