In addition to user and workstation policies discussed in previous chapters, a container policy package can also be created. This package is associated with a container and affects the understanding of policies below the container level. This chapter discusses the container policy package.
A container policy package contains a set of policies associated only with containers. These policies affect the behavior of other ZENworks user and workstation policies and are therefore associated only with containers.
ZENworks agents work in a standard way to search out policies within a tree, starting at either the user or the device object depending on the application of the policy. After the user or device object is located, the ZENworks agents seek out a container policy package. The first container policy package found while the agent is walking up the tree is used to modify the behavior of the search for all other policies. After the container policy package is discovered, the agents use the information in the package to seek other user or device policy packages.
To have a container package affect policies, you must first create it. To create a container policy package, do the following:
1. Start ConsoleOne.
2. Browse to the container where you want to have the policy package.
NOTE
Remember that you do not have to create the policy package in the container where you are doing the associations. You can associate the same policy package with many containers in your tree.
3. Create the policy package by right-clicking and choosing New→Policy Package or by selecting the Policy Package icon on the toolbar.
4. Select the container package object in the wizard panel and click Next.
5. Enter the desired name of the package in the Policy Package Name field and select the container where you want the package to be located. The Container field is already filled in with the selected container, so you should not have to browse to complete this field. If not, click the browse icon button next to the field, browse to and select the container where you want the policy object stored, and click Next.
6. Select the Define Additional Attributes field to go into the properties of your new object and activate some policies and then click Finish.
7. Check and set any policies you want for this container policy package and click OK.
The following sections describe each of the tabs, panels, and options available on the Properties of Container Package window.
The Policies tab on the Properties of Container Package window lists the set of available policies and those that are active (see Figure 17.1). Because no platform-specific policies currently exist in the container package, only the General panel of the Policies tab is available.
FIGURE 17.1 The Policies tab on the Properties of Container Package page, showing the General panel.
After you have created a container package, you can activate policies. By clicking a policy within the policy package, that policy becomes active. An active policy is designated by a check in the check box (refer to Figure 17.1). The details of any particular policy can be modified by selecting the policy and clicking the Properties button. The Reset button resets the selected policy back to its system defaults.
The Associations tab on the Properties of Container Package page displays all the locations in the tree (containers) where the policy package has been associated. These associations do not necessarily reflect where the policy package is located in the directory. The agents associated with users or workstations that are in or below those containers have this policy package enforced. Clicking the Add or Remove buttons enables you to add or remove containers in the list associated with this policy.
A search policy governs the behavior of the ZENworks Desktop agents as they search for user and workstation policies. With all the ZENworks agents, there could be some significant walking of the tree as it searches for the policies of the identified user and workstations, especially if the tree is of a significant depth. This is the reason why ZENworks Desktop Management has this search policy.
Often the performance of your network searching with ZENworks is not significant until you cross a partition boundary. When you cross a partition boundary, the system must make a connection and authenticate to another server. This is particularly time consuming should the system need to cross a WAN link.
With the ZENworks Middle Tier, the agents cannot determine where a partition boundary is located. Consequently, in the newer version of ZENworks the policy has been changed to remove the partition boundary option and replace it with the associated container.
The search policy tells the ZENworks agent how far up the tree it should search and what order (object, group, container) should be followed to find the policies.
NOTE
The order is significant because often the first policy found governs the behavior of the system.
This tab on the Search Policy window (see Figure 17.2) enables the administrator to identify how far up the tree the ZENworks Desktop Management agents should travel in their search for policies.
The following fields may be administered in the search level features on the Search Level tab:
Search for Policies Up To—Enables you to specify the container in the tree at which searching will complete. The choices that can be made through the drop-down list may be any of the following:
[Root]—Search up to the root of the tree.
Object Container—Search up to the container that holds the object associated with the policy. For example, if you were searching for a user policy package, the object container would be the context of the user object.
Associated Container—Search up the tree to the container where the policy is associated.
Selected Container—Searches up to the specified container. When this option is chosen, the Selected Container field is activated, and you can browse in this field to the desired container.
Search Level—Enables you to specify an additional level of container beyond that given in the Search for Policies Up To field. A search level value of 0 causes searches to be limited to the specified container. A search level of a positive numerical value enables searching the number of containers specified. Should the search level be a negative number, the search proceeds at the specified level minus the number specified. For example, if the Object Container value is selected, the object is in the Provo.Utah.Novell container, and the search level is 0, the searching stops at the Provo.Utah.Novell container. If the search level is 2, the searching continues to the Novell container. If the search level is –1, no policy will be found because the object container is already above the search level.
At first it may not be apparent why a negative search level exists, but this value does have a purpose. Suppose, for example, that your tree is set up as Organization.Region.Company, where the organization is the container given to each organization in the company, and the region represents the area of the company. Now suppose that you want policies to be effective only for each organization; you could set up one single search policy at the Region.Company level with a selected container as Region.Company and a search level of –1. This would enable each organization to have a customized policy and ensure that no one organization’s policies would impact another’s because the search would stop at the organization level.
This tab enables the administrator to identify the order that the agents should go looking for policies. The default order is always object, group, and then container. This policy enables the administrator to change this order.
You can modify the search order by selecting the item in the Search Order list and then selecting the up or down arrows to rearrange the list. Clicking the Remove button removes the selected order. Clicking the Add button adds that search order item, if any have been previously deleted.
NOTE
Because the first policy found has the greatest significance in the behavior of the system, make sure that you have the order set (from top to bottom) in the way that you want to find that first policy.
Be aware of when it is a good idea to use the search order policy. Because many ZENworks features stop walking up the tree when a policy is found, it would be wise to make policies search in order of object, container, and then group. This is because the proximity of these objects in the tree is always going to be closer to the partition on the server. The object is, obviously, always the closest in the tree to the workstation or user object. Next the container is the closest in the tree-walking scenario because the container must be known for the object to be found in the tree. Consequently, the container is very close in the local replica to the object. Groups, however, can be stored in any container, and they could be in a completely different part of the tree than the object. Therefore, the amount of walking of the tree that is potential with a group is significant. Any significant walking of the tree has a corresponding performance cost, and this should be considered as you manage your tree and search policies.
The Refresh Interval tab on the Search Policy window enables the administrator to identify whether the policy manager should refresh the set of policies from eDirectory and how often to check eDirectory for new or changed policies. The policy manager in ZENworks Server Management is an agent that resides on the server and is responsible for getting ZENworks Server Management policies and enforcing them on the server. An option on the Refresh Interval tab gives this refresh interval configuration to this agent. If the check box is off, meaning that the agent should not refresh from eDirectory, the agent gets the policies only at initialization time, or should the server or the agent be restarted. If the check box is on, the agent checks for any changes or new policies every time the interval has passed.
This same behavior is also available in Workstation Manager, the agent that enforces policies on the workstation. It also looks for new policies and scheduled actions, and only does that at boot time and at the identified intervals.
A separate Handheld Application Search policy has been created to manage the way that the handheld device agents search the tree for their applications. This policy has the same options as the general search policy.