Security requirements for a device can differ from location to location. For example, you might have different personal firewall restrictions for a device located in an airport terminal than for a device located in an office inside your corporate firewall.
To make sure that a device’s security requirements are appropriate for whatever location it is in, ZENworks supports both global policies and location-based policies. A global policy is applied regardless of the device’s location. A location-based policy is applied only when the device’s current location meets the criteria for a location associated with the policy. For example, if you create a location-based policy for your corporate office and assign it to a laptop, that policy is applied only when the laptop’s location is the corporate office.
If you want to use location-based policies, you must first define the locations that make sense for your organization. A location is a place, or type of place, for which you have specific security requirements. For example, you might have different security requirements for when a device is used in the office, at home, or in an airport.
Locations are defined by network environments. Assume that you have an office in New York and an office in Tokyo. Both offices have the same security requirements. Therefore, you create an Office location and associate it with two network environments: New York Office Network and Tokyo Office Network. Each of these environments is explicitly defined by a set of gateway, DNS server, and wireless access point services. Whenever the ZENworks Adaptive Agent determines that its current environment matches the New York Office Network or Tokyo Office Network, it sets its location to Office and applies the security policies associated with the Office location.
The following sections explain how to create locations:
Network environment definitions are the building blocks for locations. You can define a network environment while you are creating a location, but we recommend that you define network environments first and then add them as you are creating locations.
To create a location:
In ZENworks Control Center, click > .
In the Network Environments panel, click to launch the Create New Network Environment Wizard.
On the Define Details page, specify a name for the network environment, then click .
As you complete the wizard, if you need more information about any fields or options, click the button located in the upper-right corner of ZENworks Control Center.
On the Network Environment Details page, fill in the following fields:
Limit to Adapter Type: By default, the network services you define on this page are evaluated against a device’s wired, wireless, and dial-up network adapters. If you want to limit the evaluation to a specific adapter type, select , , or .
Minimum Match: Specify the minimum number of defined network services that must be matched in order to select this network environment.
For example, if you define one gateway address, three DNS servers, and one DHCP server, you have a total of five services. You can specify that at least three of those services must match in order to select this network environment.
When specifying a minimum match number, keep the following in mind:
The number cannot be less than the number of services marked as Match Required.
The number should not exceed the total number of defined services. If so, the minimum match would never be reached, resulting in the network environment never being selected.
Network Services: The Network Services panel lets you define the network services that the Adaptive Agent evaluates to see if its current network environment matches this network environment. Select the tab for the network service you want to define, click , then fill in the required information.
Click to display the Summary page, then click to add the network environment definition to the list.
When you create a location, you provide a location name and then associate the desired network environments with the location.
In ZENworks Control Center, click > .
In the Locations panel, click to launch the Create New Location Wizard.
On the Define Details page, specify a name for the location, then click .
As you complete the wizard, if you need more information about any fields or options, click the button located in the upper-right corner of ZENworks Control Center.
On the Assign Network Environments page:
Select .
Click , select the network environments you want to define the location, then click to add them to the list.
Click when you are finished adding network environments.
On the summary page, click to create the location and add it to the Locations list.
If you have multiple locations and network environments defined in ZENworks Control Center, you can use the and options to reorder the list.
You can also use the network-environment-create and location-create commands in the zman utility to create a network environment and the related location using the created network environment. For more information, see Registration Commands in the ZENworks 11 Command Line Utilities Reference.
If you have multiple locations and network environments defined in ZENworks Control Center, the Adaptive Agent on the managed device scans all the defined network environments to identify matched environments. From the identified environments, the Adaptive Agent selects the network environments that have the highest number of matched network services (such as Client IP Address and DNS Servers). The Adaptive Agent then scans the ordered list of locations, identifies the first location that contains any of the selected network environments, and selects the location and the first matched network environment contained within this location.
For example:
The locations defined in ZENworks Control Center are listed in the following order: L1 and L2.
The network environments within L1 are listed in the following order: NE1, NE2, and NE4.
The network environments within L2 are listed in the following order: NE2, NE3, and NE4.
The Adaptive Agent on the managed device detects that NE2, NE3 and NE4 all match on the managed device.
If NE2 and NE4 each have two network service matches, and NE3 has just one network service match, the Adaptive Agent selects NE2 and NE4 because they have the most network service matches. Because NE2 is the first listed network environment in L1, L1 and NE2 are selected as the location and network environment.
NOTE: For a network environment to be considered matched on the managed device, it must meet all the restrictions set in the network environment. These include the attribute specified for the network environment and also the attribute specified for the network services within the network environment.
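The Minimum Match rules and the location selection order described above can be modelled in a few lines, which is useful for checking how a planned ordering of locations resolves before assigning policies to it. This is an added example, not ZENworks code: the class, function and field names are hypothetical, the sample data is constructed, and adapter-type restrictions are not modelled.

```python
from dataclasses import dataclass

@dataclass
class NetworkEnvironment:
    name: str
    services: list        # (kind, value, match_required) tuples
    minimum_match: int

    def config_problems(self):
        """Flag the two Minimum Match mistakes described above."""
        required = sum(1 for _, _, req in self.services if req)
        problems = []
        if self.minimum_match < required:
            problems.append("below Match Required count")
        if self.minimum_match > len(self.services):
            problems.append("exceeds defined services; can never be selected")
        return problems

    def match_count(self, observed):
        """Number of matched services, or 0 when the environment is not matched."""
        hits = 0
        for kind, value, required in self.services:
            if (kind, value) in observed:
                hits += 1
            elif required:
                return 0
        return hits if hits >= self.minimum_match else 0

def select_location(locations, observed):
    """locations: ordered list of (location_name, [NetworkEnvironment, ...])."""
    scores = {e.name: e.match_count(observed) for _, envs in locations for e in envs}
    best = max(scores.values(), default=0)
    if best == 0:
        return None  # nothing matched; what the agent does then is not modelled
    for loc_name, envs in locations:
        for env in envs:
            if scores[env.name] == best:
                return loc_name, env.name

def page_example():
    """Constructed data reproducing the L1/L2 example: NE2, NE4 match 2 services, NE3 one."""
    def ne(name, n):  # environment with n DNS services, numbered per environment
        return NetworkEnvironment(name, [("dns", f"{name}-dns{i}", False) for i in range(n)], 1)
    ne1, ne2, ne3, ne4 = ne("NE1", 2), ne("NE2", 2), ne("NE3", 1), ne("NE4", 2)
    observed = {(k, v) for e in (ne2, ne3, ne4) for k, v, _ in e.services}
    locations = [("L1", [ne1, ne2, ne4]), ("L2", [ne2, ne3, ne4])]
    return select_location(locations, observed)
```

Because the first location in the ordered list wins among equally scored environments, placing a less restrictive location above a more restrictive one that shares a network environment means the less restrictive policies are the ones applied.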