The following sections provide details about the configuration settings available for the ZENworks Adaptive Agent. Each section assumes that you have accessed the settings at the level (zone, device folder, or device) where you want the settings applied.
You can configure whether or not to allow users to uninstall the ZENworks Adaptive Agent. In addition, you can require a password for the uninstall, define an override password to provide access to restricted administrative features in the agent, and enable self-defense to protect agent files from being removed.
If you are configuring the ZENworks Agent settings on a device folder or a device, click Override settings to activate the settings.
The following setting applies to all ZENworks 11 versions of the Adaptive Agent (version 11, version 11 SP1, version 11 SP2, a nd version 11 SP3):
Allow Users to Uninstall the ZENworks Adaptive Agent: Enable this option to allow users to perform a local uninstall of the ZENworks Adaptive Agent. If this option is disabled, the agent can only be uninstalled through the ZENworks Control Center.
The following settings apply only to the ZENworks 11 SP2 and newer versions of the Adaptive Agent. For older versions of the agent, use the Security Settings policy (one of the Windows Endpoint Security policies) to configure these settings.
Require an Uninstall Password for the ZENworks Adaptive Agent: Enable this option to require users to enter a password in order to uninstall the ZENworks Adaptive Agent. Click Change to set the password.
To avoid distributing the uninstall password to users, we recommend that you use the Password Key Generator utility to generate a key for the uninstall password. The key, which is based on the uninstall password, functions the same as the uninstall password but can be tied to a single device or user so that its use is limited.
You access the Password Key Generator utility in the Configuration Tasks list in the left navigation pane.
Enable an Override Password for the ZENworks Adaptive Agent: An override password can be used in the ZENworks Adaptive Agent to:
Access information about the device’s current location and how the location was assigned.
Access the Administrative options in the Endpoint Security Agent. These options let you disable the currently applied security policies (with the exception of the Data Encryption policy), view detailed policy information, and view agent status information.
Access the Administrative options in the Full Disk Encryption Agent. These options let you view detailed policy information, view agent status information, and perform functions such as
Uninstall the ZENworks Adaptive Agent.
To enable an override password, select the check box, then click Change to set the password.
To avoid distributing the override password to users, we recommend that you use the Password Key Generator utility to generate a key for the override password. The key, which is based on the override password, functions the same as the override password but can be tied to a single device or user and can have a usage or time limit.
You access the Password Key Generator utility in the Configuration Tasks list in the left navigation pane.
Enable Self Defense for the ZENworks Adaptive Agent Currently, self-defense functionality protects only the ZENworks Endpoint Security Agent. It does not protect the other ZENworks Adaptive Agent modules.
Self defense protects the Endpoint Security Agent from being shut down, disabled, or tampered with in any way. If a user performs any of the following activities, the device is automatically rebooted to restore the correct system configuration:
Using Windows Task Manager to terminate any Endpoint Security Agent processes.
Stopping or pausing any Endpoint Security Agent services.
Removing critical files and registry entries. If a change is made to any registry keys or values associated with the Endpoint Security Agent, the registry keys or values are immediately reset.
Disabling NDIS filter driver binding to adapters.
Select the check box to enable self defense.
The Agent Location Awareness panel lets you choose the mode that the ZENworks Adaptive Agent uses to determine the location (Configuration > Locations tab) applied to a device.
There are two Location Awareness modes:
Location Awareness Lite: The agent uses network information provided by the operating system. This mode has limitations that the full Location Awareness mode does not. See Location Awareness Lite Limitations for details.
If you use Location Awareness Lite mode and a device also has ZENworks Endpoint Security Management installed and enabled, the device uses Location Awareness mode instead. This occurs because ZENworks Endpoint Security Management and Location Awareness mode use the same ZENworks drivers. The agent detects that the drivers are installed and automatically switches to full Location Awareness mode, regardless of the mode setting.
Location Awareness: The agent installs ZENworks drivers to collect network information. The drivers provide more detailed information than the operating system, which enables the agent to make a more accurate determination of the location.
Select the mode you want applied to devices. Refer to Location Awareness Mode Transitions for information about how changing modes affects device reboots.
Because Location Awareness Lite does not use the ZENworks drivers and depends solely on the operating system for network information, this mode has limitations that the Location Awareness mode does not. Some limitations appear on all operating systems and some on specific operating systems only.
