You can assign security policies to the Management Zone. When determining the effective policies to be enforced on a device, the Zone policies are evaluated after all other assigned policies. For more information about how an effective policy is determined, see How the Effective Policy is Determined.
Consider the following situations:
No Firewall policies are assigned to a device or the device’s user (either directly or through a group or folder). The Zone Firewall policy becomes the effective policy for the device and is enforced on the device.
Firewall policies are assigned to a device and the device’s user. Both policies are evaluated and manipulated to determine the effective Firewall policy to apply to the device. After the effective policy is determined from the user-assigned and device-assigned policies, the Zone Firewall policy is used to supply any values that 1) are unset in the effective Firewall policy and 2) are additive (such as the multi-valued Port/Protocol Rules tables).
You can assign Zone policies at three levels. This enables you to assign different Zone policies to different devices within your Management Zone.
Management Zone: The policies you assign at the Management Zone become the Zone policies for all devices, unless you assign different Zone policies at the device folder or device level.
Device Folder: The policies you assign at a device folder override the Management Zone (and any parent device folders) and become the Zone policies for all devices contained within the folder structure, unless you assign different Zone policies for a subfolder or an individual device.
Security policies apply to workstation devices only. If you assign a security policy to a Server device folder, the policy is not applied to any servers located in the folder.
Device: The policies you assign for an individual device override the Management Zone and device folder and become the Zone policies for the device.
Security policies apply to workstation devices only. If you assign a security policy to a server device, it is not applied.
NOTE:System requirements that are defined in a security policy are ignored when the policy is assigned as a Zone policy.
In ZENworks Control Center:
To assign a Zone policy to the Management Zone, click the Configuration tab, click Endpoint Security Management (in the Management Zone Settings panel), then click Zone Policy Settings.
or
To assign a Zone policy to a device folder, click the Devices tab, locate the folder in the Devices list, then click Details > Settings > Endpoint Security Management > Zone Policy Settings.
or
To assign a Zone policy to a device, click the Devices tab, click the device in the Devices list, then click Settings > Endpoint Security Management > Zone Policy Settings.
If you are assigning a Zone policy to a device folder or device, click Override settings to activate the panel.
In the list, click Add, browse for and select the policy you want to add as a default policy, then click OK to add it to the list.
After you finish adding default policies, click Apply to save the settings.
By default, Management Zone settings are cached on the ZENworks Server and the cache is updated every 10 minutes. Because of this, if a change is made to a zone setting, devices don’t receive the changes until the next cache update, which might be as long as 10 minutes.
For ZENworks Endpoint Security Management, the following are stored as zone settings:
Zone security policies
Location and network environment settings
Effective policy report settings
Data encryption keys
If you change any of these settings and you want to apply them immediately to a device, you must use the zac command line utility on the device to bypass the ZENworks Server cache and retrieve the new settings. To do so, run the following command on the device:
zac ref general bypasscache