what is the purpose of applying the policy to the device? devices will normally get auto registered w/ the system so everytime a device auto-registers you'd need to go in and set the acls.
it would seem what you want to do is not built in - if you right click and choose 'update permissions' you are only allowed to select authorizations from the DeviceGroup space and not device. so it's not functioning like the other object types. you can contact support and have them open a rfe for this, but i would like to understand why you are trying to do this.
Thanks for the response--I appreciate it. Basically we only want the systems administrators to have access to the devices. Maybe we are going about this the wrong way then.
I'm assuming that there is a way to set the ACLs when the device auto-registers so that our sys admin role has access at that point? I have never tried to have the policy apply when the device auto-registers, so I will investigate that. Any clues would be appreciated.
if your other roles do not need to do anything w/ devices, then don't grant the roles any Device Authorizations in the role. they won't be able to do anything to the devices, regardless of what acls are set on the device object.