A.7 Security Settings Policy

This policy is not used with ZENworks 11 SP2 Endpoint Security Agents. The ZENworks 11 SP2 Endpoint Security Agent’s security settings are not applied as a policy; instead, they are applied as ZENworks Agent settings (ZENworks Control Center > Configuration > Management Zone Settings > Device Management > ZENworks Agent).

This policy is retained in ZENworks 11 SP2 to provide support for devices that are still running the ZENworks 11 or ZENworks 11 SP1 Endpoint Security Agent. Those versions of the agent continue to use the Security Settings policy.

The following instructions assume that you are on the Configure Security Settings page in the Create New Security Settings Policy Wizard (see Section 9.0, Creating Security Policies) or that you are on the Details page for an existing Security Settings policy (see Section 13.0, Editing a Policy’s Details).

The ZENworks Endpoint Security Agent (referred to as the Endpoint Security Agent) is the ZENworks Adaptive Agent module that manages and enforces security policies on a device. This panel lets you configure the security settings for the Endpoint Security Agent.

A.7.1 Enable Client Self Defense for Endpoint Security Agent

Client Self Defense protects the Endpoint Security Agent from being shut down, disabled, or tampered with in any way. If a user performs any of the following activities, the device is automatically rebooted to restore the correct system configuration:

  • Using Windows Task Manager to terminate any Endpoint Security Agent processes.

  • Stopping or pausing any Endpoint Security Agent services.

  • Removing critical files and registry entries. If a change is made to any registry keys or values associated with the Endpoint Security Agent, the registry keys or values are immediately reset.

  • Disabling NDIS filter driver binding to adapters.

Select one of the following options:

  • Yes: Enables Client Self Defense.

  • No: Disables Client Self Defense.

  • Inherit: Inherits this setting value from other Security Setting policies assigned higher in the policy hierarchy. For example, if you assign this policy to a user, the setting value is inherited from any Security Setting policies assigned to the user’s groups, folders, or zone.

A.7.2 Enable Uninstall Password for Endpoint Security Agent

Client Self Defense does not prevent the Endpoint Security Agent from being uninstalled by the agent installation program. If you want to prevent users from removing the Endpoint Security Agent without permission, you must enable an uninstall password.

The uninstall password applies only when a user tries to uninstall the agent at the device. If you use the ZENworks Adaptive Agent features (Configuration tab > Management Zone Settings > Device Management > ZENworks Agent) to uninstall the Endpoint Security Agent, the uninstall password is not used.

Select one of the following options:

  • Yes: Enables an uninstall password. To specify the password, click Change, specify and confirm the password, then click OK to save it.

  • No: Disables an uninstall password.

  • Inherit: Inherits this setting value from other Security Setting policies assigned higher in the policy hierarchy. For example, if you assign this policy to a user, the setting value is inherited from any Security Setting policies assigned to the user’s groups, folders, or zone.

A.7.3 Enable Password Override for Endpoint Security Agent

Password Override lets you specify a password that overrides the device’s currently applied security policies. All policies revert to the Endpoint Security Agent’s default policies.

You should not distribute the password to users. Instead, you should use the Override Password Key Generator utility to generate a temporary password key (based on the override password) for a user who needs to override security policies. The password key functions the same as the override password with the added benefit that you can specify when the key expires.

Select one of the following options:

  • Yes: Enables an override password. To specify the password, click Change, enter and confirm the password, then click OK to save it.

  • No: Disables the override password.

  • Inherit: Inherits this setting value from other Security Setting policies assigned higher in the policy hierarchy. For example, if you assign this policy to a user, the setting value is inherited from any Security Setting policies assigned to the user’s groups, folders, or zone.