2.3 Creating the Remote Management Policy

The Remote Management policy lets you configure the behavior or execution of a Remote Management session on the managed device. The policy includes settings for Remote Management operations such as Remote Control, Remote View, Remote Execute, Remote Diagnostics, and File Transfer, and also allows you to control settings for security.

By default, a secure Remote Management policy is created on the managed device when the ZENworks Adaptive Agent is deployed with the Remote Management component on the device. You can use the default policy to remotely manage a device. To override the default policy, you can explicitly create a Remote Management policy for the device.

  1. In ZENworks Control Center, click the Policies tab.

  2. In the Policies list, click New, then click Policy to display the Select Policy Type page.

  3. Select Remote Management Policy, click Next to display the Define Details page, then fill in the fields:

    Policy Name: Provide a unique name for the policy. The policy name must be different from the name of any other item (group, folder, and so forth) that resides in the same folder.

    Folder: Type the name or browse to the ZENworks Control Center folder where you want the policy to reside. The default is /policies, but you can create additional folders to organize your policies.

    Description: Provide a short description of the policy’s content. This description displays in the summary page of the policy in ZENworks Control Center.

  4. Click Next to display the Remote Management General Settings page. To accept the default settings, proceed to the next step, or use the information specified in the following table to change the default settings.

    Field

    Details

    Allow User to Request a Remote Session

    Enables the user on the managed device to request a remote operator to perform a remote session. The remote operator must ensure that the Remote Management Listener is running.

    Terminate the Remote Session When Permission Is Required from a New User Logging In to the Managed Device

    Terminates an ongoing remote session when permission is required from a new user who has logged into a remotely managed device.

    Display Remote Session Audit Information to the User on the Managed Device

    Allows the user on the managed device to view the audit information for remote sessions from the ZENworks icon.

    Display Remote Management Properties in the ZENworks Icon

    Allows the user on the managed device to view the properties associated with the Remote Management policy in the ZENworks icon.

    Edit

    To edit the message displayed to the user on the managed device before starting a remote session:

    1. Click Edit to display the Edit Message dialog box.

    2. Edit the message.

    3. Click OK.

    Restore default

    To restore the default message:

    1. Click Restore default to revert to the default message.

    Add a Remote Listener

    To add a Remote Listener:

    1. Click Add.

    2. In the Add Remote Listener dialog box, specify the DNS name or IP address of the management console and the port number on which the Remote Management Listener will listen for remote session requests.

    3. Click OK.

    Delete a Remote Listener

    To delete a Remote Listener:

    1. Select the Remote Listener you want to delete.

    2. Click Delete.

  5. Click Next to display the Remote Control Settings page. To accept the default settings, proceed to the next step, or use the information specified in the following table to change the default settings.

    Field

    Details

    Allow Managed Device to be Controlled Remotely

    Allows Remote Control sessions on the managed device. Selecting this option enables the subsequent options on the page. Deselecting the option disables the Remote Control operation on the device.

    Ask Permission from User on Managed Device Before Starting Remote Control

    Allows you to request permission from the user on the managed device before starting a Remote Control session.

    Give Visible Signal to User on Managed Device During Remote Control

    Displays a visible signal in the top right corner of the managed device desktop during the Remote Control session. The visible signal lets the user on the managed device know that a Remote Control session is in progress.

    Give Audible Beep to User on Managed Device Every [ ] Seconds During Remote Control

    Generates a beep on the managed device during a Remote Control session. The beep is generated periodically after the specified number of seconds.

    Allow Managed Device Screen to be Blanked During Remote Control

    Enables blanking of the screen of the managed device during a Remote Control session. Selecting this option also locks the keyboard and the mouse controls of the managed device.

    Allow Managed Device Mouse and Keyboard to be Locked During Remote Control

    Enables locking of the managed device mouse and keyboard during a Remote Control session.

    Allow Screen Saver to be Automatically Unlocked During Remote Control

    Enables the unlocking of a password-protected screen saver from the Remote Control Viewer before the start of a Remote Control session on the managed device.

    Automatically Terminate Remote Control Session After Inactivity of [ ] Minutes

    Terminates a Remote Control session on the managed device if it has been inactive for the specified duration.

  6. Click Next to display the Remote View Settings page. To accept the default settings, proceed to the next step, or use the information specified in the following table to change the default settings.

    Field

    Details

    Allow Managed Device to be Viewed Remotely

    Allows Remote View sessions on the managed device. Selecting this option enables the subsequent options on the page. Deselecting the option disables the Remote View operation on the device.

    Ask Permission from User on Managed Device Before starting Remote View

    Allows you to request permission from the user on the managed device before starting a Remote View session.

    Give Visible Signal to User on Managed Device During Remote View

    Displays a visible signal in the top right corner of the managed device desktop during the Remote View session. The visible signal lets the user on the managed device know that a Remote View session is in progress.

    Give Audible Beep to User on Managed Device Every [ ] Seconds During Remote View

    Generates a beep on the managed device during the Remote View session. The beep is generated periodically after the specified number of seconds.

  7. Click Next to display the Remote Diagnostics Settings page. To accept the default settings, proceed to the next step, or use the information specified in the following table to change the default settings.

    Field

    Details

    Allow Managed Device to be Diagnosed Remotely

    Allows Remote Diagnostics sessions on the managed device. Selecting this option enables the subsequent options on the page. Deselecting the option disables the Remote Diagnostics operation on the device.

    Ask Permission from User on Managed Device Before starting Remote Diagnostics

    Ensures that the remote operator requests permission from the user on the managed device before starting a Remote Diagnostics session.

    Give Visible Signal to User on Managed Device During Remote Diagnostics

    Displays a visible signal in the top right corner of the managed device desktop during the Remote Diagnostics session. The visible signal lets the user on the managed device know that a Remote Diagnostics session is in progress.

    Give Audible Beep to User on Managed Device Every [ ] Seconds During Remote Diagnostics

    Generates a beep on the managed device during the Remote Diagnostics session. The beep is generated periodically after the specified number of seconds.

    Allow Managed Device Screen to be Blanked During Remote Diagnostics

    Enables blanking of the screen of the managed device during a Remote Diagnostics session. The managed device keyboard and mouse are always locked during a Remote Diagnostics session. Selecting this option also disables the visible signal on the managed device.

    Display Warning Message Before Reboot for [ ] Seconds

    Displays a warning message on the managed device at the start of the Remote Diagnostics session, reminding the user to save work in all open applications. This warning message is displayed for the specified duration to prevent the user from losing any unsaved data, because the remote operator might initiate a system reboot during the Remote Diagnostics session.

    Automatically Terminate Remote Diagnostics Session After Inactivity of [ ] Minutes

    Terminates the Remote Diagnostics session if it is inactive for the specified duration.

  8. Click Next to display the Remote Execute Settings page. To accept the default settings, proceed to the next step, or use the information specified in the following table to change the default settings.

    Field

    Details

    Allow programs to be remotely executed on the managed device

    Allows programs to be executed remotely on the managed device. Selecting this option enables the subsequent options on the page. Deselecting the option disables the Remote Execute operation on the device.

    Ask permission from User on Managed Device Before Starting Remote Execute

    Ensures that the remote operator requests permission from the user on the managed device before starting a Remote Execute session.

    Give Visible Signal to User on Managed Device During Remote Execute

    Displays a visible signal in the top right corner of the managed device desktop during the Remote Execute session. The visible signal lets the user on the managed device know that a Remote Execute session is in progress.

    Automatically Terminate Remote Diagnostics Session After Inactivity of [ ] Minutes

    Terminates the Remote Execute session if it is inactive for the specified duration.

  9. Click Next to display the File Transfer Settings page. To accept the default settings, proceed to the next step, or use the information specified in the following table to change the default security settings.

    Field

    Details

    Allow Transferring Files on Managed Device

    Enables transfer of files between the management console and the managed device. Selecting this option enables the subsequent options on the page. Deselecting the option disables the File Transfer operation on the device.

    Ask permission from User on Managed Device Before Starting File Transfer

    Ensures that the remote operator requests permission from the user on the managed device before starting a File Transfer session.

    Give Visible Signal to User on Managed Device During File Transfer

    Displays a visible signal in the top right corner of the managed device desktop during the File Transfer session. The visible signal lets the user on the managed device know that a File Transfer session is in progress.

    Allow Files to be Downloaded from Managed Device

    Allows a remote operator to open files on the managed device and transfer them to the management console. If this option is not selected, the remote operator can only transfer files from the management console to the managed device.

    File Transfer Root Directory

    Specify the managed device directory to be seen by the remote operator during a File Transfer session. The remote operator can only transfer files to and from this directory and its subdirectories. The default directory is My Computer, which means that the remote operator can see and transfer files in the entire file system of the managed device.

  10. Click Next to display the Security Settings page. To accept the default settings, proceed to the next step, or use the information specified in the following table to change the default security settings.

    Password Authentication

    Field

    Details

    Enable Password Based Authentication

    Allows the remote operator to use a password to authenticate to the managed device. Select this option to configure the password type settings.

    Minimum Password Length

    Allows you to specify the minimum length for the password. By default, it is 6 characters.

    Session Password

    Select this option to prompt the user on the managed device to set a password before the start of a new remote session. This option is recommended because the password is not stored on the managed device and is valid only for the current session.

    Persistent Password

    Select this option to set the ZENworks and VNC passwords. Setting the ZENworks Password is recommended because it is safer and more secure than the VNC Password. This password can be set by the administrator through the Remote Management policy or by the managed device user from the ZENworks icon. Selecting this option enables the subsequent options.

    To enable the user to set the password through the ZENworks icon, select the Allow user to override default passwords on managed device option.

    ZENworks Password

    To clear the ZENworks password:

    1. Click Clear Password.

    2. Click Apply, then click OK.

    To set the ZENworks password:

    1. Click Set Password.

    2. Enter the password. The maximum length of the password is 255 characters.

    3. Click Apply, then click OK.

    VNC Password

    To clear the VNC password:

    1. Click Clear Password.

    2. Click Apply, then click OK.

    To set the VNC password:

    1. Click Set Password.

    2. Enter the password. The maximum length of the password is 8 characters.

    3. Click Apply, then click OK.

    Intruder Detection

    Field

    Details

    Enable Intruder Detection

    Select this option to enable the detection of invalid or unauthorized attempts to launch a remote session on the managed device. Selecting this option enables the subsequent options in the Intruder Detection section.

    Suspend Accepting Connections After [ ] Successive Invalid Attempts

    Specify the maximum number of consecutive invalid attempts a remote operator can make before the Remote Management service on the managed device is blocked. By default, it is five attempts.

    Automatically Start Accepting Connections After [ ] Minutes

    Specify the time in minutes after which the Remote Management Agent automatically accepts a connection to the managed device. By default, it is 10 minutes. To manually unblock the Remote Management service, double-click the ZENworks Adaptive Agent icon, click Security Settings, then click Enable Accepting Connections if Currently Blocked Due to Intruder Detection.

    Session Security

    Field

    Details

    Enable Session Encryption

    Enables session encryption using SSL encryption (TLSv1 protocol). Selecting this option enables the subsequent options in the Session Security section.

    Allow Connection When Remote Management Console Does Not Have SSL Certificate

    When a remote session is launched from the ZENworks Control Center, a certificate is automatically generated for a remote operator. This certificate is used during authentication. Select this option to allow connections from a Remote Management console launched outside ZENworks Control Center that might not have an SSL certificate.

    Allow up to [ ] levels in Viewer certificate chain

    The Novell rights-based and password-based authentication schemes run over an SSL-encrypted channel. The establishment of this channel requires the viewer to present a certificate. This certificate can be signed by an intermediate or a root certificate authority, thereby creating a certificate chain.

    This property defines the maximum number of levels that are allowed in the viewer's certificate chain. When the ZENworks internal certificate authority is employed (it is installed by default), a two-level viewer certificate chain is automatically created while launching a remote session from ZENworks Control Center.

    Abnormal Termination

    Field

    Details

    Lock Device

    Locks the managed device when the remote session is terminated abnormally.

    Log Off User

    Logs off the user on the managed device when the remote session is terminated abnormally.

  11. Click Next to display the Summary page.

  12. Click Finish to create the policy now, or select Define Additional Properties to specify additional information, such as policy assignment, enforcement, status, and which group the policy is a member of.
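
The Intruder Detection settings in step 10 describe a lockout with a timed resume. The following sketch is an added example, not ZENworks code: it models that behavior with the defaults given above (5 attempts, 10 minutes). It assumes that a successful authentication resets the count and that attempts made during the suspension are refused without being counted; the class and function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class IntruderDetection:
    """Illustrative model of the Intruder Detection settings (not product code)."""
    max_invalid: int = 5        # Suspend Accepting Connections After [ ] Successive Invalid Attempts
    resume_minutes: int = 10    # Automatically Start Accepting Connections After [ ] Minutes
    failures: int = 0           # current run of successive invalid attempts
    blocked_at: Optional[float] = None  # minute at which the service was suspended

    def attempt(self, minute: float, valid: bool) -> str:
        """Process one connection attempt and return what the agent does with it."""
        if self.blocked_at is not None:
            if minute - self.blocked_at < self.resume_minutes:
                return "rejected"        # suspended: refused even with a correct password
            self.unblock()               # timer expired: resume automatically
        if valid:
            self.failures = 0            # assumption: a success ends the run of failures
            return "accepted"
        self.failures += 1
        if self.failures >= self.max_invalid:
            self.blocked_at = minute     # suspend the Remote Management service
            return "invalid+suspended"
        return "invalid"

    def unblock(self) -> None:
        """Manual 'Enable Accepting Connections' action; also used for the timed resume."""
        self.blocked_at = None
        self.failures = 0


def replay(events, policy=None):
    """Replay (minute, valid) attempts in order and return the outcome of each."""
    policy = policy or IntruderDetection()
    return [policy.attempt(minute, valid) for minute, valid in events]


# Constructed sample: five bad passwords, a correct one during the suspension,
# one just before the 10-minute timer expires, and one just after.
SAMPLE = [(0, False), (0.5, False), (1, False), (1.5, False), (2, False),
          (3, True), (11.9, True), (12, True)]

if __name__ == "__main__":
    for event, outcome in zip(SAMPLE, replay(SAMPLE)):
        print(event, outcome)
```

The replay shows the operational cost of the setting: once the threshold is reached, a legitimate operator is refused as well until the timer expires or the service is unblocked from the ZENworks Adaptive Agent icon.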