You need to use values from Authorization:[Endpoints Repository] Category,
Device Name or OS Family. Also, be sure you have the endpoints repository as
an authorization source.
I'd recommend tagging the device type in the role map instead of a direct
role name.
For example:
ROLE MAP:
Authorization:[Endpoint Repository] Device Name
EQUALS Apple iPhone
Role = DEVICE_IPHONE
ENFORCEMENT POLICY:
Tips:Role EQUALS DEVICE_IPHONE
AND Tips:Role EQUALS USER_FACULTY
EP-FacStaff Role