6.3 Managing Policies

The following sections contain more information:

6.3.1 Show Usage

Changes made to shared policy components will affect all policies they are associated with. Prior to updating or otherwise changing a policy component, it is recommended that you run the Show Usage command to determine which policies will be affected by the change.

  1. Right-click the component and select Show Usage

  2. A pop-up window will display, showing each instance of this component in other policies (see Figure 6-35).

    Figure 6-35 Show Usage Window

6.3.2 Error Notification

When the administrator attempts to save a policy with incomplete or incorrect data in a component, the Validation pane will display at the bottom of the Management console, highlighting each error. The errors MUST be corrected before the policy can be saved.

Double-click each validation row to navigate to the screen with the error. Errors are highlighted as shown in the figure below (see Figure 6-36).

Figure 6-36 Error Notification Pane

6.3.3 Custom User Messages

Custom User Messages allow the ZENworks Endpoint Security Management Administrator to create messages which directly answer security policy questions as the user encounters policy enforced security restrictions, or provide specific instructions to the user. User messages controls (see Figure 6-37) are available in various components of the policy.

Figure 6-37 Custom User Message with a Hyperlink

To create a custom user message, perform the following steps (see Figure 6-38 for an example of the control):

  1. Enter a title for the message. This displays on the top bar of the message box (see example in Figure 6-36 above)

  2. Enter the message. The message is limited to 1000 characters

  3. If a hyperlink is required, check the hyperlinks box and enter the necessary

    Figure 6-38 Custom Message and Hyperlink Controls

NOTE: Changing the Message or Hyperlink in a shared component changes it in all other instances of that component. Use the Show Usage command to view all other policies associated with this component.

6.3.4 Hyperlinks

An administrator can incorporate hyperlinks in custom messages to assist in explaining security policies or provide links to software updates to maintain integrity compliance. Hyperlinks are available in several policy components. A VPN hyperlink can be created which can point to either the VPN client executable, or to a batch file which can run and fully log the user in to the VPN (see VPN Enforcement for more details).

Figure 6-39 Custom User Message with a Hyperlink

To create a hyperlink, perform the following steps (see Figure 6-40 for an example of the control):

  1. Enter a name for the link. This is the name that will display below the message (required for Advanced VPN hyperlinks as well).

  2. Enter the hyperlink

  3. Enter any switches or other parameters for the link (use for VPN enforcement)

    Figure 6-40 Custom Message and Hyperlink Controls

NOTE: Changing the Message or Hyperlink in a shared component changes it in all other instances of that component. Use the Show Usage command to view all other policies associated with this component.

6.3.5 Defined Location Settings


Setting the Location Icon

The location icon provides a visual cue to the user which identifies their current location. The location icon displays on the taskbar in the notification area. Use the pull-down list to view and select from the available location icons:

Select an icon which will help the end-user easily identify their location at a glance.

Update Interval

This setting determines the frequency the Endpoint Security Client will check for a policy update when it enters this location. The frequency time is set in minutes, hours, or days. Unchecking this parameter means the Endpoint Security Client will NOT check for an update at this location.

User Permissions

User permissions within a location include:

  • Change Location - this permits the end-user to change to and out of this location. For non-managed locations (i.e., hot-spots, airports, hotels, etc.), this permission should be granted. In controlled environments, where the network parameters are known, this permission can be disabled. When this permission is disabled, the user will NOT be able to switch to or out of any location; instead, the Endpoint Security Client relies on the network environment parameters entered for this location.

  • Change Firewall Settings - this allows the user to change their firewall settings

  • Save Network Environment - this allows the user to save the network environment to this location, to permit automatic switching to the location when the user returns. Recommended for any locations the user will need to switch to. Multiple network environments may be saved for a single location. For example, if a Location defined as Airport is part of the current policy, each airport visited by the user can be saved as a network environment for this location. This way, a mobile user can return to a saved airport environment, and the Endpoint Security Client will automatically switch to the Airport location, and apply the defined security settings. A user may, of course, change to a location and not save the environment.

  • Show Location in Client Menu - this setting allows the location to display in the client menu. If this is unchecked, the location will not display at any time.

Use Location Message

This setting allows an optional Custom User Message to display when the Endpoint Security Client switches to this location. This message can provide instructions for the end-user, details about policy restrictions under this location, or include a Hyperlink to more information.

6.3.6 Network Environments

If the network parameters (Gateway server(s), DNS server(s), DHCP server(s), WINS server(s), available access points, and/or specific adapter connections) are known for a location, the service details (IP and/or MAC) which identify the network can be entered into the policy to provide immediate location switching without requiring the user to save the environment as a location.

To access this control, open the Locations tab and click the Network Environments folder in the policy tree on the left.

Figure 6-41 Network Environments

The lists provided allow the administrator to define which network services are present in the environment. Each network service may contain multiple addresses. The administrator determines how many of the addresses are required to match in the environment to activate the location switch.

It is required that 2 or more location parameters be used in each network environment definition.

To define a network environment, perform the following steps:

  1. Select Network Environments in the components tree and click the New Component button

  2. Name the network environment and provide a description

  3. Select which adapter type is permitted to access this Network Environment from the drop-down list

  4. Enter the following information for each service:

    • The IP address(es) - Limited to 15 characters, and only containing the numbers 0-9 and periods (example: 123.45.6.789)

    • MAC address(es) (Optional) - Limited to 12 characters, and only containing the numbers 0-9 and the letters A-F (upper and lower case); separated by colons (example: 00:01:02:34:05:B6)

    • Check whether identification of this service is required to define the network environment

  5. The Dialup Connections, and Adapters tabs have the following requirements:

    • For Dialup Connections, the RAS Entry name from the phone book or the dialed number may be entered. Phone book entries MUST contain alpha characters and cannot contain only special characters (@, #, $,%, -, etc.) or numeric characters (1-9). Entries that only contain special and numeric characters are assumed to be dialed numbers.

    • Adapters can be entered to restrict exactly which adapters are permitted access to this network environment (see Step 3 regarding setting adapter limitations). Enter the SSID for each allowed adapter. If no SSIDs are entered, all adapters of the permitted type are granted access

  6. Each Network Environment has a minimum number of addresses the Endpoint Security Client uses to identify it. The number set in Minimum Match must not exceed the total number of network addresses identified as being required in the tabbed lists. Enter the minimum number of network services required to identify this network environment

To associate an existing Network Environment to this location:

  1. Select Network Environments in the components tree and click the Associate Component button

  2. Select the network environment from the list

  3. The environment parameters may be re-defined. However, changing the settings in a shared component will affect all other instances of this same component. Use the Show Usage command to view all other policies associated with this component.

  4. Click Save

You can associate additional Network Environments to the location if desired. If you have multiple locations in the same security policy, be aware that associating a single network environment to two or more locations within the same security policy will cause unpredictable results and is not recommended.
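As an added illustration (not part of this guide or of the product), the following Python script checks a Network Environment definition against the rules stated in this section (at least two location parameters, the IP and MAC character rules, and a Minimum Match no larger than the number of addresses marked as required) and models the Minimum Match test that triggers a location switch. How the Endpoint Security Client actually matches services is not described here; the script assumes that only services marked as required count toward Minimum Match and that matching is by exact IP string. The Service and NetworkEnvironment names and the "Corporate LAN" sample are the example's own. It also adds an octet-range check that the guide's character rule alone does not perform: the guide's own sample value 123.45.6.789 passes the 15-character digits-and-periods rule but is not a valid IPv4 address, so a policy can be saved with an address that will never match anything.

```python
import re
from dataclasses import dataclass

# Character rules as stated in the guide: IP = up to 15 characters of digits and
# periods; MAC = 12 hex digits (A-F, either case) separated by colons.
IP_RE = re.compile(r"^[0-9.]{1,15}$")
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def valid_ip_syntax(addr):
    """The guide's character rule. It accepts 123.45.6.789 (the guide's own
    example value) even though 789 is not a legal octet; see valid_ipv4."""
    return bool(IP_RE.match(addr))


def valid_ipv4(addr):
    """Stricter check added here: exactly four octets, each in 0..255."""
    parts = addr.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def valid_mac(addr):
    return bool(MAC_RE.match(addr))


@dataclass
class Service:
    kind: str                 # Gateway, DNS, DHCP, WINS, ...
    ip: str
    mac: str = ""             # optional in the policy
    required: bool = False    # "identification of this service is required"


@dataclass
class NetworkEnvironment:
    name: str
    services: list
    minimum_match: int

    def validate(self):
        """Return a list of problems; an empty list means the definition is acceptable."""
        problems = []
        if len(self.services) < 2:
            problems.append("at least 2 location parameters are required")
        required = [s for s in self.services if s.required]
        if self.minimum_match < 1:
            problems.append("Minimum Match must be at least 1")
        if self.minimum_match > len(required):
            problems.append("Minimum Match %d exceeds the %d required addresses"
                            % (self.minimum_match, len(required)))
        for s in self.services:
            if not valid_ip_syntax(s.ip):
                problems.append("%s IP %r violates the 15-character digits/periods rule" % (s.kind, s.ip))
            elif not valid_ipv4(s.ip):
                problems.append("%s IP %r is not a valid dotted quad (octet out of range)" % (s.kind, s.ip))
            if s.mac and not valid_mac(s.mac):
                problems.append("%s MAC %r is not 12 hex digits separated by colons" % (s.kind, s.mac))
        return problems

    def matches(self, observed):
        """observed: set of (kind, ip) pairs seen on the current network.
        True when enough required services are present to switch location
        (assumption: only required services count toward Minimum Match)."""
        hits = sum(1 for s in self.services if s.required and (s.kind, s.ip) in observed)
        return hits >= self.minimum_match


def corporate_lan():
    """Constructed sample: gateway, DNS and DHCP, any two of which must match."""
    return NetworkEnvironment("Corporate LAN", [
        Service("Gateway", "10.0.0.1", "00:01:02:34:05:B6", required=True),
        Service("DNS", "10.0.0.53", required=True),
        Service("DHCP", "10.0.0.2", required=True),
    ], minimum_match=2)
```

Run validate() before saving a definition and matches() with the set of services observed on the wire; a definition that lists only one service, or whose Minimum Match exceeds its required addresses, comes back with a non-empty problem list rather than being silently accepted.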

6.3.7 Firewall Settings

Firewall Settings control the connectivity of all networking ports, Access Control lists, network packets (ICMP, ARP, etc.), and which applications are permitted to get a socket out or function, when the firewall setting is applied.

NOTE: This feature is only available in the ZENworks Endpoint Security Management installation, and cannot be used for UWS security policies.

To access this control, open the Locations tab and click the Firewall Settings icon in the policy tree on the left.

Each component of a firewall setting is configured separately, with only the default behavior of the TCP/UDP ports required to be set. This setting affects all TCP/UDP ports when this firewall setting is used. Individual or grouped ports may be created with a different setting.

Figure 6-42 Firewall Settings

To create a new firewall setting:

  1. Select Firewall Settings in the components tree and click the New Component button

  2. Name the firewall setting and provide a description

  3. Select the default behavior for all TCP/UDP ports

    Additional ports and lists may be added to the firewall settings, and given unique behaviors which will override the default setting.

    Example: The default behavior for all ports is set as All Stateful. The ports lists for Streaming Media and Web Browsing are added to the firewall setting. The Streaming Media port behavior is set as Closed, and the Web Browsing port behavior is set as Open. Network traffic through TCP Ports 7070, 554, 1755, and 8000 would be blocked. Network traffic through ports 80 and 443 would be open and visible on the network. All other ports would operate in Stateful mode, requiring the traffic through them be solicited first.

  4. Select whether to display this firewall in the Endpoint Security Client menu (if unchecked, the user will not see this firewall setting)

  5. Click Save. Repeat the above steps to create another firewall setting

To associate an existing firewall setting:

  1. Select Firewall Settings in the components tree and click the Associate Component button

  2. Select the desired firewall setting(s) from the list

  3. The default behavior setting may be re-defined. However, changing the settings in a shared component will affect all other instances of this same component. Use the Show Usage command to view all other policies associated with this component.

  4. Click Save

Multiple firewall settings can be included within a single location. One is defined as the default setting, with the remaining settings available as options for the user to switch to. Having multiple settings is useful when a user normally needs certain security restrictions within a network environment and occasionally needs those restrictions either lifted or increased for a short period of time, for specific types of networking (i.e., ICMP Broadcasts).

Three firewall settings are included at installation:

  • All Adaptive - This firewall setting sets all networking ports as stateful (all unsolicited inbound network traffic is blocked; all outbound network traffic is allowed), ARP and 802.1x packets are permitted, and all network applications are permitted a network connection.

  • All Open - This firewall setting sets all networking ports as open (all network traffic is allowed), all packet types are permitted. All network applications are permitted a network connection

  • All Closed - This firewall setting closes all networking ports, and restricts all packet types.

A new location will have the single firewall setting, All Open, set as the default. To set a different firewall setting as the default, right-click the desired Firewall Setting and choose Set as Default.

6.3.8 TCP/UDP Ports

Endpoint data is primarily secured by controlling TCP/UDP port activity. This feature allows you to create a list of TCP/UDP ports which will be uniquely handled in this firewall setting. The lists contain a collection of ports and port ranges, together with their transport type, which defines the function of the range.

NOTE: This feature is only available in the ZENworks Endpoint Security Management installation, and cannot be used for UWS security policies.

To access this control, open the Locations tab, click the “+” symbol next to Firewall Settings, click the “+” symbol next to the desired Firewall, and click the TCP/UDP Ports icon in the policy tree on the left.

Figure 6-43 TCP/UDP Ports Settings

New TCP/UDP port lists can be defined with individual ports or as a range (1-100) per each line of the list.

To create a new TCP/UDP port setting:

  1. Select TCP/UDP Ports from the components tree and click the Add New button

  2. Name the port list and provide a description

  3. Select the port behavior from the drop-down list. The optional behaviors are:

    • Open - All network inbound and outbound traffic is allowed. Because all network traffic is allowed, your computer identity is visible for this port or port range.

    • Closed - All inbound and outbound network traffic is blocked. Because all network identification requests are blocked, your computer identity is concealed for this port or port range.

    • Stateful - All unsolicited inbound network traffic is blocked. All outbound network traffic is allowed over this port or port range.

  4. Enter the transport type:

    • All (all port types listed below)

    • Ether

    • IP

    • TCP

    • UDP

  5. Enter Ports and Port Ranges as either:

    • Single ports

    • A range of ports with the first port number, followed by a dash, and the last port number

      Example: 1-100 would add all ports between 1 and 100

      Please visit the Internet Assigned Numbers Authority pages for a complete Ports and transport types list.

  6. Click Save. Repeat the above steps to create a new setting

To associate an existing TCP/UDP port to this firewall setting:

  1. Select TCP/UDP Ports from the component tree and click the Associate Component button

  2. Select the desired port(s) from the list

  3. The default behavior setting may be re-defined. However, changing the settings in a shared component will affect ALL OTHER instances of this same component. Use the Show Usage command to view all other policies associated with this component.

  4. Click Save

Several TCP/UDP port groups have been bundled and are available at installation:

Name                     Description                                      Transport  Value
-----------------------  -----------------------------------------------  ---------  ---------------------
All Ports                All Ports                                        All        1-65535
BlueRidge VPN            Ports used by the BlueRidge VPN Client           UDP        820
Cisco VPN                Ports used by the Cisco VPN Client               IP         50,51
                                                                          UDP        500,4500
                                                                          UDP        1000-1200
                                                                          UDP        62514,62515,62517
                                                                          UDP        62519-62521
                                                                          UDP        62532,62524
Common Networking        Commonly required Networking Ports for           TCP        53
                         building firewalls                               UDP        53
                                                                          UDP        67,68
                                                                          TCP        546, 547
                                                                          UDP        546, 547
                                                                          TCP        647, 847
                                                                          UDP        647, 847
Database Communication   Microsoft, Oracle, Siebel, Sybase, SAP           TCP        4100
                         Database Ports                                   TCP        1521
                                                                          TCP        1433
                                                                          UDP        1444
                                                                          TCP        2320
                                                                          TCP        49998
                                                                          TCP        3200
                                                                          TCP        3600
File Transfer Protocol   File Transfer Protocol Port                      TCP/UDP    21
(FTP)
Instant Messaging        Microsoft, AOL, Yahoo Instant Messaging Ports    TCP        6891-6900
                                                                          TCP        1863,443
                                                                          UDP        1863,443
                                                                          UDP        5190
                                                                          TCP        6901
                                                                          UDP        6901
                                                                          TCP        5000-5001
                                                                          UDP        5055
                                                                          TCP        20000-20059
                                                                          UDP        4000
                                                                          TCP        4099
                                                                          TCP        5190
Internet Key Exchange    Ports used by Internet Key Exchange Compatible   UDP        500
Compatible VPN           VPN Clients
Microsoft Networking     Common File Sharing / Active Directory Ports     TCP/UDP    135-139, 445
Open Ports               Ports that are opened for this firewall          TCP/UDP    80
Streaming Media          Common Microsoft/Real Streaming Media Ports      TCP        7070, 554, 1755, 8000
Web Browsing             Common Web Browser Ports, including SSL          All        80, 443

6.3.9 Access Control Lists

There may be some addresses which require unsolicited traffic be passed regardless of the current port behavior (i.e., enterprise back-up server, exchange server, etc.). In instances where unsolicited traffic needs to be passed to and from trusted servers, an Access Control List (ACL) can be created to resolve this issue.

NOTE: This feature is only available in the ZENworks Endpoint Security Management installation, and cannot be used for UWS security policies.

To access this control, open the Locations tab, click the “+” symbol next to Firewall Settings, click the “+” symbol next to the desired Firewall, and click the Access Control Lists icon in the policy tree on the left.

Figure 6-44 Access Control Lists Settings

To create a new ACL setting:

  1. Select Access Control List from the components tree and click the Add New button

  2. Name the ACL and provide a description

  3. Enter the ACL address or Macro

  4. Enter the ACL type:

    • IP - This type limits the address to 15 characters, and only containing the numbers 0-9 and periods (example: 123.45.6.189). IP addresses may also be entered as a range (example: 123.0.0.0 - 123.0.0.255)

    • MAC - This type limits the address to 12 characters, and only containing the numbers 0-9 and the letters A-F (upper and lower case); separated by colons (example: 00:01:02:34:05:B6)

  5. Select the ACL Behavior drop-down box and determine whether the ACLs listed should be Trusted (allow it always even if all TCP/UDP ports are closed) or Non-Trusted (block access)

  6. If Trusted, select the Optional Trusted Ports (TCP/UDP) this ACL will use. These ports will permit all ACL traffic, while other TCP/UDP ports will maintain their current settings. Selecting <None> means any port may be used by this ACL

  7. Click Save. Repeat the above steps to create a new setting

To associate an existing ACL/Macro to this firewall setting:

  1. Select Access Control List from the component tree and click the Associate Component button

  2. Select the ACL(s)/Macro(s) from the list

  3. The ACL behavior settings may be re-defined. However, changing the settings in a shared component will affect ALL OTHER instances of this same component. Use the Show Usage command to view all other policies associated with this component.

  4. Click Save

Network Address Macros List

The following is a list of special Access Control macros. These can be associated individually as part of an ACL in a firewall setting.

Table 6-1 Network Address Macros

Macro / Description

[Arp]
    Allow ARP (Address Resolution Protocol) packets. The term Address Resolution refers to the process of finding an address of a computer in a network. The address is resolved using a protocol in which a piece of information is sent by a client process executing on the local computer to a server process executing on a remote computer. The information received by the server allows the server to uniquely identify the network system for which the address was required and therefore to provide the required address. The address resolution procedure is completed when the client receives a response from the server containing the required address.

[Icmp]
    Allow ICMP (Internet Control Message Protocol) packets. ICMPs are used by routers, intermediary devices, or hosts to communicate updates or error information to other routers, intermediary devices, or hosts. ICMP messages are sent in several situations: for example, when a datagram cannot reach its destination, when the gateway does not have the buffering capacity to forward a datagram, and when the gateway can direct the host to send traffic on a shorter route.

[IpMulticast]
    Allow IP Multicast packets. Multicast is a bandwidth-conserving technology that reduces traffic by simultaneously delivering a single stream of information to thousands of corporate recipients and homes. Applications that take advantage of multicast include videoconferencing, corporate communications, distance learning, and distribution of software, stock quotes, and news. Multicast packets may be distributed using either IP or Ethernet addresses.

[EthernetMulticast]
    Allow Ethernet Multicast packets.

[IpSubnetBrdcast]
    Allow Subnet Broadcast packets. Subnet broadcasts are used to send packets to all hosts of a subnetted, supernetted, or otherwise nonclassful network. All hosts of a nonclassful network listen for and process packets addressed to the subnet broadcast address.

[Snap]
    Allow SNAP encoded packets.

[LLC]
    Allow LLC encoded packets.

[Allow8021X]
    Allow 802.1x packets. To overcome deficiencies in Wired Equivalent Privacy (WEP) keys, Microsoft and other companies are utilizing 802.1x as an alternative authentication method. 802.1x is a port-based network access control which uses Extensible Authentication Protocol (EAP) or certificates. Currently, most major wireless card vendors and many access point vendors support 802.1x. This setting also allows Lightweight Extensible Authentication Protocol (LEAP) and Wi-Fi Protected Access (WPA) authentication packets.

[Gateway]
    Represents the current IP configuration Default Gateway address. When this value is entered, the Endpoint Security Client allows all network traffic from the current IP configuration Default Gateway as a trusted ACL.

[GatewayAll]
    Same as [Gateway] but for ALL defined gateways.

[Wins]
    Represents the current client IP configuration Default WINS Server address. When this value is entered, the Endpoint Security Client allows all network traffic from the current IP configuration Default WINS server as a trusted ACL.

[WinsAll]
    Same as [Wins] but for ALL defined WINS servers.

[Dns]
    Represents the current client IP configuration Default DNS server address. When this value is entered, the Endpoint Security Client allows all network traffic from the current IP configuration Default DNS server as a trusted ACL.

[DnsAll]
    Same as [Dns] but for ALL defined DNS servers.

[Dhcp]
    Represents the current client IP configuration Default DHCP server address. When this value is entered, the Endpoint Security Client allows all network traffic from the current IP configuration Default DHCP server as a trusted ACL.

[DhcpAll]
    Same as [Dhcp] but for ALL defined DHCP servers.
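The following Python model is an added example, not product code, of how the pieces described in 6.3.7 through 6.3.9 combine for a single packet: a port list overrides the default TCP/UDP behavior, Open/Closed/Stateful decide as described under TCP/UDP Ports, a Trusted ACL passes traffic regardless of port behavior (optionally only on its trusted ports), a Non-Trusted ACL blocks it, and the [Gateway]/[Dns]/[Dhcp]/[Wins] macros resolve against the current IP configuration. Two points the guide does not state are assumed: when port lists overlap, the first list containing the port wins, and the "default" server for a non-All macro is the first one listed in the IP configuration. All class and function names, the sample IP configuration, and the [Gateway] ACL are constructed for the example; the port lists and default behavior are the ones from the Firewall Settings example above.

```python
from dataclasses import dataclass, field

OPEN, CLOSED, STATEFUL = "Open", "Closed", "Stateful"

def parse_ports(spec):
    """Parse the guide's port syntax ('7070, 554, 1755' or '1-100') into a set."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
        else:
            lo = hi = int(item)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError("bad port entry: %r" % item)
        ports.update(range(lo, hi + 1))
    return ports

@dataclass
class IpConfig:
    gateways: list    # current client IP configuration the macros resolve against
    dns: list
    dhcp: list
    wins: list

# Macro -> (IpConfig attribute, expand to ALL entries instead of only the default)
MACROS = {
    "[Gateway]": ("gateways", False), "[GatewayAll]": ("gateways", True),
    "[Dns]": ("dns", False), "[DnsAll]": ("dns", True),
    "[Dhcp]": ("dhcp", False), "[DhcpAll]": ("dhcp", True),
    "[Wins]": ("wins", False), "[WinsAll]": ("wins", True),
}

def resolve_address(entry, ipcfg):
    """Expand a macro to concrete addresses; a plain IP resolves to itself.
    The 'default' server is taken to be the first one listed (assumption)."""
    if entry in MACROS:
        attr, expand_all = MACROS[entry]
        addrs = getattr(ipcfg, attr)
        return set(addrs if expand_all else addrs[:1])
    return {entry}

@dataclass
class PortList:
    name: str
    ports: set
    behavior: str                  # OPEN, CLOSED or STATEFUL

@dataclass
class Acl:
    address: str                   # IP address or a macro such as "[Gateway]"
    trusted: bool = True           # Trusted (pass always) or Non-Trusted (block)
    trusted_ports: set = field(default_factory=set)   # empty == <None>: any port

@dataclass
class FirewallSetting:
    default_behavior: str
    port_lists: list
    acls: list

    def port_behavior(self, port):
        """A port list that contains the port overrides the default behavior."""
        for pl in self.port_lists:
            if port in pl.ports:
                return pl.behavior
        return self.default_behavior

    def decide(self, peer, port, inbound, solicited, ipcfg):
        """Return (allowed, reason) for one TCP/UDP packet to or from peer."""
        for acl in self.acls:              # ACL entries win over port behavior
            if peer in resolve_address(acl.address, ipcfg):
                if not acl.trusted:
                    return False, "non-trusted ACL %s" % acl.address
                if not acl.trusted_ports or port in acl.trusted_ports:
                    return True, "trusted ACL %s" % acl.address
        behavior = self.port_behavior(port)
        if behavior == OPEN:
            return True, "port open"
        if behavior == CLOSED:
            return False, "port closed"
        if inbound and not solicited:      # STATEFUL blocks only unsolicited inbound
            return False, "unsolicited inbound on stateful port"
        return True, "stateful port, solicited or outbound"

def page_example():
    """The guide's example setting (Stateful default, Streaming Media closed, Web
    Browsing open) plus a constructed [Gateway] ACL trusted on port 445 only."""
    fw = FirewallSetting(STATEFUL, [
        PortList("Streaming Media", parse_ports("7070, 554, 1755, 8000"), CLOSED),
        PortList("Web Browsing", parse_ports("80, 443"), OPEN),
    ], [Acl("[Gateway]", True, parse_ports("445"))])
    ipcfg = IpConfig(["10.0.0.1"], ["10.0.0.53", "10.0.1.53"], [], [])   # constructed
    return fw, ipcfg
```

Calling page_example() and then fw.decide(peer, port, inbound, solicited, cfg) reproduces the outcomes the Firewall Settings example describes: an inbound packet on 7070 is blocked even when solicited, port 80 accepts unsolicited inbound traffic, port 22 accepts only outbound or solicited traffic, and the gateway reaches port 445 through the trusted ACL while its traffic to port 22 still falls back to the Stateful default.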

6.3.10 Application Controls

This feature allows the administrator to block applications either from gaining network access, or from simply executing at all.

NOTE: This feature is only available in the ZENworks Endpoint Security Management installation, and cannot be used for UWS security policies.

To access this control, open the Locations tab, click the “+” symbol next to Firewall Settings, click the “+” symbol next to the desired Firewall, and click the Applications Controls icon in the policy tree on the left.

Figure 6-45 Application Control Settings

To create a new application control setting:

  1. Select Application Controls in the components tree and click the Add New button

  2. Name the application control list and provide a description

  3. Select an execution behavior. This behavior will be applied to all applications listed. If multiple behaviors are required (example: some networking applications are denied network access, while all file sharing applications are denied execution), multiple application controls will need to be defined. Select one of the following:

    • All Allowed - all applications listed will be permitted to execute and have network access

    • No Execution - all applications listed will not be permitted to execute

    • No Network Access - all applications listed will be denied network access. Applications (such as web-browsers) launched from an application will also be denied network access

    NOTE: Blocking network access for an application does not affect saving files to mapped network drives. Users will be permitted to save to all network drives available to them.

  4. Enter each application to block. One application must be entered per row

    WARNING: Blocking execution of critical applications could have an adverse effect on system operation. Blocked Microsoft Office applications will attempt to run their installation program.

  5. Click Save. Repeat the above steps to create a new setting

To associate an existing application control list to this firewall setting:

  1. Select Application Controls in the components tree and click the Associate Component button

  2. Select an application set from the list

  3. The applications and the level of restriction may be re-defined

    NOTE: Changing the settings in a shared component will affect ALL OTHER instances of this same component. Use the Show Usage command to view all other policies associated with this component.

  4. Click Save

The available application controls are identified below; the default execution behavior for each is No Network Access:

Table 6-2 Application Controls

Name                 Applications
-------------------  -----------------------------------------------------------------------------------------
Web Browsers         explore.exe; netscape.exe; netscp.exe
Instant Messaging    aim.exe; icq.exe; msmsgs.exe; msnmsgr.exe; trillian.exe; ypager.exe
File Sharing         blubster.exe; grokster.exe; imesh.exe; kazaa.exe; morpheus.exe; napster.exe; winmx.exe
Internet Media       mplayer2.exe; wmplayer.exe; naplayer.exe; realplay.exe; spinner.exe; QuickTimePlayer.exe

If the same application is added to two different application controls in the same firewall setting (i.e., kazaa.exe is blocked from executing in one application control, and blocked from gaining network access in another application control defined under the same firewall setting), the most stringent control for the given executable will be applied (i.e., kazaa would be blocked from executing).
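An added example (not product code) of the precedence rule just stated and of the note in step 3 that applications launched from a network-blocked application are also denied network access. The stringency order All Allowed < No Network Access < No Execution follows the text; matching executables by lower-cased image name, the inheritance of the verdict along the parent-process chain, and the constructed "P2P lockdown" control are assumptions of the example. The two bundled sets are taken from Table 6-2.

```python
from dataclasses import dataclass

ALL_ALLOWED, NO_NETWORK, NO_EXECUTION = "All Allowed", "No Network Access", "No Execution"
STRINGENCY = {ALL_ALLOWED: 0, NO_NETWORK: 1, NO_EXECUTION: 2}   # higher wins

@dataclass
class ApplicationControl:
    name: str
    behavior: str        # one of the three behaviors above, applied to every listed app
    applications: list   # executable image names

def effective_behavior(controls, image):
    """Most stringent behavior across every control that names this executable,
    or None when no control lists it. Image names compare case-insensitively
    (assumption; Windows file names are case-insensitive)."""
    image = image.lower()
    hits = [c.behavior for c in controls if image in (a.lower() for a in c.applications)]
    return max(hits, key=STRINGENCY.__getitem__) if hits else None

def may_execute(controls, image):
    return effective_behavior(controls, image) != NO_EXECUTION

def may_use_network(controls, process_chain):
    """process_chain: image names from the root ancestor down to the process
    requesting a socket. A denial on any ancestor is inherited by its children,
    matching the note that apps launched from a blocked app lose network access."""
    for image in process_chain:
        if effective_behavior(controls, image) in (NO_NETWORK, NO_EXECUTION):
            return False
    return True

def page_controls():
    """Two Table 6-2 sets at their default behavior plus a constructed control
    that reproduces the kazaa.exe conflict described in the text."""
    return [
        ApplicationControl("File Sharing", NO_NETWORK,
                           ["blubster.exe", "grokster.exe", "imesh.exe", "kazaa.exe",
                            "morpheus.exe", "napster.exe", "winmx.exe"]),
        ApplicationControl("Web Browsers", NO_NETWORK,
                           ["explore.exe", "netscape.exe", "netscp.exe"]),
        ApplicationControl("P2P lockdown", NO_EXECUTION, ["kazaa.exe"]),  # constructed
    ]
```

With these controls, kazaa.exe resolves to No Execution because that is the stricter of its two listings, winmx.exe may run but gets no socket, and a process launched by winmx.exe is refused network access even though nothing lists it by name.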

6.3.11 Rule Scripting Parameters

ZENworks Endpoint Security Management supports the standard JScript and VBScript coding methods, with the following exceptions:

  1. WScript.Echo - Not supported (return values cannot be displayed back to a parent window, since no parent window is available). Use the Action.Message ZENworks Endpoint Security Management API instead.

  2. Access to Shell Objects - Use the following modified nomenclature/call:

    [JScript]
       Use:
       var WshShell = new ActiveXObject("WScript.Shell");
       Instead of:
       var WshShell = WScript.CreateObject("WScript.Shell");

    [VBScript]
       Use:
       Dim WshShell
       Set WshShell = CreateObject("WScript.Shell")
       Instead of:
       Dim WshShell
       Set WshShell = WScript.CreateObject("WScript.Shell")

  3. All scripts are executed in the "system context" unless the following comment is added to the top of the script:

    [JScript]
    //@ImpersonateLoggedOnUser
    [VBScript]
    '@ImpersonateLoggedOnUser

Rule Scripting

A rule consists of two parts. The first part is the Trigger Events, which determine when to execute the rule. The second part is the scripting code, which contains the logic of the rule. The Endpoint Security Client provides three namespaces and five interfaces for the script, which allow the script to control or access the client.

The namespaces are as follows:

  1. Query. This namespace provides methods to get the current state of the client. For example, information about the adapters, shield states and location.

  2. Action. This namespace provides methods that get the client to do something. For example, a call that puts the client into a quarantined shield state.

  3. Storage. This namespace provides a mechanism for the script to store variables for the session or permanently. These could be used to tell the script if the rule had failed the last time it was run. It could be used to store when this rule last ran.

The interfaces are as follows:

  1. IClientAdapter. This interface describes an adapter in the client network environment.

  2. IClientEnvData. This interface returns environment data about a Server or Wireless Access Point.

  3. IClientNetEnv. Provides Network Environment Information.

  4. IClientWAP. Provides information about a Wireless Access Point.

  5. IClientAdapterList. A list of adapters in the client network environment.

Trigger Events

Triggers are events that cause the Endpoint Security Client to determine when and if a rule should be executed. These events can either be internal to the client or some external event monitored by the client.

  • AdapterArrival

    Desc: Adapter arrival has occurred.

    Parameters: None.

  • AdapterRemoval

    Desc: Adapter has been removed.

    Parameters: None.

  • DownloadFailed

    Desc: This event is triggered in response to Action.DownloadAsync if the file was not successfully downloaded.

    Parameters: None.

  • DownloadSuccess

    Desc: This event is triggered in response to Action.DownloadAsync if the file was successfully downloaded

    Parameters: None.

  • LocationChange

    Desc: Run the rule when entering or leaving a particular location or all locations.

    Parameters:
      OldLocation (opt): Uuid of a Location
      NewLocation (opt): Uuid of a Location
      ManualChange (opt): (true/false). User manually changed location.

  • MediaConnect

    Desc: Adapter has connection.

    Parameters: None.

  • MediaDisconnect

    Desc: Adapter has lost its connection.

    Parameters: None.

  • PolicyUpdated

    Desc: Called when client is first started and whenever a new policy is applied.

    Parameters: None.

  • ProcessChange

    Desc: Trigger whenever a process is created or deleted.

    Parameters: None.

  • Startup

    Desc: Run the rule when the engine is started.

    Parameters: None.

  • TimeOfDay

    Desc: Run the rule at a particular time or times of day. Or at least once a day. This will store the last time this was triggered.

    Parameters:
      Time: HH:MM (Example: 04:00,15:10). Military time. Lowest to highest. Max=5.
      Days: (Sun,Mon,Tue,Wed,Thu,Fri,Sat) One or more. Comma separated.
      Type: (Local/UTC).

  • Timer

    Desc: Run the rule every n milliseconds.

    Parameters:
      Interval: Number of milliseconds

  • UserChangeShield

    Desc: The user has manually changed the shield state.

    Parameters: None.

  • WithinTime

    Desc: Run the rule every n minutes starting from the last time the rule was executed. If the computer has been turned off, the rule is executed if the specified time has passed since the last time it was executed.

    Parameters:
      WithinMinutes: Number of seconds

Script Namespaces


General Enumerations and File Substitutions

EAccessState
    eApplyGlobalSetting = -1
    eDisableAccess = 0
    eAllowAccess = 1

EAdapterType
    eWIRED
    eWIRELESS
    eDIALUPCONN

EComparison
    eEQUAL
    eLESS
    eGREATER
    eEQUALORLESS
    eEQUALORGREATER

ESTDisplayMsg
    eONLYONCE
    eEVERYTIME
    eSECONDS
    eNOMSG

EHardwareDeviceController
    eIrDA = 0
    e1394
    eBlueTooth
    eSerialPort
    eParrallelPort

ELogLevel
    eALARM
    eWARN
    eINFO

EMATCHTYPE
    eUNDEFINED
    eLOCALIP
    eGATEWAY
    eDNS
    eDHCP
    eWINS
    eWAP
    eDIALUP
    eUNKNOWN
    eDOMAIN
    eRULE
    eUSERSELECTED

EMinimumWiFiSecurityState
    eNoEncryptionRequired = 0
    eWEP64
    eWEP128
    eWPA

ERegKey
    eCLASSES_ROOT
    eCURRENT_USER
    eLOCAL_MACHINE
    eUSERS
    eCURRENT_CONFIG

ERegType
    eSTRING
    eDWORD
    eBINARY
    eMULTI_SZ
    eEXPAND_SZ

EServiceState
    eRUN
    eSTOP
    ePAUSE
    ePENDING
    eNOTREG

EVariableScope
    ePolicyChange = 0     // reset on a policy update
    eLocationChange = 1   // reset on a location change

TRIGGEREVENT
    eTIMER
    eSTARTUP
    eLOCATIONCHANGE
    eTIMEOFDAY
    eADAPTERARRIVAL
    eADAPTERREMOVAL
    eMEDIACONNECT
    eMEDIADISCONNECT
    ePOLICYUPDATED
    eUSERCHANGEDSHIELD
    ePROCESSCHANGE
    eWITHINTIME
    eRUNNOW
    eDOWNLOADFAILED
    eDOWNLOADSUCCESS

Table 6-3 Shell Folder Names

Name                   Expands to
%windows%              C:\Windows
%system%               %windows%\System32
%startup%              %programs%\Startup
%startmenu%            %profile%\Start Menu
%programs%             %startmenu%\Programs
%commonprogramfiles%   %programfiles%\Common
%programfiles%         C:\Program Files
%profile%              C:\Documents and Settings\username
%localappdata%         %profile%\Local Settings\Application Data
%appdata%              %profile%\Application Data
%commonappdata%        C:\Documents and Settings\All Users\Application Data
%commonprograms%       C:\Documents and Settings\All Users\Start Menu\Programs
%cookie%               %profile%\Cookies
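Several entries in Table 6-3 are defined in terms of other entries: %startup% resolves through %programs%, %startmenu% and %profile% before reaching a concrete path. The following JavaScript is an added example and is not code from the ZENworks documentation or product. It expands a path containing these names by resolving the chain recursively, leaves names that are not in the table untouched, and rejects a table whose definitions loop. The names and expansions are copied from the table (including the literal "username" placeholder); the function name, the case-insensitive matching and the handling of unknown or cyclic names are this example's own assumptions.

```javascript
// Added example, not from the ZENworks documentation: expand the shell
// folder names of Table 6-3 by following each definition to a concrete path.
// Table contents are from the page; the algorithm is this example's own.

const SHELL_FOLDERS = {
  "%windows%": "C:\\Windows",
  "%system%": "%windows%\\System32",
  "%startup%": "%programs%\\Startup",
  "%startmenu%": "%profile%\\Start Menu",
  "%programs%": "%startmenu%\\Programs",
  "%commonprogramfiles%": "%programfiles%\\Common",
  "%programfiles%": "C:\\Program Files",
  "%profile%": "C:\\Documents and Settings\\username", // "username" as in the table
  "%localappdata%": "%profile%\\Local Settings\\Application Data",
  "%appdata%": "%profile%\\Application Data",
  "%commonappdata%": "C:\\Documents and Settings\\All Users\\Application Data",
  "%commonprograms%": "C:\\Documents and Settings\\All Users\\Start Menu\\Programs",
  "%cookie%": "%profile%\\Cookies",
};

// Replace every %name% token in `path` with its fully expanded value.
// `seen` holds the names on the current expansion chain so that a table
// with a circular definition raises an error instead of recursing forever.
function expandShellFolders(path, table = SHELL_FOLDERS, seen = new Set()) {
  return path.replace(/%[a-z]+%/gi, (token) => {
    const key = token.toLowerCase();
    if (!Object.prototype.hasOwnProperty.call(table, key)) {
      return token; // unknown name: left exactly as written
    }
    if (seen.has(key)) {
      throw new Error(`cyclic shell folder definition: ${key}`);
    }
    const chain = new Set(seen);
    chain.add(key);
    return expandShellFolders(table[key], table, chain);
  });
}

// Constructed sample: the deepest chain in the table.
const sampleExpansion = expandShellFolders("%startup%\\agent.lnk");
```

Unknown names are deliberately left in place rather than dropped, so that a typo in a policy script (for example "%profiles%") stays visible in the resulting path instead of silently producing a different location.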

Action Namespace

CheckForUpdate

JScript:

Action.CheckForUpdate();

VBScript:

Action.CheckForUpdate()

ClearFixedShieldState, SetShieldStateByName, Trace, Sleep

NOTE:When setting the ShieldState (firewall) by name, the name specified MUST EXACTLY match the firewall specified in the policy. Three firewall settings are always available regardless of the policy ("All Closed", "All Adaptive", and "All Open").

JScript:

   Action.SetShieldStateByName("Closed",true);
   Action.Trace("Start 20 second sleep");
   Action.Sleep(20000);
   var ret = Action.ClearFixedShieldState();
   if(ret == true)
     Action.Trace("ret = true");
   else
     Action.Trace("ret = false");

VBScript:

   Action.SetShieldStateByName "Closed",true
   Action.Trace("Start 20 second sleep")
   Action.Sleep(20000)
   dim ret
   ret = Action.ClearFixedShieldState()
   if(ret = true) then
     Action.Trace("ret = true")
   else
     Action.Trace("ret = false")
   end if

ClearStamp, SwitchLocationByName, Stamp

NOTE:When setting the Location by name, the name specified MUST EXACTLY match the location specified in the policy.

JScript:

   Action.SwitchLocationByName("Base");
   Action.Stamp();
   Action.Trace("Begin 20 second sleep");
   Action.Sleep(20000);
   Action.SwitchLocationByName("Base");
   Action.ClearStamp();

VBScript:

   Action.SwitchLocationByName("Base")
   Action.Stamp()
   Action.Trace("Begin 20 second sleep")
   Action.Sleep(20000)
   Action.SwitchLocationByName("Base")
   Action.ClearStamp()

Example 6-1 Details:

Base must be the name of a valid location that can be stamped. The script switches to the location Base, stamps it, sleeps for 20 seconds, switches back to Base to make sure the client did not drift out of the location in the meantime, and then clears the stamp. This script performed all actions as expected.

CreateRegistryKey

JScript:

   var ret = Action.CreateRegistryKey(eLOCAL_MACHINE,"Software\\Novell","Tester");
   if(ret == true)
     Action.Trace("Create Key is Successful");
   else
     Action.Trace("Create Key did not work");

VBScript:

   dim ret
   ' VBScript does not process backslash escapes, so a single \ is the path separator
   ret = Action.CreateRegistryKey(eLOCAL_MACHINE,"Software\Novell","Tester")
   if(ret = true) then
     Action.Trace("Create Key is Successful")
   else
     Action.Trace("Create Key did not work")
   end if

DeleteRegistryKey

JScript:

   var ret = Action.DeleteRegistryKey(eLOCAL_MACHINE,"Software\\Novell\\Tester");
   if(ret == true)
     Action.Trace("Delete Key is Successful");
   else
     Action.Trace("Delete Key did not work");

VBScript:

   dim ret
   ' VBScript does not process backslash escapes, so a single \ is the path separator
   ret = Action.DeleteRegistryKey(eLOCAL_MACHINE,"Software\Novell\Tester")
   if(ret = true) then
     Action.Trace("Delete Key is Successful")
   else
     Action.Trace("Delete Key did not work")
   end if

DeleteRegistryValue

JScript:

   Action.DeleteRegistryValue(eLOCAL_MACHINE,"Software\\Novell\\Tester","val1");
   Action.DeleteRegistryValue(eLOCAL_MACHINE,"Software\\Novell\\Tester","val2");

VBScript:

   ' VBScript does not process backslash escapes, so a single \ is the path separator
   Action.DeleteRegistryValue eLOCAL_MACHINE,"Software\Novell\Tester","val1"
   Action.DeleteRegistryValue eLOCAL_MACHINE,"Software\Novell\Tester","val2"

DisplayMessage, DisplayMessageByName

NOTE:The first parameter of the DisplayMessage call is a unique integer identifier for each action. When calling the Message by name, the name specified MUST EXACTLY match the DisplayMessage specified in the policy.

JScript:

   Action.DisplayMessage("40","Message40", "Message Here", "question", "");
   Action.Sleep(10000);
   Action.DisplayMessageByName("Message40");

VBScript:

   Action.DisplayMessage "40","Message40", "Message Here", "question", ""
   Action.Sleep(10000)
   Action.DisplayMessageByName "Message40"

Example 6-2 Details:

This script will create a Message Box with all parameters and then wait 10 seconds (during which the tester should click Ok to end box display); then it will be displayed by the ID and wait 10 seconds (again, the tester should click Ok to end box display); and then it will display the Message Box by

EnableAdapterType

JScript:

   Action.EnableAdapterType(false, eWIRELESS);
   Action.EnableAdapterType(true, eWIRELESS);
   Action.EnableAdapterType(false, eWIRED);
   Action.EnableAdapterType(true, eWIRED);
   Action.EnableAdapterType(false, eDIALUPCONN);
   Action.EnableAdapterType(true, eDIALUPCONN);

VBScript:

   Action.EnableAdapterType false, eWIRELESS
   Action.EnableAdapterType true, eWIRELESS
   Action.EnableAdapterType false, eWIRED
   Action.EnableAdapterType true, eWIRED
   Action.EnableAdapterType false, eDIALUPCONN
   Action.EnableAdapterType true, eDIALUPCONN

Launch

NOTE:The first parameter of the Launch call is a unique integer identifier for each action.

JScript:

   // The backslash must be escaped in a JScript string literal
   Action.Launch("50","C:\\calco.exe","");

VBScript:

   Action.Launch "51","C:\calco.exe",""

LaunchAsSystem

JScript:

   // The backslash must be escaped in a JScript string literal
   Action.LaunchAsSystem("C:\\calco.exe"," sParameters ", "sWorkingDir",true);

VBScript:

   Action.LaunchAsSystem "C:\calco.exe"," sParameters"," sWorkingDir",true

LaunchAsUserWithCode

This launches in the user context and returns the exit code of the application launched.

JScript:

Action.LaunchAsUserWithCode(appToLaunch, "sParameters", "sWorkingDir", bShow, bWait, nExitCode);

VBScript:

Action.LaunchAsUserWithCode appToLaunch, "sParameters", "sWorkingDir", bShow, bWait, nExitCode

Example 6-3 Details:

Preliminary setup required creating a policy which included a new Integrity rule with a custom message. The custom message included a launch link which was added to the SCC menu bar.

LaunchLinkByName

NOTE:When setting the LaunchLink by name, the name specified MUST EXACTLY match the launch link specified in the policy.

JScript:

   Action.LaunchLinkByName("MyLink");

VBScript:

   Action.LaunchLinkByName "MyLink"

LogEvent

JScript:

   Action.LogEvent("MyEvent", eALARM, "This is a log test message");

VBScript:

   Action.LogEvent "MyEvent", eALARM, "This is a vb log test message"

Example 6-4 Details:

Pre-requisite is that logging needs to be enabled.

Message

Asynchronous Message (displayed and script continues):

JScript:

Action.Message("Display sync message");

VBScript:

Action.Message "Display sync message"

Synchronous Message (displayed, and the script waits for the user to respond before continuing):

NOTE:nTimeoutSeconds values of -1 or 0 will NEVER time out

nMessageType (buttons shown):

  1. Ok/Cancel

  2. Abort/Retry/Ignore

  3. Yes/No/Cancel

Currently, the value indicating which of these buttons the user pressed is NOT returned, so the call is NOT useful for conditional logic.

JScript:

Action.Message("Message Title Bar", nMessageType, nTimeoutSeconds);

VBScript:

Action.Message "Message Title Bar", nMessageType, nTimeoutSeconds

PauseService

JScript:

Action.PauseService("lanmanworkstation");

VBScript:

Action.PauseService "lanmanworkstation"

Example 6-5 Details:

Make sure you use the actual service name, not the display name.

Prompt

This API creates dialog boxes and user interfaces. It will be covered in a future revision given the complexity and need for examples.

StartService

JScript:

Action.StartService("lanmanworkstation","");

VBScript:

Action.StartService "lanmanworkstation",""

Example 6-6 Details:

Make sure you use the actual service name, not the display name.

StopService

JScript:

Action.StopService("lanmanworkstation");

VBScript:

Action.StopService "lanmanworkstation"

Example 6-7 Details:

Make sure you use the actual service name, not the display name.

WriteRegistryDWORD, WriteRegistryString

JScript:

   var ret = Action.CreateRegistryKey(eLOCAL_MACHINE,"Software\\Novell","Tester");
   if(ret == true)
     Action.Trace("Create Key is Successful");
   else
     Action.Trace("Create Key did not work");
   Action.WriteRegistryDWORD(eLOCAL_MACHINE,"Software\\Novell\\Tester","val1",24);
   Action.WriteRegistryString(eLOCAL_MACHINE,"Software\\Novell\\Tester","val2","Novell");

VBScript:

   dim ret
   ' VBScript does not process backslash escapes, so a single \ is the path separator
   ret = Action.CreateRegistryKey(eLOCAL_MACHINE,"Software\Novell","Tester")
   if(ret = true) then
     Action.Trace("Create Key is Successful")
   else
     Action.Trace("Create Key did not work")
   end if

   Action.WriteRegistryDWORD eLOCAL_MACHINE,"Software\Novell\Tester","val1",24
   Action.WriteRegistryString eLOCAL_MACHINE,"Software\Novell\Tester","val2","Novell"

Query Namespace

FileExistsVersion

JScript:

var ret;
// The directory "C:\" needs an escaped backslash in a JScript string literal
ret = Query.FileExistsVersion("C:\\","ocalco.exe",eEQUAL,"5","1","2600","0");
if(ret == 1)
  Action.Trace("File is Equal");
else
  Action.Trace("File is Not Equal");

VBScript:

dim ret
ret = Query.FileExistsVersion("C:\","ocalco.exe",eEQUAL,"5","1","2600","0")
if(ret = true) then
  Action.Trace("File is Equal")
else
  Action.Trace("File is Not Equal")
end if

NOTE:Not all files have file version information.

Script as above performed correctly.

GetAdapters

JScript:

var adplist;
var adplength;
var adp;

adplist = Query.GetAdapters();
adplength = adplist.Length;

Action.Trace("adplength = " + adplength);

if(adplength > 0)
{
  adp = adplist.Item(0);
  Action.Trace("DeviceID = " + adp.DeviceID);
  Action.Trace("Enabled = " + adp.Enabled);
  Action.Trace("IP = " + adp.IP);
  Action.Trace("MAC = " + adp.MAC);
  Action.Trace("MaxSpeed = " + adp.MaxSpeed);
  Action.Trace("Name = " + adp.Name);
  Action.Trace("SubNetMask = " + adp.SubNetMask);
  Action.Trace("Type = " + adp.Type);
}

VBScript:

dim adplist
dim adplength
dim adp

set adplist = Query.GetAdapters()
adplength = CInt(adplist.Length)

Action.Trace("adplength = " & adplength)

if(adplength > 0) then
  set adp = adplist.Item(0)
  Action.Trace("DeviceID = " & adp.DeviceID)
  Action.Trace("Enabled = " & adp.Enabled)
  Action.Trace("IP = " & adp.IP)
  Action.Trace("MAC = " & adp.MAC)
  Action.Trace("MaxSpeed = " & CLng(adp.MaxSpeed))
  Action.Trace("Name = " & adp.Name)
  Action.Trace("SubNetMask = " & adp.SubNetMask)
  Action.Trace("Type = " & adp.Type)
end if

Example 6-8 Details:

This script will get a list of adapters, the length of the list (number of adapters) and enumerate the properties of the first index in the list.

GetCheckinTime

JScript:

var ret;
ret = Query.GetCheckinTime();
Action.Trace("LastCheckIn = " + ret);

VBScript:

dim ret
ret = Query.GetCheckinTime()
Action.Trace("LastCheckIn = " & ret)

GetLocationMatchData, LocationMatchCount

JScript:

var envdata;
var envdatalength;

envdatalength = Query.LocationMatchCount;

Action.Trace("MatchCount = " + envdatalength);

if(envdatalength > 0)
{
  envdata = Query.GetLocationMatchData(0);
  Action.Trace("IP = " + envdata.IP);
  Action.Trace("MAC = " + envdata.MAC);
  Action.Trace("SSID = " + envdata.SSID);
  Action.Trace("Type = " + envdata.Type);
}

VBScript:

dim envdata
dim envdatalength

envdatalength = Query.LocationMatchCount

Action.Trace("MatchCount = " & envdatalength)

if(envdatalength > 0) then
  set envdata = Query.GetLocationMatchData(0)
  Action.Trace("IP = " & envdata.IP)
  Action.Trace("MAC = " & envdata.MAC)
  Action.Trace("SSID = " & envdata.SSID)
  Action.Trace("Type = " & envdata.Type)
end if

Example 6-9 Details:

This script requires an environment to be defined for a location in the policy in order to provide useful data. This script will then get the Location Match Count and if it is greater than 0, then it will enumerate the attributes for the first Location Match Data.

IsAdapterTypeConnected

JScript:

var ret;
ret = Query.IsAdapterTypeConnected(eWIRED);
Action.Trace("IsWiredConnected = " + ret);
ret = Query.IsAdapterTypeConnected(eWIRELESS);
Action.Trace("IsWirelessConnected = " + ret);
ret = Query.IsAdapterTypeConnected(eDIALUPCONN);
Action.Trace("IsModemConnected = " + ret);

VBScript:

dim ret
ret = Query.IsAdapterTypeConnected(eWIRED)
Action.Trace("IsWiredConnected = " & ret)
ret = Query.IsAdapterTypeConnected(eWIRELESS)
Action.Trace("IsWirelessConnected = " & ret)
ret = Query.IsAdapterTypeConnected(eDIALUPCONN)
Action.Trace("IsModemConnected = " & ret)

IsAuthenticated

JScript:

var ret = Query.IsAuthenticated();
Action.Trace("Is authenticated = " + ret);

VBScript:

dim ret
ret = Query.IsAuthenticated()
Action.Trace("Is authenticated = " & ret)

IsWindowsXP

JScript:

var ret = Query.IsWindowsXP();
Action.Trace("Is XP = " + ret);

VBScript:

dim ret
ret = Query.IsWindowsXP()
Action.Trace("Is XP = " & ret)

IsWindows2000

JScript:

var ret = Query.IsWindows2000();
Action.Trace("Is Win2000 = " + ret);

VBScript:

dim ret
ret = Query.IsWindows2000()
Action.Trace("Is Win2000 = " & ret)

ProcessIsRunning

JScript:

var ret = Query.ProcessIsRunning("STEngine.exe",eEQUAL,"","","","");
Action.Trace("Is Running = " + ret);

VBScript:

dim ret
ret = Query.ProcessIsRunning("STEngine.exe",eEQUAL,"","","","")
Action.Trace("Is Running = " & ret)

RegistryKeyExists

JScript:

var ret;
ret = Query.RegistryKeyExists(eLOCAL_MACHINE,"Software\\Novell");
Action.Trace("Reg Key Exists = " + ret);

VBScript:

dim ret
' VBScript does not process backslash escapes, so a single \ is the path separator
ret = Query.RegistryKeyExists(eLOCAL_MACHINE,"Software\Novell")
Action.Trace("Reg Key Exists = " & ret)

RegistryValueDWORD

JScript:

      var ret;
      ret = Query.RegistryKeyExists(eLOCAL_MACHINE,"Software\\Novell\\Logging");
      Action.Trace("Reg Key Exists = " + ret);

      ret = Query.RegistryValueDWORD(eLOCAL_MACHINE,"Software\\Novell\\Logging","Enabled");
      Action.Trace("Reg Value = " + ret);

VBScript:

      dim ret
      ret = Query.RegistryKeyExists(eLOCAL_MACHINE,"Software\Novell\Logging")
      Action.Trace("Reg Key Exists = " & ret)

      ret = Query.RegistryValueDWORD(eLOCAL_MACHINE,"Software\Novell\Logging","Enabled")
      Action.Trace("Reg Value = " & CLng(ret))

RegistryValueExists

JScript:

        var ret;
        ret = Query.RegistryKeyExists(eLOCAL_MACHINE,"Software\\Novell\\Logging");
        Action.Trace("Reg Key Exists = " + ret);

        ret = Query.RegistryValueExists(eLOCAL_MACHINE,"Software\\Novell\\Logging","Enabled",eDWORD);
        Action.Trace("Reg Value Exists = " + ret);

VBScript:

        dim ret
        ' VBScript does not process backslash escapes, so a single \ is the path separator
        ret = Query.RegistryKeyExists(eLOCAL_MACHINE,"Software\Novell\Logging")
        Action.Trace("Reg Key Exists = " & ret)

        ret = Query.RegistryValueExists(eLOCAL_MACHINE,"Software\Novell\Logging","Enabled",eDWORD)
        Action.Trace("Reg Value Exists = " & ret)

RegistryValueString

JScript:

var ret;
ret = Query.RegistryKeyExists(eLOCAL_MACHINE,"Software\\Novell\\Logging");
Action.Trace("Reg Key Exists = " + ret);

ret = Query.RegistryValueString(eLOCAL_MACHINE,"Software\\Novell\\Logging","test");
Action.Trace("Reg Value Is = " + ret);

VBScript:

dim ret
' VBScript does not process backslash escapes, so a single \ is the path separator
ret = Query.RegistryKeyExists(eLOCAL_MACHINE,"Software\Novell\Logging")
Action.Trace("Reg Key Exists = " & ret)

ret = Query.RegistryValueString(eLOCAL_MACHINE,"Software\Novell\Logging","test")
Action.Trace("Reg Value Is = " & ret)

LocationName, LocationUuid, MaxConnectionSpeed, OSServicePack, PolicyName, PolicyTime, PolicyUuid, LocationIsStamped, TriggerEvent, TriggerEventData1

JScript:

var ret;
ret = Query.LocationName;
Action.Trace("Location Name = " + ret);
ret = Query.LocationUuid;
Action.Trace("Location Uuid = " + ret);
ret = Query.MaxConnectionSpeed;
Action.Trace("MaxConnectionSpeed = " + ret);
ret = Query.OSServicePack;
Action.Trace("OSServicePack = " + ret);
ret = Query.PolicyName;
Action.Trace("PolicyName = " + ret);
ret = Query.PolicyTime;
Action.Trace("PolicyTime = " + ret);
ret = Query.PolicyUuid;
Action.Trace("PolicyUuid = " + ret);
ret = Query.LocationIsStamped;
Action.Trace("LocationIsStamped = " + ret);
ret = Query.TriggerEvent;
Action.Trace("TriggerEvent = " + ret);
ret = Query.TriggerEventParameter;
Action.Trace("TriggerEventParameter = " + ret);

VBScript:

dim ret
ret = Query.LocationName
Action.Trace("Location Name = " & ret)
ret = Query.LocationUuid
Action.Trace("Location Uuid = " & ret)
ret = Query.MaxConnectionSpeed
Action.Trace("MaxConnectionSpeed = " & CLng(ret))
ret = Query.OSServicePack
Action.Trace("OSServicePack = " & ret)
ret = Query.PolicyName
Action.Trace("PolicyName = " & ret)
ret = Query.PolicyTime
Action.Trace("PolicyTime = " & ret)
ret = Query.PolicyUuid
Action.Trace("PolicyUuid = " & ret)
ret = Query.LocationIsStamped
Action.Trace("LocationIsStamped = " & ret)
ret = Query.TriggerEvent
Action.Trace("TriggerEvent = " & ret)
ret = Query.TriggerEventParameter
Action.Trace("TriggerEventParameter = " & ret)

RemovableMediaState, CDMediaState, HDCState, WiFiDisabledState, WiFiDisabledWhenWiredState, AdHocDisabledState, AdapterBridgeDisabledState, MinimumWiFiSecurityState, DialupDisabledState

JScript:

var ret;

// The reference defines no eGlobalSetting; eApplyGlobalSetting (-1, "apply
// the global setting") is assumed to be the intended value throughout.
Action.Trace("Reset Policy Change");
ret = Action.RemovableMediaState(-1, ePolicyChange);
Action.Trace("RemovableMediaState = " + ret);
ret = Action.CDMediaState(-1, ePolicyChange);
Action.Trace("CDMediaState = " + ret);
ret = Action.HDCState(eApplyGlobalSetting, eIrDA, ePolicyChange);
Action.Trace("\nHDCState(eApplyGlobalSetting, eIrDA) = " + ret);
ret = Action.HDCState(eApplyGlobalSetting, e1394, ePolicyChange);
Action.Trace("HDCState(eApplyGlobalSetting, e1394) = " + ret);
ret = Action.HDCState(eApplyGlobalSetting, eBlueTooth, ePolicyChange);
Action.Trace("HDCState(eApplyGlobalSetting, eBlueTooth) = " + ret);
ret = Action.HDCState(eApplyGlobalSetting, eSerialPort, ePolicyChange);
Action.Trace("HDCState(eApplyGlobalSetting, eSerialPort) = " + ret);
ret = Action.HDCState(eApplyGlobalSetting, eParrallelPort, ePolicyChange);
Action.Trace("HDCState(eApplyGlobalSetting, eParrallelPort) = " + ret);
ret = Action.WiFiDisabledState(eApplyGlobalSetting, ePolicyChange);
Action.Trace("\nWiFiDisabledState = " + ret);
ret = Action.WiFiDisabledWhenWiredState(eApplyGlobalSetting, ePolicyChange);
Action.Trace("WiFiDisabledWhenWiredState = " + ret);
ret = Action.AdHocDisabledState(eApplyGlobalSetting, ePolicyChange);
Action.Trace("AdHocDisabledState = " + ret);
ret = Action.AdapterBridgeDisabledState(eApplyGlobalSetting, ePolicyChange);
Action.Trace("AdapterBridgeDisabledState = " + ret);
ret = Action.MinimumWiFiSecurityState(eApplyGlobalSetting, ePolicyChange);
Action.Trace("MinimumWiFiSecurityState = " + ret);
ret = Action.WiredDisabledState(eApplyGlobalSetting, ePolicyChange);
Action.Trace("WiredDisabledState = " + ret);
ret = Action.DialupDisabledState(eApplyGlobalSetting, ePolicyChange);
Action.Trace("DialupDisabledState = " + ret);

Action.Trace("Reset Location Change state");
ret = Action.RemovableMediaState(-1, eLocationChange);
Action.Trace("RemovableMediaState = " + ret);
ret = Action.CDMediaState(-1, eLocationChange);
Action.Trace("CDMediaState = " + ret);
ret = Action.HDCState(eApplyGlobalSetting, eIrDA, eLocationChange);
Action.Trace("\nHDCState(eApplyGlobalSetting, eIrDA) = " + ret);
ret = Action.HDCState(eApplyGlobalSetting, e1394, eLocationChange);
Action.Trace("HDCState(eApplyGlobalSetting, e1394) = " + ret);
ret = Action.HDCState(eApplyGlobalSetting, eBlueTooth, eLocationChange);
Action.Trace("HDCState(eApplyGlobalSetting, eBlueTooth) = " + ret);
ret = Action.HDCState(eApplyGlobalSetting, eSerialPort, eLocationChange);
Action.Trace("HDCState(eApplyGlobalSetting, eSerialPort) = " + ret);
ret = Action.HDCState(eApplyGlobalSetting, eParrallelPort, eLocationChange);
Action.Trace("HDCState(eApplyGlobalSetting, eParrallelPort) = " + ret);
ret = Action.WiFiDisabledState(eApplyGlobalSetting, eLocationChange);
Action.Trace("\nWiFiDisabledState = " + ret);
ret = Action.WiFiDisabledWhenWiredState(eApplyGlobalSetting, eLocationChange);
Action.Trace("WiFiDisabledWhenWiredState = " + ret);
ret = Action.AdHocDisabledState(eApplyGlobalSetting, eLocationChange);
Action.Trace("AdHocDisabledState = " + ret);
ret = Action.AdapterBridgeDisabledState(eApplyGlobalSetting, eLocationChange);
Action.Trace("AdapterBridgeDisabledState = " + ret);
ret = Action.MinimumWiFiSecurityState(eApplyGlobalSetting, eLocationChange);
Action.Trace("MinimumWiFiSecurityState = " + ret);
ret = Action.WiredDisabledState(eApplyGlobalSetting, eLocationChange);
Action.Trace("WiredDisabledState = " + ret);
ret = Action.DialupDisabledState(eApplyGlobalSetting, eLocationChange);
Action.Trace("DialupDisabledState = " + ret);

VBScript:

dim ret

' The reference defines no eGlobalSetting; eApplyGlobalSetting (-1, "apply
' the global setting") is assumed to be the intended value throughout.
' VBScript has no "\n" escape, so vbLf is used where the JScript used "\n".
Action.Trace("Reset Policy Change")
ret = Action.RemovableMediaState(-1, ePolicyChange)
Action.Trace("RemovableMediaState = " & ret)
ret = Action.CDMediaState(-1, ePolicyChange)
Action.Trace("CDMediaState = " & ret)
ret = Action.HDCState(eApplyGlobalSetting, eIrDA, ePolicyChange)
Action.Trace(vbLf & "HDCState(eApplyGlobalSetting, eIrDA) = " & ret)
ret = Action.HDCState(eApplyGlobalSetting, e1394, ePolicyChange)
Action.Trace("HDCState(eApplyGlobalSetting, e1394) = " & ret)
ret = Action.HDCState(eApplyGlobalSetting, eBlueTooth, ePolicyChange)
Action.Trace("HDCState(eApplyGlobalSetting, eBlueTooth) = " & ret)
ret = Action.HDCState(eApplyGlobalSetting, eSerialPort, ePolicyChange)
Action.Trace("HDCState(eApplyGlobalSetting, eSerialPort) = " & ret)
ret = Action.HDCState(eApplyGlobalSetting, eParrallelPort, ePolicyChange)
Action.Trace("HDCState(eApplyGlobalSetting, eParrallelPort) = " & ret)
ret = Action.WiFiDisabledState(eApplyGlobalSetting, ePolicyChange)
Action.Trace(vbLf & "WiFiDisabledState = " & ret)
ret = Action.WiFiDisabledWhenWiredState(eApplyGlobalSetting, ePolicyChange)
Action.Trace("WiFiDisabledWhenWiredState = " & ret)
ret = Action.AdHocDisabledState(eApplyGlobalSetting, ePolicyChange)
Action.Trace("AdHocDisabledState = " & ret)
ret = Action.AdapterBridgeDisabledState(eApplyGlobalSetting, ePolicyChange)
Action.Trace("AdapterBridgeDisabledState = " & ret)
ret = Action.MinimumWiFiSecurityState(eApplyGlobalSetting, ePolicyChange)
Action.Trace("MinimumWiFiSecurityState = " & ret)
ret = Action.WiredDisabledState(eApplyGlobalSetting, ePolicyChange)
Action.Trace("WiredDisabledState = " & ret)
ret = Action.DialupDisabledState(eApplyGlobalSetting, ePolicyChange)
Action.Trace("DialupDisabledState = " & ret)

Action.Trace("Reset Location Change state")
ret = Action.RemovableMediaState(-1, eLocationChange)
Action.Trace("RemovableMediaState = " & ret)
ret = Action.CDMediaState(-1, eLocationChange)
Action.Trace("CDMediaState = " & ret)
ret = Action.HDCState(eApplyGlobalSetting, eIrDA, eLocationChange)
Action.Trace(vbLf & "HDCState(eApplyGlobalSetting, eIrDA) = " & ret)
ret = Action.HDCState(eApplyGlobalSetting, e1394, eLocationChange)
Action.Trace("HDCState(eApplyGlobalSetting, e1394) = " & ret)
ret = Action.HDCState(eApplyGlobalSetting, eBlueTooth, eLocationChange)
Action.Trace("HDCState(eApplyGlobalSetting, eBlueTooth) = " & ret)
ret = Action.HDCState(eApplyGlobalSetting, eSerialPort, eLocationChange)
Action.Trace("HDCState(eApplyGlobalSetting, eSerialPort) = " & ret)
ret = Action.HDCState(eApplyGlobalSetting, eParrallelPort, eLocationChange)
Action.Trace("HDCState(eApplyGlobalSetting, eParrallelPort) = " & ret)
ret = Action.WiFiDisabledState(eApplyGlobalSetting, eLocationChange)
Action.Trace(vbLf & "WiFiDisabledState = " & ret)
ret = Action.WiFiDisabledWhenWiredState(eApplyGlobalSetting, eLocationChange)
Action.Trace("WiFiDisabledWhenWiredState = " & ret)
ret = Action.AdHocDisabledState(eApplyGlobalSetting, eLocationChange)
Action.Trace("AdHocDisabledState = " & ret)
ret = Action.AdapterBridgeDisabledState(eApplyGlobalSetting, eLocationChange)
Action.Trace("AdapterBridgeDisabledState = " & ret)
ret = Action.MinimumWiFiSecurityState(eApplyGlobalSetting, eLocationChange)
Action.Trace("MinimumWiFiSecurityState = " & ret)
ret = Action.WiredDisabledState(eApplyGlobalSetting, eLocationChange)
Action.Trace("WiredDisabledState = " & ret)
ret = Action.DialupDisabledState(eApplyGlobalSetting, eLocationChange)
Action.Trace("DialupDisabledState = " & ret)

RemovableMediaState, CDMediaState, HDCState, IsWiFiDisabled, IsWiFiDisabledWhenWired, IsAdHocDisabled, IsAdapterBridgeDisabled, MinimumWiFiSecurityState, IsWiredDisabled, IsDialupDisabled

JScript:

var ret;
Action.Trace("Status");
ret = Query.RemovableMediaState();
Action.Trace("RemovableMediaState = " + ret);
ret = Query.CDMediaState();
Action.Trace("CDMediaState = " + ret);
ret = Query.HDCState(eIrDA);
Action.Trace("\nHDCState(eIrDA) = " + ret);
ret = Query.HDCState(e1394);
Action.Trace("HDCState(e1394) = " + ret);
ret = Query.HDCState(eBlueTooth);
Action.Trace("HDCState(eBlueTooth) = " + ret);
ret = Query.HDCState(eSerialPort);
Action.Trace("HDCState(eSerialPort) = " + ret);
ret = Query.HDCState(eParrallelPort);
Action.Trace("HDCState(eParrallelPort) = " + ret);
ret = Query.IsWiFiDisabled();
Action.Trace("\nIsWiFiDisabled = " + ret);
ret = Query.IsWiFiDisabledWhenWired();
Action.Trace("IsWiFiDisabledWhenWired = " + ret);
ret = Query.IsAdHocDisabled();
Action.Trace("IsAdHocDisabled = " + ret);
ret = Query.IsAdapterBridgeDisabled();
Action.Trace("IsAdapterBridgeDisabled = " + ret);
ret = Query.MinimumWiFiSecurityState();
Action.Trace("MinimumWiFiSecurityState = " + ret);
ret = Query.IsWiredDisabled();
Action.Trace("IsWiredDisabled = " + ret);
ret = Query.IsDialupDisabled();
Action.Trace("IsDialupDisabled = " + ret);

VBScript:

dim ret
' VBScript has no "\n" escape, so vbLf is used where the JScript used "\n".
Action.Trace("Status")
ret = Query.RemovableMediaState()
Action.Trace("RemovableMediaState = " & ret)
ret = Query.CDMediaState()
Action.Trace("CDMediaState = " & ret)
ret = Query.HDCState(eIrDA)
Action.Trace(vbLf & "HDCState(eIrDA) = " & ret)
ret = Query.HDCState(e1394)
Action.Trace("HDCState(e1394) = " & ret)
ret = Query.HDCState(eBlueTooth)
Action.Trace("HDCState(eBlueTooth) = " & ret)
ret = Query.HDCState(eSerialPort)
Action.Trace("HDCState(eSerialPort) = " & ret)
ret = Query.HDCState(eParrallelPort)
Action.Trace("HDCState(eParrallelPort) = " & ret)
ret = Query.IsWiFiDisabled()
Action.Trace(vbLf & "IsWiFiDisabled = " & ret)
ret = Query.IsWiFiDisabledWhenWired()
Action.Trace("IsWiFiDisabledWhenWired = " & ret)
ret = Query.IsAdHocDisabled()
Action.Trace("IsAdHocDisabled = " & ret)
ret = Query.IsAdapterBridgeDisabled()
Action.Trace("IsAdapterBridgeDisabled = " & ret)
ret = Query.MinimumWiFiSecurityState()
Action.Trace("MinimumWiFiSecurityState = " & ret)
ret = Query.IsWiredDisabled()
Action.Trace("IsWiredDisabled = " & ret)
ret = Query.IsDialupDisabled()
Action.Trace("IsDialupDisabled = " & ret)

Storage Namespace

There are two kinds of storage in the Endpoint Security Client storage space. Persistent storage remains between sessions of the client, while transient storage exists only for the duration of the client. Transient values can be accessed in each rule script invocation. Also, persistent storage can only store and retrieve string values, while transient storage stores and retrieves any value that a VARIANT can hold.

NOTE:Each script variable stored in the "secure store" is preceded by a "rule id" (one for each script). Variables that need to be shared between scripts MUST have a forward slash BEFORE the variable name in EACH "persist" function accessing them to make that variable global, or accessible, to each script:

Example - "global" variable between scripts: "boolWarnedOnPreviousLoop"

Storage.PersistValueExists("/boolWarnedOnPreviousLoop");

SetNameValue, NameValueExists, GetNameValue

JScript:

var ret;
Storage.SetNameValue("testval",5);
ret = Storage.NameValueExists("testval");
Action.Trace("NameValueExists = " + ret);
ret = Storage.GetNameValue("testval");
Action.Trace("GetNameValue = " + ret);

VBScript:

dim ret
Storage.SetNameValue "testval",5
ret = Storage.NameValueExists("testval")
Action.Trace("NameValueExists = " & ret)
ret = Storage.GetNameValue("testval")
Action.Trace("GetNameValue = " & ret)

SetPersistString, PersistValueExists, GetPersistString

JScript:

var ret;
Storage.SetPersistString("teststr","pstring");
ret = Storage.PersistValueExists("teststr");
Action.Trace("PersistValueExists = " + ret);
ret = Storage.GetPersistString("teststr");
Action.Trace("GetPersistString = " + ret);

VBScript:

dim ret
Storage.SetPersistString "teststr", "pstring"
ret = Storage.PersistValueExists("teststr")
Action.Trace("PersistValueExists = " & ret)
ret = Storage.GetPersistString("teststr")
Action.Trace("GetPersistString = " & ret)

RuleState

JScript:

Storage.RuleState = true;
var ret = Storage.RuleState;
Action.Trace("RuleState = " + ret);

VBScript:

dim ret
Storage.RuleState = true
ret = Storage.RuleState
Action.Trace("RuleState = " & ret)

RetrySeconds

JScript:

var ret;
Storage.RetrySeconds = 30;
ret = Storage.RetrySeconds;
Action.Trace("RetrySeconds = " + ret);

VBScript:

dim ret
Storage.RetrySeconds = 30
ret = Storage.RetrySeconds
Action.Trace("RetrySeconds = " & ret)

Interfaces

These interfaces are returned by one of the methods of the namespaces described in section 3 or by one of the methods or properties of the following interfaces.

IClientAdapter Interface

This interface returns information about an adapter.

GetNetworkEnvironment

JScript:

var adplist;
var adplength;
var adp;
var env;
var ret;

adplist = Query.GetAdapters();
adplength = adplist.Length;

Action.Trace("adplength = " + adplength);

if(adplength > 0)
{
  adp = adplist.Item(0);
  env = adp.GetNetworkEnvironment();
  ret = env.DHCPCount;
  Action.Trace("DHCPCount = " + ret);
  ret = env.DNSCount;
  Action.Trace("DNSCount = " + ret);
  ret = env.GatewayCount;
  Action.Trace("GatewayCount = " + ret);
  ret = env.WINSCount;
  Action.Trace("WINSCount = " + ret);
}

VBScript:

dim adplist
dim adplength
dim adp
dim env
dim ret

set adplist = Query.GetAdapters()
adplength = adplist.Length

Action.Trace("adplength = " & CInt(adplength))

if(CInt(adplength) > 0) then
  set adp = adplist.Item(0)
  set env = adp.GetNetworkEnvironment()
  ret = env.DHCPCount
  Action.Trace("DHCPCount = " & ret)
  ret = env.DNSCount
  Action.Trace("DNSCount = " & ret)
  ret = env.GatewayCount
  Action.Trace("GatewayCount = " & ret)
  ret = env.WINSCount
  Action.Trace("WINSCount = " & ret)
end if

DeviceID

See Query Namespace - GetAdapters

Enabled

See Query Namespace - GetAdapters

IP

See Query Namespace - GetAdapters

MAC

See Query Namespace - GetAdapters

MaxSpeed

See Query Namespace - GetAdapters

Name

See Query Namespace - GetAdapters

SubNetMask

See Query Namespace - GetAdapters

Type

See Query Namespace - GetAdapters

IClientEnvData Interface

This interface returns environment data about a Server or Wireless Access Point.

IP

See Query Namespace - GetLocationMatchData

MAC

See Query Namespace - GetLocationMatchData

SSID

See Query Namespace - GetLocationMatchData

Type

See Query Namespace - GetLocationMatchData

IClientNetEnv Interface

This interface provides Network Environment Information.

GetDHCPItem

JScript:

var adplist;
var adplength;
var adp;
var env;
var ret;
var item;

adplist = Query.GetAdapters();
adplength = adplist.Length;

Action.Trace("adplength = " + adplength);

if(adplength > 0)
{
  adp = adplist.Item(0);
  env = adp.GetNetworkEnvironment();

  ret = env.DHCPCount;
  Action.Trace("DHCPCount = " + ret);
  if(ret > 0)
  {
    item = env.GetDHCPItem(0); 
    ret = item.IP;
    Action.Trace("IP = " + ret);
  }
}

VBScript:

dim adplist
dim adplength
dim adp
dim env
dim ret
dim item

set adplist = Query.GetAdapters()
adplength = adplist.Length

Action.Trace("adplength = " & CInt(adplength))

if(CInt(adplength) > 0) then
  set adp = adplist.Item(0)
  set env = adp.GetNetworkEnvironment()

  ret = env.DHCPCount
  Action.Trace("DHCPCount = " & ret)
  if(ret > 0) then
    set item = env.GetDHCPItem(0)
    ret = item.IP
    Action.Trace("IP = " & ret)
  end if
end if

GetDNSItem

JScript:

var adplist;
var adplength;
var adp;
var env;
var ret;
var item;

adplist = Query.GetAdapters();
adplength = adplist.Length;

Action.Trace("adplength = " + adplength);

if(adplength > 0)
{
  adp = adplist.Item(0);
  env = adp.GetNetworkEnvironment();

  ret = env.DNSCount;
  Action.Trace("DNSCount = " + ret);
  if(ret > 0)
  {
    item = env.GetDNSItem(0); 
    ret = item.IP;
    Action.Trace("IP = " + ret);
  }
}

VBScript:

dim adplist
dim adplength
dim adp
dim env
dim ret
dim item

set adplist = Query.GetAdapters()
adplength = adplist.Length

Action.Trace("adplength = " & CInt(adplength))

if(CInt(adplength) > 0) then
  set adp = adplist.Item(0)
  set env = adp.GetNetworkEnvironment()

  ret = env.DNSCount
  Action.Trace("DNSCount = " & ret)
  if(ret > 0) then
    set item = env.GetDNSItem(0)
    ret = item.IP
    Action.Trace("IP = " & ret)
  end if
end if

GetGatewayItem

JScript:

var adplist;
var adplength;
var adp;
var env;
var ret;
var item;

adplist = Query.GetAdapters();
adplength = adplist.Length;

Action.Trace("adplength = " + adplength);

if(adplength > 0)
{
  adp = adplist.Item(0);
  env = adp.GetNetworkEnvironment();

  ret = env.GatewayCount;
  Action.Trace("GatewayCount = " + ret);
  if(ret > 0)
  {
    item = env.GetGatewayItem(0); 
    ret = item.IP;
    Action.Trace("IP = " + ret);
  }
}

VBScript:

dim adplist
dim adplength
dim adp
dim env
dim ret
dim item

set adplist = Query.GetAdapters()
adplength = adplist.Length

Action.Trace("adplength = " & CInt(adplength))

if(CInt(adplength) > 0) then
  set adp = adplist.Item(0)
  set env = adp.GetNetworkEnvironment()

  ret = env.GatewayCount
  Action.Trace("GatewayCount = " & ret)
  if(ret > 0) then
    set item = env.GetGatewayItem(0)
    ret = item.IP
    Action.Trace("IP = " & ret)
  end if
end if

GetWINSItem

JScript:

var adplist;
var adplength;
var adp;
var env;
var ret;
var item;

adplist = Query.GetAdapters();
adplength = adplist.Length;

Action.Trace("adplength = " + adplength);

if(adplength > 0)
{
  adp = adplist.Item(0);
  env = adp.GetNetworkEnvironment();

  ret = env.WINSCount;
  Action.Trace("WINSCount = " + ret);
  if(ret > 0)
  {
    item = env.GetWINSItem(0); 
    ret = item.IP;
    Action.Trace("IP = " + ret);
  }
}

VBScript:

dim adplist
dim adplength
dim adp
dim env
dim ret
dim item

set adplist = Query.GetAdapters()
adplength = adplist.Length

Action.Trace("adplength = " & CInt(adplength))

if(CInt(adplength) > 0) then
  set adp = adplist.Item(0)
  set env = adp.GetNetworkEnvironment()

  ret = env.WINSCount
  Action.Trace("WINSCount = " & ret)
  if(ret > 0) then
    set item = env.GetWINSItem(0)
    ret = item.IP
    Action.Trace("IP = " & ret)
  end if
end if

GetWirelessAPItem, WirelessAPCount

JScript:

var adplist;
var adplength;
var adp;
var env;
var apitem;
var adptype;
var adpname;
var apcount;
var i;

adplist = Query.GetAdapters();
adplength = adplist.Length;
Action.Trace("adplength = " + adplength);

if(adplength > 0)
{
  for(i=0;i < adplength;i++)
  {
    adp = adplist.Item(i);
    adptype = adp.Type;
    if(adptype == eWIRELESS)
    {
      Action.Trace("Wireless index = " + i);
      adpname = adp.Name;
      Action.Trace("adp = " + adpname);

      env = adp.GetNetworkEnvironment();
      apcount = env.WirelessAPCount;
      Action.Trace("WirelessAPCount = " + apcount);
      if(apcount > 0)
      {
        apitem = env.GetWirelessAPItem(0);
        Action.Trace("apitem.SSID = " + apitem.SSID);
      }
    }    
  }
}

VBScript:

dim adplist
dim adplength
dim adp
dim env
dim apitem
dim adptype
dim adpname
dim apcount
dim i

set adplist = Query.GetAdapters()
adplength = adplist.Length
Action.Trace("adplength = " & CInt(adplength))

if(CInt(adplength) > 0) then
  For i = 0 To (CInt(adplength) - 1)
    set adp = adplist.Item(i)
    adptype = adp.Type
    if(adptype = eWIRELESS) then
      Action.Trace("Wireless index = " & i)
      adpname = adp.Name
      Action.Trace("adp = " & adpname)

      set env = adp.GetNetworkEnvironment()
      apcount = env.WirelessAPCount
      Action.Trace("WirelessAPCount = " & apcount)
      if(apcount > 0) then
        set apitem = env.GetWirelessAPItem(0)
        Action.Trace("apitem.SSID = " & apitem.SSID)
      end if
    end if    
  Next
end if
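The samples above each read one item from one adapter. An added example, not code from the ZENworks Endpoint Security Management reference, that ties the Storage properties (RuleState, RetrySeconds, SetPersistString) and the IClientNetEnv/IClientWAP accessors together into a complete location rule: it walks every enabled adapter, requires each learned gateway and DNS server to be on an expected list, requires a wireless adapter's access point to match by SSID and MAC (an SSID alone is trivially spoofed), and records the verdict in Storage. The expected addresses, the Query/Action/Storage stand-ins and the numeric value used for eWIRELESS are constructed assumptions so the script runs outside the engine; inside the engine the real namespaces and constant are used instead.

```javascript
// Added example (not from the ZESM scripting reference). JScript 5 / ES3 syntax
// so it also loads as a ZESM rule script. Expected values are constructed sample data.
var EXPECTED_GATEWAYS = ["10.20.0.1", "10.20.0.2"];
var EXPECTED_DNS = ["10.20.0.53"];
var EXPECTED_APS = { "corp-wifi": ["00:11:22:33:44:55"] }; // SSID -> allowed AP MACs
// eWIRELESS is provided by the engine; 2 is an assumed stand-in value elsewhere.
var WIRELESS_TYPE = (typeof eWIRELESS !== "undefined") ? eWIRELESS : 2;

function contains(list, value) {
  for (var i = 0; i < list.length; i++) { if (list[i] === value) { return true; } }
  return false;
}

// IPs of every item of one kind (Gateway, DNS, DHCP, WINS) in an IClientNetEnv.
function collectIPs(env, countProp, getter) {
  var ips = [];
  for (var i = 0; i < env[countProp]; i++) { ips.push(env[getter](i).IP); }
  return ips;
}

// Checks every enabled adapter, sets Storage.RuleState/RetrySeconds and a
// persisted summary, and returns { matched, reasons } to the caller.
function evaluateLocation(query, action, storage) {
  var reasons = [], sawExpected = false;
  var adapters = query.GetAdapters();
  for (var i = 0; i < adapters.Length; i++) {
    var adp = adapters.Item(i);
    if (!adp.Enabled) { continue; }
    var env = adp.GetNetworkEnvironment();
    // Every learned gateway and DNS server must be expected: one rogue value fails the rule.
    var gws = collectIPs(env, "GatewayCount", "GetGatewayItem");
    for (var g = 0; g < gws.length; g++) {
      if (contains(EXPECTED_GATEWAYS, gws[g])) { sawExpected = true; }
      else { reasons.push(adp.Name + ": unexpected gateway " + gws[g]); }
    }
    var dns = collectIPs(env, "DNSCount", "GetDNSItem");
    for (var d = 0; d < dns.length; d++) {
      if (!contains(EXPECTED_DNS, dns[d])) { reasons.push(adp.Name + ": unexpected DNS " + dns[d]); }
    }
    if (adp.Type === WIRELESS_TYPE) {
      // An SSID is trivially spoofed; the AP MAC must be on the allowlist as well.
      for (var a = 0; a < env.WirelessAPCount; a++) {
        var ap = env.GetWirelessAPItem(a), ok = EXPECTED_APS[ap.SSID];
        if (ok && contains(ok, ap.MAC)) { sawExpected = true; }
        else { reasons.push(adp.Name + ": unknown AP " + ap.SSID + " (" + ap.MAC + ", rssi " + ap.Rssi + ")"); }
      }
    }
  }
  // Absence of anything suspicious is not evidence: require a positive match.
  if (!sawExpected) { reasons.push("no expected gateway or access point observed"); }
  var matched = (reasons.length === 0);
  storage.RuleState = matched;
  storage.RetrySeconds = matched ? 0 : 30; // re-evaluate sooner while unmatched
  storage.SetPersistString("lastLocationCheck", matched ? "matched" : reasons.join("; "));
  for (var r = 0; r < reasons.length; r++) { action.Trace(reasons[r]); }
  return { matched: matched, reasons: reasons };
}

// Constructed stand-ins for Query/Action/Storage so the script runs outside the
// ZESM engine; inside the engine the real namespaces are passed instead.
function makeList(arr) { return { Length: arr.length, Item: function (i) { return arr[i]; } }; }
function makeEnv(gws, dns, aps) {
  return { DHCPCount: 0, WINSCount: 0,
    GatewayCount: gws.length, GetGatewayItem: function (i) { return { IP: gws[i] }; },
    DNSCount: dns.length, GetDNSItem: function (i) { return { IP: dns[i] }; },
    WirelessAPCount: aps.length, GetWirelessAPItem: function (i) { return aps[i]; } };
}
function makeStorage() {
  var p = {};
  return { RuleState: false, RetrySeconds: 0,
    SetPersistString: function (k, v) { p[k] = String(v); },
    GetPersistString: function (k) { return p[k]; },
    PersistValueExists: function (k) { return p[k] !== undefined; } };
}
var stubAction = { Trace: function (s) { if (typeof console !== "undefined") { console.log(s); } } };
// Sample 1 (constructed): wired adapter on the expected gateway/DNS, Wi-Fi on the known AP.
var corpQuery = { GetAdapters: function () { return makeList([
  { Name: "Ethernet", Type: 1, Enabled: true,
    GetNetworkEnvironment: function () { return makeEnv(["10.20.0.1"], ["10.20.0.53"], []); } },
  { Name: "Wi-Fi", Type: WIRELESS_TYPE, Enabled: true,
    GetNetworkEnvironment: function () { return makeEnv([], [], [{ SSID: "corp-wifi", MAC: "00:11:22:33:44:55", Rssi: -51 }]); } }
]); } };
// Sample 2 (constructed): wired disabled, Wi-Fi on an evil-twin AP (same SSID, unknown MAC) behind a home router.
var rogueQuery = { GetAdapters: function () { return makeList([
  { Name: "Ethernet", Type: 1, Enabled: false,
    GetNetworkEnvironment: function () { return makeEnv(["10.20.0.1"], ["10.20.0.53"], []); } },
  { Name: "Wi-Fi", Type: WIRELESS_TYPE, Enabled: true,
    GetNetworkEnvironment: function () { return makeEnv(["192.168.1.1"], ["192.168.1.1"], [{ SSID: "corp-wifi", MAC: "66:77:88:99:aa:bb", Rssi: -40 }]); } }
]); } };

var result = evaluateLocation(
  (typeof Query !== "undefined") ? Query : corpQuery,
  (typeof Action !== "undefined") ? Action : stubAction,
  (typeof Storage !== "undefined") ? Storage : makeStorage());
```

The rule only passes when it has positive evidence (an expected gateway or an allowlisted access point) and nothing unexpected on any enabled adapter; a disconnected or empty environment therefore fails rather than silently passing. Matching the AP MAC on top of the SSID raises the bar against an evil-twin network, but a MAC can still be cloned, so treat this as one input to a location decision, not as authentication of the network.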

DHCPCount

See IClientAdapter Interface - GetNetworkEnvironment

DNSCount

See IClientAdapter Interface - GetNetworkEnvironment

GatewayCount

See IClientAdapter Interface - GetNetworkEnvironment

WINSCount

See IClientAdapter Interface - GetNetworkEnvironment

WirelessAPCount

See IClientNetEnv Interface - GetWirelessAPItem, WirelessAPCount

IClientWAP Interface

This interface provides information about a Wireless Access Point.

AvgRssi

See IClientNetEnv Interface - GetWirelessAPItem

MAC

See IClientNetEnv Interface - GetWirelessAPItem

MaxRssi

See IClientNetEnv Interface - GetWirelessAPItem

MinRssi

See IClientNetEnv Interface - GetWirelessAPItem

Rssi

See IClientNetEnv Interface - GetWirelessAPItem

SSID

See IClientNetEnv Interface - GetWirelessAPItem

IClientAdapterList Interface

This interface is a list of adapters in the network environment.

Item & Length

See Query Namespace - GetAdapters