1.2 Types of Security Policies

There are 13 security policies that control a range of security-related functionality for Windows workstation devices. You can use all or some of the policies, depending on your organization’s needs.



Antimalware Enforcement

Installs the Antimalware Agent and configures the base on-access and on-demand scans that protect managed devices from malware threats. Because it is the base policy and installs the agent, it must be assigned to devices before any optional policies (Custom Scan Policy, Network Scan Policy, and Scan Exclusions Policy) can be assigned and enforced.

Antimalware Custom Scan

Defines and schedules scans on local and network drives, other than the Full and Quick scans already defined in the Antimalware Policy. Provides the capability to target specific threats that may not be covered in the regularly scheduled scan using the Antimalware Policy.

Antimalware Network Scan

Defines and schedules scans on files from network drives only. This policy gives you the capability to target a network drive from a specific device. For example, you could use this policy to scan a file storage disk in an array of disks. Network credentials must be configured in the policy to access network files.

Antimalware Scan Exclusions

Customizes scan exclusions beyond those already configured in other Antimalware policies. Once this policy is created, you can add the Exclusions Policy option to the Custom Exclusions details of any of the three other Antimalware policies. The policy is then enforced based on having the same device assignment of the Exclusions Policy and the Antimalware policy that this option is configured in.

Application Control

Blocks execution of applications or denies Internet access to applications. You specify the applications that are blocked or denied Internet access.

Communication Hardware

Disables the following communication hardware: 1394-Firewire, IrDA-Infrared, Bluetooth, serial/parallel, dialup, wired, and wireless. Each communication hardware is configured individually, which means that you can disable some hardware types (for example, Bluetooth and dialup) while leaving others enabled.


Controls network connectivity by disabling ports, protocols, and network addresses (IP and MAC).

Microsoft Data Encryption

Manages Microsoft’s BitLocker and Encrypting File System (EFS) tools to encrypt removable drives and fixed disk folders, respectively.


Runs a script (JScript or VBScript) on a device. You can specify the triggers that cause the script to run. Triggers can be based on Endpoint Security Agent actions, location changes, or time intervals.

Storage Device Control

Controls access to CD/DVD drives, floppy drives, and removable storage drives. Each storage device type is configured individually, which means that you can disable some and enable others.

USB Connectivity

Controls access to USB devices such as removable storage devices, printers, input devices (keyboards, mice, etc). You can specify individual devices or groups of devices. For example, you can disable access to a specific printer and enable access to all SanDisk USB devices.

VPN Enforcement

Enforces a VPN connection based on the device’s location. For example, if the device’s location is unknown, you can force a VPN connection through which all Internet traffic is routed.


Disables wireless adapters, blocks wireless connections, controls connections to wireless access points, and so forth.

In addition to the above security policies, the following security policies help protect and configure the ZENworks Endpoint Security Agent. The Endpoint Security Agent enforces security policies on a workstation device.



Security Settings

Protects the Endpoint Security Agent from being tampered with and uninstalled.

This policy is not used with the current Endpoint Security Agent. The ZENworks Endpoint Security Agent’s security settings are not applied as a policy; instead, they are applied as ZENworks Agent settings (ZENworks Control Center > Configuration > Management Zone Settings > Device Management > ZENworks Agent).

This policy is retained to provide support for devices that are still running the ZENworks 11 or ZENworks 11 SP1 Endpoint Security Agent. Those versions of the agent continue to use the Security Settings policy.

Location Assignment

Provides a list of predefined locations for the Endpoint Security Agent. ZENworks Endpoint Security Management lets you associate different security policies with different locations. For example, you might have an Office location and a Remote Office location; you also have a default Unknown location. The Endpoint Security Agent evaluates its current network environment to see if it matches any of the locations included in the Location Assignment policy. If so, the security policies associated with the matched location are applied. If not, the security policies associated with the Unknown location are applied.