BlackBerry Configuration Policy

The BlackBerry Configuration policy lets you specify a standard owner name and additional information that is set on the associated BlackBerry devices. For example, you could specify that your company name, address, and telephone number be set on all associated BlackBerry devices to help recover lost devices.

The owner name and information that you specify using this policy does not affect the naming of the device objects in eDirectory; the owner name and information you specify in this policy displays only on the actual device.

To set up the BlackBerry Configuration policy:

1. In ConsoleOne, right-click the Handheld Package or Handheld User Package object, then click Properties.

   
   

2. On the Policies tab, click the down-arrow, then click BlackBerry.

3. Select the check box under the Enabled column for the BlackBerry Configuration policy.

   This both selects and enables the policy.

4. Click Properties to display the Owner page.

   
   

5. Fill in the fields:

   Owner Name: Select the Specify Owner Name To Be Set on the Handheld check box, then type the owner name that you want to be set on associated BlackBerry devices.

   Owner Information: Select the Specify Owner Information To Be Set on the Handheld check box, then type any additional information that you want to be set on associated BlackBerry devices.

   The owner name and information that you specify using this policy does not affect the naming of the device objects in Novell eDirectory; the owner name and information you specify in this policy displays only on the actual device.

6. Click OK to save the policy.

7. When you have finished configuring all of the policies for this package, continue with the steps under Associating the Handheld Package or the Handheld User Package to associate the policy package.

8. If desired, schedule the policy. For more information, see Scheduling Packages and Policies.

   NOTE:  For BlackBerry devices, a policy schedule of Custom Event:EventHandheldSync gets translated on the device to Daily.

BlackBerry Inventory Policy

The BlackBerry Inventory policy lets you enable the collection of hardware and software inventory from associated BlackBerry devices.

To set up the BlackBerry Inventory policy:

1. In ConsoleOne, right-click the Handheld Package or the Handheld User Package object, then click Properties.

   
   

2. On the Policies tab, click the down-arrow, then click BlackBerry.

3. Select the check box under the Enabled column for the BlackBerry Inventory policy.

   This both selects and enables the policy.

4. Click Properties to display the General page.

   
   

5. Fill in the fields:

   Hardware: To collect hardware information for associated BlackBerry devices, select the Enable Collection of Hardware Inventory on the Handheld check box.

   Collected data about hardware is stored on a per-device basis and is found on the ZENworks Inventory page in ConsoleOne or on the Clients: Hardware Inventory page in the ZENworks Handheld Management Inventory Viewer. To view the ZENworks Inventory page in ConsoleOne, right-click a handheld device object, click Properties, then click the ZENworks Inventory tab. To open the ZENworks Handheld Management Inventory Viewer, right-click a handheld device object, click Actions, then click Inventory. For more information, see Viewing Hardware Inventory.

   Software: To collect software information for associated BlackBerry devices, select the Enable Collection of Software Inventory on the Handheld check box.

   Collected data about software is found in the ZENworks Handheld Management Inventory Viewer. To open the ZENworks Handheld Management Inventory Viewer, right-click a handheld device object, click Actions, then click Inventory. You can view software inventory information for a specific device or across all BlackBerry devices in your system. For more information, see Viewing Software Inventory.

6. Click OK to save the policy.

7. When you have finished configuring all of the policies for this package, continue with the steps under Associating the Handheld Package or the Handheld User Package to associate the policy package.

8. If desired, schedule the policy. For more information, see Scheduling Packages and Policies.

   NOTE:  You must schedule inventory for BlackBerry devices because they are always connected to the ZENworks Handheld Management Server. For Palm and Windows CE devices, you do not need to schedule inventory; software inventory is collected once a day.

   For BlackBerry devices, a policy schedule of Custom Event:EventHandheldSync gets translated on the device to Daily.

BlackBerry Security Policy

The BlackBerry Security policy lets you ensure that a password is set on associated BlackBerry devices. You can also use the BlackBerry Device Lockout feature to lock a device that you suspect has been lost or stolen. For more information, see BlackBerry Device Lockout.

To set up the BlackBerry Security policy:

1. In ConsoleOne, right-click the Handheld Package or Handheld User Package object, then click Properties.

   
   

2. On the Policies tab, click the down-arrow, then click BlackBerry.

3. Select the check box under the Enabled column for the BlackBerry Security policy.

   This both selects and enables the policy.

4. Click Properties to display the Security page.

   
   

5. Select the Require a Password To Be Set On the Handheld check box.

   If your organization has a rule stating that all handheld devices must have a password, you should enable this policy.

   When the BlackBerry Security policy is enforced, if the user does not have a password set, he or she is prompted to create one. If the user ignores the prompt, he or she is prompted every 15 minutes to create a password for the device.

