Novell Doc: ZENworks Endpoint Security Management Administration Guide - Using the Override-Password Key Generator

9.2 Using the Override-Password Key Generator

Productivity interruptions that a user may experience due to restrictions to connectivity, disabled software execution, or access to removable storage devices are likely caused by the security policy the Endpoint Security Client is enforcing. Changing locations or firewall settings most often lifts these restrictions and restores the interrupted functionality. However, in some cases the restriction could be implemented in such a way that they are restricted in all locations and firewall settings, or the user is unable to make a location or firewall setting change.

When this occurs, the restrictions in the current policy can be lifted via a password override to allow productivity until the policy can be modified. This feature allows an administrator to set up password protected override for specified users and functionality, which temporarily permits the necessary activities.

Password overrides disable the current security policy (restoring the default, All Open policy) for a pre-defined period of time, after the time-limit expires, the current or updated policy is restored. The password for a policy is set in the security policy's Global Rules settings.

Password override does the following:

Overrides application blocking
Allows users to change locations
Allows users to change firewall settings
Overrides hardware control (thumb drivers, CDROM, etc.)

The password entered into the policy should never be issued to an end user. It is recommended that the Override-Password Key Generator be used to generate a short-term-use key.

Figure 9-1 Override Password Key Generator

To generate an override key:

Click Start > All Programs > Novell > ESM Management > Override-Password Generator.
Specify the global policy password in the Administrator Password box, and confirm it in the next box.
Specify the local user logged in on the target machine.

The username is case sensitive.
Specify the amount of time the policy should be disabled.
Click the Generate Key button to generate an override key.

This key can be either read to the end user during a help-desk call, or it can be copied and pasted into an e-mail message. To use the key, the user must open the About dialog box in the ZENworks Security Client, click the Password Override button, then enter the key. This key is valid for that user's policy only and only for the specified amount of time. Once the key has been used, it cannot be used again.

NOTE:If the user logs off or reboots the computer during password override, the password expires, and a new password must be issued.

If a new policy has been written prior to the time limit expiring, the end user should be instructed to check for a policy update, rather than clicking the Load Policy button in the ZENworks Security Client About dialog box.