10.4 Creating a Security Policy

A device’s security settings are controlled through security policies applied by the Endpoint Security Agent. Security policies control a range of security-related functionality. You can use all or some of the policies depending on your organization’s needs. The Antimalware policies require an Antimalware Update Entitlement and configuration of the Antimalware Server. Several configuration steps are also required to use Antimalware monitoring capabilities. For more information, see the ZENworks Endpoint Security Antimalware Reference.



Antimalware Enforcement

Installs the Antimalware Agent and configures the base on-access and on-demand scans that protect managed devices from malware threats. Because it is the base policy and installs the agent, it must be assigned to devices before any optional policies (Custom Scan Policy, Network Scan Policy, and Scan Exclusions Policy) can be assigned and enforced.

Antimalware Custom Scan

Defines and schedules scans on local drives, in addition to the Full and Quick scans already defined in the Antimalware Enforcement Policy. Provides the capability to target specific threats that may not be covered in the regularly scheduled scans using the Antimalware Enforcement Policy.

Antimalware Network Scan

Defines and schedules scans on files from network drives only. This policy gives you the capability to target a network drive from a specific device. For example, you could use this policy to scan a file storage disk in an array of disks. Network credentials must be configured in the policy to access network files.

Antimalware Scan Exclusions

Customizes scan exclusions beyond those already configured in other Antimalware policies. Once this policy is created, you can add the Exclusions Policy option to the Custom Exclusions details of any of the three other Antimalware policies. The policy is then enforced based on having the same device assignment of the Exclusions Policy and the Antimalware policy that this option is configured in.

Application Control

Blocks execution of applications or denies Internet access to applications. You specify the applications that are blocked or denied Internet access.

Communication Hardware

Disables the following communication hardware: 1394-Firewire, IrDA-Infrared, Bluetooth, serial/parallel, dialup, wired, and wireless. Each communication hardware is configured individually, which means that you can disable some hardware types (for example, Bluetooth and dialup) while leaving others enabled


Controls network connectivity by disabling ports, protocols, and network addresses (IP and MAC).

Microsoft Data Encryption

Manages encryption of removable data drives and fixed disk folders using Microsoft BitLocker and Microsoft Encrypting File System (EFS), respectively.


Runs a script (JScript or VBScript) on a device. You can specify the triggers that cause the script to run. Triggers can be based on Endpoint Security Agent actions, location changes, or time intervals.

Storage Device Control

Controls access to CD/DVD drives, floppy drives, and removable storage drives. Each storage device type is configured individually, which means that you can disable some and enable others.

USB Connectivity

Controls access to USB devices such as removable storage devices, printers, input devices (keyboards, mice, etc). You can specify individual devices or groups of devices. For example, you can disable access to a specific printer and enable access to all Sandisk USB devices.

VPN Enforcement

Enforces a VPN connection based on the device’s location. For example, if the device’s location is unknown, you can force a VPN connection through which all Internet traffic is routed.


Disables wireless adapters, blocks wireless connections, controls connections to wireless access points, and so forth.

In addition to the above security policies, the following security policies help protect and configure the Endpoint Security Agent. Because of the nature of the Location Assignment Policy, we recommend that you create and assign it first.



Security Settings

Designed to protect the Endpoint Security Agent from being tampered with and uninstalled. However, This policy is retained to provide support for devices that are still running the ZENworks 11 or ZENworks 11 SP1 Endpoint Security Agent and is not used with the current Endpoint Security Agent. Those versions of the agent continue to use the Security Settings policy.

For information about configuring the ZENworks Agent Security settings after ZENworks 11 SP1, see Configuring ZENworks Agent Security.

Location Assignment

Provides the list of allowed locations for a device or user. The Endpoint Security Agent evaluates its current network environment to see if it matches any of the allowed locations. If so, the location becomes the security location and the agent applies any security policies associated with the location. If none of the locations in the list are matched, the security policies associated with the Unknown location are applied.

If you plan to use location-based policies, you should make sure a Location Assignment policy is assigned to each device or user. If a device, or the device’s user, does not have an assigned Location Assignment policy, the Endpoint Security Agent cannot apply any location-based policies to the device.

To create a security policy:

  1. In ZENworks Control Center, click Policies to display the Policies page.

  2. In the Policies panel, click New > Policy to launch the Create New Policy Wizard.

  3. On the Select Platform page, select Windows, then click Next.

  4. On the Select Policy Category page, select Windows Endpoint Security Policies, then click Next.

  5. On the Select Policy Type page, select the type of policy you want to create, then click Next.

    If you created locations and plan to use location-based policies, you need to create at least one Location Assignment policy and assign it to devices or the devices’ users. Otherwise, none of the locations you created will be available to the devices, which means that none of the location-based polices can be applied.

  6. On the Define Details page, enter a name for the policy and select the folder in which to place the policy.

    The name must be unique among all other policies located in the selected folder.

  7. (Conditional) If the Configure Inheritance and Location Assignments page is displayed, configure the following settings, then click Next.

    • Inheritance: Leave the Inherit from policy hierarchy setting selected if you want to enable this policy to inherit settings from same-type policies that are assigned higher in the policy hierarchy. For example, if you assign this policy to a device and another policy (of the same type) to the device’s folder, enabling this option allows this policy to inherit settings from the policy assigned to the device’s folder. Deselect the Inherit from policy hierarchy setting if you don’t want to allow this policy to inherit policy settings.

    • Location Assignments: Policies can be global or location-based. A global policy is applied regardless of location. A location-based policy is applied only when the device detects that it is within the locations assigned to the policy.

      Select whether this is a global or location-based policy. If you select location-based, click Add, select the locations to which you want to assign the policy, then click OK to add them to the list.

  8. Configure the policy specific settings, then click Next until you reach the Summary page.

    For information about a policy’s settings, click Help > Current Page in ZENworks Control Center.

  9. On the Summary page, review the information to make sure it is correct. If it is incorrect, click the Back button to revisit the appropriate wizard page and make changes. If it is correct, select either of the following options (if desired), then click Finish.

    • Create as Sandbox: Select this option to create the policy as a sandbox version. The sandbox version is isolated from users and devices until you publish it. For example, you can assign it to users and devices, but it is applied only after you publish it.

    • Define Additional Properties: Select this option to display the policy’s property pages. These pages let you modify policy settings and assign the policy to users and devices.