ZENworks Endpoint Security Management - Scripting

December 2016

This document provides a test scenario that shows how to use scripting in ZENworks Endpoint Security Management to provide additional functionality for third-party products.

1.0 Enforcing the Running of a Required Application

As the ZENworks administrator, you want to ensure that a specific application is always running on your ZENworks managed devices. The following steps help you import a predefined Scripting policy that monitors whether an application is running and, if it is not, starts the application and informs the user that it is a required application.

  1. Import the Scripting policy:

    1. Copy the following files to a directory on the ZENworks Primary Server:

      When you click a filename, the file will either be opened, saved, or you will be prompted to open or save it. You need to save the file. If it opens, click File > Save.

      If you downloaded the Endpoint Security Resource Kit, you can copy the files from the PolicyExamples directory.

    2. On the Primary Server, open a command prompt, change to the directory where you copied the files, then run the following commands one at a time, entering your ZENworks administrator username and password when prompted:

      zman epi "Location Assignment" policykey.txt Location-Assignment.xml
      zman epi "Scripting - Enforce Application Running" policykey.txt Scripting-Enforce-App-Running.xml

      A message similar to the following is displayed when a policy is successfully imported:

      Successfully created the object "Location Assignment" in "/Policies".

  2. Validate the policy import:

    1. In ZENworks Control Center, click Policies to display the Policies list with the two imported policies.

    2. Click the Location Assignment policy, then click its Details tab.

      There are six locations included in the policy: the standard Unknown location and five locations that start with BB_ZESM_ZONE. The BB_ZESM_ZONE locations were imported with the policy and added as locations in your zone. If you go to the Locations page (Configuration > Locations), you will see them listed.

      For this test scenario, only the BB_ZESM_ZONE_Scripting Test Location is used. The other locations are used with the test scenarios for other policies (Wireless, USB, and VPN).

      The locations do not include any network environments, which means that the only way a device can switch to one of the locations is for the device’s user to manually change to the location. For this reason, each location is configured to appear in the Security Locations list (available when right-clicking the ZENworks icon on the device) and to allow the user to manually change to the location.

    3. Return to the Policies list.

  3. Click the Scripting - Enforce Application Running policy, then click its Details tab:

    The script is written in JScript and is configured to run in the System space, with the same rights as a Windows service. It monitors the calc.exe application. If calc.exe is not running, the script launches it and displays this message: The following application is required to run in this security location: calc.exe

    1. Next to Script Content, click Edit to display the Edit Script Content dialog box. Change the LocationName variable from Scripting Test Location to BB_ZESM_ZONE_Scripting Test Location, then click OK to save the change.

    2. If desired, change any of the trigger events.

      The script is configured to run when the ZENworks Agent enforces the policy (initial assignment, device startup, policy update), detects a network change, or detects a network connection or disconnection. It is also configured to run whenever the device’s location changes.

    3. Click Apply to save the policy changes.

    4. Click Publish to make the new policy the published version.

    5. Return to the Policies list.

  4. Assign the Location Assignment and Scripting policies to a device:

    1. In the Policies list, select the check boxes next to the following policies:

      • Location Assignment

      • Scripting - Enforce Application Running

    2. Click Action > Assign to Device, then follow the prompts to assign the policies to the appropriate device.

      When prompted for the policy conflict method, you can leave it set to User Precedence.

  5. Test the policy on the assigned device:

    1. On the device, make sure that calc.exe (Calculator) is not running.

    2. Right-click the ZENworks icon, then click Refresh to retrieve the new policies.

      When the device finishes refreshing and the policies are enforced, the script is run because of the Enforcement of this policy trigger. Because calc.exe is not running, a message will temporarily appear indicating that calc.exe is required to run in “this security location.” The Calculator will also open.

    3. Right-click the ZENworks icon, and select Security Locations > BB_ZESM_ZONE_Scripting Test Location.

      Changing to the BB_ZESM_ZONE_Scripting Test Location triggers the script again, displaying the message and launching calc.exe.

  6. If you want to use this script for other applications, you can simply create new policies by copying the sample policy. If you want to create a new policy from scratch:

    1. Retrieve the applicationWatcher.js script.

      When you click the filename, the file will either be opened, saved, or you will be prompted to open or save it. You need to save the file. If it opens, click File > Save.

      If you downloaded the Endpoint Security Resource Kit, you can copy the file from the ScriptExamples directory.

    2. In ZENworks Control Center, create a Scripting policy. When doing so:

      • Copy the applicationWatcher.js script into the Script Contents box.

      • Modify the LocationName variable to specify the security location in which you want the script to run. Any time the device enters this location, the script is run.

      • Modify the requiredApp variable to specify the application you want to require.

      • Modify the Agent Triggers and Location Triggers to specify any other events that you want to trigger the script.
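
The monitor-and-launch logic described in step 3, written as an added example; it is not applicationWatcher.js and does not use the ZENworks scripting API. It is plain JScript for Windows Script Host (WMI, WScript.Shell), leaves locations and triggers to the policy, and goes one step further than a name-only check by comparing the executable path. The requiredAppPath variable, the decide and listProcesses functions, and the "mismatch" verdict are assumptions of this example.

```javascript
// Added example: NOT applicationWatcher.js and not the ZENworks scripting API.
var requiredApp = "calc.exe"; // image name used on the page
// Assumption: expected install path. Launching by absolute path keeps a
// System-space script from resolving a bare name through the search path.
var requiredAppPath = "%SystemRoot%\\System32\\calc.exe";

// Pure decision over {name, path} process records.
// "ok": image runs from the expected path; "launch": image not running;
// "mismatch": image name matches but the path is different or unreadable.
function decide(processes, app, expectedPath) {
  var wantName = app.toLowerCase(), wantPath = expectedPath.toLowerCase();
  var sawName = false;
  for (var i = 0; i < processes.length; i++) {
    if (String(processes[i].name).toLowerCase() !== wantName) { continue; }
    sawName = true;
    if (String(processes[i].path || "").toLowerCase() === wantPath) { return "ok"; }
  }
  return sawName ? "mismatch" : "launch";
}

// Windows Script Host only: read image name and path for each process via WMI.
function listProcesses() {
  var out = [];
  var wmi = GetObject("winmgmts:\\\\.\\root\\cimv2");
  var e = new Enumerator(wmi.ExecQuery("SELECT Name, ExecutablePath FROM Win32_Process"));
  for (; !e.atEnd(); e.moveNext()) {
    out.push({ name: e.item().Name, path: e.item().ExecutablePath });
  }
  return out;
}

if (typeof WScript !== "undefined") { // skipped outside Windows Script Host
  var shell = new ActiveXObject("WScript.Shell");
  var fso = new ActiveXObject("Scripting.FileSystemObject");
  var path = shell.ExpandEnvironmentStrings(requiredAppPath);
  var verdict = decide(listProcesses(), requiredApp, path);
  if (verdict === "mismatch") {
    WScript.Echo(requiredApp + " is running from an unexpected path");
  }
  if (verdict !== "ok" && fso.FileExists(path)) {
    shell.Run('"' + path + '"', 1, false); // visible window, do not wait
    shell.Popup("The following application is required to run in this " +
                "security location: " + requiredApp, 10, "Required application", 64);
  }
}
```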

2.0 Legal Notice

For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.novell.com/company/legal/.

Copyright © 2016 Novell, Inc., a Micro Focus company. All Rights Reserved.