10.4 Creating a Security Policy

There are 12 different security policies:

A device’s security settings are controlled through security policies applied by the Endpoint Security Agent. There are eight security policies that control a range of security-related functionality. You can use all or some of the policies depending on your organization’s needs.



Application Control

Blocks execution of applications or denies Internet access to applications. You specify the applications that are blocked or denied Internet access.

Communication Hardware

Disables the following communication hardware: 1394-Firewire, IrDA-Infrared, Bluetooth, serial/parallel, dialup, wired, and wireless. Each communication hardware is configured individually, which means that you can disable some hardware types (for example, Bluetooth and dialup) while leaving others enabled

Data Encryption

Enables data encryption of files on removable storage devices.


Controls network connectivity by disabling ports, protocols, and network addresses (IP and MAC).

Microsoft Data Encryption

Manages encryption of removable data drives and fixed disk folders using Microsoft BitLocker and Microsoft Encrypting File System (EFS), respectively.


Runs a script (JScript or VBScript) on a device. You can specify the triggers that cause the script to run. Triggers can be based on Endpoint Security Agent actions, location changes, or time intervals.

Storage Device Control

Controls access to CD/DVD drives, floppy drives, and removable storage drives. Each storage device type is configured individually, which means that you can disable some and enable others.

USB Connectivity

Controls access to USB devices such as removable storage devices, printers, input devices (keyboards, mice, etc). You can specify individual devices or groups of devices. For example, you can disable access to a specific printer and enable access to all Sandisk USB devices.

VPN Enforcement

Enforces a VPN connection based on the device’s location. For example, if the device’s location is unknown, you can force a VPN connection through which all Internet traffic is routed.


Disables wireless adapters, blocks wireless connections, controls connections to wireless access points, and so forth.

In addition to the above security policies, the following security policies help protect and configure the Endpoint Security Agent. Because of the nature of these two policies, we recommend that you create and assign them first.



Security Settings

Protects the Endpoint Security Agent from being tampered with and uninstalled.

For information about configuring the ZENworks Agent Security settings, see Configuring ZENworks Agent Security.

Location Assignment

Provides the list of allowed locations for a device or user. The Endpoint Security Agent evaluates its current network environment to see if it matches any of the allowed locations. If so, the location becomes the security location and the agent applies any security policies associated with the location. If none of the locations in the list are matched, the security policies associated with the Unknown location are applied.

If you plan to use location-based policies, you should make sure a Location Assignment policy is assigned to each device or user. If a device, or the device’s user, does not have an assigned Location Assignment policy, the Endpoint Security Agent cannot apply any location-based policies to the device.

To create a security policy:

  1. In ZENworks Control Center, click Policies to display the Policies page.

  2. In the Policies panel, click New > Policy to launch the Create New Policy Wizard.

  3. On the Select Platform page, select Windows, then click Next.

  4. On the Select Policy Category page, select Windows Endpoint Security Policies, then click Next.

  5. On the Select Policy Type page, select the type of policy you want to create, then click Next.

    If you created locations and plan to use location-based policies, you need to create at least one Location Assignment policy and assign it to devices or the devices’ users. Otherwise, none of the locations you created will be available to the devices, which means that none of the location-based polices can be applied.

  6. On the Define Details page, enter a name for the policy and select the folder in which to place the policy.

    The name must be unique among all other policies located in the selected folder.

  7. (Conditional) If the Configure Inheritance and Location Assignments page is displayed, configure the following settings, then click Next.

    • Inheritance: Leave the Inherit from policy hierarchy setting selected if you want to enable this policy to inherit settings from same-type policies that are assigned higher in the policy hierarchy. For example, if you assign this policy to a device and another policy (of the same type) to the device’s folder, enabling this option allows this policy to inherit settings from the policy assigned to the device’s folder. Deselect the Inherit from policy hierarchy setting if you don’t want to allow this policy to inherit policy settings.

    • Location Assignments: Policies can be global or location-based. A global policy is applied regardless of location. A location-based policy is applied only when the device detects that it is within the locations assigned to the policy.

      Select whether this is a global or location-based policy. If you select location-based, click Add, select the locations to which you want to assign the policy, then click OK to add them to the list.

  8. Configure the policy specific settings, then click Next until you reach the Summary page.

    For information about a policy’s settings, click Help > Current Page in ZENworks Control Center.

  9. On the Summary page, review the information to make sure it is correct. If it is incorrect, click the Back button to revisit the appropriate wizard page and make changes. If it is correct, select either of the following options (if desired), then click Finish.

    • Create as Sandbox: Select this option to create the policy as a sandbox version. The sandbox version is isolated from users and devices until you publish it. For example, you can assign it to users and devices, but it is applied only after you publish it.

    • Define Additional Properties: Select this option to display the policy’s property pages. These pages let you modify policy settings and assign the policy to users and devices.