6. Click OK to save the policy.

7. When you have finished configuring all of the policies for this package, continue with the steps under Associating the Handheld Package or the Handheld User Package to associate the policy package.

8. If desired, schedule the policy. For more information, see Scheduling Packages and Policies.

   NOTE:  For BlackBerry devices, a policy schedule of Custom Event:EventHandheldSync gets translated on the device to Daily.

Palm Client Configuration Policy

The Palm Client Configuration policy lets you override the user authentication settings of the ZENworks Handheld Management Service object for associated Palm OS devices.

You can set up user authentication on a global basis for all handheld devices in your ZENworks Handheld Management system during installation or you can edit the properties of the ZENworks Handheld Management Service object.

If you do not want to enable user authentication for all handheld devices in your system, you can choose to not enable global user authentication during installation or by editing the properties of the ZENworks Handheld Management Service object. You can then configure and enable the Palm Client Configuration policy by following the procedure in this section to target only specific handheld devices or groups of handheld devices.

For more information about setting up user authentication on a global basis during installation, see "Installing the ZENworks Handheld Management Server" in the Novell ZENworks 6.5 Handheld Management Installation Guide. For more information about editing the properties of the ZENworks Handheld Management Service object to enable global user authentication, see Configuring User Authentication.

If user authentication is enabled, the user is prompted for his or her credentials (username and password) the first time the device connects/synchronizes. ZENworks Handheld Management will then authenticate the user using LDAP to log in to the directory. After the user is authenticated, you can target policies and applications to the user of the handheld device.

The user must enter the credentials only once; ZENworks Handheld Management does not prompt the user for the credentials again. If a user that has been authenticated gives the device to another person, you should reconfigure the user on the device itself. For more information, see the documentation that came with your handheld device.

If the device uses the Palm IP client to connect, the user-authentication dialog box displays on the handheld device. If the device uses Palm HotSync, the user-authentication dialog box displays on the desktop computer during synchronization.

When the user is prompted for authentication, if he or she clicks Cancel, the handheld device can be managed by device policies, but user-based management does not function because the user is not authenticated. If the user mis-types the username or password, he or she is immediately prompted for the credentials again.

NOTE:  There are two places in ZENworks Handheld Management where users can be required to enter a password: to authenticate to the directory as part of the Palm Client Configuration policy and to power on a handheld device as part of the Palm Security policy. These two passwords are independent of each other. For more information about the password users must enter to power on a device, see Palm Security Policy.

To set up the Palm Client Configuration policy:

1. In ConsoleOne, right-click the Handheld Package object, then click Properties.

   
   

2. On the Policies tab, click the down-arrow, then click Palm.

3. Select the check box under the Enabled column for the Palm Client Configuration policy.

   This both selects and enables the policy.

4. Click Properties to display the User Authentication page.

   
   

5. Select the Override the Server Configuration check box to override the user authentication settings of the ZENworks Handheld Management Service object.

6. Select the Enable User Authentication on Handhelds check box.

7. Click OK to save the policy.

8. When you have finished configuring all of the policies for this package, continue with the steps under Associating the Handheld Package or the Handheld User Package to associate the policy package.

Palm Configuration Policy

The Palm Configuration policy lets you configure the following:

• General Preferences: Lets you set preferences for associated Palm OS devices, for example how long before an idle device turns itself off, whether or not a device stays on when cradled, and more.

• Buttons: Lets you associate different software programs with the buttons on associated Palm OS devices. Also lets you assign a feature users can access when they drag the pen from the writing area to the top of the screen on the Palm OS device. For example, you can select Turn Off & Lock to make it easier for users to turn off and lock their Palm OS devices.

• Programs: Lets you specify which software programs are allowed or not allowed on associated Palm OS devices. Programs that are not allowed can be automatically removed from the devices.

To set up the Palm Configuration policy:

1. In ConsoleOne, right-click the Handheld Package or Handheld User Package object, then click Properties.

   
   

2. On the Policies tab, click the down-arrow, then click Palm.

3. Select the check box under the Enabled column for the Palm Configuration policy.

   This both selects and enables the policy.

4. Click Properties.

5. On the General page, make the desired configuration changes.

   
   

   You can change the settings for the following preferences:

   • Auto-Off After
   • Stay On in Cradle
   • System Sound
   • Alarm Sound
   • Alarm Vibrate
   • Alarm LED
   • Game Sound
   • Beam Receive

   Each preference in the list contains a Don't Change setting. If you choose this setting, ZENworks Handheld Management does not change that preference on associated devices; the corresponding setting on each device determines its behavior. For example, if you choose the Don't Change setting for Auto-Off After, each associated device uses its own preference settings to determine how long an idle Palm OS device waits until it turns itself off. If you want to ensure consistency across all associated Palm OS devices, choose the appropriate setting.

