Protecting Devices

ZENworks Endpoint Security Management protects Windows devices from security risks regardless of their location. This protection is provided through security policies that you create and assign to devices and users.

Activating Endpoint Security Management

If you did not activate Endpoint Security Management during installation of the Management Zone, either by providing a license key or by turning on the evaluation, complete the following steps:

  1. In ZENworks Control Center, click Configuration.

  2. In the Licenses panel, click ZENworks 11 Endpoint Security Management.

  3. Select Evaluate/Activate product, then fill in the following fields:

    Use Evaluation: Select this option to enable a 60-day evaluation period. After the 60-day period, you must apply a product license key to continue using the product.

    Product License Key: Specify the license key you purchased for Endpoint Security Management. To purchase a product license, see the Novell ZENworks Endpoint Security Management product site.

  4. Click OK.

Enabling the Endpoint Security Agent

The ZENworks Adaptive Agent is responsible for device registration, content distribution, and software updates for a device.

In addition to the ZENworks Adaptive Agent, the Endpoint Security Agent is installed on devices when ZENworks Endpoint Security Management is activated (full license or evaluation). The Endpoint Security Agent is responsible for enforcing security policy settings on the device.

You should verify that the Endpoint Security Agent is enabled. To do so:

  1. Click Configuration to display the Configuration page.

  2. In the Management Zone Settings panel, click Device Management, then click ZENworks Agent.

  3. In the Agent Features panel, make sure that the Installed and Enabled options are selected.

  4. Click OK.

Creating Locations

Security requirements for a device can differ from location to location. For example, you might have different personal firewall restrictions for a device located in an airport terminal than for a device located in an office inside your corporate firewall.

To make sure that a device’s security requirements are appropriate for whatever location it is in, Endpoint Security Management supports both global policies and location-based policies. A global policy is applied regardless of the device’s location. A location-based policy is applied only when the device’s current location meets the criteria for a location associated with the policy. For example, if you create a location-based policy for your corporate office and assign it to a laptop, that policy is applied only when the laptop’s location is the corporate office.

If you want to use location-based policies, you must first define the locations that make sense for your organization. A location is a place, or type of place, for which you have specific security requirements. For example, you might have different security requirements for when a device is used in the office, at home, or in an airport.

Locations are defined by network environments. Assume that you have an office in New York and an office in Tokyo. Both offices have the same security requirements. Therefore, you create an Office location and associate it with two network environments: New York Office Network and Tokyo Office Network. Each of these environments is explicitly defined by a set of gateway, DNS server, and wireless access point services. Whenever the Endpoint Security Agent determines that its current environment matches the New York Office Network or Tokyo Office Network, it sets its location to Office and applies the security policies associated with the Office location.

The following sections explain how to create locations:

Defining a Network Environment

Network environment definitions are the building blocks for locations. You can define a network environment while you are creating a location, but we recommend that you define network environments first and then add them as you are creating locations.

To create a network environment:

  1. Click Configuration > Locations.

  2. In the Network Environments panel, click New to launch the Create New Network Environment Wizard.

  3. On the Define Details page, specify a name for the network environment, then click Next.

    As you complete the wizard, if you need more information about any fields or options, click the Help button located in the upper-right corner of ZENworks Control Center.

  4. On the Network Environment Details page, fill in the following fields:

    Limit to Adapter Type: By default, the network services you define on this page are evaluated against a device’s wired, wireless, and dial-up network adapters. If you want to limit the evaluation to a specific adapter type, select Wired, Wireless, or Dial Up.

    Minimum Match: Specify the minimum number of defined network services that must be matched in order to select this network environment.

    For example, if you define one gateway address, three DNS servers, and one DHCP server, you have a total of five services. You can specify that at least three of those services must match in order to select this network environment.

    When specifying a minimum match number, keep the following in mind:

    • The number cannot be less than the number of services marked as Match Required.

    • The number should not exceed the total number of defined services. If it does, the minimum match can never be reached, and the network environment is never selected.

    Network Services: The Network Services panel lets you define the network services that the Endpoint Security Agent evaluates to see if its current network environment matches this network environment. Select the tab for the network service you want to define, click Add, then fill in the required information. If a network service includes a Match Required option, select the option to require that the network service exist in order to match this network environment.

  5. Click Next to display the Summary page, then click Finish to add the network environment definition to the list.

Creating Locations

When you create a location, you provide a location name and then associate the desired network environments with the location.

  1. Click Configuration > Locations.

  2. In the Locations panel, click New to launch the Create New Location Wizard.

  3. On the Define Details page, specify a name for the location, then click Next.

    As you complete the wizard, if you need more information about any fields or options, click the Help button located in the upper-right corner of ZENworks Control Center.

  4. On the Assign Network Environments page:

    1. Select Assign existing Network Environments to the Location.

    2. Click Add, select the network environments that you want to use to define the location, then click OK to add them to the list.

    3. Click Next when you are finished adding network environments.

  5. On the summary page, click Finish to create the location and add it to the Locations list.

As you add multiple locations, the order of the list determines which location is used if the Adaptive Agent matches more than one location. The location listed first is used. You can use the Move Up and Move Down options to reorder the list.
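The matching rules described above (Match Required services, the Minimum Match count and its two constraints, and first-listed location wins) modelled as an added Python example; this is not ZENworks code, and every address, environment name and observed service is constructed for the illustration.

```python
# Added illustration, not ZENworks code: the location-selection rules this guide
# describes (Match Required, Minimum Match, first-listed location wins), in Python.
# All addresses, environment names and the observed environment are constructed.
NETWORK_ENVIRONMENTS = {
    # name: (minimum_match, [(service_type, value, match_required), ...])
    "New York Office Network": (3, [
        ("gateway", "10.1.0.1", True),
        ("dns", "10.1.0.53", False),
        ("dns", "10.1.0.54", False),
        ("dhcp", "10.1.0.2", False),
    ]),
    "Tokyo Office Network": (2, [
        ("gateway", "10.2.0.1", True),
        ("dns", "10.2.0.53", False),
        ("wireless_ap", "aa:bb:cc:dd:ee:01", False),
    ]),
    "Home Network": (1, [("gateway", "192.168.1.1", False)]),
}

# Ordered location list: the agent uses the first location whose environment matches.
LOCATIONS = [
    ("Office", ["New York Office Network", "Tokyo Office Network"]),
    ("Home", ["Home Network"]),
]

def validate_minimum_match(minimum_match, services):
    """The two constraints on Minimum Match stated in the guide."""
    required = sum(1 for _, _, req in services if req)
    if minimum_match < required:
        raise ValueError("minimum match is below the Match Required count")
    if minimum_match > len(services):
        raise ValueError("minimum match exceeds defined services; never selected")

def environment_matches(minimum_match, services, observed):
    """observed: set of (service_type, value) pairs seen on the device's adapters."""
    validate_minimum_match(minimum_match, services)
    # All Match Required services must be present, and the matched count must reach the minimum.
    if any(req and (t, v) not in observed for t, v, req in services):
        return False
    return sum((t, v) in observed for t, v, _ in services) >= minimum_match

def select_location(observed, locations=LOCATIONS, envs=NETWORK_ENVIRONMENTS):
    """Return the first listed location with a matching environment, else 'Unknown'."""
    for location, env_names in locations:
        for name in env_names:
            minimum, services = envs[name]
            if environment_matches(minimum, services, observed):
                return location
    return "Unknown"
```

A device that sees the New York gateway plus two of its DNS servers resolves to Office; one that sees the three optional services but not the required gateway resolves to Unknown, even though three services matched.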

Creating a Security Policy


A device’s security settings are controlled through security policies applied by the Endpoint Security Agent. There are eight security policies that control a range of security-related functionality. You can use all or some of the policies depending on your organization’s needs.

  • Application Control: Blocks execution of applications or denies Internet access to applications. You specify the applications that are blocked or denied Internet access.

  • Communication Hardware: Disables the following communication hardware: 1394-Firewire, IrDA-Infrared, Bluetooth, serial/parallel, dialup, wired, and wireless. Each communication hardware type is configured individually, which means that you can disable some hardware types (for example, Bluetooth and dialup) while leaving others enabled.

  • Data Encryption: Enables data encryption of files on fixed disks and removable storage devices. With fixed disks, you specify the folders (referred to as safe harbor folders) that provide encryption; all other fixed disk folders are unaffected.

  • Firewall: Controls network connectivity by disabling ports, protocols, and network addresses (IP and MAC).

  • Scripting: Runs a script (JScript or VBScript) on a device. You can specify the triggers that cause the script to run. Triggers can be based on Endpoint Security Agent actions, location changes, or time intervals.

  • Storage Device Control: Controls access to CD/DVD drives, floppy drives, and removable storage drives. Each storage device type is configured individually, which means that you can disable some and enable others.

  • USB Connectivity: Controls access to USB devices such as removable storage devices, printers, and input devices (keyboards, mice, etc.). You can specify individual devices or groups of devices. For example, you can disable access to a specific printer and enable access to all Sandisk USB devices.

  • VPN Enforcement: Enforces a VPN connection based on the device’s location. For example, if the device’s location is unknown, you can force a VPN connection through which all Internet traffic is routed.

  • Wi-Fi: Disables wireless adapters, blocks wireless connections, controls connections to wireless access points, and so forth.

In addition to the above security policies, the following security policies help protect and configure the Endpoint Security Agent. Because of the nature of these two policies, we recommend that you create and assign them first.

  • Security Settings: Protects the Endpoint Security Agent from being tampered with and uninstalled.

    This policy is included primarily to maintain support for devices running the ZENworks 11 and ZENworks 11 SP1 agent. Beginning with ZENworks 11 SP2, the security settings are configured through the ZENworks Agent settings in the Management Zone Settings (Configuration > Management Zone Settings > Device Management > ZENworks Agent). After the security settings are configured, the ZENworks 11 SP2 agent (and newer agents) use those settings and ignore the Security Settings policy.

  • Location Assignment: Provides the list of allowed locations for a device or user. The Endpoint Security Agent evaluates its current network environment to see if it matches any of the allowed locations. If so, the location becomes the security location and the agent applies any security policies associated with the location. If none of the locations in the list are matched, the security policies associated with the Unknown location are applied.

    If you plan to use location-based policies, you should make sure a Location Assignment policy is assigned to each device or user. If a device, or the device’s user, does not have an assigned Location Assignment policy, the Endpoint Security Agent cannot apply any location-based policies to the device.

To create a security policy:

  1. Click Policies to display the Policies page.

  2. In the Policies panel, click New > Policy to launch the Create New Policy Wizard.

  3. On the Select Platform page, select Windows, then click Next.

  4. On the Select Policy Category page, select Windows Endpoint Security Policies, then click Next.

  5. On the Select Policy Type page, select the type of policy you want to create, then click Next.

    If you created locations and plan to use location-based policies, you need to create at least one Location Assignment policy and assign it to devices or the devices’ users. Otherwise, none of the locations you created will be available to the devices, which means that none of the location-based policies can be applied.

  6. On the Define Details page, enter a name for the policy and select the folder in which to place the policy.

    The name must be unique among all other policies located in the selected folder.

  7. (Conditional) If the Configure Inheritance and Location Assignments page is displayed, configure the following settings, then click Next.

    • Inheritance: Leave the Inherit from policy hierarchy setting selected if you want to enable this policy to inherit settings from same-type policies that are assigned higher in the policy hierarchy. For example, if you assign this policy to a device and another policy (of the same type) to the device’s folder, enabling this option allows this policy to inherit settings from the policy assigned to the device’s folder. Deselect the Inherit from policy hierarchy setting if you don’t want to allow this policy to inherit policy settings.

    • Location Assignments: Policies can be global or location-based. A global policy is applied regardless of location. A location-based policy is applied only when the device detects that it is within the locations assigned to the policy.

      Select whether this is a global or location-based policy. If you select location-based, click Add, select the locations to which you want to assign the policy, then click OK to add them to the list.

  8. Configure the policy specific settings, then click Next until you reach the Summary page.

    For information about a policy’s settings, click Help > Current Page in ZENworks Control Center.

  9. On the Summary page, review the information to make sure it is correct. If it is incorrect, click the Back button to revisit the appropriate wizard page and make changes. If it is correct, select either of the following options (if desired), then click Finish.

    • Create as Sandbox: Select this option to create the policy as a sandbox version. The sandbox version is isolated from users and devices until you publish it. For example, you can assign it to users and devices, but it is applied only after you publish it.

    • Define Additional Properties: Select this option to display the policy’s property pages. These pages let you modify policy settings and assign the policy to users and devices.

Assigning a Policy to Users and Devices

After you create a policy, you need to apply it to devices by assigning the policy to devices or to device users.

  1. In the Policies panel, select the check box next to the policy you want to assign.

  2. Click Action > Assign to Device.

    or

    Click Action > Assign to User.

  3. Follow the prompts to assign the policy.

    Click the Help button on each wizard page for detailed information about the page.

    When you complete the wizard, the assigned devices or users are added to the policy’s Relationships page. You can click the policy to view the assignments.

Assigning a Policy to the Zone

You can assign security policies to the Management Zone. When determining the effective policies to be enforced on a device, the Zone policies are evaluated after all user-assigned and device-assigned policies. Consider the following situations:

  • No Firewall policies are assigned to a device or the device’s user (either directly or through a group or folder). The Zone Firewall policy becomes the effective policy for the device and is enforced on the device.

  • Firewall policies are assigned to a device and the device’s user. Both policies are evaluated and merged to determine the effective Firewall policy to apply to the device. After the effective policy is determined from the user-assigned and device-assigned policies, the Zone Firewall policy is used to supply any values that 1) are unset in the effective Firewall policy and 2) are additive (such as the multi-valued Port/Protocol Rules tables).

You can define Zone policies at three levels. This enables you to assign different Zone policies to different devices within your Management Zone.

  • Management Zone: The policies you assign at the Management Zone become the Zone policies for all devices, unless you specify different Zone policies at the device folder or device level.

  • Device Folder: The policies you define at a device folder override the Management Zone (and any parent device folders) and become the Zone policies for all devices contained within the folder structure, unless you specify different Zone policies for a subfolder or an individual device.

  • Device: The policies you define for an individual device override the Management Zone and device folder and become the Zone policies for the device.
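The evaluation order just described (device overrides folder overrides Management Zone; the Zone policy then supplies only unset values and additive table rows), modelled as an added Python example for a Firewall policy. This is not ZENworks code: the field names, rule rows and assignment names are assumptions, and because the guide does not detail how user- and device-assigned policies are merged, the already-merged result is simply taken as input.

```python
# Added illustration, not ZENworks code: the Zone policy evaluation this guide
# describes, for a Firewall policy. Field names, rule rows and assignment names
# are constructed. The merge of user- and device-assigned policies is not detailed
# in the guide, so its already-merged result is simply the input here.

# Multi-valued tables the Zone policy extends versus scalar settings it supplies
# only when unset (None). Both sets are constructed for this example.
ADDITIVE_FIELDS = {"port_protocol_rules", "access_control_lists"}
SCALAR_FIELDS = {"default_behavior", "stateful"}


def zone_policy_for_device(zone_level, folder_chain, device_level):
    """Choose the Zone policy in force for a device.
    device_level overrides any folder, and a deeper folder overrides its parents
    and the Management Zone; folder_chain lists folders from the top down."""
    if device_level is not None:
        return device_level
    for folder_policy in reversed(folder_chain):
        if folder_policy is not None:
            return folder_policy
    return zone_level


def apply_zone_policy(effective, zone_policy):
    """Apply the Zone policy after the user/device policies have been evaluated.
    effective: merged user/device policy, or None when none is assigned."""
    if effective is None:
        return dict(zone_policy)       # the Zone policy becomes the effective policy
    result = dict(effective)
    for field in SCALAR_FIELDS:        # 1) values unset in the effective policy
        if result.get(field) is None:
            result[field] = zone_policy.get(field)
    for field in ADDITIVE_FIELDS:      # 2) additive tables gain the Zone rows
        own = list(effective.get(field, []))
        result[field] = own + [r for r in zone_policy.get(field, []) if r not in own]
    return result
```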

The following steps provide instructions for assigning policies at the Management Zone.

  1. Click Configuration to display the Configuration page.

  2. In the Management Zone Settings panel, click Endpoint Security Management.

  3. Click Zone Policy Settings to display the Zone Policy Settings page.

  4. Click Add, browse for and select the policies you want to assign to the zone, then click OK to add them to the list.

  5. When you are finished adding policies, click OK.

Where to Find More Information

For more information about ZENworks Endpoint Security Management, see the ZENworks 11 Endpoint Security Management Policies Reference.

For trademark and copyright information, see Legal Notices.