10.3 Configuring the Agent Security

You can configure whether or not to allow users to uninstall the ZENworks Adaptive Agent. In addition, you can require a password for the uninstall, define an override password to provide access to restricted administrative features in the agent, and enable self-defense to protect agent files from being removed.

The following sections explain how to configure the security settings both before the Adaptive Agent is deployed and after:

10.3.1 Customizing Security before Deployment

  1. In ZENworks Control Center, click the Configuration tab.

  2. In the Management Zone Settings panel, click Device Management, then click ZENworks Agent.

  3. In the Agent Security panel:

    The following setting applies to all ZENworks 11 versions of the Adaptive Agent (version 11, version 11 SP1, and version 11 SP2):

    • Allow Users to Uninstall the ZENworks Adaptive Agent: Enable this option to allow users to perform a local uninstall of the ZENworks Adaptive Agent. If this option is disabled, the agent can only be uninstalled through the ZENworks Control Center.

    The following settings apply only to the ZENworks 11 SP2 and newer versions of the Adaptive Agent. For older versions of the agent, use the Security Settings policy (one of the Windows Endpoint Security policies) to configure these settings.

    • Require an Uninstall Password for the ZENworks Adaptive Agent: Enable this option to require users to enter a password in order to uninstall the ZENworks Adaptive Agent. Click Change to set the password.

      To avoid distributing the uninstall password to users, we recommend that you use the Password Key Generator utility to generate a key for the uninstall password. The key, which is based on the uninstall password, functions the same as the uninstall password but can be tied to a single device or user so that its use is limited.

      You access the Password Key Generator utility in the Configuration Tasks list in the left navigation pane.

    • Enable an Override Password for the ZENworks Adaptive Agent: An override password can be used in the ZENworks Adaptive Agent to:

      • Access information about the device’s current location and how the location was assigned.

      • Access the Administrative options in the Endpoint Security Agent. These options let you disable the currently applied security policies (with the exception of the Data Encryption policy), view detailed policy information, and view agent status information.

      • Access the Administrative options in the Full Disk Encryption Agent. These options let you view detailed policy information, view agent status information, and perform functions such as

      • Uninstall the ZENworks Adaptive Agent.

      To enable an override password, select the check box, then click Change to set the password.

      To avoid distributing the override password to users, we recommend that you use the Password Key Generator utility to generate a key for the override password. The key, which is based on the override password, functions the same as the override password but can be tied to a single device or user and can have a usage or time limit.

      You access the Password Key Generator utility in the Configuration Tasks list in the left navigation pane

    • Enable Self Defense for the ZENworks Adaptive Agent Currently, self-defense functionality protects only the ZENworks Endpoint Security Agent. It does not protect the other ZENworks Adaptive Agent modules.

      Self defense protects the Endpoint Security Agent from being shut down, disabled, or tampered with in any way. If a user performs any of the following activities, the device is automatically rebooted to restore the correct system configuration:

      • Using Windows Task Manager to terminate any Endpoint Security Agent processes.

      • Stopping or pausing any Endpoint Security Agent services.

      • Removing critical files and registry entries. If a change is made to any registry keys or values associated with the Endpoint Security Agent, the registry keys or values are immediately reset.

      • Disabling NDIS filter driver binding to adapters.

      Select the check box to enable self defense.

  4. To save the changes, click OK.

10.3.2 Customizing Security after Deployment

The ZENworks Adaptive Agent is deployed with the features selected at the Management Zone level. After deploying the agent to a device, you can do any of the, following:

  • Change the agent settings configured at the Management Zone level

  • Override the Management Zone settings at the device folder or device level

The new settings are applied to the agent on a device refresh.

For more information on how to override and configure the settings for an existing agent, see Configuring Adaptive Agent Settings after Deploymentin the ZENworks 11 SP3 Adaptive Agent Reference.