Location change latency: In Location Awareness mode, location changes are event driven. As soon as a ZENworks driver detects a network change, the change is sent to the agent so that the location assignment can be changed immediately (if necessary). In Location Awareness Lite mode, however, location changes are based on polling. The agent periodically polls the operating system for network information and determines if a location change is required. The result is that location changes are typically slower in Location Awareness Lite mode than in Location Awareness mode.
Inaccurate network adapter classification: As network adapters enumerate to the operating system, they can mask their device type. For example, an 802.11 wireless adapter might indicate that it is an Ethernet device. Modems and cellular devices can also do this. Because of this, any location awareness that is based on network adapter classification can be inaccurate. This is not the case in Location Awareness mode, because the drivers validate the adapter type.
Wireless SSID and MAC address information unavailable: In Location Awareness Lite mode, both wireless (802.11) SSID and MAC address information is not available. This means that network environment definitions based solely on this information cannot be matched.
WLAN service required: The wireless (802.11) controls require that the WLAN service is installed and running on a device. If the service is disabled, wireless SSID and MAC address information is not available (similar to the Windows XP/2003 issue described above). Any network environment definitions based solely on this information are never matched.
WLAN service required: The wireless (802.11) controls require that the WLAN service is installed and running on a device. The WLAN service on these servers must be manually installed via the Features option in the Windows Server Manager. Without this service installed and enabled, any network environment definitions based solely on this information are never matched.
When a device transitions from one Location Awareness mode to another, the ZENworks drivers are either installed or removed. Because these are kernel drivers, the device must be rebooted for the change to take effect.
The timing of the reboot is determined by the Reboot Behavior setting in the Agent Features panel.
The ZENworks Adaptive Agent uses modules to perform the following functions on managed devices:
Asset Management
Bundle Management
Endpoint Security Management
Full Disk Encryption
Image Management
Patch Management
Policy Management
Remote Management
User Management
If you are viewing the properties of a Windows 2000 device, the User Management options are disabled because user management cannot be disabled or uninstalled from Windows 2000 devices. If you are viewing the properties of the Management Zone or a folder, user management settings are ignored for Windows 2000 devices.
By default, all modules are installed on a device. However, you can uninstall any of the modules. You can also disable (or enable) any of the installed modules.
To modify a module’s state:
(Conditional) If you are configuring the ZENworks Agent settings on a device folder or a device, click Override settings.
To install a module, select the Installed check box.
or
To uninstall a module, deselect the Installed check box.
By default, the Installed check boxes for all modules are selected, meaning that all modules are installed on devices when they register to your ZENworks Management Zone. If you deselect a module’s Installed check box, that module is uninstalled from the device the next time it refreshes.
To enable an installed module, click the Enabled button.
or
To disable an installed module, click the Disabled button.
By default, the Enabled option for all installed modules is selected, meaning that all modules are enabled on devices. Disabling a module does not cause that module to be uninstalled from currently managed devices. The module remains installed on the device, but it is disabled.
Specify the reboot behavior if a reboot is required.
This option applies only when installing or uninstalling a module. In some cases, Windows Installer might require a reboot of the device when installing or uninstalling the module. If a reboot is required during install, the module does not function until the reboot occurs. If a reboot is required during uninstall, the module’s files are not completely removed until a reboot occurs, but the module stops functioning.
Prompt user to reboot (Default): The user is prompted to reboot the device. The user can reboot immediately or wait until later.
Do not reboot device: No reboot occurs. The user must initiate a reboot.
Force device to reboot: The device is automatically rebooted. The user is notified that the device will reboot in 5 minutes.
Click Apply to save the changes.
(Conditional) If you install the Remote Management or Image Management module on a device, reboot the device for the install to be effective.