6. On the Buttons: Configuration page, make the desired configuration changes.

   
   

   The Button Column lists the available buttons on the Palm OS device. To change a button's association, select a button from the Button list, click Edit, click Set to Application, browse to an application, then click OK.

   NOTE:  Depending on your particular Palm OS device, the available buttons in the Button list are named differently than those in the preceding illustration.

   The Pen Function drop-down list lets you assign a feature users can access when they drag the pen from the writing area to the top of the screen on the Palm OS device. For example, you can select Turn Off & Lock to make it easier for users to turn off and lock their Palm OS devices. To assign a feature, choose an option from the drop-down list.

   The following options are available:

   • Not Specified
   • Backlight
   • Keyboard
   • Graffiti Help
   • Turn Off & Lock
   • Beam Data

7. On the Programs page, make the desired configuration changes.

   
   

   The Application column lists the applications that you want to allow on the device or remove from the device. To add an application to the list, click Add, browse to the application, then click OK.

   Select a rule to apply to the application:

   • Allow the Application on the Handheld
   • Remove the Application from the Handheld

   Rather than selecting certain applications to be removed from the device, you might find it easier to specify a list of allowed applications and select the Remove All Other Applications from the Handheld check box. When the policy is enforced or when the user synchronizes the device, all applications not listed in the Applications list with the Allow rule set are removed from the device.

8. Click OK to save the policy.

9. When you have finished configuring all of the policies for this package, continue with the steps under Associating the Handheld Package or the Handheld User Package to associate the policy package.

10. If desired, schedule the policy. For more information, see Scheduling Packages and Policies.

Palm File Retrieval Policy

The Palm File Retrieval policy lets you specify source files you want to retrieve from a Palm OS device and copy to a specified destination location.

The File Retrieval policy is a plural policy, meaning it can be added many times to a policy package. You can set up as many File Retrieval policies as required to adequately retrieve important files from the handheld devices in your organization. When you name these plural policies, be sure to give them descriptive names.

The File Retrieval policy is also cumulative, meaning that many different Palm File Retrieval policies can be effective for a single handheld device object, handheld group object, or container object.

NOTE:  If you want to retrieve files from handheld devices and store them on a Novell NetWare^® volume, you must install the Novell Client^TM on the ZENworks Handheld Management Server.

To set up the Palm File Retrieval policy:

1. In ConsoleOne, right-click the Handheld Package object or the Handheld User Package object, then click Properties.

   
   

2. On the Policies tab, click the down-arrow, then click Palm.

3. Click Add.

   
   

4. Type a descriptive name in the Policy Name field, then click OK.

   The newly created File Retrieval policy displays in the Handheld Policies list.

   
   

5. Select the check box under the Enabled column for the newly created Palm File Retrieval policy.

   This both selects and enables the policy.

6. Click Properties to display the Files page.

   
   

7. In the Files field, specify the source files to be retrieved from the handheld device.

   NOTE:  You must specify the Palm database or resource filename in the Files field. A third-party file utility tool (such as FileZ, a shareware program) might be necessary to determine the actual filename.

   When you specify source files, be aware that filenames are case sensitive. You can use wildcard characters to specify source files.

   When the policy is enforced, all specified source files are retrieved from the device; the files are retrieved even if the same files were previously retrieved at another time.

8. Select the Files Are Required check box if you want ZENworks Handheld Management to report a failed status if the specified files do not exist on the handheld device or if the specified wildcard characters do not provide a match for files on the device.

   For more information about policy status, see Viewing Policy Status Information.

9. Select the Delete Files After Retrieval check box if you want the specified source files to be deleted from the handheld device after they have been retrieved from the handheld device.

   If you do not enable this option, the source files are copied to the specified location but will also remain on the handheld device.

10. In the Path field, browse to or specify the destination location where you want the specified files copied to.

    The renamed file can include variables. To include variables, click the Insert button, then click the desired variable.

    The following variables are available for use:

    Variable	Description
    device	The CN of the device. For example, in Dan m130.Handhelds.NovellWheaton, the string would be Dan m130.
    devicedn	The full DN of the device. For example, In Dan m130.Handhelds.NovellWheaton, the string would be Dan m130.Handhelds.NovellWheaton.
    user	The username of the device. This is the value stored in the UserName attribute for the object in the directory. When this value is not configured on the handheld device, it is set to <Undefined>.
    date	The date the file was retrieved from the handheld device. This value is the date only; the time that the file was retrieved is not included. For example, if the file was retrieved on September 15, 2002 at 3:15 p.m., the string would be 2002-09-15. The string is always in the format of yyyy-mm-dd.
    time	The time the file was retrieved from the handheld device. This value is for the time only; the date that the file was retrieved is not included. For example, if a file was retrieved on September 15, 2002 at 3:20 p.m., the string would be 15-20. The string is always in the format of hh-mm, with hh representing the hour in 24-hour format.
    guid	The GUID for the handheld device.
    server	The name of the server that received the data. This is the Windows NT* name of the server.

