5.3 Accessing Policy and Application Files

After users are authenticated, ZENworks Desktop Management can access the policy and application files that you have defined for their use. This makes it possible for their workstations to be configured, managed remotely, or inventoried, and for the appropriate software applications to be pushed to their desktops.

5.3.1 Policy Files

Policies define the capabilities or configuration of a Windows workstation. You can manage these capabilities or configurations according to the user or workstation that is authenticated to eDirectory and associated to the policy. For the most part, when you configure a policy for a workstation or user, these configurations are stored in eDirectory as attributes. These attributes are read by various .dlls in the client or agent, and pulled to the workstation at login time by the Workstation Manager. These configurations are stored on the workstation in its registry.

Some workstation configurations, however, are not stored in eDirectory. The iPrint, Group Policies, and Desktop Preferences policies require a defined path to files that must be accessed by the client or Desktop Management Agent and applied to the workstation. For more information about the policies that require file access, see Section 10.0, Understanding Workstation Management.

5.3.2 Application Files

ZENworks 7 Desktop Management lets you manage 32-bit Windows Application objects that are associated to users or workstations. Using ConsoleOne®, you can configure numerous Application objects and associate them to users, workstations, groups, or containers.

The Novell Application Launcher™ uses either the Novell Client or the ZENworks Middle Tier Server to access the application files on NetWare or Windows servers so the files can be distributed, launched, cached, or uninstalled. For more information, see Section 23.0, Novell Application Launcher: Managing Authentication and File System Access.

5.3.3 Accessing Files by Using a Client Inside the Firewall

The process of using a client inside the firewall to access policy or application files (from a path defined in eDirectory) is illustrated in the following diagram:

Figure 5-4 Using the Novell Client Inside a Firewall to Access Policy or Application Files

Table 5-3 Steps in the Process for Using the Novell Client Inside a Firewall to Access Policy or Application Files

1. A user with the appropriate rights enters eDirectory credentials in the login fields of Novell Client GINA and is authenticated to eDirectory through an NDAP/LDAP connection. For details, see Section 5.1, Authenticating to eDirectory.

2. The Workstation Manager or the Application Launcher installed on the workstation determines the need to access files and sends a request from the Novell Client to eDirectory in an NCP or CIFS packet.

3. The files are sent to the workstation through an NCP or CIFS packet.

5.3.4 Accessing Files by Using the Desktop Management Agent Outside the Firewall

The process of using the Desktop Management Agent outside the firewall to access policy or application files (from a path defined in eDirectory) is illustrated in the following diagram:

Figure 5-5 The Process of Using the Desktop Management Agent to Access Policy or Application Files Outside a Firewall

Table 5-4 Steps in the Process of Using the Desktop Management Agent to Access Policy or Application Files Outside a Firewall

1. A user with the appropriate rights enters eDirectory credentials in the login fields of the Novell Client GINA or the Microsoft Client GINA and is authenticated to eDirectory through an NDAP/LDAP connection. For details, see Section 5.1, Authenticating to eDirectory.

2. The Workstation Manager (or one of its helper .dlls) or the Application Launcher installed on the workstation determines the need to access files and sends a request to the ZENworks Middle Tier Server in an XML packet, using the HTTP or HTTPS protocol to pass it through a designated port in the corporate firewall to the ZENworks Middle Tier Server.

3. The ZENworks Middle Tier Server Web service receives the request, unparses it, converts it to an NDAP/LDAP packet, and then uses NDAP/LDAP to connect the request to eDirectory.

4. The file location is accessed and the files are sent back to the ZENworks Middle Tier Server in an NCP or CIFS packet. CIFS can be used only if the Middle Tier Server is running on a Windows server.

5. The ZENworks Middle Tier Server converts the returned NCP or CIFS packet containing the files to XML format again, then sends the XML packet over HTTP or HTTPS to the ZENworks Management Agent.

6. The Desktop Management Agent unparses the XML packet containing the files and converts them to binary format to be applied at the workstation.

For more information about users inside the firewall accessing files, see Section 4.0, Understanding the ZENworks Multiple UNC Provider.
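The round trip described in Table 5-4 (request in XML, file fetched inside the firewall, file returned in XML and converted back to binary) is modeled below as an added Python example; it is not ZENworks code. The element names, the base64 payload encoding, the sample path, and the in-memory file store are assumptions, because this section does not document the actual packet format.

```python
# Added illustration: element names and base64 encoding are assumptions,
# not the ZENworks wire format.
import base64
import xml.etree.ElementTree as ET

# Constructed stand-in for files held on NetWare or Windows servers.
SAMPLE_PATH = r"\\SRV1\SYS\PUBLIC\app.msi"
FILE_SERVER = {SAMPLE_PATH: b"\x00\x01\xfe\xffconstructed-binary"}


def agent_build_request(path):
    """The agent wraps its file request in XML for HTTP/HTTPS transport."""
    req = ET.Element("FileRequest")
    ET.SubElement(req, "Path").text = path
    return ET.tostring(req)


def backend_protocol(middle_tier_os, preferred):
    """Constraint from the table: CIFS only if the Middle Tier runs on Windows."""
    if preferred == "CIFS" and middle_tier_os != "Windows":
        return "NCP"
    return preferred


def middle_tier_handle(xml_request, middle_tier_os="NetWare", preferred="CIFS"):
    """Parse the request, fetch the file inside the firewall, re-wrap it as XML."""
    # This is where input that crossed the firewall is first parsed.
    path = ET.fromstring(xml_request).findtext("Path")
    resp = ET.Element("FileResponse")
    if path not in FILE_SERVER:
        resp.set("status", "not-found")  # error element only, no data
        return ET.tostring(resp)
    resp.set("status", "ok")
    resp.set("backend", backend_protocol(middle_tier_os, preferred))
    # Raw bytes are not valid XML text, so the payload is encoded for transit.
    data = base64.b64encode(FILE_SERVER[path]).decode("ascii")
    ET.SubElement(resp, "Data").text = data
    return ET.tostring(resp)


def agent_apply_response(xml_response):
    """The agent parses the XML and converts the payload back to binary."""
    resp = ET.fromstring(xml_response)
    if resp.get("status") != "ok":
        return None
    return base64.b64decode(resp.findtext("Data"))
```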

Workstation Management Does Not Use the Middle Tier if the Novell Client is Installed on the Workstation

If the Novell Client and the Desktop Management Agent are installed on a workstation (for example, a laptop workstation) and that workstation is taken outside the corporate firewall, only the traditional Novell Client login is displayed at login, and the user can log in locally by choosing Workstation Only.

In this scenario, Desktop Management Workstation Management does not utilize the Middle Tier to access eDirectory, and therefore Workstation Manager is in disconnected mode. This means that only cached policies are applied because Workstation Manager does not have an eDirectory connection for the User or the Workstation object. This is similar to the way Application Management works: if users log in Workstation Only, they see only the installed applications that are marked “disconnectable” or applications that were force-cached when they were connected.

There is one difference in this scenario between Application Management and Workstation Management. If both the Desktop Management Agent and the Novell Client are installed, and if the agent is configured with a Middle Tier Server address, users can log in to the Middle Tier through the Application Launcher after logging in Workstation Only using the Novell Client. In this case, the Application Launcher works in connected mode as it accesses eDirectory and the file system through the Middle Tier Server instead of the Novell Client. However, workstation-associated applications do not work because Workstation Manager has already started the NAL Workstation Helper at system startup in order for cached applications to function.

NOTE: If a connection to eDirectory is established through the Novell Client after a user logs in using Workstation Only, within 60 seconds of the connection being made, Workstation Manager logs in as the Workstation Object and policies from the Workstation Package are retrieved.