16.5 Machine-Based Policies

The option to use machine-based rather than user-based policies is set at Security Client installation (see the ZENworks Endpoint Security Management 4.1 Installation Guide for details). When this option is selected, the machine is assigned the policy from the Management Service, and the policy is applied to all users who log on to that machine. A policy assigned to a user on another machine does not follow that user when they log on to a machine with a machine-based policy. Instead, the machine-based policy is enforced.

NOTE: The machine must be a member of the Policy Distribution Service's domain for the first policy sent down. Occasionally, Microsoft does not immediately generate the SID, which can prevent the Endpoint Security Client on that machine from receiving its credentials from the Management Service. When this occurs, reboot the machine after the Endpoint Security Client installation is finished so that it can receive the credentials.

When you switch a Security Client from accepting user-based policies to accepting machine-based policies, the client continues to enforce and use the last policy downloaded by the current user until credentials are provided. If multiple users exist on the machine, the machine uses only the policy assigned to the currently logged-in user. If a new user logs in and the SID is unavailable, the machine uses the default policy included at installation until the SID is available. After the SID is available for the endpoint, all users have the machine-based policy applied.