Security requirements for a device might differ from location to location. For example, you might have different personal firewall restrictions for a device located in an airport terminal than for a device located in an office inside your corporate firewall.
To ensure that a device’s security requirements are appropriate for the location that it is in, ZENworks supports both global policies and location-based policies. A global policy is applied regardless of the device’s location. A location-based policy is applied only when the device’s current location meets the criteria for a location associated with the policy. For example, if you create a location-based policy for your corporate office and assign it to a laptop, the policy is applied only when the laptop’s location is the corporate office.
If you want to use location-based policies, you must first define the locations that suit your organization. A location is a place, or type of place, for which you have specific security requirements. For example, you might have different security requirements when a device is used in the office, at home, or in an airport.
Locations are defined by network environments. Assume that you have an office in New York and an office in Tokyo. Both offices have the same security requirements. Therefore, you create an Office location and associate it with two network environments: New York Office Network and Tokyo Office Network. Each of these environments is explicitly defined by a set of gateway, DNS server, and wireless access point services. Whenever the ZENworks Adaptive Agent determines that its current environment matches the New York Office Network or Tokyo Office Network, the agent sets its location to Office and applies the security policies associated with the Office location.
The following sections explain how to create locations:
Network environment definitions are the building blocks for locations. Network environments can be defined while creating a location. However, it is recommended that you define network environments first, and then add them while creating locations.
To create a network environment:
In ZENworks Control Center, click Configuration > Locations.
In the Network Environments panel, click New to launch the Create New Network Environment wizard.
On the Define Details page, specify a name for the network environment, then click Next.
On the Network Environment Details page, specify the following:
Limit to Adapter Type: By default, the network services you define on this page are evaluated against a device’s wired, wireless, and dial-up network adapters. If you want to limit the evaluation to a specific adapter type, select Wired, Wireless, or Dial Up.
Minimum Match: Specify the minimum number of defined network services that must match in order to select this network environment. A higher Minimum Match (or marking a distinctive service as Match Required) makes it less likely that an unrelated, or deliberately mimicked, network is identified as this environment, which matters when the environment maps to a location with a more permissive security policy.
For example, if you define one gateway address, three DNS servers, and one DHCP server, you have a total of five services. You can specify that at least three of those services must match in order to select this network environment.
When specifying a minimum match number, ensure the following:
The number cannot be less than the number of services marked as Match Required.
The number should not exceed the total number of defined services. If it does, the minimum match can never be reached and the network environment is never selected.
Network Services: Enables you to define the network services that the Adaptive Agent evaluates to see if its current network environment matches this network environment. Select the tab for the network service that you want to define. Click Add, then specify the required information.
Click Next to display the Summary page, then click Finish.
When you create a location, you provide a location name and then associate the required network environments with the location.
In ZENworks Control Center, click Configuration > Locations.
In the Locations panel, click New to launch the Create New Location wizard.
On the Define Details page, specify a name for the location, then click Next.
On the Assign Network Environments page:
Select Assign existing Network Environments to the Location.
Click Add, select the network environments for which you want to define the location, then click OK to add them to the list.
Click Next when you are finished adding network environments.
On the summary page, click Finish to create the location and add it to the Locations list.
When multiple locations include the network environment identified by the Adaptive Agent, the order of the list determines which location is used. By default, the location listed first is selected. To reorder the list, use the Move Up and Move Down options.
You can also use the network-environment-create and location-create commands in the zman utility to create a network environment and then a location that uses it. For more information, see Registration Commands in the ZENworks 11 SP4 Command Line Utilities Reference.
If you have multiple locations and network environments defined in ZENworks Control Center, the Adaptive Agent on the managed device evaluates all the defined network environments to identify those that match. From the matched environments, the Adaptive Agent selects the network environments that have the highest number of matched network services (such as Client IP Address and DNS Servers). The Adaptive Agent then scans the ordered list of locations, identifies the first location that contains any of the selected network environments, and selects that location together with the first of the selected network environments listed within it.
For example:
The locations defined in ZENworks Control Center are listed in the following order: L1 and L2.
The network environments within L1 are listed in the following order: NE1, NE2, and NE4.
The network environments within L2 are listed in the following order: NE2, NE3, and NE4.
The Adaptive Agent on the managed device detects that NE2, NE3 and NE4 all match on the managed device.
If NE2 and NE4 each have two network service matches, and NE3 has just one network service match, the Adaptive Agent selects NE2 and NE4 because they have the most network service matches. Because NE2 is the first of these listed in L1, L1 and NE2 are selected as the location and network environment.
NOTE: For a network environment to be considered matched on the managed device, it must meet all the restrictions set in the network environment. These include the Minimum Match attribute specified for the network environment, and also the Match Required attribute specified for the individual network services within the network environment.
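The selection rules above can be modelled as a short program. The following Python is an added illustration written for this page, not ZENworks code: it reproduces the L1/L2 and NE1 to NE4 scenario with constructed service definitions (addresses, an SSID, and the Minimum Match and Match Required values are all assumptions), and then shows how marking a missing service as Match Required changes the outcome. The representation of a service as a (kind, value) pair and of the device's observed environment as a set of such pairs is likewise an assumption made for the example.

```python
"""Model of ZENworks location selection (added example, not product code)."""
from __future__ import annotations

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Service:
    kind: str                     # "gateway", "dns", "dhcp", "wireless_ap", ...
    value: str                    # address, SSID, etc. (constructed values below)
    match_required: bool = False  # the Match Required attribute of the service


@dataclass
class NetworkEnvironment:
    name: str
    services: list[Service]
    minimum_match: int = 1        # the Minimum Match attribute of the environment

    def match_count(self, observed: set[tuple[str, str]]) -> int | None:
        """Number of matched services, or None if the environment does not qualify."""
        matched = [s for s in self.services if (s.kind, s.value) in observed]
        # One missing Match Required service disqualifies the whole environment.
        if any(s.match_required and s not in matched for s in self.services):
            return None
        # Minimum Match is a floor; if it exceeds len(self.services) the
        # environment can never be selected, as the text warns.
        if len(matched) < self.minimum_match:
            return None
        return len(matched)


@dataclass
class Location:
    name: str
    environments: list[str]       # environment names in ZCC list order


def select_location(locations, environments, observed):
    """Return (location name, environment name), or (None, None) if nothing matches."""
    counts = {e.name: e.match_count(observed) for e in environments}
    counts = {n: c for n, c in counts.items() if c is not None}
    if not counts:
        return (None, None)
    best = max(counts.values())
    winners = {n for n, c in counts.items() if c == best}
    # First location (in order) containing any winning environment wins, and the
    # first winning environment listed within it is the one selected.
    for loc in locations:
        for env_name in loc.environments:
            if env_name in winners:
                return (loc.name, env_name)
    return (None, None)


# Constructed sample data mirroring the page's example (NE2 and NE4 get two
# matches, NE3 one, NE1 none). Addresses and the SSID are invented.
ENVIRONMENTS = [
    NetworkEnvironment("NE1", [Service("gateway", "10.1.0.1"), Service("dns", "10.1.0.53")]),
    NetworkEnvironment("NE2", [Service("gateway", "10.2.0.1"), Service("dns", "10.2.0.53"),
                               Service("dhcp", "10.2.0.67")], minimum_match=2),
    NetworkEnvironment("NE3", [Service("gateway", "10.3.0.1"), Service("dns", "10.3.0.53")]),
    NetworkEnvironment("NE4", [Service("wireless_ap", "Corp-WiFi"),
                               Service("dns", "10.2.0.53")], minimum_match=2),
]
LOCATIONS = [Location("L1", ["NE1", "NE2", "NE4"]), Location("L2", ["NE2", "NE3", "NE4"])]
OBSERVED = {("gateway", "10.2.0.1"), ("dns", "10.2.0.53"),
            ("dns", "10.3.0.53"), ("wireless_ap", "Corp-WiFi")}


def with_dhcp_required(envs):
    """Copy of envs in which NE2's DHCP server is marked Match Required."""
    out = []
    for e in envs:
        if e.name == "NE2":
            svcs = [replace(s, match_required=True) if s.kind == "dhcp" else s
                    for s in e.services]
            out.append(NetworkEnvironment(e.name, svcs, e.minimum_match))
        else:
            out.append(e)
    return out


if __name__ == "__main__":
    print(select_location(LOCATIONS, ENVIRONMENTS, OBSERVED))                      # ('L1', 'NE2')
    print(select_location(LOCATIONS, with_dhcp_required(ENVIRONMENTS), OBSERVED))  # ('L1', 'NE4')
```

In the second call the device still sees NE2's gateway and DNS server, but because the DHCP server is now Match Required and is not observed, NE2 is disqualified entirely rather than merely scoring lower; NE4 becomes the only top-scoring environment and L1 is still chosen because it lists NE4. That is the lever to use when a location unlocks a more permissive policy: require the one service an outsider is least able to reproduce.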