    To use a variable, place an @ sign on either side of the variable in the string. For example, you could use the following syntax:

    @user@_filename

11. Select Use the Original File Name(s) to use the original source filenames for the destination files.

    or

    Select Rename the Files To and specify new filenames for the destination files.

12. Click OK to save the policy.

13. When you have finished configuring all of the policies for this package, continue with the steps under Associating the Handheld Package or the Handheld User Package to associate the policy package.

14. If desired, schedule the policy. For more information, see Scheduling Packages and Policies.

Palm Security Policy

The Palm Security policy lets you configure the following:

• Password Requirements: Lets you ensure that a password is set on the associated Palm devices and also lets you configure enhanced security options, such as the number of days to allow before a password expires, the number of grace logons permitted before the user must change the password, the minimum number of characters to allow for the password, and whether the password must contain a mix of letters and numbers. For devices running Palm OS 4.x or newer, you can also configure auto-lock options.

  NOTE:  There are two places in ZENworks Handheld Management where users can be required to enter a password: to authenticate to the directory as part of the Palm Client Configuration policy and to power on a handheld device as part of the Palm Security policy. These two passwords are independent of each other. For more information about the password users must enter to authenticate to the directory, see Palm Client Configuration Policy.

• Self-Destruct Settings: Lets you specify self-destruct settings to disable a Palm device after a specified number of failed password attempts or after a specified number of days since the device was last connected or synchronized.

To set up the Palm Security policy:

1. In ConsoleOne, right-click the Handheld Package or Handheld User Package object, then click Properties.

   
   

2. On the Policies tab, click the down-arrow, then click Palm.

3. Select the check box under the Enabled column for the Palm Security policy.

   This both selects and enables the policy.

4. Click Properties to display the Security page.

   
   

5. Fill in the fields:

   Require a Password to Be Set on the Handheld: Lets you specify that a password must be set on the Palm OS device. If your organization has a rule that states that all handheld devices must have a password, you should enable this policy. If a user does not have a policy set, he or she is prompted to create one.

   For Palm OS devices, ZENworks Handheld Management replaces the Palm password applet if you select Require a Password to Be Set on the Handheld; users will see ZENworks Handheld Management password dialog boxes rather than the default Palm OS dialog boxes.

   Enable Enhanced Password Support: Select this option to specify enhanced password support.

   Minimum Password Length: Select this check box and specify the minimum number of characters to allow for the password on the device. You should choose a number great enough to ensure adequate security, but small enough not to excessively burden the user.

   Require Alphanumeric Mix: Select this check box to require that the user use both letters and numbers in the password. To improve the security of a password, it should contain both letters (uppercase and lowercase) and numbers.

   Password Expires In _ Days: Select this check box and specify the number of days that you want the password to expire in. When the specified number of days has expired, the user is prompted to change the password for the device.

   Limit Grace Logons to _ Attempts: Select this check box and specify the number of grace logon attempts you want to allow the user before he or she must change the password for the device. After the number of days in Password Expires in _ Days, the user is prompted to change the password. The user can choose to ignore this prompt and keep the same password for the number of logon attempts you specify.

   Require Unique Passwords: Select this check box to require that the user enter a new password; he or she cannot reuse the previous eight passwords.

   Enable Auto Lock Configuration (Palm OS 4.x and Above): Lets you specify that the Palm OS device is automatically locked when the specified event occurs. Using this policy improves the security of the data on your Palm OS devices. To use this setting, the handheld device must be running Palm OS 4.x or later.

   The available settings include:

   • Never
   • On Power Off
   • At Present Time
   • After a Preset Delay

6. Click the Self-Destruct tab.

   
   

   The Self-destruct page lets you configure self-destruct settings for Palm OS devices so that data is not accessible from handheld devices that are lost or stolen. When the self-destruct feature is activated, the data on the device is made unusable and the device must be manually reset, which restores the device to its out-of-the-box state.

   To use the self-destruct options for Palm OS devices, you must select the Require a Password to Be Set on the Handheld check box on the Security page.

   IMPORTANT:  Use caution when you use the self-destruct feature. Be sure to allow an adequate number of password attempts and an adequate number of days since the last connection or synchronization to prevent data loss to users who incorrectly enter the password or do not connect or synchronize the device during a short vacation.

   For Palm devices using HotSync, if the user synchronizes the device using the same desktop or laptop machine as usual, the data can be restored by HotSync.

7. Fill in the fields:

   Bad Password Attempts: Select the Enforce Self-destruct check box and specify the number of bad password attempts to allow before activating the self-destruct feature.

   Time Since Last Connection: Select the Enforce Self-Destruct check box and specify the number of days after the last connection before activating the self-destruct feature. The Time Since Last Connection option refers to the last time the handheld device connected to the Access Point.

