The automatic registration of mandatory policies is only for policies included with the image, i.e. only system policies can be mandatory policies.
The functionality was primarily included for the automatic registration of policies for platform-specific or platform-independent EEM policies. Automatic registration of non-system policies would be considered a security risk because it would allow someone to find some way to place a file into the location where EEM scripts are allowed (and with remote EEM policies in EEM 4.0 this could be even easier) and either wait for the box to restart or utilize some known vulnerability to cause the box to restart to get the policy to register. In other words, the policy could be registered without entering config mode and changing the config. With the way mandatory policies work, it won't show up in the config at all. Therefore, we have isolated mandatory policies to system policies only.
Users can override mandatory policies to include additional options if needed or to change them in some way, but at that point the config has to be changed to make that change and the policy is no longer a mandatory system policy; it becomes a user policy and shows up in the config.