ZENworks Configuration Management uses Secure Socket Layer (SSL) to secure remote sessions. However, the remote sessions launched using the VNC password-based authentication are not secured. The authentication process happens over a secure channel as the SSL handshake takes place regardless of whether session encryption is configured in the Remote Management policy or not.
After the authentication is complete, the remote session switches to an insecure mode if theoption is disabled in the Remote Management policy and if the option is disabled by the remote operator while initiating a remote session on the managed device. However, we recommend that you continue the session in a secure mode because there is no major impact on the performance of the session.
When the ZENworks Adaptive Agent is installed on a managed device, the Remote Management service generates a self-signed certificate that is valid for 10 years.
When a remote operator initiates a remote session on the managed device, the Remote Management viewer prompts the remote operator to verify the managed device certificate. The certificate displays details such as name of the managed device, certificate issuing authority, the validity of the certificate, and the fingerprint. For security reasons, the remote operator must verify the credentials of the managed device by matching the fingerprint of the certificate against the fingerprint communicated by the managed device user through out-of-band means. Then, the remote operator can do one of the following:
Accept the certificate permanently: If a user who has logged in to the management console accepts the certificate permanently, then the certificate is not displayed in the subsequent remote sessions initiated by the users logged in that console.
Accept the certificate temporarily: If a user who has logged in to the management console accepts the certificate temporarily, the certificate is accepted only for the current session. The user is prompted to verify the certificate the next time a connection is initiated to the managed device.
Reject the certificate: If a user who has logged in to the management console rejects the certificate, the remote session terminates.
The managed device regenerates a new self-signed certificate if:
The name of the managed device has changed
The certificate is postdated and is not currently valid
The certificate has expired
The certificate is about to expire
The certificate is missing
By default, the certificate is regenerated once in every 10 years.