   Each day is made up of 24 hours. If you connect (synchronize) the device on Monday at 2 p.m. and specify three days after the last connection before activating the self-destruct feature, the self-destruct feature activates Thursday at 2 p.m (72 hours after the last connection/synchronization) unless the device is connected/synchronized during that period.

8. Click OK to save the policy.

9. When you have finished configuring all of the policies for this package, continue with the steps under Associating the Handheld Package or the Handheld User Package to associate the policy package.

10. If desired, schedule the policy. For more information, see Scheduling Packages and Policies.

WinCE Client Configuration Policy

The WinCE Client Configuration policy lets you override the user authentication settings of the ZENworks Handheld Management Service object for associated WinCE devices.

You can set up user authentication on a global basis for all handheld devices in your ZENworks Handheld Management system during installation or you can edit the properties of the ZENworks Handheld Management Service object.

If you do not want to enable user authentication for all handheld devices in your system, you can choose to not enable global user authentication during installation or by editing the properties of the ZENworks Handheld Management Service object. You can then configure and enable the WinCE Client Configuration policy by following the procedure in this section to target only specific handheld devices or groups of handheld devices.

For more information about setting up user authentication on a global basis during installation, see "Installing the ZENworks Handheld Management Server" in the Novell ZENworks 6.5 Handheld Management Installation Guide. For more information about editing the properties of the ZENworks Handheld Management Service object to enable global user authentication, see Configuring User Authentication.

If user authentication is enabled, the user is prompted for his or her credentials (username and password). ZENworks Handheld Management then authenticates the user using LDAP to log in to the directory. After the user is authenticated, you can target policies and applications to the user of the handheld device.

If the device uses the Windows IP client to connect, the user-authentication dialog box displays on the handheld device.

When the user is prompted for authentication, if he or she clicks Cancel, the handheld device can be managed by device, but user-based management does not function because the user is not authenticated. If the user mis-types the username or password, he or she is immediately prompted for the credentials again.

NOTE:  There are two places in ZENworks Handheld Management where users can be required to enter a password: to authenticate to the directory as part of the WinCE Client Configuration policy and to power on a handheld device as part of the WinCE Security policy. These two passwords are independent of each other. For more information about the password users must enter to power on a device, see WinCE Security Policy.

To set up the WinCE Client Configuration policy:

1. In ConsoleOne, right-click the Handheld Package or Handheld User object, then click Properties.

   
   

2. On the Policies tab, click the down-arrow, then click WinCE.

3. Select the check box under the Enabled column for the WinCE Client Configuration policy.

   This both selects and enables the policy.

4. Click Properties to display the User Authentication page.

5. Select the Override the Server Configuration check box to override the user authentication settings of the ZENworks Handheld Management Service object.

6. Select the Enable User Authentication on Handhelds check box.

7. Click OK to save the policy.

8. When you have finished configuring all of the policies for this package, continue with the steps under Associating the Handheld Package or the Handheld User Package to associate the policy package.

WinCE Configuration Policy

The WinCE Configuration policy lets you configure the following:

• Buttons: Lets you associate different software programs with the buttons on the Windows CE device. Also lets you assign another function to a button. For example, you can assign the Start Menu to a button on the Windows CE device, making it easier for users to access the Start menu.

• Programs: Lets you specify which programs you want to include on the Start Menu (on a Pocket PC) or on the desktop (on a Handheld PC). Programs that are not allowed can be automatically removed from the Start menu/desktop of the device.

• Power: Lets you specify power settings for associated Windows CE devices. You can specify power settings that apply to Windows CE devices running on internal batteries or on external power.

To set up the WinCE Configuration policy:

1. In ConsoleOne, right-click the Handheld Package or Handheld User object, then click Properties.

   
   

2. On the Policies tab, click the down-arrow, then click WinCE.

3. Select the check box under the Enabled column for the WinCE Configuration policy.

   This both selects and enables the policy.

4. Click Properties.

   
   

5. On the Buttons: Configuration page, click Add to change a button's assignment.

   
   

   To view the button naming conventions for your particular handheld device: on the handheld device, click Start > Settings > Buttons. For example, on a Compaq* iPAQ Pocket PC, the buttons are named Button 1, Button 2, and so forth. On a HP* Jornada Pocket PC, the buttons are named Hot key 1, Hot key 2, and so forth.

6. Select a button or type the name of a button, click OK, then select an option:

   • Reset to Default: Resets the selected button's association to the factory default association.

   • Set to Application: Lets you specify the application to assign to the selected button. If you specify an application that is not in the Start menu path (or subpath), the button applet might not show the correct settings and you are prompted to restart the handheld device to see the changes.

   • Set to Other Function: Lets you specify a function from the drop-down list to assign a function to the selected button.

