The security enhancements introduced in this release enable you to securely register and communicate with devices even in a DMZ environment.
If you have newly installed ZENworks 2020 Update 2, then, by default, the Security settings will be enabled on all the Primary Servers.
If you are upgrading the Primary Servers, then the Security settings will be disabled by default.
If you have added a new Primary Server to the zone, after upgrading to ZENworks 2020 Update 2, then, by default, the Security Setting will be enabled in the newly added Primary Server. Ensure that you disable the Security Setting temporarily until all the agents in the zone are updated to ZENworks 2020 Update 2, else the older agents stop communicating or the device registration might not work.
You need to run the following zman command to enable or disable the setting:
zman ssassc (Security-Set-Agent-Server-Secure-Communication) is introduced to enable or disable authentication for communication between the ZENworks Agent and the ZENworks servers. After modifying this setting on a Primary Server, you need to restart the ZENworks Server Service (microfocus-zenworks-configure -c Start) to apply the changes.
NOTE:Ensure that you run this command on Primary Servers in which you want to enable or disable the security setting.
For more information, see Security Commands in the ZENworks Command Line Utilities Reference and Security Administrator in the ZENworks Best Practices Guide.
Pre-approved devices are those devices that are approved by the administrators to be part of the zone. This is particularly useful when you have to pre-approve devices while bulk enrolling a known set of devices. It can also be used to allow known devices to reconcile, if required.
For more information, see Adding Pre-approved Devices in the ZENworks Discovery, Deployment, and Retirement Reference
An Authorization key can be used by the ZENworks agent to authorize itself to register to the zone and for any communication with the server during installation.
For more information, see Creating Authorization Key in the ZENworks Discovery, Deployment, and Retirement Reference
To register newer Inventory-Only Agents (IOA) or Managed Device to the zone, you need to either specify an Authorization key during device registration or ensure that the device is a part of the pre-approved devices list.
For more information, see Secure Communication between Managed Devices and ZENworks Servers.
For most features, ZENworks has switched to using the O-Auth protocol for establishing user identity. Therefore, a new service called the OSP has been introduced and it is used for logging in to ZCC, inter-service communication and for communication between device and servers.
With the introduction of this new security feature, the end to end collection and transfer of content between managed devices, Primary Servers and Satellite Servers is through SSL. This can be achieved by configuring the setting within ZCC or by using the newly introduced zman commands. For more information, see Adding and Configuring Satellite Devices in the ZENworks Primary Server and Satellite Reference.
To further secure webservice communication between the ZENworks Agent and the ZENworks Primary and Satellite servers, security enhancements have been introduced to the web service calls in this release.
Removable data drives can now be excluded from encryption by drive type in the Microsoft Data Encryption Policy when the policy is enforced on managed devices.