14 Distributing a Policy. Novell ZENworks Endpoint Security Management 4.1
Add to My manuals216 Pages
advertisement
Distributing a Policy
After you create and configure a security policy, you need to distribute it to users or computers.
The method you use to distribute policies depends on whether your ZENworks ® Endpoint Security
Management system uses the Management Service and the Policy and Distribution Service. If your system includes the two services, you publish policies and the services deliver the policies. If your system does not include the services, you export policies and then manually deliver them.
The following sections provide information for both methods:
Section 14.1, “Publishing a Policy,” on page 99
Section 14.2, “Republishing an Updated Policy,” on page 100
Section 14.3, “Exporting a Policy,” on page 102
14
14.1 Publishing a Policy
If your ZENworks Endpoint Security Management system includes the Management Service and
Policy Distribution Service, complete the following steps to publish a policy to your endpoint devices.
If your system does not include the services, you must export policies and then manually deliver
them. Skip to Section 14.3, “Exporting a Policy,” on page 102 .
To publish a policy:
1 In the Management Console, open the policy.
2 Click the Publish tab.
Distributing a Policy 99
The Policy Publish page displays the directory service trees to which the system has connections.
3 Select the users, computers, or groups to which you want to publish the policy.
Keep in mind the following:
If you select an entire domain or organizational unit, the policy is published to all users and computers within the domain or unit.
If a directory object is displayed in red, your Management Console login account does not provide rights to publish to that object.
If the directory tree does not display the users, computers, or groups to which you want to publish the policy, you might need to synchronize the Management database with the directory service. Users and computers are not added to the Management database until 1) they are synchronized from the directory service or 2) they log in via the Security Client
for the first time. For information about synchronizing the database, see Chapter 3,
“Configuring Data Synchronization Schedules,” on page 25 .
If you need to clear your selected objects, click Refresh.
4 Click Publish.
14.2 Republishing an Updated Policy
After a policy has been published to users or computers, you must republish the policy if you make any changes to it.
100 ZENworks Endpoint Security Management 4.1 Administration Guide
For example, if you change the WEP key for an access point, you need to save the policy and then publish it again. Any user or computer to which the policy was previously published receives the updated policy the next time the Security Client checks in.
1 In the Management Console, open the policy.
2 Click the Publish tab.
The Policy Publish page displays the directory service trees to which the system has connections. The icon indicates the objects to which the policy was previously published.
You do not need to reselect these objects. The policy will automatically be republished to them.
3 If there are additional users, computers, or groups to which you want to publish the policy, select those objects.
Keep in mind the following:
If you select an entire domain or organizational unit, the policy is published to all users and computers within the domain or unit.
If a directory object is displayed in red, your Management Console login account does not provide rights to publish to that object.
If the directory tree does not display the users, computers, or groups to which you want to publish the policy, you might need to synchronize the Management database with the directory service. Users and computers are not added to the Management database until 1) they are synchronized from the directory service or 2) they log in via the Security Client
for the first time. For information about synchronizing the database, see Chapter 3,
“Configuring Data Synchronization Schedules,” on page 25 .
If you need to clear your selected objects, click Refresh.
4 Click Publish.
Distributing a Policy 101
14.3 Exporting a Policy
If your ZENworks Endpoint Security Management system does not include the Management
Service and the Policy Distribution Service, you must export a policy from your stand-alone
Management Console and then manually deliver it to endpoint devices.
To export a policy:
1 Locate and copy the Management Console setup.sen
file to a separate folder.
The setup.sen
file is generated at installation of the Management Console and is placed in the
\Program Files\Novell\ESM Management Console\ directory.
2 In the Management Console, open the policy.
3 Click File > Export Policy.
4 Specify the name and location for the file, then click Export.
For the location, specify the same folder containing the setup.sen
name, specify policy.sen
.. All policies distributed must be named policy.sen
in order for the Security Client to accept them.
5 Distribute the policy.sen
and setup.sen
files to endpoint devices.
These files must be copied to the \Program Files\Novell\ZENworks Security Client directory
The setup.sen
file needs to be copied to endpoint devices only once with the first policy.
Afterwards, only new (or updated) policies need to be distributed.
NOTE: There are multiple methods you can use to distribute the policy to a Security Client located on the same machine as the standalone Management Console.
If the Security Client was installed on the machine after the standalone Management Console, the file must be exported and transferred manually as described above.
If the Security Client was installed on the machine before the standalone Management Console, you can follow the steps above to export the policy, or you can publish the policy. To publish the policy, click File > Publish.