     The available options include:

     • <Input Panel>
     • <None>
     • <Scroll Down>
     • <Scroll Left>
     • <Scroll Right>
     • <Scroll Up>
     • <Start Menu>
     • <Today>

7. On the Programs: Start Menu/Desktop page, make the desired configuration changes.

   
   

   Click Add to specify a program to be added to the Short Cut list, fill in the Shortcut Name box (this is the name that displays in the Start menu or on the desktop), fill in the Target path (the full path to an application's executable file), then click OK.

   Rather than selecting certain programs to be removed from the device's Start menu/desktop, you might find it easier to specify a list of allowed applications and select the Move All Other Start Menu/Desktop Items to the Programs Folder check box. When the policy is enforced, all programs not listed in the Icon Name list are moved to the Programs folder.

   Click Hide All Items in the Programs Folder to hide the names and icons of all listed programs in the Programs folder. Using this option lets the user run applications only from the Start menu (on Pocket PC devices) or on the desktop (on handheld PC devices).

8. Click OK to save the policy.

9. On the Power page, make the desired configuration changes.

   
   

   NOTE:  The Power settings do not apply to HP Jornada devices running MicrosoftPocket PC 2002 software.

   If you select the Don't Change setting, ZENworks Handheld Management does not change that setting on associated devices; the corresponding setting on each device determines its behavior. For example, if you select the Don't Change setting, each associated device uses its own preference settings to determine how long an idle Windows CE device waits until it turns itself off. If you want to ensure consistency across all associated Windows CE devices, select the appropriate setting.

   If you select the Disable setting, ZENworks Handheld Management disables that setting on all associated Windows CE devices; idle Windows CE devices do not shut down.

10. When you have finished configuring all of the policies for this package, continue with the steps under Associating the Handheld Package or the Handheld User Package to associate the policy package.

11. If desired, schedule the policy. For more information, see Scheduling Packages and Policies.

WinCE File Retrieval Policy

The WinCE File Retrieval policy lets you specify source files you want to retrieve from a Windows CE device and copy to a specified destination location.

The WinCE File Retrieval policy is a plural policy, meaning it can be added many times to a policy package. You can set up as many File Retrieval policies as required to adequately retrieve important files from the handheld devices in your organization. When you name these plural policies, be sure to give them descriptive names.

The WinCE File Retrieval policy is also cumulative, meaning that many different WinCE File Retrieval policies can be effective for a single handheld device object, handheld group object, or container object.

NOTE:  If you want to retrieve files from handheld devices and store them on a NetWare volume, you must install the Novell Client on the ZENworks Handheld Management Server.

To set up the WinCE File Retrieval policy:

1. In ConsoleOne, right-click the Handheld Package or Handheld User Package, then click Properties.

   
   

2. On the Policies tab, click the down-arrow, then click WinCE.

3. Click Add.

   
   

4. Type a descriptive name in the Policy Name field, then click OK.

   The newly created File Retrieval policy displays in the Handheld Policies list.

   
   

5. Select the check box under the Enabled column for the newly created WinCE File Retrieval policy.

   This both selects and enables the policy.

6. Click Properties to display the Files page.

   
   

7. In the Path field in the Source Files box, specify the path to the source files.

8. In the Files field, browse to or specify the source files to be retrieved from the Windows CE device.

   You can use wildcard characters to specify source files.

   When the policy is enforced, all specified source files will be retrieved from the device; the files are retrieved even if the same files were previously retrieved at another time.

9. Select the Files Are Required check box if you want ZENworks Handheld Management to report a failed status if the specified files do not exist on the Windows CE device or if the specified wildcard characters do not provide a match for files on the device.

   NOTE:  For more information about policy status, see Viewing Policy Status Information.

10. Select the Delete Files After Retrieval check box if you want the specified source files to be deleted from the Windows CE device after they have been retrieved from the handheld device.

    If you do not enable this option, the source files are copied to the specified location but also remain on the Windows CE device.

11. In the Path field in the Destination Location box, browse to or specify the destination location where you want the specified files copied to.

    The renamed file can include variables. To include variables, click the Insert button, then click the desired variable.

    The following variables are available for use:

    Variable	Description
    device	The CN of the device. For example, in Dan m130.Handhelds.NovellWheaton, the string would be Dan m130.
    devicedn	The full DN of the device. For example, In Dan m130.Handhelds.NovellWheaton, the string would be Dan m130.Handhelds.NovellWheaton.
    user	The username of the device. This is the value stored in the zfhUserName attribute for the object in the directory. When this value is not configured on the handheld device, it is set to <Undefined>.
    date	The date the file was retrieved from the handheld device. This value is the date only; the time that the file was retrieved is not included. For example, if the file was retrieved on September 15, 2002 at 3:15 p.m., the string would be 2002-09-15. The string is always in the format of yyyy-mm-dd.
    time	The time the file was retrieved from the handheld device. This value is for the time only; the date that the file was retrieved is not included. For example, if a file was retrieved on September 15, 2002 at 3:20 p.m., the string would be 15-20. The string is always in the format of hh-mm, with hh representing the hour in 24-hour format.
    guid	The GUID for the handheld device.
    server	The name of the server that received the data. This is the Windows NT name of the server.

