Chapter 16 Setting Up Handheld Policies

This chapter discusses the use and creation of handheld policies. Handheld policies are associated with handheld device objects and handheld groups or containers and affect their working environment.

Relationship of Handheld Policies to Handheld Devices

Handhelds are associated with handheld policies in any of three ways:

•   Policies can be associated with the handheld object directly.

•   Policies can be associated with a parent container of the handheld object.

•   Policies can be associated with a handheld group of which the device is a member.

The ZENworks Handheld server periodically scans the eDirectory tree, imports PDA objects, and discovers any associated policies or applications. When the handheld agent (or the proxy on the synchronization device) contacts an Access Point, the services communicate back to the Handheld server and are given any associated policies or applications.

There are three unique handheld policy packages:

•   Handheld package—Holds policies given to the particular PDA to function on the device.

•   Handheld Service package—Holds policies that direct the functions of the Handheld Server.

•   Handheld User package—Holds policies that are for a handheld device but are associated with and based on a user rather than the particular device. These policies follow a user from device to device.

The following section examines how to set up the first of these—the Handheld Package.

Handheld Package

The Handheld package is one of the three types of handheld policy packages. The Handheld package is associated with a handheld device, handheld group, or container and contains policies that are enforced on the associated handheld device.

Setting Up a Handheld Package

To have a Handheld package, you must first create the policy package. To create a Handheld package, do the following:

1.   Start ConsoleOne.

2.   Browse to the container where you want to have the policy package. Remember that you do not have to create the policy package in the container where you are doing the associations. You can associate the same policy package to many containers in your tree.

3.   Create the policy package by right-clicking and choosing New→Policy Package or by selecting the Policy Package icon on the toolbar.

4.   Select the Handheld Package object in the wizard panel and click Next.

5.   Enter the desired name of the package in the Policy Package Name field and select the container where you want the package to be located. The Container field is already filled in with the selected container, so you should not have to browse to complete this field. If it is not, click the browser button next to the field and browse to and select the container where you want the policy object stored. Click Next.

6.   Select the Define Additional Attributes field to go into the properties of your new object and activate some policies. Click Finish.

7.   Check and set any policies you want for this handheld policy package and click OK.

The ZENworks Handheld agents search the eDirectory for all associated policies and combine all policies associated with the device, groups, or containers. Should more than one of the same type of policy be accessible by the device, the policy “closest” in search order (device, groups, and then containers) is used.

The following subsections describe each of the fields and property pages available in the Handheld package.

Policies Property Page

The Policies property page displays the policies available and activated in this package. Three platforms are supported by the handheld policy package: Palm, WinCE (which also implies PocketPC), and BlackBerry. You can manage the policies for each of these platforms by selecting the desired platform through the drop-down menu on the tab.

Palm Policies

The Palm policies include the Palm Client Configuration policy, the Palm Configuration policy, and the Palm Security policy, as shown in Figure 16.1. Any number of File Retrieval policies may be included in the list by clicking the Add button.

FIGURE 16.1 Palm policies in the handheld policy package.

The Policies tab allows for the configuration and activation of these policies. The Associations tab allows you to assign this policy to a device, container, or group of handheld devices.

Palm Access Point Configuration Policy

The Palm Access Point Configuration policy allows you to specify, for the associated Palm devices, the set of Access Points that are available for the device. The device attempts to connect to the first address listed. If that address is unavailable, the device attempts the next address in the list. This continues until the device connects with an Access Point.

To add an Access Point DNS name or IP address, activate the policy and click Properties. You will see a policy as shown in Figure 16.2.

FIGURE 16.2 The Access Point configuration policy in the handheld policy package.

From this page, click the Add button to input a new Access Point address. You will be presented with a screen where you can select the Access Points that are known to the system (see Figure 16.3).

FIGURE 16.3 Palm Access Point entry dialog.

Ensure the field points to the Handheld service object in your system. Then click the Display button to show the Access Points known to this service. From this list, select the Access Point you want to add to the policy and click OK. This takes you back to the administered access point list.

To re-arrange addresses and modify the order, select an entry and click the Move Up or Move Down button. When completed, click the OK button to return to the policy package screen.

Palm Client Configuration Policy

The Palm Client Configuration policy allows the administrator to configure whether the client should prompt the user at synchronization time for his username and password. The configuration to prompt for the user credentials is also located in the handheld service object. This policy, when associated, can override the service object.

Click the Override the Server Configuration check box to have this policy override the server. Click Enable User Authentication on Handhelds to activate the prompting of the user credentials.

When user credentials are given, ZENworks uses LDAP to authenticate to eDirectory and then find any applications and policies that have been associated with the user.

Palm Configuration Policy

The Palm Configuration policy allows the administrator to configure the various parameters, buttons, and applications that should reside on the Palm device.

On the General tab of the Palm Configuration policy, you can configure the following parameters:

•   Auto-off After—Specify the number of minutes before the Palm device should automatically power off.

•   Stay on in Cradle—Specify whether the Palm device should stay on or off when sitting in the cradle.

•   System Sound—Set the system sound to off, low, medium, or high.

•   Alarm Sound—Set the alarm sound to off, low, medium, or high.

•   Alarm Vibrate—Turn off or on the vibration of the device when an alarm fires.

•   Alarm LED—Turn off or on the flashing of the Palm screen with an alarm.

•   Game Sound—Set the game sound to off, low, medium, or high.

•   Beam Receive—Turn beam receiving off or on.

On the Buttons tab, the policy can be used to configure the following buttons on the Palm device: Date Book, Address, To Do List, Note/Memo Pad, Calculator, HotSync Cradle, and HotSync Modem. Each button can be set to specify the application that should be launched when clicked. If the button is not defined, it remains as set on the handheld device.

Additionally, you can configure a special Pen behavior where dragging the pen from the writing area to the top of the screen causes an administered function to occur. The following functions can be chosen:

•   Not Specified—Applies no function when the pen is moved.

•   Backlight—Lights the backlight on the Palm device.

•   Keyboard—Brings up the keyboard to the screen to allow input from the displayed keyboard.

•   Graffiti Help—Displays the Graffiti Help screen, which displays the Graffiti keystrokes and the corresponding text character.

•   Turn Off & Lock—Turns off and locks the Palm device.

•   Beam Data—Beams the selected data or application.

On the Programs tab of the policy, the administrator can specify the applications that should be allowed on or removed from the handheld PDA. Clicking the Add button allows the administrator to browse to and select an application found on the file system server. The selected application can then be set to be allowed on or removed from the PDA device.

The Policy Status tab allows the administrator to click the Display button and query the Handheld Service running on the ZENworks Handheld server to determine whether the policy has been delivered and applied to associated devices.

The Policy Schedule tab allows you to select when the policy is applied to the associated Palm devices. The policy is always applied at synchronization time, but you can also specify a time or date when the policy will be effective. Advanced settings allow you to specify what should happen if there was a fault attempting to send or apply the policy.

Palm Security Policy

The Palm Security policy provides configuration settings that give greater security to the Palm data, through power-on passwords and enforcement of data and application removal should security be compromised.

The Security tab allows you to configure whether a password is to be required on the Palm device. On this screen, you can specify some additional requirements to provide a greater measure of security when it comes to the password set on the device. These requirements are not available natively on the PDA device and include minimum password length, alphanumeric mix, password expiration, and unique passwords. Additionally, the policy can specify whether the password should be set as part of the power-on sequence, after inactivity for a specified time, or at a specified time. ZENworks enforces this on the PDA device. ZENworks also remembers the last eight passwords to prevent the user from reentering any of them.

The Self-Destruct tab allows you to specify when the data and applications should be destroyed on the PDA device through a system reset. The self-destruct can be set to occur when the user fails to enter the correct password after a specified number of attempts and/or when a specified number of days has passed since the device last synchronized. Should the device not be synchronized within the specified time, or the password attempts fail, the device is reset and factory restored—removing all data and installed applications.

NOTE

The Self-Destruct feature causes the Palm device to perform a factory reset, removing all data and applications that have been placed on the device. This could result in all or some of your data being lost. You can restore from your last synchronization, but any changes since then will be lost.

The policy status can display how this policy has been deployed across associated devices. The policy schedule allows the specification of when the policy will be enforced.

This policy can be effective in protecting any sensitive corporate data from being lost or stolen. Should some problem arise and the device be reset inadvertently, the user need only resynchronize with ZENworks to have all associated applications and data restored either through ZENworks or HotSync features.

File Retrieval Policy

The File Retrieval policy is included in the package by clicking the Add button. You can have multiple File Retrieval policies in the package.

On the Files tab, the policy allows the specification of the files that should be collected from the handheld device. The filenames are case sensitive and can include wildcards. Additionally, this policy specifies the destination directory of the files. As part of the destination path, the policy may refer to specific values, including

•   Device CN—Common name in eDirectory for the handheld device.

•   Device DN—Distinguished name of the eDirectory object for the device.

•   Device User—Username of the device.

•   Retrieval Date—Date when the file was retrieved from the device.

•   Retrieval Time—Time stamp of when the file was retrieved from the device.

•   Device GUID—Unique GUID of the device that is automatically generated when the agents are placed on the device and the device is imported into the system.

•   Server Name—Windows name of the server that received the data.

The destination filename may be kept the same as the original or renamed to another name.

WinCE Policies

The WinCE policies include the WinCE Client Configuration policy, the WinCE Configuration policy, and the WinCE Security policy, as shown in Figure 16.4. Any number of File Retrieval policies may also be included in the list by clicking the Add button.

FIGURE 16.4 WinCE policies in the handheld policy package.

The Policies tab allows for the configuration and activation of these policies. The Associations tab allows you to assign this policy to a device, container, or group of handheld devices.

WinCE Access Point Configuration Policy

The WinCE Access Point Configuration policy allows you to specify, for the associated WinCE devices, the set of Access Points that are available for the device. The device attempts to connect to the first address listed. If that address is unavailable, the device attempts the next address in the list. This continues until the device connects with an Access Point.

To add an Access Point DNS name or IP address, activate the policy and click Properties. From this page, click the Add button to input a new Access Point address. To re-arrange addresses and modify the order, select an entry and click the Move Up or Move Down button. When completed, click the OK button to return to the policy package screen.

WinCE Client Configuration Policy

The WinCE Client Configuration policy allows the administrator to configure whether the client should prompt the user at synchronization time for her username and password. The configuration to prompt for the user credentials is also located in the handheld service object. This policy, when associated, can override the service object.

Click the Override the Server Configuration check box to have this policy override the server. Click Enable User Authentication on Handhelds to activate the prompting of the user credentials.

When user credentials are given, ZENworks uses LDAP to authenticate to eDirectory and then find any applications and policies that have been associated with the user.

WinCE Configuration Policy

The WinCE Configuration policy allows the administrator to configure the various parameters, buttons, and applications that should reside on the WinCE device.

On the Buttons tab of the WinCE Configuration policy, you may configure 31 different button and action combinations. For each button assignment, the policy can be configured to reset the button to the default action, assign the button to launch a specified application, or set the button to activate a function, including Input Panel, Scroll Down, Scroll Left, Scroll Right, Scroll Up, Start Menu, or Today.

The Programs tab on the policy specifies the applications presented in the Start menu or on the desktop. Each specified shortcut allows you to specify the application to launch when it is selected. The policy can also specify whether other menu or desktop items not specified should be hidden from view.

The Power tab specifies how long the device should run before being turned off, either when the device is on battery power or on external power.

The policy status can display how this policy has been deployed across associated devices. The policy schedule allows the specification of when the policy will be enforced.

WinCE Remote Management Policy

The WinCE Remote Management policy allows the administrator to configure whether Remote Control is allowed on associated WinCE devices. When you select to administer this policy, you are presented with the screen shown in Figure 16.5.

FIGURE 16.5 WinCE Remote Management administration screen.

Check the Allow Remote Control of the Device check box to activate the remote control capabilities of ZENworks for Handhelds. After this check box has been activated, you can choose any of the following options:

•   Prompt User for Permission to Remote Control—This causes a prompt to appear on the PDA device when you request a remote control session with the device. The user has the option of accepting or declining the remote control session.

•   Ignore the Remote Control Password Set on the Device—Selecting this keeps the user or administrator from having to know the local security password on the device in order to perform Remote Control functions.

WinCE Security Policy

The WinCE Security policy provides configuration settings that give greater security to the data, through power-on passwords and enforcement of data and application removal should security be compromised.

The Security tab allows you to configure whether a password will be required on the device. On this screen, you can specify some additional requirements to provide a greater measure of security when it comes to the password set on the device. These requirements are not available natively on the handheld device and include minimum password length, alphanumeric mix, password expiration, and unique passwords. Additionally, the policy can specify whether the password should be set as part of the power-on sequence, after inactivity for a specified time, or at a specified time. ZENworks enforces this on the device. ZENworks also remembers the last eight passwords to prevent the user from reentering any of them.

The Self-Destruct tab allows you to specify when the data and applications should be destroyed on the device through a system reset. The self-destruct can be set to occur when the user fails to enter the correct password after a specified number of attempts and/or when a specified number of days has passed since the device last synchronized. Should the device not be synchronized within the specified time, or the password attempts fail, the device is reset and factory restored—removing all data and installed applications.

NOTE

The self-destruct feature causes the WinCE device to perform a factory reset, removing all data and applications that have been placed on the device. This could result in all or some of your data being lost. You can restore from your last synchronization, but any changes since then will be lost.

The policy status can display how this policy has been deployed across associated devices. The policy schedule allows the specification of when the policy will be enforced.

This policy can be effective in protecting any sensitive corporate data from being lost or stolen. Should some problem arise and the device be reset inadvertently, the user need only resynchronize with ZENworks to have all associated applications and data restored either through ZENworks or HotSync features.
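The password and self-destruct rules described for the Palm Security and WinCE Security policies can be modeled in a few functions. The following is an added example, not ZENworks code: the field names, default values, and the choice to keep the eight-password history as salted PBKDF2 hashes (with the current password counted among the eight) are assumptions made for illustration.

```python
# Added example: models the password and self-destruct rules described above.
# Field names and default values are assumptions, not ZENworks settings.
import hashlib
import hmac
import os
from collections import deque
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

HISTORY_DEPTH = 8        # the chapter: the last eight passwords are remembered
PBKDF2_ROUNDS = 50_000   # assumption: history is kept as salted hashes

@dataclass
class SecurityPolicy:
    min_length: int = 8
    alphanumeric_mix: bool = True
    max_age_days: int = 90           # password expiration
    max_failed_attempts: int = 5     # self-destruct trigger: wrong passwords
    max_days_unsynced: int = 30      # self-destruct trigger: no synchronization

@dataclass
class DeviceState:
    history: deque = field(default_factory=lambda: deque(maxlen=HISTORY_DEPTH))
    password_set_on: Optional[date] = None
    failed_attempts: int = 0
    last_sync: Optional[date] = None

def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def password_problems(policy, state, candidate):
    """Return the list of rules the candidate password violates."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append("too short")
    has_alpha = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if policy.alphanumeric_mix and not (has_alpha and has_digit):
        problems.append("needs letters and digits")
    if any(hmac.compare_digest(_digest(candidate, s), d) for s, d in state.history):
        problems.append("reuses one of the last eight passwords")
    return problems

def set_password(policy, state, candidate, today):
    """Accept the password only if it passes every rule; record it in history."""
    problems = password_problems(policy, state, candidate)
    if not problems:
        salt = os.urandom(16)
        state.history.append((salt, _digest(candidate, salt)))  # oldest drops out
        state.password_set_on = today
        state.failed_attempts = 0
    return problems

def password_expired(policy, state, today):
    """True when no password is set or the current one has reached its maximum age."""
    if state.password_set_on is None:
        return True
    return (today - state.password_set_on).days >= policy.max_age_days

def self_destruct_reason(policy, state, today):
    """Return why the device would be factory reset, or None."""
    if state.failed_attempts >= policy.max_failed_attempts:
        return "failed password attempts"
    if state.last_sync and (today - state.last_sync).days > policy.max_days_unsynced:
        return "days since last synchronization"
    return None

if __name__ == "__main__":
    # Constructed sample: a device that last synchronized on 1 January 2024.
    pol, dev = SecurityPolicy(), DeviceState(last_sync=date(2024, 1, 1))
    print(set_password(pol, dev, "abc", date(2024, 1, 2)))
    print(self_destruct_reason(pol, dev, date(2024, 3, 1)))
```
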

File Retrieval Policy

The File Retrieval policy is included in the package by clicking the Add button. You can have multiple file retrieval policies in the package.

On the Files tab the policy allows the specification of the files that should be collected from the handheld device. The filenames are case sensitive and can include wildcards. Additionally, this policy specifies the destination directory of the files. As part of the destination path, the policy may refer to specific values, including

•   Device CN—Common name in eDirectory for the handheld device.

•   Device DN—Distinguished name of the eDirectory object for the device.

•   Device User—Username of the device.

•   Retrieval Date—Date when the file was retrieved from the device.

•   Retrieval Time—Time stamp of when the file was retrieved from the device.

•   Device GUID—Unique GUID of the device that is automatically generated when the agents are placed on the device and the device is imported into the system.

•   Server Name—Windows name of the server that received the data.

The destination filename may be kept the same as the original or renamed to another name.

BlackBerry Policies

The BlackBerry policies include the BlackBerry Configuration policy, the BlackBerry Inventory policy, and the BlackBerry Security policy, as shown in Figure 16.6.

FIGURE 16.6 BlackBerry policies in the handheld policy package.

The Policies tab allows for the configuration and activation of these policies. The Associations tab allows you to assign this policy to a device, container, or group of handheld devices.

BlackBerry Configuration Policy

The BlackBerry Configuration policy allows the setting of the owner name and owner contact information on the device.

The policy status can display how this policy has been deployed across associated devices. The policy schedule allows the specification of when the policy will be enforced.

BlackBerry Inventory Policy

The inventory policy configures whether the hardware and software components of the BlackBerry device should be collected and included in the ZENworks inventory system.

The policy status can display how this policy has been deployed across associated devices. The policy schedule allows the specification of when the inventory will be collected.

BlackBerry Security Policy

The Security policy configures whether the BlackBerry device should require a password. When activated, the associated devices require that a password be set and entered on the device.

The policy status can display how this policy has been deployed across associated devices. The policy schedule allows the specification of when the policy will be enforced.

Handheld Service Package

The Handheld Service package is one of the three types of handheld policy packages. The Handheld Service package is associated with a handheld service object and contains policies enforced as part of the ZENworks Handheld server. The Associations tab allows you to assign this policy to a set of service objects, as shown in Figure 16.7.

FIGURE 16.7 Handheld Service package.

The only policy currently available for the service is the Handheld Import policy.

The Handheld Import policy configures the behavior of the ZENworks Handheld service when a new handheld device is presented to the system and a handheld object needs to be created in eDirectory.

After you choose the properties of the import policy, the Platforms tab allows the specification as to whether the configuration should be applied to all platforms (General) or to the Palm, WinCE, or BlackBerry devices. Each platform may be individually configured. Regardless of the platform, the configuration is done in the same manner.

The Location tab within the Platforms screen allows the specification of the following:

•   Allow Importing of Handhelds—Specifies whether the policy should be active and devices be imported into eDirectory.

•   Create Handheld Objects In—Allows you to select the container where the newly created handheld objects should reside. The choices are

    •   Selected Container—If chosen, an additional field is activated that allows you to browse to and select the container.

    •   Server Container—Places the handheld object in the container where the handheld service object is located. An additional field is activated that allows the specification of a relative path from the server container.

    •   Associated Object Container—Places the handheld device object in the container where the policy is associated. An additional field is activated that allows the specification of a relative path from the associated container.

The Naming tab on this screen allows configuration of the automatically generated name for the handheld device object. The following can be selected as part of the name:

•   Device—The type of device—Palm, WinCE, or BlackBerry.

•   Owner—The name entered into the device as owner.

•   Computer—The name of the synchronized computer. With the BlackBerry device, this is the email service name.

•   User Defined—A defined string.

A combination of these components can be configured to generate the name of the device.

The Groups tab allows you to specify the groups into which this device should automatically be placed as a member. This allows newly introduced devices to be automatically part of a group, which may have associated policies or applications.

Handheld User Package

The Handheld User package contains the following policies: Palm Access Point Configuration policy, Palm Configuration policy, Palm Security policy, WinCE Access Point Configuration policy, WinCE Configuration policy, WinCE Remote Management policy, WinCE Security policy, BlackBerry Configuration policy, BlackBerry Inventory policy, and BlackBerry Security policy. Each of these policies is described in other sections earlier in the chapter.

The Handheld User package policies take precedence over Handheld package policies when the same policy is activated in both packages.
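The search order described under "Setting Up a Handheld Package" (device, then groups, then containers) and the User package precedence stated above decide which policy a device actually receives, so a weak policy associated close to the device can hide a stricter one set on a container. The following added example, which is not ZENworks code, models that resolution and reports such cases for audit; the package names, object names, and the min_password_length setting key are constructed for illustration.

```python
# Added example: models the search order described in this chapter.
# Package names, object names and setting keys are constructed for illustration.
from dataclasses import dataclass

SEARCH_ORDER = ("device", "group", "container")  # closest first

@dataclass
class Assoc:
    level: str      # where the package is associated
    target: str     # object the package is associated with
    package: str    # policy package name
    policies: dict  # policy type -> settings

def resolve(assocs):
    """Return (effective, shadowed) for Handheld package associations."""
    effective, shadowed = {}, []
    # sorted() is stable, so listed order is kept within one level (assumption:
    # the chapter does not say how two groups or two containers are ordered).
    for assoc in sorted(assocs, key=lambda a: SEARCH_ORDER.index(a.level)):
        for kind, settings in assoc.policies.items():
            if kind in effective:
                shadowed.append((kind, effective[kind][0], assoc))
            else:
                effective[kind] = (assoc, settings)
    return effective, shadowed

def apply_user_package(effective, package, policies):
    """Overlay Handheld User package policies, which win for the same type."""
    merged = dict(effective)
    user = Assoc("user", "logged-in user", package, policies)
    for kind, settings in policies.items():
        merged[kind] = (user, settings)
    return merged

def weakened(shadowed, key="min_password_length"):
    """List shadowed policies whose hidden value for `key` was stricter (higher)."""
    flags = []
    for kind, winner, loser in shadowed:
        won, lost = winner.policies[kind].get(key), loser.policies[kind].get(key)
        if won is not None and lost is not None and won < lost:
            flags.append((kind, winner.package, loser.package))
    return flags

# Constructed sample associations for one Palm device.
SAMPLE = [
    Assoc("container", "ou=Handhelds", "Corp Handheld Pkg",
          {"Palm Security": {"min_password_length": 8},
           "Palm Configuration": {"auto_off_minutes": 2}}),
    Assoc("group", "Sales PDAs", "Sales Pkg",
          {"Palm Security": {"min_password_length": 4}}),
    Assoc("device", "PALM-0042", "Kiosk Pkg",
          {"Palm Configuration": {"auto_off_minutes": 10}}),
]

if __name__ == "__main__":
    effective, shadowed = resolve(SAMPLE)
    for kind, (assoc, settings) in effective.items():
        print(f"{kind}: {settings} from {assoc.package} ({assoc.level})")
    for kind, winner, loser in weakened(shadowed):
        print(f"AUDIT {kind}: {winner} is weaker than hidden {loser}")
```
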

Summary

ZENworks provides several handheld policies that strengthen the security of these devices. Over the last year, more than 250,000 handheld devices were lost in U.S. airports alone. Think of how much corporate confidential information was exposed with these losses. ZENworks helps to manage these devices and keeps your data safe.

Additionally, with ZENworks you can retrieve information and deliver content and applications to handheld devices throughout your corporation, to individual devices, or even to a particular user.
