7.5 Running the Endpoint Security Client 3.5

The Endpoint Security Client 3.5 runs automatically at system startup. For user operation of the Endpoint Security Client, see the ZENworks Endpoint Security Client 3.5 User Guide.

You can distribute the guide to all users to help them better understand the operation of their new security software.

The following sections contain more information:

7.5.1 Multiple User Support

For machines that have multiple users logging on to them, each user account has its own, separate Novell environment. Users can have separate policies and saved network environments. Each account needs to log in to the Management Service separately to receive its credential in order to download its published policy.

If a user can’t log in or refuses to do so, that user gets the initial policy that was included at Endpoint Security Client installation. This helps discourage a user from creating a different account to avoid policy restrictions.

Multiple user support is set at the time you install the client, and can only be changed through an MSI property (POLICYTYPE 0=user or 1=computer) when you upgrade the client (see MSI Installation in the ZENworks Endpoint Security Management Installation Guide for details).

Because only one policy can be enforced at a time, Microsoft Fast User Switching (FUS) is not supported. The Endpoint Security Client turns off FUS at installation.

For an unmanaged client, the first policy that is pushed to one of the users is applied to all users until the other users enforce their policies.

The users on a single computer must all be managed or unmanaged. If they are managed, all the users must use the same Management and Policy Distribution Service.

7.5.2 Machine-Based Policies (Active Directory Only)

The option for using machine-based rather than user-based policies is set at Endpoint Security Client installation (see the ZENworks Endpoint Security Management Installation Guide for details). When this option is selected, the machine is assigned the policy from the Management Service, and the policy is applied to all users who log on to that machine. Users who have a policy assigned to them on another machine do not have that policy accompany them when they log on to a machine with a machine-based policy. Instead, the machine-based policy is enforced.

NOTE: The machine must be a member of the Policy Distribution Service's domain for the first policy sent down. Occasionally, Microsoft does not immediately generate the SID, which can prevent the Endpoint Security Client on that machine from receiving its credential from the Management Service. When this occurs, reboot the machine when the Endpoint Security Client installation is finished to receive the credentials.

When you switch an Endpoint Security Client from accepting user-based policies to accepting machine-based policies, the client continues to enforce and use the last policy downloaded by the current user, until credentials are provided. If multiple users exist on the machine, the machine uses only the policy assigned to the currently logged-in user. If a new user logs in, and the SID is unavailable, the machine uses the default policy included at installation, until the SID is available. After the SID is available for the endpoint, all users have the machine-based policy applied.

7.5.3 Distributing Unmanaged Policies

To distribute policies to unmanaged Endpoint Security Clients:

  1. Locate and copy the Management Console's setup.sen file to a separate folder. The setup.sen file is generated at installation of the Management Console, and placed in the \Program Files\Novell\ESM Management Console\ directory.

  2. Create a policy in the Management Console. For more information, see Section 6.0, Creating and Distributing Security Policies.

  3. Use the Export command (see Section 6.4.3, Exporting Policies to Unmanaged Users) to export the policy to the same folder containing the setup.sen file. All policies distributed must be named policy.sen for an unmanaged Endpoint Security Client to accept them.

  4. Distribute the policy.sen and setup.sen files. These files must be copied to the \Program Files\Novell ZENworks\Endpoint Security Client\ directory for all unmanaged clients.

The setup.sen file must be copied to the unmanaged Endpoint Security Clients only once, along with the first policy. Afterwards, only new policies need to be distributed.
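
The following PowerShell function is an added example, not part of the Novell documentation or product, showing one way to script step 4 on a client so that the file-name and copy-once rules above are enforced. The function name, its parameters, and the sample source path are hypothetical; it assumes the client is installed under %ProgramFiles% on the system drive and that the script runs with rights to write there.

```powershell
# Added example, not Novell code. Function and parameter names are hypothetical.
function Install-UnmanagedPolicy {
    [CmdletBinding()]
    param(
        # Folder holding the exported policy.sen and the console's setup.sen
        [Parameter(Mandatory)] [string] $SourceDir,
        # Assumption: the client is installed under %ProgramFiles% on this machine
        [string] $ClientDir = (Join-Path $env:ProgramFiles 'Novell ZENworks\Endpoint Security Client')
    )

    if (-not (Test-Path -LiteralPath $ClientDir -PathType Container)) {
        throw "Client directory not found: $ClientDir"
    }

    # An unmanaged client only accepts a policy file named policy.sen
    $policy = Join-Path $SourceDir 'policy.sen'
    if (-not (Test-Path -LiteralPath $policy -PathType Leaf)) {
        throw "No policy.sen in $SourceDir; export the policy under that exact name."
    }

    # setup.sen goes out once, with the first policy; skip it on later runs
    $setupTarget = Join-Path $ClientDir 'setup.sen'
    $copied = @()
    if (-not (Test-Path -LiteralPath $setupTarget -PathType Leaf)) {
        $setup = Join-Path $SourceDir 'setup.sen'
        if (-not (Test-Path -LiteralPath $setup -PathType Leaf)) {
            throw "First distribution to this client needs setup.sen in $SourceDir."
        }
        Copy-Item -LiteralPath $setup -Destination $setupTarget
        $copied += 'setup.sen'
    }

    $policyTarget = Join-Path $ClientDir 'policy.sen'
    Copy-Item -LiteralPath $policy -Destination $policyTarget -Force
    $copied += 'policy.sen'

    # Confirm the file on the client matches what was exported
    $src = (Get-FileHash -LiteralPath $policy -Algorithm SHA256).Hash
    $dst = (Get-FileHash -LiteralPath $policyTarget -Algorithm SHA256).Hash
    if ($src -ne $dst) { throw "policy.sen on the client does not match the exported file." }

    [pscustomobject]@{ ClientDir = $ClientDir; Copied = $copied; PolicySha256 = $dst }
}

# Example call; the source path is a constructed sample value
# Install-UnmanagedPolicy -SourceDir 'D:\esm-unmanaged'
```

The returned object lists which files were copied and the SHA-256 of the installed policy.sen, which can be logged centrally to confirm that every unmanaged client received the same policy file.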