    To use a variable, place an @ sign on either side of the variable in the string. For example, you could use the following syntax:

    @user@_filename

12. Select Use the Original File Name(s) to use the original source filenames for the destination files.

    or

    Select Rename the Files To and specify new filenames for the destination files.

13. Click OK to save the policy.

14. When you have finished configuring all of the policies for this package, continue with the steps under Associating the Handheld Package or the Handheld User Package to associate the policy package.

15. If desired, schedule the policy. For more information, see Scheduling Packages and Policies.

WinCE Security Policy

The WinCE Security policy lets you configure the following:

• Password Requirements: Lets you ensure that a password is set on associated Windows CE devices and also lets you configure enhanced security options for Pocket PCs, such as the number of days to allow before a password expires, the number of grace logons permitted before the user must change the password, the minimum number of characters to allow for the password, and whether the password must contain a combination of letters and numbers.

  NOTE:  There are two places in ZENworks Handheld Management where users can be required to enter a password: to authenticate to the directory as part of the WinCE Client Configuration policy and to power on a handheld device as part of the WinCE Security policy. These two passwords are independent of each other. For more information about the password users must enter to authenticate to the directory, see WinCE Client Configuration Policy.

• Self-Destruct Settings: Lets you specify self-destruct settings to disable a Windows CE device after a specified number of failed password attempts or after a specified number of days since the device was last connected or synchronized.

IMPORTANT:  The WinCE Security policy does not function on Jornada Pocket PCs running Microsoft Windows for Pocket PC 2000 software. Jornada Pocket PCs must be running Microsoft Pocket PC 2002 software to use the WinCE Security policy.

To set up the WinCE Security policy:

1. In ConsoleOne, right-click the Handheld Package object, then click Properties.

   
   

2. On the Policies tab, click the down-arrow, then click WinCE.

3. Select the check box under the Enabled column for the WinCE Security policy.

   This both selects and enables the policy.

4. Click Properties to display the Security page.

   
   

5. Fill in the fields:

   Require a Password to Be Set on the Handheld: Lets you specify that a password must be set on the Windows CE device. If your organization has a rule that states that all handheld devices must have a password, you should enable this policy. If a user does not have a password set, he or she is prompted to create one.

   Pocket PC Options: Lets you specify enhanced security options for Pocket PCs. The options in this group box are disabled unless you check Require a Password to Be Set on the Handheld.

   • Enable Enhanced Password Support: Select this option to specify enhanced password support settings for Pocket PCs.

     For Pocket PCs, where enhanced security like biometric is not supported by the device, if you select Enable Enhanced Password Support, ZENworks Handheld Management displays it's own password dialog box instead of default Windows CE dialog box.

     IMPORTANT:  For Pocket PCs, where the device supports enhanced security, if you select Enable Enhanced Password Support, ZENworks Handheld Management displays a dialog box saying that a password must be set on the device. In that case, the default Windows CE dialog box will be shown.

     The Enable Enhanced Password Support option does not function on handheld PCs.

     If, in the future, you want to remove the ZENworks Handheld Management password applet and restore the original Windows CE password applet, you need to reconfigure the WinCE Security policy and disable the Enable Enhanced Password Support option and then resynchronize the device so that the policy is enforced. Uninstalling the ZENworks Handheld Management handheld client on the device or disassociating the device from the WinCE Security policy does not remove the ZENworks Handheld Management password applet replacement.

     NOTE:  You can replace the bitmap image that displays in the ZENworks Handheld Management password dialog boxes with a bimap image of your choosing. For more information, see Replacing the ZENworks Handheld Management Password Dialog Box Bitmap Image.

     • Minimum Password Length: Select this check box and specify the minimum number of characters to allow for the password on the device. You should choose a number great enough to ensure adequate security, but small enough not to excessively burden the user.

     • Require Alphanumeric Mix: Select this check box to require that the user use both letters and numbers in the password. To improve the security of a password, it should contain both letters (uppercase and lowercase) and numbers.

     • Password Expires in _ Days: Select this check box and specify the number of days that you want the password to expire in. When the specified number of days has expired, the user is prompted to change the password for the Pocket PC.

     • Limit Grace Logons to _ Attempts: Select this check box and specify the number of grace logon attempts you want to allow the user before he or she must change the password for the device. After the number of days in Password Expires in _ Days, the user is prompted to change the password. The user can choose to ignore this prompt and keep the same password for the number of logon attempts you specify.