102 ZENworks Endpoint Security Management 4.1 Administration Guide
advertisement
Related manuals
advertisement
Table of contents
- 1 ZENworks Endpoint Security Management 4.1 Administration Guide
- 5 Part I System Configuration and Maintenance 13
- 5 1 Managing Directory Service Connections 15
- 5 2 Changing the Policy Distribution Service URL 23
- 5 3 Configuring Data Synchronization Schedules 25
- 5 4 Forcing Data Synchronization 27
- 5 5 Managing Directory Service Objects that Have Moved 29
- 5 6 Renewing ZENworks Endpoint Security Management Credentials 31
- 5 7 Managing Encryption Keys 33
- 5 8 Applying a License Key 35
- 5 Part II Security Policies 37
- 5 9 Creating a Security Policy 39
- 5 10 Configuring a Policy’s Global Settings 41
- 6 11 Configuring a Policy’s Locations 61
- 6 12 Configuring a Policy’s Integrity and Remediation Rules 87
- 6 13 Configuring a Policy’s Compliance Reporting 97
- 6 14 Distributing a Policy 99
- 6 15 Importing and Exporting Policies 103
- 6 Part III Security Client 105
- 6 16 About the Security Client 107
- 7 17 Installing the Security Client 113
- 7 18 Updating the Security Client 115
- 7 19 Uninstalling the Security Client 117
- 7 20 Using the Security Client Diagnostic Tools 121
- 7 Part IV Auditing 137
- 7 21 Generating Standard Reports 139
- 8 22 Generating Custom Reports 147
- 8 23 Using Alerts Monitoring 157
- 8 Part V Utilities 161
- 8 24 ZENworks File Decryption Utility 163
- 9 25 Override-Password Key Generator 165
- 9 26 Device Scanner 167
- 9 Part VI Appendixes 169
- 9 A Predefined TCP/UDP Port Groups 171
- 9 B Predefined Access Control Lists 173
- 9 C Predefined Application Controls 175
- 9 D Advanced Scripting Rules 177
- 9 E Shared Component Usage 215
- 11 About This Guide
- 13 I System Configuration and Maintenance
- 15 1 Managing Directory Service Connections
- 15 1.1 Creating a Directory Service Configuration
- 15 1.1.1 Defining eDirectory as the Directory Service
- 18 1.1.2 Defining Active Directory as the Directory Service
- 21 1.2 Synchronizing the Management Database with the Directory Service
- 21 1.3 Removing a Directory Service Configuration
- 23 2 Changing the Policy Distribution Service URL
- 25 3 Configuring Data Synchronization Schedules
- 27 4 Forcing Data Synchronization
- 29 5 Managing Directory Service Objects that Have Moved
- 31 6 Renewing ZENworks Endpoint Security Management Credentials
- 33 7 Managing Encryption Keys
- 33 7.1 Exporting Encryption Keys
- 33 7.2 Importing Encryption Keys
- 34 7.3 Generating a New Key
- 35 8 Applying a License Key
- 37 II Security Policies
- 39 9 Creating a Security Policy
- 41 10 Configuring a Policy’s Global Settings
- 41 10.1 Accessing the Global Settings
- 42 10.2 Policy Settings
- 44 10.3 Wireless Control
- 46 10.4 Communication Hardware
- 47 10.5 Storage Device Control
- 49 10.6 USB Connectivity
- 49 10.6.1 How the Access Setting Is Determined
- 50 10.6.2 Configuring the USB Connectivity Settings
- 53 10.7 Data Encryption
- 54 10.7.1 Configuring the Data Encryption Settings
- 56 10.7.2 Data Encryption Performance Impact
- 56 10.8 ZSC Update
- 57 10.9 VPN Enforcement
- 61 11 Configuring a Policy’s Locations
- 61 11.1 Location Concepts
- 62 11.2 Adding a Location
- 63 11.3 Configuring a Location
- 65 11.3.1 Locations
- 66 11.3.2 Communication Hardware
- 68 11.3.3 Storage Device Control
- 69 11.3.4 Firewall Settings
- 76 11.3.5 Network Environments
- 78 11.3.6 USB Connectivity
- 82 11.3.7 Wi-Fi Management
- 86 11.3.8 Wi-Fi Security
- 87 12 Configuring a Policy’s Integrity and Remediation Rules
- 87 12.1 Antivirus/Spyware Rules
- 89 12.1.1 Integrity Tests
- 91 12.1.2 Integrity Checks
- 92 12.2 Advanced Scripting Rules
- 94 12.2.1 Script Variables
- 95 12.2.2 Script Text
- 97 13 Configuring a Policy’s Compliance Reporting
- 99 14 Distributing a Policy
- 99 14.1 Publishing a Policy
- 100 14.2 Republishing an Updated Policy
- 102 14.3 Exporting a Policy
- 103 15 Importing and Exporting Policies
- 103 15.1 Importing Policies
- 103 15.2 Exporting a Policy
- 105 III Security Client
- 107 16 About the Security Client
- 107 16.1 What the Security Client Does
- 107 16.2 Security Client Differences Based on Windows Version
