Chapter 15 Setting Up Workstation Policies

This chapter discusses the use and creation of workstation policies. Workstation policies are associated with containers (resulting in all workstations in the container and subcontainers receiving the policy), workstations, and workstation groups and affect their working environment.

Relationship of Workstation Policies to Workstations

Workstations pick up workstation policy packages through any of three kinds of association:

•   Policies associated directly with the workstation object.

•   Policies associated with a parent container of the workstation object.

•   Policies associated with a workstation group of which the workstation is a member.

The ZENworks Management agent is activated on a workstation at user login time on Windows 98 systems, and when the service starts on Windows NT/2000/XP systems. When it is activated, the agent logs in to the eDirectory tree as the workstation object and walks up the tree looking for workstation policy packages associated with the workstation. As with all ZENworks agents, the order in which the tree is searched follows standard Novell eDirectory behavior and any search policies in the tree. All the applicable workstation policies are merged, and the result is applied to the workstation. If two policies conflict (for example, two workstation policies set the same parameter), the setting from the first policy found is applied.

The Remote Control policy, for example, can be created for both the user and the workstation. In instances where a Remote Control policy exists for both the user and the workstation, the remote control subsystem takes the most restrictive of the policies. For example, if one policy says to prompt the user for permission and the other does not, the system prompts the user.

Advantages of Platform-Specific Policies

ZENworks enables the administration of specific policies for each platform supported in the system. By having a policy categorized for each type of platform, the administrator can make unique policies for each system. Regardless of the users logged in to the system, each workstation finds the policies associated with it and executes the administrative configurations for that platform.

Sometimes you want a particular policy to reach only some of the workstations in a container, while other workstations of the same type in that container should not receive it. In that case, create a workstation group for those workstations and associate the policy package with the group. These workstations then receive the policies from the group rather than from the container.

Setting Up a Workstation Package

Before you can associate a workstation policy package, you must create it. To create a workstation policy package, do the following:

1.   Start ConsoleOne.

2.   Browse to the container where you want to have the policy package. Remember that you do not have to create the policy package in the container where you are doing the associations. You can associate the same policy package to many containers in your tree.

3.   Create the policy package by right-clicking and choosing New→Policy Package or by selecting the Create Policy Package icon on the toolbar.

4.   Select the Workstation Package object in the wizard panel and click Next.

5.   Enter the desired name of the package in the Policy Package Name field and select the container where you want the package to be located. The Container field is already filled in with the selected container, so you should not have to browse to complete this field. If it is not, click the browser button next to the field and browse to and select the container where you want the policy object stored. Click Next.

6.   Select the Define Additional Properties check box to go into the properties of your new object and activate some policies. Click Finish.

7.   Check and set any policies you want for this workstation policy package and click OK.

The following subsections describe each of the fields and property pages available in the workstation policy package.

Policies Property Page

All the policies for workstations are activated within the Policies property page. Initially the page is on the general policies. As other platforms are selected, additional policies are displayed. You can select which platform to display by placing the mouse over the small triangle on the right side of the Policies tab. This activates a drop-down menu that enables you to select which platform-specific page you want to display.

The following sections discuss briefly each of the policy pages and then we cover the specifics of each policy.

General Policies

When you first go into the properties of the workstation policy package, you are presented with the Policies property page. The Policies page first displays the General category. All the policies activated in the General category are active for all workstation platforms supported by ZENworks and associated with the workstation.

Figure 15.1 shows the initial property page of the workstation policy package.

FIGURE 15.1 Workstation package, Policies General property page.

As you can see from Figure 15.1, four policies are available to all the platforms supported by ZENworks. They include the Novell iPrint policy, the Remote Control policy, the Workstation Imaging policy, and the ZENworks Desktop Management Agent policy. These, as well as all the other policies, are discussed later in this chapter.

To activate a policy, click on the box to the left of the policy. You can then go into the details of the policy and set additional configuration parameters on that specific policy.

Windows 9x Policies

Within the Policies tab you can select the Windows 9x Policies page. This page displays the policies available for Windows 9x workstations. These policies include the Computer Extensible policies, the Novell iPrint policy, the Remote Control policy, the Workstation Inventory policy, and the ZENworks Desktop Management Agent policy. Figure 15.2 shows the Windows 9x Policies page.

FIGURE 15.2 Workstation package, Windows 98 Policies property page.

Windows NT Policies

Within the Policies tab you can select the Windows NT Policies page. This page displays the policies available for Windows NT workstations. These policies include the Computer Extensible policies, the Novell iPrint policy, the Remote Control policy, the Workstation Inventory policy, and the ZENworks Desktop Management Agent policy. Figure 15.3 shows the Windows NT Policies page.

FIGURE 15.3 Workstation package, Windows NT Policies property page.

As you can see from Figure 15.3, some of the same policies appear on both the General page and the Windows NT Policies page (as well as on the other platform-specific pages). When you select a policy on the Windows NT page, it supersedes any selection of that policy on the General page for that platform. The two are not merged: for each policy selected on a platform-specific page, only the platform-specific policy is used and the General one is ignored, while General policies that are not selected on the platform page still apply to that platform. For example, if the Remote Control policy is selected on both the General page and the Windows NT page, agents on a Windows NT system use the Windows NT Remote Control policy rather than the one on the General page.
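The search order, the first-found-wins merge, the platform-page override just described, and the most-restrictive combination of user and workstation Remote Control policies from earlier in the chapter, modelled in Python. This is an added illustration and not ZENworks code: the tree, the package contents, the parameter names, and the assumption that direct associations are found before group associations and groups before containers are all constructed for the example.

```python
from dataclasses import dataclass, field

# Added illustration of the policy search and merge rules described in the
# chapter. Package contents, object names and the direct -> group -> container
# ordering are assumptions for this example, not data from a real tree.


@dataclass
class Package:
    """A workstation policy package: General policies plus platform pages."""
    name: str
    general: dict = field(default_factory=dict)   # policy -> {param: value}
    platform: dict = field(default_factory=dict)  # platform -> {policy -> {param: value}}

    def policy(self, name, platform):
        """A policy selected on a platform page supersedes the General one;
        the two are never merged."""
        page = self.platform.get(platform, {})
        if name in page:
            return page[name]
        return self.general.get(name)

    def policy_names(self):
        names = set(self.general)
        for page in self.platform.values():
            names.update(page)
        return names


@dataclass
class Workstation:
    dn: str                                        # dotted, leaf first: "lab1.eng.acme"
    platform: str
    packages: list = field(default_factory=list)   # direct associations
    groups: list = field(default_factory=list)     # each group is a list of packages


def search_order(ws, containers):
    """Packages in the order the agent is assumed to find them: direct
    association, then workstation groups, then each parent container
    walking up the tree (no search policy is modelled)."""
    order = list(ws.packages)
    for group in ws.groups:
        order.extend(group)
    parts = ws.dn.split(".")[1:]
    while parts:
        order.extend(containers.get(".".join(parts), []))
        parts = parts[1:]
    return order


def effective_policies(ws, containers):
    """Merge every applicable package; on a conflicting parameter the first
    package found wins."""
    result = {}
    for pkg in search_order(ws, containers):
        for name in sorted(pkg.policy_names()):
            settings = pkg.policy(name, ws.platform)
            if settings is None:
                continue
            merged = result.setdefault(name, {})
            for param, value in settings.items():
                merged.setdefault(param, value)   # first found wins
    return result


def remote_control_effective(user_rc, ws_rc):
    """Combine user and workstation Remote Control settings most restrictively:
    any prompt requirement survives, and a capability must be granted by both.
    Non-boolean parameters take the workstation value (an assumption)."""
    out = {}
    for param in set(user_rc) | set(ws_rc):
        u, w = user_rc.get(param), ws_rc.get(param)
        if u is None or w is None:
            out[param] = w if u is None else u
        elif param.startswith("prompt_"):
            out[param] = u or w
        elif param.startswith(("enable_", "allow_")):
            out[param] = u and w
        else:
            out[param] = w
    return out


# Constructed tree: "acme" at the top, "eng.acme" below it, plus a kiosk group.
CONTAINERS = {
    "acme": [Package("Corp", general={"RemoteControl": {
        "enable_remote_control": True, "prompt_user": False,
        "enable_session_encryption": True}})],
    "eng.acme": [Package("Eng",
        general={"RemoteControl": {"prompt_user": True}},
        platform={"WinXP": {"RemoteControl": {"prompt_user": False, "beep_seconds": 5}}})],
}
KIOSK_GROUP = [Package("Kiosk", general={"RemoteControl": {"allow_blank_screen": True}})]


def demo():
    xp = Workstation("lab1.eng.acme", "WinXP", groups=[KIOSK_GROUP])
    nt = Workstation("lab2.eng.acme", "WinNT", groups=[KIOSK_GROUP])
    return effective_policies(xp, CONTAINERS), effective_policies(nt, CONTAINERS)


if __name__ == "__main__":
    xp_rc, nt_rc = (p["RemoteControl"] for p in demo())
    print("WinXP:", xp_rc)
    print("WinNT:", nt_rc)
    print("with a prompting user policy:", remote_control_effective({"prompt_user": True}, xp_rc))
```

Running the demo shows the two rules at work: the Windows XP workstation gets prompt_user=False from the Eng package's Windows XP page (which supersedes the Eng General page and is found before Corp), while the Windows NT workstation gets prompt_user=True from the Eng General page. Combining either with a user policy that prompts leaves prompting on.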

Windows 2000 Policies

Within the Policies tab you can select the Windows 2000 Policies page. This page displays the policies available for Windows 2000 workstations. These policies include the Computer Extensible policies, the Novell iPrint policy, the Remote Control policy, the Windows Group policy, the Workstation Inventory policy, and the ZENworks Desktop Management Agent policy. Figure 15.4 shows the Windows 2000 Policies page.

FIGURE 15.4 Workstation package, Windows 2000 Policies property page.

Windows XP Policies

Within the Policies tab you can select the Windows XP Policies page. This page displays the policies available for Windows XP workstations. These policies include the Novell iPrint policy, the Remote Control policy, the Windows Group policy, the Workstation Inventory policy, and the ZENworks Desktop Management Agent policy. Figure 15.5 shows the Windows XP Policies page.

FIGURE 15.5 Workstation package, Windows XP Policies property page.

Windows NT-2000-XP Policies

The Windows NT-2000-XP tab provides backward compatibility for workstations using previous versions of ZENworks. If you need to set policies for workstations that are using versions of ZENworks previous to ZENworks 6, you will need to set these policies using the Windows NT-2000-XP tab.

Associations Property Page

The Associations page of the workstation policy package lists every object in the tree (containers, workstation groups, and workstations) with which the package has been associated. These associations need not be where the policy package object itself is located in the directory. The agents on workstations that are, or are contained in or below, the listed objects enforce this policy package. Click Add or Remove to add objects to or remove them from the association list.

Workstation Policies

The following sections describe the various policies available to workstations.

Computer Extensible Policies

Microsoft requires that software packages bearing the Windows-approved logo be configurable through .POL files. The poledit program lets you edit these extensible policies and include them in the system .POL file. ZENworks also enables the policies stored in eDirectory to accept these additional extensible policies and deliver them to the workstations associated with the policy package.

The Computer Extensible policy lets you import these .ADM template files into the eDirectory tree so that their settings can be administered centrally and pushed to the workstations associated with the policy package. After the .ADM files have been imported, their settings are administered in ConsoleOne and applied to the workstation in the same way that user extensible policies are applied to users.

Computer Extensible Policies Dialog

When you first bring up the Computer Extensible Policies dialog you are presented with the Computer Extensible Policies page under the Workstation Manager Policies tab. Figure 15.6 shows an example of this page.

FIGURE 15.6 Computer Extensible Policies page of the workstation policy package.

This page is split into three areas: ADM Files, Policies, and a policy-specific window at the bottom-right corner.

The files listed in the ADM Files list are the templates applied to the workstations associated with this policy. To add a file to the list, click Add and browse to and select the file in the file dialog. This file should reside on a server, because the policy stores only a reference to it and the policy managers retrieve it from there. When you browse and select a file, make sure that it is on the server and that the drive letter you use is mapped the same way for everyone who will be associated with the policy. Typing a UNC path into the Filename field of the dialog records a UNC path for the .ADM file; browsing and selecting instead records a drive letter, which then requires every user to have the same drive mapping.

When this policy is initialized, four .ADM files are automatically pulled in by the ConsoleOne plug-in: admin.adm, common.adm, winnt.adm, and zakwinnt.adm. Each of these files is stored in the ConsoleOne\1.2\bin\zen\admfiles directory, and they are considered the default templates.

NOTE

Other .ADM files are available depending on which version of Windows your workstations run. For example, Windows 2000 clients also include system.adm, and there is an inetres.adm file for restricting Internet Explorer.

NOTE

The .ADM file must be stored on a server that the associated workstations and the administrators can reach. The policy references the .ADM file and needs to retrieve it both to apply it and to let administrators modify the settings. It is therefore recommended to specify the file's location as a UNC path. Because the agent applies whatever the referenced file contains, also make sure that only administrators can write to that location: anyone who can modify the .ADM file can change the registry settings pushed to every associated workstation.

You delete the .ADM file from the applied set by selecting the file and clicking the Remove button. You can also modify the settings of the .ADM files by selecting the file in the ADM Files window. When you select the file, its registry content is displayed in the Policies window. The user interface for this window mimics the poledit program available from Microsoft. The small window underneath the Policies window displays information about the selected registry setting along with any subsetting categories available with the specific key. Selecting the key in the Policies window, by double-clicking, populates this details field.

You can browse through the .ADM files and turn on (checked), turn off (unchecked and white), or leave as set in the registry (unchecked and gray) each of the keys as you would in the poledit program. After you have made your changes, click Apply or OK to update the .ADM files on the server.
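To make the three states concrete, the following added Python example (not part of ZENworks or ConsoleOne) parses a small, constructed .ADM template and turns each setting's state into the registry operation the agent would have to perform. The template text is made up for the example, although the registry locations it names are real Windows policy values; the parser handles only a subset of the .ADM language (CLASS, CATEGORY, POLICY, KEYNAME, VALUENAME, VALUEON/VALUEOFF and the [strings] table), which is enough for simple templates.

```python
# Added example: a minimal .ADM reader and the registry operations implied by
# the checked / unchecked-white / unchecked-gray states of the policy editor.
# Not ZENworks or ConsoleOne code; the template below is constructed for the
# example (the registry locations it names are real Windows policy values).

SAMPLE_ADM = r"""
CLASS MACHINE
CATEGORY !!System
    POLICY !!NoAutorun
        KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        VALUENAME "NoDriveTypeAutoRun"
        VALUEON NUMERIC 255
        VALUEOFF NUMERIC 0
    END POLICY
    POLICY !!DisableMSI
        ; no VALUEON/VALUEOFF: enabling writes DWORD 1, disabling deletes the value
        KEYNAME "Software\Policies\Microsoft\Windows\Installer"
        VALUENAME "DisableMSI"
    END POLICY
END CATEGORY

[strings]
System="System"
NoAutorun="Disable Autorun on all drives"
DisableMSI="Disable Windows Installer"
"""


def parse_adm(text):
    """Parse a subset of the .ADM template language (CLASS, CATEGORY, POLICY,
    KEYNAME, VALUENAME, VALUEON/VALUEOFF, [strings]) into {display name: record}."""
    strings, body, in_strings = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.lower() == "[strings]":
            in_strings = True
        elif in_strings:
            key, _, val = line.partition("=")
            strings[key.strip()] = val.strip().strip('"')
        else:
            body.append(line)

    def resolve(token):   # !!Name -> [strings] lookup; "quoted" -> unquoted
        if token.startswith("!!"):
            return strings.get(token[2:], token[2:])
        return token.strip('"')

    policies, cls, cats, cur = {}, None, [], None
    for line in body:
        kw, _, arg = line.partition(" ")
        kw, arg = kw.upper(), arg.strip()
        if kw == "CLASS":
            cls = arg.upper()
        elif kw == "CATEGORY":
            cats.append(resolve(arg))
        elif kw == "POLICY":
            cur = {"name": resolve(arg), "class": cls, "category": "/".join(cats),
                   "key": None, "value": None,
                   "on": ("REG_DWORD", 1),   # .ADM default when VALUEON is absent
                   "off": None}              # .ADM default: delete the value
        elif kw == "KEYNAME":
            cur["key"] = resolve(arg)
        elif kw == "VALUENAME":
            cur["value"] = resolve(arg)
        elif kw in ("VALUEON", "VALUEOFF"):
            kind, _, data = arg.partition(" ")
            spec = (("REG_DWORD", int(data)) if kind.upper() == "NUMERIC"
                    else ("REG_SZ", arg.strip('"')))
            cur["on" if kw == "VALUEON" else "off"] = spec
        elif kw == "END" and arg.upper() == "CATEGORY":
            cats.pop()
        elif kw == "END" and arg.upper() == "POLICY":
            policies[cur["name"]] = cur
            cur = None
    return policies


def registry_actions(policies, states):
    """Map editor states to registry operations.

    states: {display name: True (checked), False (unchecked, white),
             None or missing (unchecked, gray: leave the registry as it is)}.
    Returns ("set", hive, key, value, type, data) or ("delete", hive, key, value).
    """
    actions = []
    for name, pol in policies.items():
        state = states.get(name)
        if state is None:
            # Not configured: nothing is written, so whatever the registry
            # already holds (including a locally tampered value) persists.
            continue
        hive = "HKLM" if pol["class"] == "MACHINE" else "HKCU"
        spec = pol["on"] if state else pol["off"]
        if spec is None:
            actions.append(("delete", hive, pol["key"], pol["value"]))
        else:
            actions.append(("set", hive, pol["key"], pol["value"], spec[0], spec[1]))
    return actions


if __name__ == "__main__":
    pols = parse_adm(SAMPLE_ADM)
    for act in registry_actions(pols, {"Disable Autorun on all drives": True,
                                       "Disable Windows Installer": False}):
        print(act)
```

The point worth noticing is the gray state: a setting you never touch produces no registry write at all, so a value a user has changed locally stays changed. If you want a setting enforced, check it or uncheck it explicitly rather than leaving it gray.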

Policy Schedule Page

The Policy Schedule page enables you to customize (outside the package default schedule) when you want the .ADM files applied to the workstation.

This page enables you to select when the package should be applied: Event, Daily, Weekly, Monthly, or Yearly.

After you have selected when you want the package applied, you have additional fields to select in the lower portion of the screen. The following sections discuss the various options you have with scheduling the package.

Event

When you choose to have the .ADM files applied upon an event on the workstation, you also need to select which event triggers the changes.

The events that you can select are one of the following:

•   User Login—Applies the policies when the user logs in to the system. This happens after the user enters her username and password but before her desktop is shown and the login scripts have started.

•   User Desktop Is Active (WinNT-2000-XP Only)—Applies the policies after the user has logged in and all login scripts have completed, but before the user desktop is displayed. This is available on Windows 2000/XP only.

•   Workstation Is Locked (WinNT-2000-XP Only)—Applies the policies when the workstation is locked (for example, when the screen saver has activated and is locked awaiting a password). This is available on Windows 2000/XP only.

•   Workstation Is Unlocked (WinNT-2000-XP Only)—Applies the policies when the workstation is unlocked, after the user has supplied his password. This is available on Windows 2000/XP only.

•   Screen Saver Is Activated—Applies the policies when the screen saver activates on an idle system.

•   User Logout—Applies the policies when the user logs out of the system.

•   System Shutdown—Applies the policies when a system shutdown is requested.

Daily

When you choose to have the .ADM files applied daily on the workstation, you also need to select when the changes are made.

This schedule requires that you select the days when you want the policy applied by clicking on the days you want. The selected days appear as depressed buttons.

In addition to the days, you can select the times the policies are applied. These times, the start and stop times, provide a range of time where the policies will be applied.

To keep all workstations from simultaneously accessing the servers, you can select Randomly Dispatch Policy During Time Period. This causes each workstation to choose a random time within the time period when the workstation will retrieve and apply the policy.

You can have the policy also reapplied to each workstation within the timeframe every specified hour, minute, or second by clicking on the Repeat the Action Every field and specifying the time delay. This results in a scheduled action being run on every associated workstation for the selected repeat time.

Weekly

You can alternatively choose that the policies be applied only weekly. In the Weekly screen, you choose on which day of the week you want the policy to be applied. When you select a day, any other selected day is unselected. After you have selected the day, you can also select the time range when the policy may be applied.

To keep all workstations from simultaneously accessing the servers, you can select Randomly Dispatch Policy During Time Period. This causes each workstation to choose a random time within the time period when the workstation will retrieve and apply the policy.

Monthly

Under the monthly schedule, you can select on which day of the month the policy should be applied, or you can select Last Day of the Month to handle the last day because all months obviously do not end on the same calendar date (30 days hath September, April, June, and November; all the rest have 31 except for February...).

After you have selected the day, you can also select the time range when the policy may be applied. To keep all workstations from simultaneously accessing the servers, you can select Randomly Dispatch Policy During Time Period. This causes each workstation to choose a random time within the time period when the workstation will retrieve and apply the policy.

Yearly

Select a yearly schedule if you want to apply the policies only once a year. On the Yearly page you must choose the day that you want the policies to be applied. This is done by selecting the calendar button to the right of the Date field. This brings up a monthly dialog box where you can browse through the calendar to select the date you want for your policies to be applied. This calendar does not correspond to any particular year and may not take into account leap years in its display. This is because you are choosing a date for each year that comes along in the present and future years.

After you have selected the date, you can also select the time range when the policy may be applied. To keep all workstations from simultaneously accessing the servers, you can select Randomly Dispatch Policy During Time Period. This causes each workstation to choose a random time within the time period when the workstation will retrieve and apply the policy.
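The following added Python simulation (not ZENworks code) shows what the scheduling options above do to server load: it computes one workstation's dispatch times for a day with and without Randomly Dispatch Policy During Time Period and with Repeat the Action Every, and then measures the largest number of workstations that would contact the server in any one minute. The window, the selected days and the workstation names are constructed for the example, and seeding the random choice from the workstation name is an assumption made so that the run is repeatable, not a description of how the real agent chooses its time.

```python
import random
from datetime import datetime, timedelta

# Added simulation of the Daily/Weekly/Monthly/Yearly window options. The
# agent's own scheduler is not described in detail in the chapter; seeding
# from the workstation name is an assumption for repeatability only.

DAY_NAMES = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")


def dispatch_times(day, selected_days, start, stop, workstation_id,
                   randomize=True, repeat_every=None):
    """Return the times at which one workstation applies the policy on `day`.

    day           -- datetime at midnight of the day being scheduled
    selected_days -- set of day names pressed on the Daily page, e.g. {"Mon"}
    start, stop   -- the time window, as timedelta offsets from midnight
    randomize     -- 'Randomly Dispatch Policy During Time Period'
    repeat_every  -- 'Repeat the Action Every' interval (timedelta) or None
    """
    if DAY_NAMES[day.weekday()] not in selected_days:
        return []
    window = (stop - start).total_seconds()
    if randomize:
        # Each workstation picks its own point in the window, so the population
        # spreads out instead of everyone retrieving the policy at `start`.
        rng = random.Random(f"{workstation_id}:{day.date()}")
        offset = timedelta(seconds=rng.uniform(0, window))
    else:
        offset = timedelta(0)
    first = day + start + offset
    times = [first]
    if repeat_every:
        nxt = first + repeat_every
        while nxt < day + stop:
            times.append(nxt)
            nxt += repeat_every
    return times


def peak_concurrency(n_workstations, day, selected_days, start, stop,
                     randomize, bucket=timedelta(minutes=1)):
    """Largest number of workstations that contact the server within one
    `bucket` of time, i.e. the load spike that random dispatch is meant to avoid."""
    counts = {}
    for i in range(n_workstations):
        for t in dispatch_times(day, selected_days, start, stop,
                                f"ws{i:04d}", randomize):
            slot = int((t - day) / bucket)
            counts[slot] = counts.get(slot, 0) + 1
    return max(counts.values(), default=0)


if __name__ == "__main__":
    monday = datetime(2024, 3, 4)
    window = (timedelta(hours=8), timedelta(hours=10))
    for flag in (False, True):
        print("random dispatch", flag, "-> peak workstations per minute:",
              peak_concurrency(500, monday, {"Mon"}, *window, randomize=flag))
```

With 500 workstations and a two-hour window, the non-randomized schedule sends all 500 to the server in the first minute, while the randomized one spreads them to a handful per minute. The repeat interval, when set, runs from each workstation's own first dispatch time until the end of the window.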

Advanced Settings

On each of the scheduling pages you have the option of selecting the Advanced Settings button, which allows you some additional control of the scheduled action placed on each workstation. Clicking Advanced Settings gives you a dialog with several tabs to set the specific details of the schedule.

When first displayed, the Completion tab is activated. The following sections describe each field on the tabs and how it relates to the action.

Completion

The Completion dialog allows you to specify what should happen on the workstation after the scheduled action has completed. You can choose any of the following by selecting the check box next to the appropriate items:

•   Disable the Action After Completion—Prevents the action from being rescheduled after it completes. If the policy is set to be applied every hour, selecting this turns that repetition off after the first run and the policy is not reapplied; the schedule is reset only when the user logs off and back on to the system.

•   Reboot After Completion—Reboots the workstation after the policies have been applied.

•   Prompt the User Before Rebooting—Prompts the user before rebooting. The user can cancel the reboot.

Fault

This dialog tab allows you to specify what should occur if the scheduled action fails in its completion.

The following choices are available to failed actions:

•   Disable the Action—Results in the action being disabled and not rescheduled or rerun.

•   Retry Every Minute—Attempts to rerun the action every minute, regardless of the schedule specified in the policy.

•   Ignore the Error and Reschedule Normally—Treats the action as if it ran normally and reschedules it according to the policy.

Impersonation

These settings allow you to specify the account that should be used when running the action.

The following choices are available for the user type used to run the scheduled item:

•   Interactive User—Runs the action with the rights of the currently logged-in user. Use this when the action does not need access to the protected parts of the registry or file system, because most local users do not have rights to those areas.

•   System—Runs the action in the background with the privileges of the local System account. Use this impersonation level only if the action has no user interface and requires no interaction with the user.

•   Unsecure System—Runs the action as System, as described previously, but allows user interaction. This is available only on Windows 2000 and XP. Any window such an action displays is a System-privileged window on the interactive desktop, so a local user who can interact with it has a path to those privileges; use this level only when an action genuinely must show a user interface, and keep that interface minimal.

Priority

This tab allows you to specify at which level you want the action to run on the workstation.

The following choices are available within the priority schedule:

•   Below Normal—Runs the action at a priority below normal user activity. This level does not interfere with the behavior of the system and gives the user a normal experience.

•   Normal—Runs the action at the same priority as user activity. This can slow the workstation because the service competes with the user for resources.

•   Above Normal—Runs the action at a higher priority than the user's requests, so it is serviced before user activity such as mouse and keyboard input. This completes the action faster, but it can hurt user productivity through slow response on the client.

Time Limit

This tab of the scheduled advanced settings enables you to specify how long the service should be allowed to run before it is terminated. This can be used to protect you from having the action run for long periods of time on the workstation. Terminating the action, though, may prevent the action from completing properly. Therefore, because you usually want the action to fully complete, this tab is not normally used.

Novell iPrint Policy

The Novell iPrint Policy option is available across all platforms and on the General Policies page. It allows you to configure a Novell iPrint client that can be placed on the workstation, allowing it to use Internet printing capabilities.

Client Install Page

This page allows you to specify the path on a server where the iPrint client can be found. Specifying the path on the iPrint policy causes the iPrint client to automatically be installed on the workstation. You can also specify the language and the version number of the software. Also you can specify whether to install the new client, should an older version be found on the workstation.

Settings Page

This page allows you to specify any set of printers you want to automatically install and configure on the receiving workstation.

Remote Control Policy

The Remote Control Policy option is available across all platforms and on the General Policies page.

A Remote Control policy is activated for this policy package by selecting the check box next to Remote Control Policy. After it is checked, the Remote Management policy is active for all workstations associated with the workstation policy package.

The Remote Control policy controls the features of the Remote Management subsystem shipped with ZENworks. The Remote Management system is made up of two parts: the Remote Management Session Manager, which is used by the administrator and makes the connection, and the remote control agents, which are installed on the end user's workstation. The remote control agent is part of the full set of ZENworks management agents and is installed as part of the agent installation. Running ZfDAgent.msi from the public\zenworks\ZfDAgent\<language> folder installs the agent on a workstation that has the Windows Installer (MSI) service.

The Remote Management system makes a peer-to-peer IP connection between the administrator’s workstation and the remote workstation. Remotely controlling a workstation via ZENworks Desktop Management may also require rights within the workstation object that represents the workstation to be controlled. Without these rights, the administrator is denied access to the remote control subsystem. Both the session manager and the agents validate that the user has rights to remotely control the workstation. You assign the remote control rights through the Remote Management Rights Wizard, or in the workstation object in the Remote Operators page.

ZENworks Desktop Management can also remotely control a workstation by password, without any workstation object in the tree. You launch this from the Tools menu of ConsoleOne (or by right-clicking a selected workstation). The dialog that appears asks for the IP address of the workstation and a password. This password must match the password the end user entered through the Security menu of the remote control agent icon in the system tray of that workstation, and password-based remote management must be enabled in the policy (the Enable Password-based Remote Management option on the General tab).

Remote Management Page

The Remote Management page identifies the features that you want to be activated with the Remote Management system. The following sections describe configuration options available under each of the tabs of the Remote Management policy window shown in Figure 15.7.

FIGURE 15.7 Remote Management page, General tab of a workstation policy package.

General Tab

The first tab of the Remote Management page allows you to set the following general system functions:

•   Enable Diagnostics—Allows the agent on the workstation to produce a diagnostics report. Select the workstation, right-click, and choose Actions→Diagnostics. The Diagnostics utility runs basic queries on the system and returns information about the workstation: memory, environment, and running processes, plus eDirectory and NetWare connection information, client information, network drives, the open file list, printers, network protocols, and active network services. You can also view the event and error logs recorded on that workstation.

•   Enable Password-based Remote Management—Allows an operator to establish a password-based remote management session with the workstation.

•   Enable Session Encryption—Encrypts the session between the administrative workstation and the remotely controlled desktop. The system uses a 168-bit (Triple) DES session key when a password-based remote control session is started, and a 512-bit RSA key when an eDirectory-enabled session is started. Note that 512-bit RSA moduli have been publicly factored and are far below current minimum key sizes, so treat this option as protection against casual observation of the session rather than against a determined attacker, and keep remote management traffic on a trusted network regardless.

•   Allow User to Request Remote Session—Allows the remote user to ask the administrator for a remote control session. This is useful when the remote workstation is behind a NAT and you cannot accurately determine the address and port required.

•   Terminate Session When New User Requires to Be Prompted for Permission—Terminates any ongoing remote management session with the workstation when a new user logs in whose permission is required for starting a remote management session.

•   Accept Connections Across NAT/Proxy—Allows the remote agents to accept connections across a NAT/proxy. This option applies only to eDirectory-based remote sessions.

•   Prompt User for Permission to Accept Connections Across NAT/Proxy—Applies only to eDirectory-based sessions. When selected, the user is prompted whenever the connection comes through a NAT/proxy, even if the other policies say not to prompt the user.

•   Display Remote Management Agent Icon to Users—Controls whether an icon appears in the user's system tray. From this icon the user can set the password and review the policy configuration applied to the workstation.

Control Tab

The Control tab enables and configures the remote control functions. The following settings can be managed from this policy:

•   Enable Remote Control—Activates the remote control subsystem. Without this setting, no one can remotely control the workstations associated with this policy package.

•   Prompt User for Permission to Remote Control—Displays a dialog box on the end user's machine when a remote control session is started. The dialog tells the user who wants to remotely control the machine and asks whether this is approved; the user can accept or deny the request. If the user denies it, the session is terminated and the administrator cannot remotely control the workstation.

•   Give User Audible Signal When Remote Controlled—Sounds a tone periodically on the end user's machine while the remote control session is active. You can specify the number of seconds between beeps.

•   Give User Visible Signal When Remote Controlled—Displays a dialog box on the end user's desktop while the remote control session is active. The dialog states that the workstation is being remotely controlled and shows the eDirectory name of the user doing so. You can set the number of seconds between flashes of that name.

•   Allow Blanking User's Screen—Allows the administrator to blank the screen of the remote desktop, so that the end user cannot see what the administrator is doing. When the screen is blanked, the keyboard and mouse are automatically locked as well.

•   Allow Locking User's Keyboard and Mouse—Allows the administrator to deactivate the keyboard and mouse while remotely controlling the workstation. The end user can move the mouse or press keys, but the input is ignored.

View Tab

The View tab enables and configures the remote view functions. Remote view lets the administrator watch the Windows screen of the target machine without being able to control its mouse or keyboard. The following options are available:

•   Enable Remote View—Activates the remote view subsystem. Without this setting, no one can remotely view the workstation.

•   Prompt User for Permission to Remote View—Displays a dialog box on the end user's machine when a remote view session is started. The dialog tells the user who wants to remotely view the machine and asks whether this is approved; the user can accept or deny the request. If the user denies it, the session is terminated and the administrator cannot remotely view the workstation.

•   Give User Audible Signal When Remote Viewed—Sounds a tone periodically on the end user's machine while the remote view session is active. You can also set the number of seconds between beeps.

•   Give User Visible Signal When Remote Viewed—Displays a dialog box on the end user's desktop while the remote view session is active. The dialog states that the workstation is being remotely viewed and shows the eDirectory name of the user doing so. You can set the number of seconds between flashes of that name.

File Transfer Tab

The File Transfer tab enables and configures the file transfer subsystem, which lets the administrator transfer files to and from the remote workstation. The options are as follows:

• Enable File Transfer—Activates the file transfer subsystem. Unless this option is on, no one can transfer files to or from the workstation.

• Prompt User for Permission to Transfer Files—Displays a dialog box on the end-user’s machine when a file transfer session is requested. The dialog box tells the user who wants to transfer files to or from the machine and asks for approval; the user can accept or deny the request. If the user denies it, the session is terminated and the administrator cannot transfer the files.

Remote Execute Tab

The Remote Execute tab enables and configures the remote execute subsystem, which lets the administrator run a program on the remote workstation. The program’s output is not displayed on the administrative console. The options are as follows:

• Enable Remote Execute—Allows the administrator to execute applications or files on the remotely managed workstation. Unless this option is on, no one can run programs on the workstation remotely.

• Prompt User for Permission to Remote Execute—Displays a dialog box on the end-user’s machine when a remote execute session is requested. The dialog box tells the user who is making the request and asks for approval; the user can accept or deny it. If the user denies the request, the session is terminated and the administrator cannot execute the program on the workstation.

Windows Group Policy

The Windows Group Policy option is available for the Windows 2000 and Windows XP platforms. With Windows 2000 and Active Directory, Microsoft introduced Group Policy, which can be applied to the workstations in a container or subcontainer of Active Directory. ZENworks incorporates Group Policy by letting you associate a group policy with any workstation, workstation group, or container in the eDirectory tree.

From the ZENworks point of view, a group policy is a folder of policy files (registry settings described by .ADM templates, plus security settings) that is applied to every workstation, and every user logging in to it, associated with the policy, whether directly, through a group, or through a container.

Figure 15.8 displays a sample screen of this policy.

FIGURE 15.8 Windows group policy of the Workstation Policies page.


After a group policy directory is specified in the Network Location of Existing/New Group Policies field, the remaining options become available. The options on the Windows Group Policy page are as follows:

• Network Location of Existing/New Group Policies—Lets you specify, or browse to, the directory holding the group policy you want to edit or create.

• Edit Policies—If you are running on a Windows 2000 or XP workstation, clicking this button opens the Microsoft Management Console group policy editor, in which you can edit the User Configuration and Computer Configuration settings.

• Import Policies—Lets you browse to the folder containing an existing Active Directory group policy or security settings and copy it to the directory specified in the Network Location field.

• Persist Workstation Settings—Check this box if the selected group policies should remain in effect on the local desktop after the user has logged out or the workstation has rebooted.

• Applied Settings Type—Lets you select which parts of the group policy ZENworks applies to the workstation. Each option is discussed in the following list:

    • User Configuration—Applies the settings under User Configuration of the group policy.

    • Computer Configuration—Applies the settings under Computer Configuration of the group policy, except the Security settings.

    • Security Settings—Applies all Security settings in the group policy.

• Group Policy Loopback Support—Controls how the group policy associated with the workstation (which applies to every user of that workstation) interacts with any group policy associated with the user who logs in. After loopback support is checked, you can specify one of the following modes:

    • Don’t Apply User’s Policy Settings (Replace Mode)—Ignores the user’s associated group policy and leaves the workstation’s associated policy in effect for any user logging in to the workstation.

    • Apply Workstation’s Policy Settings Last (Merge Mode)—Causes the agent to apply the user’s associated group policy to the desktop first and then apply the workstation’s associated group policy on top of it. Wherever both policies set the same policy key, the workstation’s setting wins.

The association of a group policy to a workstation is powerful in that you could lock down a specific workstation regardless of the user logging in. This may be valuable if there are some special hardware or capabilities of the workstation that you want to protect—such as not allowing the users to install software on that particular workstation.

Workstation Imaging Policy

ZENworks has the capability to image a workstation and then to apply that image back to the original or other workstations. See Chapter 22, “Imaging a Workstation,” for more detailed information on the functionality of the ZENworks imaging system.

An image, associated with an image object in the directory, can be placed on a workstation in four different ways in ZENworks:

• Booting the workstation from a network adapter with PXE (Preboot Execution Environment) support, which contacts the imaging server through PXE.

• Booting the workstation from an imaging boot diskette that contacts the imaging agent on the server.

• Placing a special boot partition on an unregistered workstation; the partition contacts the imaging agent on the server.

• Placing a special boot partition on a registered workstation and setting the Put an Image on This Workstation on the Next Boot field in the workstation object.

Each of these methods results in the workstation being imaged. The image used is either the one associated with the workstation object or one chosen by the imaging agent (and its associated policy) on the server. The address of the imaging server, either an IP address or a DNS name, is specified by the administrator when the imaging boot diskettes are created and is saved on the diskettes or in the special boot partition. In the case of PXE, the settings that direct the workstation to the imaging server are made when the ZENworks PXE system is installed.

The Workstation Imaging policy comes into effect if the workstation is to be imaged, no image is associated with the workstation object, and the policy is activated. This policy enables the administrator to create a set of rules that can govern when a particular image should be used, based on some basic information from the workstation. The imaging server follows the list of rules in the policy until one of the rules is satisfied. The rule that is satisfied results in an associated image that is then applied to the workstation.

Rules Page

This page enables the administrator to input the rules and associated images that the system uses to determine the image to place on a specific type of workstation. Figure 15.9 shows a sample of this page.

FIGURE 15.9 Rules page for a sample Workstation Imaging policy of a workstation policy package.


You must first click the Add button to add rules to the list. After you have added several rules, you can select a rule and change its position in the list, look at its properties, or remove it. Clicking Add opens a dialog box in which you define the rule.

You first click the browse button next to the Use This Image field to select an image object in the tree; the object points to an image file on the imaging server. After the image object is selected, you define the rule that decides whether this image is used. A rule may currently contain at most six key/value comparisons about the workstation.

In the middle of the dialog you see the six potential comparisons that make up the rule. The rule is a series of true/false statements joined with AND and OR. You construct each statement by filling in the drop-down lists; the resulting rule is displayed in a more English-like form to help you understand it.

AND and OR are evaluated strictly from left to right. In the Rule Description box, parentheses are added to the rule to show the administrator how it is evaluated. You cannot insert parentheses yourself; they are generated automatically as part of the explanation and are not under user control.

You first select the key to examine from a drop-down list. The keys you can choose from are the following:

• CPU—The reported processor, for example GenuineIntel Mobile Pentium MMX 233 MHZ.

• Video—The type of video adapter in the workstation, for example Trident Cyber9397 (rev 243).

• Network—The network adapter in the workstation, for example 3Com.

• Sound Card—The sound card that has been reported. This field often reads no sound card detected: detection is done with a PCI query, and if no sound card responds to it, that value is reported even though a sound card is present.

• Hard Drive Controller—The type of hard drive controller in the system. For an IDE drive the value is IDE. For a SCSI drive you get the reported name of the device, such as FUJITSU MHJ2181AT.

• MAC Address—The MAC address of the network card, for example 00 60 80 03 C2 E7.

• IP Address—The IP address assigned to the workstation, in the usual dotted form, for example 137.65.237.5.

• BIOS Asset Number—Any asset value stored in the BIOS of the computer.

• BIOS Serial Number—The serial number stored in the BIOS of the computer.

• Hard Drive Size—The disk size in megabytes; an 8GB drive is reported as 8192MB. The imaging system does not always report the full capacity, so use a wide boundary in your rules: to look for an 8GB drive, write Hard drive size > 8000MB rather than testing for an exact number.

• RAM—The amount of RAM in megabytes, reported as, for example, 64MB. This field also may not report exactly the amount of RAM you expect, so again use a wide boundary: to look for 16MB of RAM, write RAM > 15MB rather than testing for an exact number.

When the workstation boots the imaging system, it is in fact booting the Linux operating system and running the tools included in the imaging system. The key values described previously are the values that Linux can report to that software. To discover what a given system reports, boot a sample workstation from the imaging boot disk and run the img info command. This displays the information sent to the imaging server about the workstation, which is exactly the data you compare against in your rules. You can also get this information from an existing image by opening it in the ZENworks image editor and choosing Properties on the image root. See Chapter 22 for more detailed information on the ZENworks imaging system.

The next part of the comparison is the operator. There are two types of operators, string and integer. The Hard Drive Size and RAM fields are treated as integers; all other fields are treated as strings and compared case-insensitively. The string operators are contains, doesn’t contain, begins with, and equals. The integer operators are =, <>, >, >=, <, and <=.

Each operator compares the key value reported by the workstation to the imaging server (the reported value) with the value you type into the value field of the comparison (the specified value). The operators have the following meanings:

• contains—The specified value appears as a substring anywhere in the reported value.

• doesn’t contain—The specified value does not appear anywhere in the reported value.

• begins with—The reported value starts with the specified value.

• equals—The reported value is the same as the specified value.

• = equals—The reported value is numerically equal to the specified value.

• <> not equal—The reported value is numerically different from the specified value.

• > greater than—The reported value is greater than the specified value.

• >= greater than or equal to—The reported value is greater than or equal to the specified value.

• < less than—The reported value is less than the specified value.

• <= less than or equal to—The reported value is less than or equal to the specified value.

The next field is where you enter the value to compare against. The field at the far right lets you extend the rule with an additional key/value comparison; your choices are AND and OR.

The Boolean operators are evaluated strictly from left to right. For example, if the following comparisons were entered into a rule:

• Hard drive size >= 600MB AND

• RAM < 16MB OR

• RAM > 31MB

the rule is evaluated as (Hard drive size >= 600MB AND RAM < 16MB) OR (RAM > 31MB). The image is therefore given to any system with a disk of at least 600MB and less than 16MB of RAM, and also to any system with more than 31MB of RAM regardless of the size of its hard drive. Note that this differs from the usual programming convention in which AND binds more tightly than OR; for a rule of the form A OR B AND C the two conventions give different results, so the order in which you enter the comparisons matters.

You can view the precedence of the equation, complete with parentheses, on the bottom half of the screen as you introduce new key/value pairs into your rule.

After your set of key/value pairs has been entered and you have reviewed your equation at the bottom of the screen, click the OK button to include the rule into the imaging system. You are returned to the original Rules page with the rule that you entered placed on the screen.

Once again, from this page—after you have entered some rules—you can then specify the order that the rules are evaluated. After selecting a rule, you can move that rule in the order by clicking either the Move Up or the Move Down buttons. As the imaging server is evaluating the rules, the first rule that results in a TRUE evaluation results in that image being supplied to the workstation.
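The rule evaluation described on the Rules page, as an added example in Python; this is not ZENworks code. It implements the string and integer operators, the case-insensitive string compare, the six-comparison limit, the strict left-to-right AND/OR evaluation with the parenthesised Rule Description text, and first-match selection over an ordered rule list. The Clause class, the workstation-information dictionaries (written in the style of an img info report), the image file names and the sample rules are all constructed for illustration. It also goes beyond the page by including a conventional-precedence evaluator for contrast, so you can see where the left-to-right rule gives a different answer.

```python
"""Model of Workstation Imaging policy rule evaluation.

Added example, not ZENworks code. Key names follow the policy's key list;
the Clause class, the sample workstations and the image names are constructed.
"""
import operator
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INTEGER_KEYS = {"Hard Drive Size", "RAM"}       # every other key is a string key
MAX_COMPARISONS = 6                             # a rule holds at most six key/value pairs

STRING_OPS = {
    "contains": lambda reported, wanted: wanted in reported,
    "doesn't contain": lambda reported, wanted: wanted not in reported,
    "begins with": lambda reported, wanted: reported.startswith(wanted),
    "equals": lambda reported, wanted: reported == wanted,
}
INTEGER_OPS = {
    "=": operator.eq, "<>": operator.ne, ">": operator.gt,
    ">=": operator.ge, "<": operator.lt, "<=": operator.le,
}


@dataclass
class Clause:
    key: str                            # one of the policy keys, e.g. "RAM"
    op: str                             # a STRING_OPS or INTEGER_OPS name
    value: str                          # what the administrator typed, e.g. "8000MB"
    conjunction: Optional[str] = None   # "AND"/"OR" linking to the next clause


def _as_int(text: str) -> int:
    """Accept '8192', '8192MB' or ' 64 MB' and return the number."""
    match = re.match(r"\s*(\d+)", str(text))
    if not match:
        raise ValueError(f"not an integer value: {text!r}")
    return int(match.group(1))


def eval_clause(clause: Clause, reported: Dict[str, str]) -> bool:
    """Compare one reported key value with the administrator's value."""
    rep = reported.get(clause.key, "")
    if clause.key in INTEGER_KEYS:
        return INTEGER_OPS[clause.op](_as_int(rep), _as_int(clause.value))
    # string keys are compared case-insensitively
    return STRING_OPS[clause.op](str(rep).lower(), clause.value.lower())


def eval_rule(clauses: List[Clause], reported: Dict[str, str]) -> bool:
    """Strict left-to-right evaluation: ((c1 op c2) op c3) ..."""
    if not clauses:
        return False
    if len(clauses) > MAX_COMPARISONS:
        raise ValueError("a rule may hold at most six comparisons")
    result = eval_clause(clauses[0], reported)
    for prev, cur in zip(clauses, clauses[1:]):
        if prev.conjunction not in ("AND", "OR"):
            raise ValueError("clauses must be joined with AND or OR")
        value = eval_clause(cur, reported)
        result = (result and value) if prev.conjunction == "AND" else (result or value)
    return result


def eval_standard_precedence(clauses: List[Clause], reported: Dict[str, str]) -> bool:
    """For contrast only: conventional precedence, where AND binds tighter than OR."""
    or_groups, and_run = [], []
    for clause in clauses:
        and_run.append(eval_clause(clause, reported))
        if clause.conjunction != "AND":          # an OR link, or the final clause
            or_groups.append(all(and_run))
            and_run = []
    return any(or_groups)


def describe(clauses: List[Clause]) -> str:
    """Render the parenthesised form shown in the Rule Description box."""
    text = f"{clauses[0].key} {clauses[0].op} {clauses[0].value}"
    for prev, cur in zip(clauses, clauses[1:]):
        text = f"({text} {prev.conjunction} {cur.key} {cur.op} {cur.value})"
    return text


def select_image(rules: List[Tuple[str, List[Clause]]],
                 reported: Dict[str, str]) -> Optional[str]:
    """The imaging server walks the ordered rule list; the first TRUE rule wins."""
    for image, clauses in rules:
        if eval_rule(clauses, reported):
            return image
    return None


# The rule from the text: (Hard drive size >= 600MB AND RAM < 16MB) OR RAM > 31MB
PAGE_RULE = [
    Clause("Hard Drive Size", ">=", "600MB", "AND"),
    Clause("RAM", "<", "16MB", "OR"),
    Clause("RAM", ">", "31MB"),
]
# The same comparisons entered in another order: here the two conventions disagree
REORDERED_RULE = [
    Clause("RAM", ">", "31MB", "OR"),
    Clause("Hard Drive Size", ">=", "600MB", "AND"),
    Clause("RAM", "<", "16MB"),
]
# Constructed reports (sizes in MB, as the imaging engine reports them)
SMALL_BOX = {"Hard Drive Size": "800", "RAM": "8", "Network": "3Com 3C905B"}
BIG_BOX = {"Hard Drive Size": "8192", "RAM": "64", "Network": "3Com 3C905C-TX"}
TINY_BOX = {"Hard Drive Size": "400", "RAM": "8", "Network": "NE2000 compatible"}

# An ordered rule list as it would appear on the Rules page (image names constructed)
RULES = [
    ("win98-small.zmg", [Clause("RAM", "<", "16MB")]),
    ("winxp-std.zmg", [Clause("Network", "contains", "3com", "AND"),
                       Clause("Hard Drive Size", ">", "8000MB")]),
]

if __name__ == "__main__":
    print(describe(PAGE_RULE))
    for name, box in (("small", SMALL_BOX), ("big", BIG_BOX), ("tiny", TINY_BOX)):
        print(name, eval_rule(PAGE_RULE, box), select_image(RULES, box))
    print("reordered, left-to-right:", eval_rule(REORDERED_RULE, BIG_BOX))
    print("reordered, standard precedence:", eval_standard_precedence(REORDERED_RULE, BIG_BOX))
```

Run it as a script and compare the two results for REORDERED_RULE against BIG_BOX: left-to-right evaluation gives (RAM > 31MB OR Hard drive size >= 600MB) AND RAM < 16MB, which is false for a 64MB machine, while conventional precedence would accept it. When a rule mixes AND and OR, check the parenthesised description before saving it, and put the OR branch last if you want it to act as an alternative to the whole AND group.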

Imaging Partition

The Imaging Partition page allows you to disable the ZENworks imaging partition if it exists. This page is accessed by clicking on the triangle on the Work To Do tab and selecting Imaging Partition from the drop-down list.

This is useful if you want to disable imaging on the workstation because no active imaging is occurring on the workstation. For example, you have a one-time image applied to a workstation annually in January. You need the partition to remain intact, but you can disable it the rest of the year.

NOTE

Novell recommends that you disable the imaging partition and use PXE instead to perform preboot work.

Multicast

The Multicast page is accessed by clicking on the triangle on the Work To Do tab and selecting Multicast from the drop-down list.

This page lets you specify whether the imaging server consults its multicast sessions before or after the image selection rules in this policy. When the check box is checked, the server evaluates the image selection rules first and checks its multicast sessions afterward; when it is cleared, the server first checks whether the workstation should take part in a multicast session and only then evaluates the rules.

NOTE

This check box will have no effect on workstations configured to serve as session masters because that role takes priority over any other imaging setting.

PXE Settings Page

ZENworks Desktop Management ships with PXE-enabled software, and you can set the PXE settings used when deploying images. Novell now recommends removing the Linux partition from the workstation and moving to PXE for image deployment. On this page you set whether the PXE menu appears automatically when PXE is launched, and which entries appear on the menu.

The PXE menu offers choices such as whether to receive an image or to take an image.

On this page you may select the following options:

• Always Display the PXE Menu—Causes the PXE menu to be displayed every time the workstation is rebooted.

• Display the PXE Menu Only if Ctrl+Alt Are Held During Reboot—Causes the PXE boot menu to be displayed only if the user presses and holds Ctrl+Alt while the workstation is rebooting.

• Do Not Display the PXE Menu—Prevents the PXE menu from being displayed.

• Read the PXE Menu from This File Instead of Using the Default Menu—Lets you browse to and select a file whose contents are used to display the PXE menu.

NOTE

The PXE menu file that you specify must be located in the TFTP directory on the server (SYS:TFTP on NetWare, Program Files\ZEN Preboot Services\TFTP\Data on Windows NT/2000/XP).

To create a menu, run the Menu Editor tool on the server where the PXE boot services were installed. It can also be run from the ZENworks Desktop Management CD, from the \ZEN Preboot Services\Menu Editor directory; the program is MEditor.exe.

Image-Safe Data Page

The Image-Safe Data tab is composed of four pages. They hold information that is placed on, or retrieved from, the workstation regardless of the image used. You select a page from the small triangle drop-down menu on the tab.

An agent that may be installed on the workstation, the Image-Safe Data agent, moves data between the operating system and a special sector on the disk that stores configuration information such as the IP address or DHCP setting, the computer name, and the workgroup. The data in this sector is not affected by an image taken from or placed on the drive.

When the Image-Safe Data agent runs on the workstation, it makes sure that the information in the special sector and in the operating system is synchronized. Following an image placement, the agent copies the data from the disk sector into the operating system, setting up the DHCP or static IP configuration and the computer name. On a workstation that has not just been imaged, the agent copies the information from the operating system into the disk sector so that it can be restored should a new image later be placed on the drive. If the agent did not run, every imaged workstation would be an exact mirror of the image, with the same IP and computer name configuration.

The Image-Safe Data configuration pages enable the imaging server to pass this configuration information to the agent via the disk sector.

IP Assignment Log Page

The IP Assignment Log page displays the IP addresses that the imaging server has assigned to imaged or reimaged workstations. The set of available IP addresses is set on the IP Configuration page, described next.

The IP Assignment Log page displays the log of the addresses that have been assigned.

This page can also be used to return an IP address to the pool of available addresses. To do so, select the address in the log list and click the Remove button.

NOTE

When you remove a specific IP address from the log, it may no longer be represented in the range on the IP Configuration page and therefore will not be reused.

If you specify a range on the IP Configuration page as the set of addresses available for workstations, the range shown on the configuration page is shortened as the imaging server consumes addresses from its ends. For example, if the range 123.65.234.1...123.65.234.100 was configured and the addresses 123.65.234.1 through 123.65.234.10 were assigned, the range would be changed to 123.65.234.11...123.65.234.100. Consequently, when you go to the log page and free 123.65.234.10, the range is not reconfigured, and the freed address is not reassigned. You must go to the configuration page and manually modify the range to include the addresses you have freed.

IP Configuration Page

The IP Configuration page enables you to specify whether the workstations imaged by the imaging server will obtain their IP address from a DHCP server or via a static assignment done as part of the imaging process.

If you select the DHCP option, the Windows system on the imaged workstation is told to obtain its IP address from a DHCP server. If instead you select that you want to specify an IP address, the other fields on the page are activated.

To specify static IP addresses, you first enter the subnet mask and default gateway that all workstations imaged through this policy will receive. You must also specify the range of IP addresses that the imaging server draws from, assigning each imaged workstation a unique address. You specify the set of addresses with the Add and Add Range buttons.

When the imaging server receives a request for an image, the IP address information is transmitted to the workstation and assigned to it after the image has been placed. That address is then logged on the imaging server and not reused for another workstation.

To remove any address or ranges from the possible set, select the item and click the Remove button. These addresses will no longer be in the pool of available addresses for the imaging server to assign.
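The static assignment pool described on the IP Assignment Log and IP Configuration pages, as an added example in Python; it is not ZENworks code, and the class, its method names and the workstation identifiers are constructed. It reuses the 123.65.234.x range from the text. Two points go beyond the page: the pool tracks free addresses individually instead of shrinking the configured range, so an address removed from the log is actually reused, and every address added is checked against the subnet implied by the mask and gateway, since a static address outside that subnet leaves the imaged workstation unreachable.

```python
"""Static IP pool for imaged workstations, modeled on the IP Configuration
and IP Assignment Log pages.

Added example, not ZENworks code. The class, its method names and the
workstation identifiers are constructed; the sample range follows the text.
"""
import ipaddress
from typing import Dict, List, Optional


class ImagingIpPool:
    """Hands out unique static addresses and logs which workstation got which.

    Free addresses are tracked individually rather than as shrinking ranges,
    so an address freed from the log can be reused without editing the range.
    """

    def __init__(self, subnet_mask: str, default_gateway: str) -> None:
        self.subnet_mask = subnet_mask
        self.gateway = ipaddress.ip_address(default_gateway)
        # the subnet every handed-out address must belong to
        self.network = ipaddress.ip_network(f"{default_gateway}/{subnet_mask}", strict=False)
        self._free: List[ipaddress.IPv4Address] = []      # sorted, lowest first
        self._log: Dict[ipaddress.IPv4Address, str] = {}  # assigned address -> workstation

    def add(self, address: str) -> None:
        """Add a single address (the Add button)."""
        addr = ipaddress.ip_address(address)
        if addr not in self.network:
            raise ValueError(f"{addr} is outside {self.network}")
        if addr in (self.gateway, self.network.network_address, self.network.broadcast_address):
            raise ValueError(f"{addr} cannot be assigned to a workstation")
        if addr in self._free or addr in self._log:
            return                                    # already known; keep the pool unique
        self._free.append(addr)
        self._free.sort()

    def add_range(self, first: str, last: str) -> None:
        """Add an inclusive range (the Add Range button)."""
        a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if b < a:
            raise ValueError("range end precedes range start")
        for n in range(int(a), int(b) + 1):
            self.add(str(ipaddress.ip_address(n)))

    def remove(self, address: str) -> bool:
        """Drop an unassigned address from the pool (the Remove button on IP Configuration)."""
        addr = ipaddress.ip_address(address)
        if addr in self._free:
            self._free.remove(addr)
            return True
        return False

    def assign(self, workstation: str) -> Optional[str]:
        """Called once an image is placed: hand the lowest free address to the workstation."""
        if not self._free:
            return None                               # exhausted; caller must alert or fall back to DHCP
        addr = self._free.pop(0)
        self._log[addr] = workstation
        return str(addr)

    def free(self, address: str) -> str:
        """Remove an entry from the assignment log and return the address to the pool."""
        addr = ipaddress.ip_address(address)
        workstation = self._log.pop(addr)             # KeyError if it was never assigned
        self._free.append(addr)
        self._free.sort()
        return workstation

    def assignment_log(self) -> Dict[str, str]:
        """The IP Assignment Log: address -> workstation, lowest address first."""
        return {str(a): w for a, w in sorted(self._log.items())}

    def free_count(self) -> int:
        return len(self._free)


def demo() -> ImagingIpPool:
    """Replays the text's example: 123.65.234.1-100, ten assignments, one address freed."""
    pool = ImagingIpPool("255.255.255.0", "123.65.234.254")
    pool.add_range("123.65.234.1", "123.65.234.100")
    for i in range(10):
        pool.assign(f"WS{i + 1:03d}")
    pool.free("123.65.234.10")                        # WS010 is being retired
    return pool


if __name__ == "__main__":
    p = demo()
    print(p.assignment_log())
    print("next address:", p.assign("WS011"), "still free:", p.free_count())
```

After the replay, the next assignment hands out 123.65.234.10 again, which is the behaviour an administrator expects from the Remove button on the log page; with the range-shrinking design described in the text that address would have stayed unused until the range was edited by hand.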

Windows Networking Page

In the Windows Networking page you can specify the computer name for the workstation and the workgroup for the system.

The computer name prefix that you enter in the field (maximum of seven characters) is prepended to a randomly generated set of characters and numbers to construct the final 15-character computer name for the workstation.

The Make the Computer a Member of the Following field enables you to specify the workgroup that you want for the workstation. You select which you prefer by selecting the field and entering the workgroup name.

DNS Settings

The DNS Settings page allows you to specify the DNS suffix and name servers that will be used by this policy. Simply type in the suffix you want to use and then click the Add button to bring up an IP address dialog box to specify the addresses of name servers. It is important to use the correct suffix and name servers for the ZENworks Desktop Management imaging engine to process imaging operations on a workstation.

Security Page

As part of the imaging system, the administrator can request that the workstation take an image of itself and place it on the server. This is done by checking fields in the workstation object (see Chapter 22 for details), which causes the workstation to take an image of itself on its next reboot.

When the workstation takes an image of itself, or when an image is taken by a request made from the Linux imaging boot environment, the image is transmitted to the imaging server. The server receives the .ZMG file and stores it in the path specified by the requester. To prevent existing files from being overwritten and to keep users from placing image files in inappropriate directories, the imaging server uses the settings on the Security page to restrict where uploaded image files may be stored.

When you check the Allow Imaging to Overwrite Existing Files When Uploading option, you allow the server to overwrite any file that has the same name as the image file name specified by the user.

The Restrict Uploads to the Following Directories check box requires that every requested upload name one of the listed directories. If the directory portion of the destination path specified by the user does not match one of the directories in the list on this page, the request to store the uploaded image is refused. To add a path to the list of accepted destinations, click the Add button and enter the path.

Paths in the list may be in one of the following formats:

Driveletter:\path

Volume:\path

NTShare\path

The system does not, for example, accept a UNC path. When the user enters the location of the file, including the path, this information is transmitted to the imaging server; the server compares the directory portion of the path with every string in this list. If a match occurs (that is, the directory is listed), the operation is accepted and the image is taken and stored; otherwise, the operation fails and the image is not taken. Because acceptance depends on the directory portion matching a listed string, do not assume that subdirectories of a listed directory are accepted; list each acceptable directory explicitly.
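The upload-destination check described for the Security page, as an added example in Python; it is not ZENworks code. The allowed-directory list, the sample upload requests, the constructed list of files already on the server and the function names are all assumptions made for illustration. The check rejects UNC paths, normalises the directory portion (case, separators, and . or .. segments) before comparing it with the list, and honours the overwrite option. For contrast it also includes a naive prefix check, which is the common but unsafe way to implement a directory restriction: it accepts a traversal such as C:\images\..\Windows\system32 and a sibling directory such as C:\images2.

```python
"""Upload-destination check modeled on the imaging policy Security page.

Added example, not ZENworks code. The allowed-directory list, the sample
destinations, the existing-file list and the function names are constructed.
"""
import ntpath
from typing import Iterable, Sequence, Tuple

# Entries use the formats the page accepts: drive letter, NetWare volume, NT share
ALLOWED_DIRS = [r"C:\images", r"SYS:\images\lab"]


def _norm_dir(path: str) -> str:
    """Collapse '.'/'..' segments, unify separators, drop a trailing slash, ignore case."""
    normalized = ntpath.normpath(path.replace("/", "\\"))
    return normalized.rstrip("\\").lower()


def _norm_file(path: str) -> str:
    return ntpath.normpath(path.replace("/", "\\")).lower()


def upload_allowed(dest: str,
                   allowed_dirs: Sequence[str] = ALLOWED_DIRS,
                   existing_files: Iterable[str] = (),
                   allow_overwrite: bool = False) -> Tuple[bool, str]:
    """Decide whether an image may be stored at `dest`; returns (accepted, reason)."""
    if dest.startswith(("\\\\", "//")):
        return False, "UNC paths are not accepted"
    directory, filename = ntpath.split(dest)
    if not directory or not filename:
        return False, "destination must be a directory plus a file name"
    # compare the normalised directory portion as a whole, not as a prefix
    if _norm_dir(directory) not in {_norm_dir(d) for d in allowed_dirs}:
        return False, f"directory {directory!r} is not in the restricted-upload list"
    target = ntpath.join(_norm_dir(directory), filename.lower())
    # existing_files stands in for a stat() on the real server (constructed here)
    if target in {_norm_file(f) for f in existing_files} and not allow_overwrite:
        return False, f"{filename} exists and overwriting is not allowed"
    return True, "accepted"


def naive_prefix_check(dest: str, allowed_dirs: Sequence[str] = ALLOWED_DIRS) -> bool:
    """Unsafe variant for contrast: accept if the raw string starts with an allowed directory."""
    return any(dest.lower().startswith(d.lower()) for d in allowed_dirs)


# Constructed upload requests as a client might send them
REQUESTS = [
    r"C:\IMAGES\lab1.zmg",                          # accepted: case differs, same directory
    r"C:\images2\lab1.zmg",                         # rejected: sibling directory
    r"C:\images\sub\lab1.zmg",                      # rejected: subdirectory is not listed
    r"C:\images\..\Windows\system32\evil.zmg",      # rejected: traversal out of the directory
    r"\\fileserver\images\lab1.zmg",                # rejected: UNC path
    r"SYS:\images\lab\base.zmg",                    # accepted: NetWare volume path
]

if __name__ == "__main__":
    for req in REQUESTS:
        ok, why = upload_allowed(req, existing_files=[r"C:\images\lab1.zmg"])
        print(f"{ok!s:5} prefix={naive_prefix_check(req)!s:5} {req}: {why}")
```

The first request is refused in the script only because the constructed existing-file list already holds C:\images\lab1.zmg; pass allow_overwrite=True, which corresponds to the Allow Imaging to Overwrite Existing Files When Uploading option, and it is accepted. The comparison is done on the normalised directory, so a client cannot reach an unlisted directory by spelling a listed one differently or by appending .. segments, which is exactly what the prefix variant gets wrong.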

Workstation Inventory Policy

The ZENworks Workstation Inventory Policy page allows you to configure how workstations associated with this workstation policy package will be inventoried.

See Chapter 20, “Using ZENworks Workstation Inventory,” for more detailed information about the inventory system with ZENworks.

With the Workstation Inventory policy, you identify where the collector of inventory information is located, whether hardware and software scanning is done, and how to customize the scan list to identify programs that lack an identifying header.

Figure 15.10 displays the Workstation Inventory page of the Workstation Inventory policy.

FIGURE 15.10 Workstation Inventory policy within a workstation policy package.


Within the inventory policy, the administrator has the ability to administer the following parameters:

• Inventory Service—The service object in the tree that represents the inventory service module running on a server in the network. This server agent receives the information from the workstations and processes it, either by placing it in a local Sybase database or by forwarding it to the next level of the inventory database hierarchy (see Chapter 19, “Creating Server Policies”). All workstations associated with this policy send their scanned information to the specified service.

• Hardware Scan—Enables DMI (Desktop Management Interface), WMI (Windows Management Instrumentation), and custom scanning, and configures the custom attributes to scan for.

• Software Scan—Enable Software Scan—Turns on a software scan by the ZENworks Desktop Management agent in addition to the standard hardware scan.

• Software Scan—Custom Scan Editor—Opens a dialog in which you describe files that may be found on a workstation: vendor name, product name, product version, filename, and file size. When a file has no header information, it is looked up in this table by filename and size and reported as the specified program. You can export these file lists from, and import them into, the eDirectory policy object.

• Configuration Editor—Lets you import, export, and modify custom scanning configuration settings, such as the Zip file extensions to scan for, vendor and product rules, and asset information.

NOTE

The Policy Schedule page determines when the hardware and software inventories for associated workstations are run. See the “Computer Extensible Policies” section earlier in the chapter, for a description of this page.

ZENworks Desktop Management Agent Policy

The ZENworks Desktop Management agent is one of the most dynamic features of ZENworks because it provides the ability to maintain workstations. The ZENworks Desktop Management Agent policy, shown in Figure 15.11, lets you configure the following settings, which the agent running on workstations associated with the workstation policy package will use:

• Apply Middle Tier Address—Causes the address specified in this policy to be applied to the agents on the associated workstations.

• DNS Name or IP Address of the ZENworks Middle Tier Server—Specifies the DNS name or IP address of the web server running the ZENworks middle-tier server through which the ZENworks Desktop Management agent connects the workstation to the network. This field is activated only when the Apply Middle Tier Address check box is selected.

• eDirectory Refresh Rate (Minutes)—Specifies the number of minutes the ZENworks agent waits between checks of eDirectory for changes to policy objects. The default is 1380 minutes. Each refresh generates eDirectory traffic on your network, so if many workstations connect through the agent, you may need to increase this value.

• Display ZENworks Authentication Dialog—Specifies whether ZENworks presents its own login dialog rather than the standard Windows dialog.

• Allow Users to Change ZENworks Middle Tier Address on Authentication Dialog—The login dialog shows the DNS name or IP address of the middle tier that the agents will contact. This check box allows users to edit that field, directing the agents to a different middle tier. It is available only when the Display ZENworks Authentication Dialog check box is selected. Because it lets a user point the agent at any server, leave it cleared unless users genuinely need to switch middle tiers.

• Resident Workstation Welcome Bitmap (NT/2000/XP Only)—Specifies the bitmap file displayed when the workstation starts up. The file must be present on the workstation (you can distribute it with ZENworks).

• Welcome Caption (NT/2000/XP Only)—Specifies the text displayed in the header of the welcome screen.

• Login Window Bitmap (NT/2000/XP Only)—Specifies the bitmap file displayed as part of the login window. The file must be present on the workstation, in the default Windows directory.

• Enable Volatile User Cache—Allows volatile user information that has been cached on a workstation to remain cached for the specified period of time.

• Cache Volatile User Time Period (Days)—The number of days before cached volatile user information is removed; the default is five days. Because volatile users are then not created and removed at every login and logout, login is much faster, and a user can continue using the workstation even when it is disconnected from the network and the user is not a registered user on the workstation. This field is available only when the Enable Volatile User Cache check box is selected.

FIGURE 15.11 ZENworks Desktop Management Agent policy within a workstation policy package.


Scheduled Action Policy

The Scheduled Action policy is a plural policy that allows you to specify one or more actions to perform on workstations associated with the workstation policy package, based on the policy's schedule. Because it is a plural policy, you can create as many Scheduled Action policies for each platform in the workstation policy package as you need.

For example, if you needed all your DNS/DHCP clients to refresh their IP configuration every day at 8 a.m., you could create a Scheduled Action policy that runs the IPCONFIG utility twice, once with the /release and once with the /renew parameter. Then set the policy schedule to run daily at 8 a.m.

You create a Scheduled Action policy by going to the package you want and clicking the Add button on the Policies tab. This brings up a dialog that lists the plural policies available; Scheduled Action policy will be one of them. Enter a policy name and click OK to add the policy to the package.

From the Scheduled Action Policy window Actions tab, shown in Figure 15.12, you can configure the following for each action by clicking the Add or Properties button:

Image   Name—Full path name to the application that will be executed on the workstation.

Image   Working Directory—The working directory the policy will use when applying the action.

Image   Parameters—Command-line parameters that will be added to the command line when the action is executed.

Image   Priority—The priority assigned to this action when compared to the priority of the user's access to the workstation. You can specify a priority of Action Default, Above Normal, Normal, or Below Normal. Setting the priority to Above Normal helps ensure that the action is performed quickly on the workstation no matter what the user is doing. Setting the priority to Below Normal impacts the user on the workstation less. Take this priority balance into account when scheduling actions; for example, you may want to create one Scheduled Action policy for high-priority actions and one for low-priority actions.

Image   Terminate Time if Still Running After—The amount of time in minutes that the application will be allowed to run on the workstation before the policy forces its termination. The default is one minute. This can be useful in protecting users from too large a performance hit from the scheduled action. It can also be useful in ensuring that all the actions in the policy are able to run.

FIGURE 15.12 Scheduled Action policy within a workstation policy package.


You can also disable an individual action by selecting the individual action in the list and clicking the Disable button. This allows you to keep the action and its setting available for future use but not have it executed the next time the policy schedule is reached.

The final setting you have on the Actions tab of the Scheduled Actions policy is to enable the Run Items in Order Listed option, shown in Figure 15.12. When enabled, this forces the actions to run one at a time in the order they are listed in the Actions list. This can be useful if you need to run a set of actions in a specific order. The Move Up and Move Down buttons allow you to change the order of the actions if necessary.
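To make the behaviour of the Actions tab concrete, here is a small model of how a Scheduled Action policy runs its actions: each action carries the Name, Working Directory, Parameters, Terminate Time and Disable settings described above, and Run Items in Order Listed selects sequential or concurrent execution. This is an added, constructed example, not ZENworks code; the sample actions use Python one-liners in place of IPCONFIG so it runs on any platform, and Priority is not modelled.

```python
# Constructed model of a ZENworks Scheduled Action policy run; the fields
# mirror Name, Working Directory, Parameters, Terminate Time if Still Running
# After, the Disable button and Run Items in Order Listed. Priority is omitted.
import subprocess
import sys
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, field


@dataclass
class ScheduledAction:
    name: str                                       # full path to the program
    parameters: list = field(default_factory=list)  # command-line parameters
    working_directory: str = "."
    terminate_after_minutes: float = 1.0            # policy default: one minute
    enabled: bool = True                            # cleared by the Disable button


def run_one(action):
    """Run a single action, forcing termination once its time limit passes."""
    if not action.enabled:
        return (action.name, "disabled")
    try:
        proc = subprocess.run([action.name, *action.parameters],
                              cwd=action.working_directory,
                              timeout=action.terminate_after_minutes * 60,
                              capture_output=True)
        return (action.name, proc.returncode)
    except subprocess.TimeoutExpired:   # subprocess.run kills the child for us
        return (action.name, "terminated")


def run_policy(actions, run_in_order=True):
    """Run every action: sequentially when Run Items in Order Listed is set,
    otherwise all at once. Results keep the list order either way."""
    if run_in_order:
        return [run_one(a) for a in actions]
    with ThreadPoolExecutor(max_workers=max(len(actions), 1)) as pool:
        return list(pool.map(run_one, actions))


# Constructed sample. A real policy would name IPCONFIG with /release and
# /renew; Python one-liners stand in so the example runs on any platform.
SAMPLE_ACTIONS = [
    ScheduledAction(sys.executable, ["-c", "import sys; sys.exit(0)"]),
    ScheduledAction(sys.executable, ["-c", "import time; time.sleep(30)"],
                    terminate_after_minutes=0.01),  # 0.6 s, then terminated
    ScheduledAction(sys.executable, ["-c", "import sys; sys.exit(3)"],
                    enabled=False),
]
```

Calling run_policy(SAMPLE_ACTIONS) returns exit code 0 for the first action, "terminated" for the second (killed after its time limit) and "disabled" for the third, which is never launched.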

Summary

This chapter discussed all the policies that can be applied to workstations in your environment. These policies can manage the operating system of your Windows workstations as well as the behavior of ZENworks features and functions.

With these policies you can cause work to be done on a recurring, scheduled basis; you can apply corporate images and lock down workstations through group policies.

These policies provide you full life-cycle management for your workstations.