     • Require Unique Passwords: Select this check box to require that the user enter a new password; he or she cannot reuse the previous eight passwords.

   Pocket PC 2002 Options: Lets you specify a time limit that the Pocket PC can be turned off for before a password prompt is displayed when the device is turned back on. For example, if you set this option to 5 minutes, if the user turns the device off and then back on within 5 minutes, no password is required to use the device. However, if more than 5 minutes passes, the user must enter a password to use the device.

   • Display Password Prompt for Unused Devices Within: Select this check box and choose a time limit from the drop-down list.

     The Windows CE device user can change the corresponding setting on the actual handheld device; however, the value you enter in the Display Password Prompt for Unused Devices Within field in ZENworks Handheld Management is the maximum amount of time the user can set; he or she cannot increase the time limit beyond this value.

6. Click the Self-Destruct tab.

   
   

   The Self-Destruct page lets you configure self-destruct settings for Windows CE devices so that data is not accessible from handheld devices that are lost or stolen. When the self-destruct feature is activated, the data on the device is made unusable and the device must be manually reset, which restores the device to its out-of-the-box state.

   To use the self-destruct options for Windows CE devices, you must select the Enable Enhanced Password Support check box on the Security page. You cannot use the self-destruct options on handheld PCs because the Enable Enhanced Password Support option does not function on them.

   IMPORTANT:  Use caution when you use the self-destruct feature. Be sure to allow an adequate number of password attempts and an adequate number of days since the last connection or synchronization to prevent data loss to users who incorrectly enter the password or do not connect or synchronize the device during a short vacation.

   For Windows CE devices, ActiveSync does not automatically back up data. If the user has manually backed up the data, he or she can then manually restore the data to the device.

7. Fill in the fields:

   Bad Password Attempts: Select the Enforce Self-Destruct check box and specify the number of bad password attempts to allow before activating the self-destruct feature.

   Time Since Last Connection: Select the Enforce Self-destruct check box and specify the number of days after the last connection before activating the self-destruct feature. The Time Since Last Connection option refers to the last time the handheld device connected to the Access Point.

   Each day is made up of 24 hours. If you connect (synchronize) the device on Monday at 2 p.m. and specify three days after the last connection before activating the self-destruct feature, the self-destruct feature activates Thursday at 2 p.m (72 hours after the last connection/synchronization) unless the device is connected/synchronized during that period.

8. Click OK to save the policy.

9. When you have finished configuring all of the policies for this package, continue with the steps under Associating the Handheld Package or the Handheld User Package to associate the policy package.

10. If desired, schedule the policy. For more information, see Scheduling Packages and Policies.

Associating the Handheld Package or the Handheld User Package

The policies you configured and enabled are not in effect until you associate their policy package with a handheld device object, a User object, a handheld group object, a user group, or a container object.

1. In ConsoleOne, right-click the Handheld Package or Handheld User Package object, then click Properties.

2. Click the Associations tab > Add.

3. Browse for the object for associating the package, then click OK.

   The Handhelds Package can be associated with a handheld device object, a handheld group object, or a container object containing these objects.

   The Handhelds User Package can be associated with a User object, a user group object, or a container object containing these objects.

Scheduling Packages and Policies

Some policies can be scheduled to run at a certain time. During creation, all policy packages are given a default run schedule (EventHandheldSync, by default). This means that all applicable policies in this package are enforced every time the handheld device synchronizes/connects to the Access Point. However, you can change the entire policy package schedule, or you can set a policy within the package to run at a different time from the rest of the package.

If you should enable a policy but fail to schedule it, it runs according to the schedule currently defined in the Default Package Schedule.

If you have configured and enabled policies, but they have not been enforced on individual handheld devices, consider the following:

1. When you configure and enable policies, ConsoleOne records the new information in the directory.
2. The ZENworks Handheld Management Server scans for new information hourly, by default. You must wait for up to one hour to ensure that the Handheld Management Server has received the policy changes, depending on when the last scan was performed. Or, you can force an immediate directory scan to ensure that the Handheld Management Server receives the new policy changes by right-clicking the ZENworks Handheld Management Service object, clicking Actions, then clicking Scan Now.
3. For Palm OS and Windows CE devices, the default Policy Package Schedule is EventHandheldSync (whenever the handheld device connects/synchronizes); for BlackBerry devices, the default Policy Package Schedule is once per day. If you have changed the default Policy Package Schedule, it might take longer to enforce the policy changes on the associated handheld devices. In addition, if the handheld devices were unable to connect to the ZENworks Handheld Management system (because of connectivity problems, for example), you might need to reconnect/resynchronize the devices.

The following sections contain additional information:

• Changing the Handheld Package or Handheld User Package Schedule
• Changing an Individual Policy's Schedule