- 110 16.3 Security Client Self Defense
- 111 16.4 Multiple-User Support
- 111 16.5 Machine-Based Policies
- 113 17 Installing the Security Client
- 115 18 Updating the Security Client
- 115 18.1 Using a Policy’s ZSC Update Setting
- 115 18.2 Using the Installation Program’s Upgrade Switch
- 115 18.3 Using an MSI Uninstall and Reinstall
- 117 19 Uninstalling the Security Client
- 117 19.1 Preparing a Machine for Client Uninstallation
- 117 19.2 Performing an Attended Uninstall
- 118 19.3 Performing an Unattended (Silent) Uninstall
- 121 20 Using the Security Client Diagnostic Tools
- 121 20.1 Windows 2000/XP Security Client Diagnostics Tools
- 121 20.1.1 Creating a Diagnostics Package
- 123 20.1.2 Administrator Views
- 127 20.1.3 Logging
- 128 20.1.4 Reporting
- 129 20.2 Windows Vista/7 Security Client Diagnostic Tools
- 129 20.2.1 Creating a Diagnostics Package
- 131 20.2.2 Administrator Views
- 134 20.2.3 Module List
- 135 20.2.4 Logging
- 137 IV Auditing
- 139 21 Generating Standard Reports
- 139 21.1 Generating a Report
- 141 21.2 Adherence Reports
- 141 21.2.1 Endpoint Check-In Adherence
- 141 21.2.2 Endpoints that Never Checked-In
- 141 21.2.3 Group Policy Non-Compliance
- 141 21.2.4 Policy Assignment
- 141 21.2.5 Endpoint Check-In Adherence
- 142 21.3 Alert Drill-Down Reports
- 142 21.3.1 Client Tampering Alert Data
- 142 21.3.2 Files Copied Alert Data
- 142 21.3.3 Override Attempts Alert Data
- 142 21.3.4 Port Scan Alert Data
- 142 21.3.5 Uninstall Attempt Alert Data
- 142 21.3.6 Unsecure Access Point Alert Data
- 142 21.4 Application Control Reports
- 143 21.4.1 Application Control Details
- 143 21.5 Endpoint Activity Reports
- 143 21.5.1 Blocked Packets by IP Address
- 143 21.5.2 Blocked Packets by User
- 143 21.5.3 Network Usage Statistics by User
- 143 21.5.4 Network Usage Statistics by Adapter Type
- 144 21.6 Encryption Solutions Reports
- 144 21.6.1 File Encryption Activity
- 144 21.6.2 Encryption Exceptions
- 144 21.7 Client Self Defense Reports
- 144 21.7.1 Endpoint Security Client Hack Attempts
- 144 21.8 Location Reports
- 144 21.8.1 Location Usage Data by Date and User
- 145 21.9 Outbound Content Compliance Reports
- 145 21.9.1 Removable Storage Activity by Account
- 145 21.9.2 Removable Storage Activity by Device
- 145 21.9.3 Detected Removable Storage Devices
- 145 21.9.4 Chart 7 Days of Removable Storage Activity by Account
- 145 21.10 Administrative Overrides Reports
- 145 21.10.1 Security Client Overrides
- 146 21.11 USB Devices Reports
- 146 21.12 Wireless Enforcement Reports
- 146 21.12.1 Wireless Connection Availability
- 146 21.12.2 Wireless Environment History
- 147 22 Generating Custom Reports
- 147 22.1 Software Requirements
- 148 22.2 Creating a ZENworks Endpoint Security Management Compliant Report
- 149 22.3 Available Reporting Information
- 151 22.4 Creating a Report
- 157 23 Using Alerts Monitoring
- 157 23.1 Configuring Endpoint Security Management for Alerts
- 157 23.1.1 Activating Reporting
- 158 23.1.2 Optimizing Synchronization
- 158 23.2 Configuring Alert Triggers
- 159 23.3 Managing Alerts
- 161 V Utilities
- 163 24 ZENworks File Decryption Utility
- 163 24.1 Using the File Decryption Utility
- 163 24.2 Using the Administrator Configured Decryption Utility
- 165 25 Override-Password Key Generator
- 167 26 Device Scanner
- 169 VI Appendixes
- 171 A Predefined TCP/UDP Port Groups
- 173 B Predefined Access Control Lists
- 175 C Predefined Application Controls
- 177 D Advanced Scripting Rules
- 177 D.1 Supported Script Languages
- 177 D.2 Rule Scripting
- 178 D.3 Trigger Events
- 180 D.4 Script Namespaces
- 180 D.4.1 General Enumerations and File Substitutions
- 182 D.4.2 Action Namespace
- 188 D.4.3 Query Namespace
- 198 D.4.4 Storage Namespace
- 200 D.5 Interfaces
- 200 D.5.1 IClientAdapter Interface
- 202 D.5.2 IClientEnvData Interface
- 203 D.5.3 IClientNetEnv Interface
- 209 D.5.4 IClientWAP Interface
- 209 D.5.5 IClientAdapterList Interface
- 210 D.6 Sample Scripts
- 210 D.6.1 Create Registry Shortcut (VBScript)
- 212 D.6.2 Allow Only One Connection Type (JScript)
- 213 D.6.3 Stamp Once Script
- 215 E Shared Component Usage