Configure Security Settings

The ZENworks Endpoint Security Management Agent (referred to as the Endpoint Security Agent) is the ZENworks Adaptive Agent module that enforces security policies on a device. This page lets you configure the security settings for the Endpoint Security Agent.

Inherit from Policy Hierarchy

ZENworks utilizes a management hierarchy, or structure, that is ordered as follows:

  1. Management Zone

  2. Folder/Group

  3. Device/User

Policies can be assigned at each level. Assignments flow down, which means that policy assignments made at the Management Zone apply to all devices or users in the zone. Likewise, policy assignments made to a folder or group apply to all members of the folder or group. As a result of hierarchical assignments, it is possible for a device or user to be assigned multiple policies of the same type.

The Inherit from Policy Hierarchy option determines whether or not this policy can inherit settings from other policies (of the same type) that are above it in the hierarchy. Consider the following table:

| Hierarchy Level | Policy (same type) | Inherit from Policy Hierarchy | Policy Setting 1 (Single-Value) | Policy Setting 2 (Single-Value) | Policy Setting 3 (Multi-Value) |
|---|---|---|---|---|---|
| Zone | Policy_3 | Yes | 10 | False | Device4;Device5 |
| User Group 1 | Policy_2 | Yes | Inherit | Inherit | Device2;Device3 |
| User A | Policy_1 | Yes | Inherit | True | Device1;Device2 |

User A is directly assigned Policy_1. Because User A is a member of User Group 1 and the Zone, User A is indirectly assigned Policy_2 and Policy_3.

All three of the policies allow for inheritance. As a result, the final policy settings are determined by using the following method:

  1. Evaluation of policy settings begins with the lowest policy in the hierarchy (the policy closest to the user). In this case, Policy_1 is the lowest policy (because it is assigned directly to User A) and is evaluated first.

  2. If one of the Policy_1 settings is configured as Inherit, then the setting is inherited from Policy_2; if the Policy_2 setting is configured as Inherit, then the setting is inherited from the next policy in the hierarchy, which is Policy_3.

  3. Multi-value policy settings, such as tables, do not have an Inherit setting. With multi-value settings, all values from the assigned policies are combined.

Applying the inheritance methodology to the example in the above table, the resulting Policy_1 settings for User A are:

| Hierarchy Level | Policy (same type) | Inherit from Policy Hierarchy | Policy Setting 1 (Single-Value) | Policy Setting 2 (Single-Value) | Policy Setting 3 (Multi-Value) |
|---|---|---|---|---|---|
| User A | Policy_1 | Yes | 10 (inherited from Policy_3) | True | Device1;Device2, Device3 (inherited from Policy_2), Device4;Device5 (inherited from Policy_3) |
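The evaluation method above, worked through in code for the User A example. This is an added illustration, not ZENworks code: the `Policy` class, the `INHERIT` sentinel, the setting names, and the rule that a policy with inheritance disabled stops the walk (leaving an unresolved single-value setting as `None`) are assumptions made for the example.

```python
from dataclasses import dataclass, field

INHERIT = object()  # sentinel: single-value setting configured as "Inherit"

@dataclass
class Policy:
    name: str
    inherit_from_hierarchy: bool
    single: dict                               # setting -> value or INHERIT
    multi: dict = field(default_factory=dict)  # setting -> list of values

def effective_settings(chain):
    """Resolve settings for a chain ordered lowest (closest to the user) first.

    Single-value settings return (value, source policy name) so the level
    that supplied each value can be audited. Multi-value settings return
    the combined list with duplicates dropped.
    """
    # Assumption: a policy with inheritance disabled ends the walk upward.
    visible = []
    for policy in chain:
        visible.append(policy)
        if not policy.inherit_from_hierarchy:
            break
    result = {}
    for key in {k for p in visible for k in p.single}:
        result[key] = (None, None)  # unresolved: every level said Inherit
        for p in visible:
            value = p.single.get(key, INHERIT)
            if value is not INHERIT:  # first explicit value wins
                result[key] = (value, p.name)
                break
    for key in {k for p in visible for k in p.multi}:
        merged = []
        for p in visible:
            merged += [v for v in p.multi.get(key, []) if v not in merged]
        result[key] = merged
    return result

# Constructed from the example table on this page (setting names shortened).
CHAIN = [
    Policy("Policy_1", True, {"setting1": INHERIT, "setting2": True},
           {"setting3": ["Device1", "Device2"]}),
    Policy("Policy_2", True, {"setting1": INHERIT, "setting2": INHERIT},
           {"setting3": ["Device2", "Device3"]}),
    Policy("Policy_3", True, {"setting1": 10, "setting2": False},
           {"setting3": ["Device4", "Device5"]}),
]

if __name__ == "__main__":
    for name, value in sorted(effective_settings(CHAIN).items()):
        print(name, value)
```

When reviewing an assignment, the source name returned with each single-value setting shows which hierarchy level actually controls it.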

Enable Client Self Defense for Endpoint Security Agent

Client Self Defense protects the Endpoint Security Agent from being shut down, disabled, or tampered with in any way. If a user performs any of the following activities, the device is automatically rebooted to restore the correct system configuration:

  • Using Windows Task Manager to terminate any Endpoint Security Agent processes.

  • Stopping or pausing any Endpoint Security Agent services.

  • Removing critical files and registry entries. If a change is made to any registry keys or values associated with the Endpoint Security Agent, the registry keys or values are immediately reset.

  • Disabling NDIS filter driver binding to adapters.

Select one of the following options:

  • Yes: Enables Client Self Defense.

  • No: Disables Client Self Defense.

  • Inherit: If the policy’s Inherit from Policy Hierarchy setting is enabled, inherits this setting value from other Security Setting policies assigned higher in the policy hierarchy. For example, if you assign this policy to a user, the setting value is inherited from any Security Setting policies assigned to the user’s groups, folders, or zone.

Enable Uninstall Password for Endpoint Security Agent

Client Self Defense does not prevent the Endpoint Security Agent from being uninstalled by the agent installation program. If you want to prevent users from removing the Endpoint Security Agent without permission, you must enable an uninstall password.

The uninstall password applies only when a user tries to uninstall the agent at the device. If you use the ZENworks Adaptive Agent features (Configuration tab > Management Zone Settings > Device Management > ZENworks Agent) to uninstall the Endpoint Security Agent, the uninstall password is not used.

Select one of the following options:

  • Yes: Enables an uninstall password. To specify the password, click Set, enter and confirm the password, then click OK to save it.

  • No: Disables an uninstall password.

  • Inherit: If the policy’s Inherit from Policy Hierarchy setting is enabled, inherits this setting value from other Security Setting policies assigned higher in the policy hierarchy. For example, if you assign this policy to a user, the setting value is inherited from any Security Setting policies assigned to the user’s groups, folders, or zone.

Enable Password Override for Endpoint Security Agent

Password Override lets you specify a password that overrides the device’s currently applied security policies. All policies revert to the Endpoint Security Agent’s default policies.

You should not distribute the password to users. Instead, you should use the Override Password Key Generator utility to generate a temporary password key (based on the override password) for a user who needs to override security policies. The password key functions the same as the override password with the added benefit that you can specify when the key expires.

Select one of the following options:

  • Yes: Enables an override password. To specify the password, click Set, enter and confirm the password, then click OK to save it.

  • No: Disables the override password.

  • Inherit: If the policy’s Inherit from Policy Hierarchy setting is enabled, inherits this setting value from other Security Setting policies assigned higher in the policy hierarchy. For example, if you assign this policy to a user, the setting value is inherited from any Security Setting policies assigned to the user’s groups, folders, or zone.
