2.4 Assigning Security Policies

You can assign security policies to users, workstation devices, and the Management Zone. Security policies do not apply to server devices; if you assign a security policy to a server or server folder, the policy is not applied.

When you assign a policy to a user, it is applied when that user is logged in to a ZENworks Server. When you assign a policy to a device, it is applied when the device starts, regardless of whether or not a user is logged in. When you assign a policy to the Management Zone, it becomes a default policy that is evaluated only after the user-assigned and device-assigned policies have been applied.

2.4.1 Assign Policies to Users

You can assign policies and policy groups to users. This section assumes that you have already created any policy groups you want to assign. If not, see Managing Policy Groups.

The policy assignment can be directly to a user or indirectly to a user through a group or folder in which the user is a member.

  1. In ZENworks Control Center, click the Policies tab.

  2. In the Policies list, select the check box next to policies and policy groups you want to assign.

  3. Click Action > Assign to User.

  4. Browse for and select the users, user groups, and user folders to which you want to assign the policies or policy groups:

    1. Click the Navigate icon next to a folder to navigate through the folders until you find the user, group, or folder you want to select.

      If you are looking for a specific item, such as a User or a User Group, you can use the Items of type list to limit the types of items that are displayed. If you know the name of the item you are looking for, you can use the Item name box to search for the item.

    2. Click the underlined link in the Name column to select the user, group, or folder and display its name in the Selected list box.

    3. Click OK to add the selected users, groups, and folders to the Users list.

  5. Click Next to display the Finish page.

  6. Review the information and, if necessary, use the Back button to make corrections to the information.

  7. If you want the selected policies to be enforced immediately, select the Enforce Policies Immediately on All Assigned Devices option.

    This option causes the policies to be distributed to the assigned users’ devices and enforced right away. If you do not select this option, the policies are distributed and enforced the next time each user’s device refreshes its policy information from the ZENworks system, either through a manual refresh or a scheduled refresh.

  8. Click Finish.

The policies or policy groups are assigned to the selected users, user groups, and user folders. You can view the assignments on the Relationships page of the policies or policy groups.

2.4.2 Assign Policies to Devices

Security policies apply to workstation devices only. If you assign a security policy to a server device, it is not applied.

  1. In ZENworks Control Center, click the Policies tab.

  2. In the Policies list, select the check box next to the policies and policy groups you want to assign.

  3. Click Action > Assign to Device.

  4. Browse for and select the devices, device groups, and device folders to which you want to assign the policies or policy groups:

    1. Click the Navigate icon next to a folder to navigate through the folders until you find the device, group, or folder you want to select.

      If you are looking for a specific item, such as a Workstation or a Workstation Group, you can use the Items of type list to limit the types of items that are displayed. If you know the name of the item you are looking for, you can use the Item name box to search for the item.

    2. Click the underlined link in the Name column to select the device, group, or folder and display its name in the Selected list box.

    3. Click OK to add the selected devices, folders, and groups to the Devices list.

  5. Click Next to display the Policy Conflict Resolution page.

    This page lets you select how to resolve conflicts if another policy of the same policy type is assigned to one of the selected devices’ users. For example, assume that UserA is assigned WirelessPolicy1. You are now assigning WirelessPolicy2 to DeviceA. If UserA logs in to DeviceA, a decision must be made about which policy (WirelessPolicy1 or WirelessPolicy2) to apply.

  6. Select one of the following policy conflict resolution methods:

    User Precedence: The user-associated policies override the device-associated policies. This means that the user-assigned policies have a higher priority than the device-assigned policies.

    Device Precedence: The device-associated policies override the user-associated policies. This means that the device-assigned policies have a higher priority than the user-assigned policies.

    Device Only: Applies the device-associated policy only. If a user-associated policy exists, it is not applied.

    User Only: If a user-associated policy exists, applies the user-associated policy. If no user-associated policy exists, applies the device-associated policy. Note that, unlike Device Only, this option falls back to the other policy rather than applying nothing.

  7. Click Next to display the Finish page, review the information and, if necessary, use the Back button to make changes to the information.

    If you want the policies to be immediately enforced on all the assigned devices, select Enforce Policies Immediately on all Assigned Devices.

  8. Click Finish.

    The policies or policy groups are assigned to the selected devices, device groups, and device folders. You can view the assignments on the Relationships page of the policies or policy groups.

2.4.3 Assign Policies to the Management Zone

You can assign security policies to the Management Zone. When determining the effective policies to be enforced on a device, the Zone policies are evaluated after all other assigned policies. For more information about how an effective policy is determined, see How the Effective Policy is Determined.

Consider the following situations:

  • No Firewall policies are assigned to a device or the device’s user (either directly or through a group or folder). The Zone Firewall policy becomes the effective policy for the device and is enforced on the device.

  • Firewall policies are assigned to a device and the device’s user. Both policies are evaluated and combined to determine the effective Firewall policy to apply to the device. After the effective policy is determined from the user-assigned and device-assigned policies, the Zone Firewall policy is used to supply any values that are unset in the effective Firewall policy, and to contribute its entries to additive settings (such as the multi-valued Port/Protocol Rules tables).

You can assign Zone policies at three levels. This enables you to assign different Zone policies to different devices within your Management Zone.

  • Management Zone: The policies you assign at the Management Zone become the Zone policies for all devices, unless you assign different Zone policies at the device folder or device level.

  • Device Folder: The policies you assign at a device folder override the Management Zone (and any parent device folders) and become the Zone policies for all devices contained within the folder structure, unless you assign different Zone policies for a subfolder or an individual device.

    Security policies apply to workstation devices only. If you assign a security policy to a Server device folder, the policy is not applied to any servers located in the folder.

  • Device: The policies you assign for an individual device override the Management Zone and device folder and become the Zone policies for the device.

    Security policies apply to workstation devices only. If you assign a security policy to a server device, it is not applied.

NOTE: System requirements that are defined in a security policy are ignored when the policy is assigned as a Zone policy.
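The following Python model ties together the conflict resolution options from 2.4.2 (step 6) and the Zone policy behaviour described above: a Zone policy is selected from the device, folder, or Management Zone level, the user- and device-assigned policies are resolved according to the chosen conflict method, and the Zone policy then supplies unset values and adds its entries to additive tables. This is an added illustration, not ZENworks code. The Policy type, the setting names (block_inbound, stealth_mode), the rule tuples, the folder paths, and all sample assignments are constructed for the example. One assumption is marked inline: the page does not spell out how the two precedence modes merge individual settings, so the model lets the higher-priority policy's set values win and unset values fall through.

```python
"""Illustrative model of ZENworks ESM effective-policy evaluation (added example,
not product code). Types, field names and sample data are constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Policy:
    name: str
    settings: dict = field(default_factory=dict)  # a value of None means "unset"
    rules: list = field(default_factory=list)      # additive, multi-valued table


def merge(primary: Optional[Policy], secondary: Optional[Policy], name: str) -> Optional[Policy]:
    """Combine two policies of the same type: set values in `primary` win, unset
    values fall through to `secondary`, and additive rule tables are combined.
    ASSUMPTION: the page describes this fill-in behaviour for the Zone policy;
    the same rule is applied here to the User/Device Precedence modes."""
    if primary is None:
        return secondary
    if secondary is None:
        return primary
    settings = dict(secondary.settings)
    settings.update({k: v for k, v in primary.settings.items() if v is not None})
    rules = list(primary.rules)
    rules += [r for r in secondary.rules if r not in rules]
    return Policy(name, settings, rules)


def resolve_conflict(user: Optional[Policy], device: Optional[Policy], mode: str) -> Optional[Policy]:
    """Policy Conflict Resolution page (2.4.2, step 6)."""
    if mode == "User Precedence":
        return merge(user, device, "user>device")
    if mode == "Device Precedence":
        return merge(device, user, "device>user")
    if mode == "Device Only":
        return device                       # an existing user policy is ignored
    if mode == "User Only":
        return user if user is not None else device   # falls back, unlike Device Only
    raise ValueError(f"unknown conflict resolution method: {mode}")


def zone_policy_for(device_path: str, zone: Optional[Policy],
                    folder_overrides: dict, device_overrides: dict) -> Optional[Policy]:
    """2.4.3: a device-level Zone policy wins, then the nearest device folder that
    overrides the setting, then the Management Zone policy."""
    if device_path in device_overrides:
        return device_overrides[device_path]
    parts = device_path.split("/")[:-1]
    while parts:
        folder = "/".join(parts)
        if folder in folder_overrides:
            return folder_overrides[folder]
        parts.pop()
    return zone


def effective_policy(user, device, mode, zone_policy, is_server=False):
    """Servers never receive security policies; otherwise resolve user/device,
    then let the Zone policy fill unset values and add its additive entries."""
    if is_server:
        return None
    resolved = resolve_conflict(user, device, mode)
    return merge(resolved, zone_policy, "effective")


# Constructed sample assignments (hypothetical names and values).
WIRELESS_USER = Policy("WirelessPolicy1", {"block_inbound": True, "stealth_mode": None}, [("tcp", 443)])
WIRELESS_DEVICE = Policy("WirelessPolicy2", {"block_inbound": False, "stealth_mode": None}, [("udp", 53)])
ZONE_FW = Policy("ZoneFirewall", {"block_inbound": False, "stealth_mode": True}, [("tcp", 22)])
SALES_FW = Policy("SalesFirewall", {"stealth_mode": False}, [("tcp", 8443)])
FOLDER_OVERRIDES = {"Workstations/Sales": SALES_FW}   # folder-level Zone policy
DEVICE_OVERRIDES = {}


def demo(mode="User Precedence", device_path="Workstations/Sales/WS-01"):
    zp = zone_policy_for(device_path, ZONE_FW, FOLDER_OVERRIDES, DEVICE_OVERRIDES)
    return effective_policy(WIRELESS_USER, WIRELESS_DEVICE, mode, zp)


if __name__ == "__main__":
    for mode in ("User Precedence", "Device Precedence", "Device Only", "User Only"):
        p = demo(mode)
        print(f"{mode:18} -> {p.settings} rules={p.rules}")
```

Running the block shows that for WS-01 the folder-level SalesFirewall, not the Management Zone policy, is the one that fills stealth_mode, and that only the Device Only method discards the user policy outright; User Only still falls back to WirelessPolicy2 when no user policy is present.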

In ZENworks Control Center:

  1. To assign a Zone policy to the Management Zone, click the Configuration tab, click Endpoint Security Management (in the Management Zone Settings panel), then click Zone Policy Settings.

    or

    To assign a Zone policy to a device folder, click the Devices tab, locate the folder in the Devices list, then click Details > Settings > Endpoint Security Management > Zone Policy Settings.

    or

    To assign a Zone policy to a device, click the Devices tab, click the device in the Devices list, then click Settings > Endpoint Security Management > Zone Policy Settings.

  2. If you are assigning a Zone policy to a device folder or device, click Override settings to activate the panel.

  3. In the list, click Add, browse for and select the policy you want to add as a default policy, then click OK to add it to the list.

  4. After you finish adding default policies, click Apply to save the settings.

    By default, Management Zone settings are cached on the ZENworks Server and the cache is updated every 10 minutes. Because of this, if a change is made to a zone setting, devices do not receive the changes until the next cache update, which might be as long as 10 minutes.

    For ZENworks Endpoint Security Management, the following are stored as zone settings:

    • Zone security policies

    • Location and network environment settings

    • Effective policy report settings

    • Data encryption keys

    If you change any of these settings and you want to apply them immediately to a device, you must use the zac command line utility on the device to bypass the ZENworks Server cache and retrieve the new settings. To do so, run the following command on the device:

    zac ref general bypasscache