10.3 ZENworks Desktop Management Policies and Policy Packages

To fully deploy the Workstation Management component of Desktop Management, you must configure, enable, and associate the necessary policies and policy packages in ConsoleOne.

A policy is a set of rules that defines how workstations, users, and servers can be configured and controlled, including application availability and access, file access, and the appearance and contents of individual desktops. Policies are contained within policy packages, where they are also administered and customized.

A policy package is a Novell eDirectory™ object containing one or more individual policies. A policy package groups policies according to function, making it easier to administer them. It also provides the means for the administrator to change policy settings and to determine how they affect other eDirectory objects.

Review the following sections for an understanding of Desktop Management policies and policy packages:

10.3.1 Policy Packages

Desktop Management policies are grouped into policy packages for ease of administration. You create and manage policy packages using ConsoleOne.

The property page for each policy package contains one or more platform-specific tabs that list one or more policies specific to that platform and package. These pages each identify an operating platform, such as General, NetWare, Windows (9x/NT/2000/XP), or Windows Terminal Server (2000/XP). Any policy that you enable on a General page applies to all platforms indicated by the other pages. However, any policy configurations you set on a specific platform page override similar settings on the General page.

The Desktop Management policy packages are:

The Container Package and Service Location Package are identical to the policy packages used in ZENworks Server Management. The Server Package also exists in ZENworks Server Management; however, in ZENworks Desktop Management it contains different policies. The User Package and Workstation Package are unique to Desktop Management. For more information, see Section 11.0, Creating Policy Packages.

10.3.2 ZENworks Desktop Management Policies

A policy is a set of rules that defines how workstations, users, and servers can be configured and controlled, including application availability and access, file access, and the appearance and contents of individual desktops. Policies are contained within policy packages, where they are also administered and customized. Desktop Management policies provide you with automated management of server, user, and workstation configurations, processes, and behaviors. For example, you could set up a user policy that determines how a certain user's desktop looks, regardless of the machine that user logs in from. Or, you could set up a workstation policy that determines how a certain machine's desktop looks, regardless of which user logs in.

You can use policies to define the following:

  • Parameters for importing workstation objects to the tree

  • How far in the tree to search for effective policies

  • Parameters for collecting hardware and software inventory

  • Parameters for remotely controlling a workstation

  • Event and action scheduling

Each policy's properties contain one or more tabs where you can specify settings or configurations related to User, Workstation, Group, or container objects, depending on the type of policy. For more information, see Section 11.0, Creating Policy Packages.

10.3.3 Plural Policies

Plural policies allow you to have multiple instances of the same policy type within the same policy package or as effective policy. Desktop Management has one plural policy in both the User and Workstation Policy packages with the default name of Scheduled Action.

Because you can have several different actions that you might want to run on different schedules, when you add a Scheduled Action policy to the policy package you should name it to reflect the action being scheduled.

For Desktop Management, the Scheduled Action plural policy is available for all platforms in the User Package and Workstation Package. For more information about the Scheduled Action policy in the User Package, see Section 15.6, Scheduled Action Policy (User and Workstation Packages).

10.3.4 Enabling Policies

As your Workstation Management needs change, you can enable, disable, or modify a policy using any of the three states for policy settings:

Table 10-1 States for Policy Settings

| State | Description |
|---|---|
| Enabled | Activates the policy's settings; however, settings are not enforced unless the policy package is also associated with an object. |
| Disabled | Clears a policy. However, disabling a policy in ConsoleOne does not immediately clear its effect at the workstation. The workstation runs the policy with the cleared settings because the settings for each policy are saved in the workstation’s registry. |
| Ignored | Does not guarantee the clearing or enabling of a policy, because it allows the workstation to continue with whichever policy setting it previously had. |

When you create a policy package, its policies are disabled by default. After you enable a policy, some default settings are still in place.

A policy can be enabled when you:

  • Create a policy package

  • Modify a policy package

A policy can also be enabled anytime from within most of the lists where the policy is displayed.

10.3.5 Policy Scheduling

Some policies can be scheduled to run at a certain time. During creation, all policy packages are given a default run schedule. This means that all applicable policies in this package run according to the default schedule. However, you can change the entire policy package schedule, or you can set a policy within the package to run at a different time from the rest of the package.

If you enable a policy but fail to schedule it, it runs according to the schedule currently defined in the Default Package Schedule.

10.3.6 Policy Package Associations

When you have enabled a policy, you must then associate it to make it effective. Configuring, enabling, and scheduling a policy only sets it up. A policy is enforced through its association with a directory object, such as a Server, Container, User, Group, or Workstation object.

Because policy package associations flow down a tree like inherited rights flow in the directory, you can associate a policy package directly with an object. You can also associate a policy package indirectly, such as with the object's parent container.

When you view the associated policy packages for an object, Desktop Management starts at the object and searches up the tree in the following order for the associated policy packages to be displayed (unless the search order has been changed with a Search policy):

  1. The object itself

  2. Any Group where the object has membership

  3. Any container above the object up to [Root]

Similar to assigning different rights for different users in the directory, you can set a general policy for most users and unique policies for unique users.

You must have the Write right to both the policy package and the object in order to associate one with the other.

You can associate a policy package with Server, Container, User, Group, or Workstation objects when you:

  • Create or modify the policy package

  • Create or modify the Server, Container, User, Group, or Workstation object

  • Associate a policy package with a group or container where the User or Workstation objects have membership

IMPORTANT: Do not associate the policy packages with Alias objects. Alias objects are not supported.

10.3.7 Search Policy

The Search policy is used to prevent tree-walking. Unless specified differently in a Search policy, when Desktop Management starts searching for an object's associated policy packages, it starts at the object and works its way up the tree. If Desktop Management does not have any Search policies defined, it walks the tree until it finds the root object. This can cause unnecessary network traffic. Therefore, plan to use Search policies wherever needed.

Unless otherwise specified in a Search policy, all enabled policies in a policy package that is associated directly with an object have precedence over contradicting policies in policy packages higher in the tree.

For more information about configuring the Search policy, see Setting Up the Search Policy in the Container Package.

10.3.8 Effective Policies

Effective policies for a directory object are those that have been configured, enabled, and associated with the object. Just as the effective rights in the directory flow down the tree, policy package associations also flow down the tree.

The following sections provide more information on effective policies:

How Effective Policies Are Determined

When Desktop Management calculates the effective policies for an object, it starts with all policy packages assigned to that object. It then looks up the tree for policy packages associated to Group objects and then for policy packages associated to Containers (assuming that the search order starts at the leaf object and goes up towards the root of the tree).

How Package Associations Are Resolved to Determine Effective Policies

Because Desktop Management policies provide management-by-exception through policy package associations, a lower package association overrides an upper package association. In other words, a package associated to a User object overrides any similar settings in a package associated to the user's container object.

The following illustrates policy package associations:

Figure 10-1 Directory Tree Showing Policy Package Associations

Suppose that in this illustration, User Package 1 contains three enabled policies: Windows Desktop Preferences, Inventory, and Remote Control. User Package 2 contains one enabled policy: Windows Desktop Preferences. For the User object, the Windows Desktop Preferences policy settings in User Package 2 override the similar policy settings in User Package 1.

The effective policies for the user are the Windows Desktop Preferences policy in Policy Package 2 and the Inventory and Remote Control policies in Policy Package 1. The Associations tab for this User object lists the one policy in User Package 2 that has been enabled. The two enabled policies in User Package 1 are also listed on the User object's Associations tab. In other words, effective policies are the sum of all enabled policies in all policy packages associated directly or indirectly to an object.
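The resolution described above, together with the search order from Section 10.3.6, as an added Python example (a simplified model, not ZENworks code). The tree, the object names, the placement of User Package 1 on a container, and the `max_levels` parameter standing in for a Search policy are all assumptions made for illustration.

```python
# Added illustration (not ZENworks code): simplified effective-policy resolution.
# The tree, object names and package placement below are constructed.
TREE = {
    "[Root]": {"parent": None, "groups": [], "packages": []},
    "O=Acme": {"parent": "[Root]", "groups": [], "packages": ["User Package 1"]},
    "OU=Sales": {"parent": "O=Acme", "groups": [], "packages": []},
    "CN=SalesGroup": {"parent": "OU=Sales", "groups": [], "packages": []},
    "CN=jsmith": {"parent": "OU=Sales", "groups": ["CN=SalesGroup"],
                  "packages": ["User Package 2"]},
}

# Package contents from the example in the text: policy name -> state.
PACKAGES = {
    "User Package 1": {"Windows Desktop Preferences": "enabled",
                       "Inventory": "enabled",
                       "Remote Control": "enabled"},
    "User Package 2": {"Windows Desktop Preferences": "enabled"},
}

def search_path(obj, max_levels=None):
    """Object, then its groups, then containers up to [Root]."""
    # max_levels is a hypothetical stand-in for a Search policy: the walk
    # stops after that many containers above the object.
    path = [obj] + list(TREE[obj]["groups"])
    container, level = TREE[obj]["parent"], 0
    while container is not None and (max_levels is None or level < max_levels):
        path.append(container)
        container, level = TREE[container]["parent"], level + 1
    return path

def effective_policies(obj, max_levels=None):
    """Map each effective policy to (package, object it is associated with)."""
    # The first enabled policy found on the search path wins, so a lower
    # association overrides a higher one.
    effective = {}
    for location in search_path(obj, max_levels):
        for package in TREE[location]["packages"]:
            for policy, state in PACKAGES[package].items():
                if state == "enabled" and policy not in effective:
                    effective[policy] = (package, location)
    return effective

if __name__ == "__main__":
    for policy, source in sorted(effective_policies("CN=jsmith").items()):
        print(policy, "<-", source)
```

In this model, calling `effective_policies("CN=jsmith", max_levels=1)` stops the walk at the user's own container, so the Inventory and Remote Control policies associated higher in the tree no longer apply; that side effect is worth checking before limiting the search depth.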

Extensible Policies

For any Windows-compatible software program, an extensible policy allows you to control any application function that is configured in the Windows registry. Desktop Management lets you easily customize and deploy extensible policies across your network to accommodate your specific business practices.

Extensible policies are not supported on Windows XP. You should use Windows Group policies to configure policies for Windows XP systems. Additionally, we recommend that you use Windows Group policies instead of extensible policies for Windows 2000 or newer. You should continue using extensible policies for the Windows 9.x platforms.

For more information, see Section 15.2.1, Understanding Extensible Policies.