To understand the effects of enabling, disabling, or uninstalling the modules, see the following tables:
Table 4-1 Bundle Management
Installed and Enabled |
Installed and Disabled |
Uninstalled |
Additional Details |
---|---|---|---|
|
|
|
|
Table 4-2 Endpoint Security Management
Installed and Enabled |
Installed and Disabled |
Uninstalled |
Additional Details |
---|---|---|---|
|
|
|
|
Table 4-3 Full Disk Encryption
Installed and Enabled |
Installed and Disabled |
Uninstalled |
Additional Details |
---|---|---|---|
|
|
|
|
Table 4-4 Image Management
Installed and Enabled |
Installed and Disabled |
Uninstalled |
Additional Details |
---|---|---|---|
|
|
|
When the ZENworks 11 Configuration Management license expires:
|
Table 4-5 Patch Management
Installed and Enabled |
Installed and Disabled |
Uninstalled |
Additional Details |
---|---|---|---|
|
|
|
|
Table 4-6 Policy Management
Installed and Enabled |
Installed and Disabled |
Uninstalled |
Additional Details |
---|---|---|---|
|
|
|
|
Table 4-7 Remote Management
Installed and Enabled |
Installed and Disabled |
Uninstalled |
Additional Details |
---|---|---|---|
|
|
|
If the ZENworks license expires, the Remote Management service continues to run and the device can be remotely managed. |
You can configure the ZENworks Adaptive Agent’s cache and agent retry settings.
If you are configuring the ZENworks Agent settings on a device folder or a device, click Override settings.
The following settings can be configured:
Cache Life: The ZENworks Adaptive Agent’s cache directory contains content data used by the agent. Each piece of data, referred to as a cache entry, is stored in the cache database.
When a cache entry is added to the cache database, it is assigned a creation time and an expiration time. The creation time is simply the time it was added to the database. The expiration time is the creation time plus the number of hours specified by the Cache Life setting (by default, 336 hours or 14 days). For example, suppose that a cache entry is added on June 10 at 3:00 p.m. With the default Cache Life setting, the expiration time is set to June 24 at 3:00 p.m.
The agent does not attempt to update a cache entry until after the entry’s expiration time. At that point, the agent updates the cache entry the next time it contacts the ZENworks Server to refresh its information.
NOTE:Updates to expired cache entries occur only for cache entries that are content-related (bundles, policies, configuration settings, registration settings, and so forth). Updates to cache entries that are event-related (remote management, inventory, reporting, and so forth) only occur at the time the event takes place on the device.
A higher Cache Life setting reduces the traffic load on your network because cache entries are refreshed less frequently. A lower setting provides newer information but increases the traffic load.
This setting affects only how often the agent requests updates to a cache entry. Cache entries can also be updated before their expiration time if information is changed in ZENworks Control Center that causes the information to be pushed from the ZENworks Server to the agent.
Cache Orphaning Threshold: Over a period of time, it is possible for entries to be inserted in the cache database but not removed. This can cause the cache to grow unnecessarily.
An orphan is an entry that is inserted into the cache but not accessed within the number of days specified by the Cache Orphaning Threshold setting. For example, suppose that a cache entry is accessed on July 1 at 10:00 a.m. Without the default Cache Orphaning Threshold setting (30 days), the entry becomes an orphan if it is not accessed again before July 31 at 10:00 a.m.
A higher Cache Orphaning Threshold setting ensures that infrequently accessed information is not removed from the cache database. A lower setting can reduce the cache size.
Times to Retry Requests to a Busy Server: Lets you specify the number of times that the agent retries a request to a busy server before considering the server as bad instead of busy.
The default value is 15. The maximum value that you can specify is 20.
Initial Retry Request Wait: The Initial Retry Request Wait setting lets you specify the initial amount of time that the agent waits before retrying a Web service request after receiving a busy response from the server. The wait time increases by one second with every busy response. The default setting is four seconds. The maximum value that you can set is ten seconds. Each subsequent request is incremented by one second.
For example, suppose that you leave this setting at the default (four seconds). After receiving a busy response from the server, the agent waits four seconds for the first retry attempt. If the server is still busy, the agent waits five additional seconds (4 + 1) before making the second retry attempt. The third retry attempt is 15 seconds after the initial retry attempt (4 + 5 + 6). The time increments until the value specified in the Maximum Retry Request Wait setting is reached. The retry attempts stop when the value specified in the Times to Retry Requests to a Busy Server setting is reached.
Maximum Retry Request Wait: Lets you specify the maximum amount of time to wait before retrying a Web service request after receiving a busy response from the server.
The default setting is 16 seconds. The maximum value that you can specify is 20 seconds.
To provide optimal performance the default status upload frequency of the ZENworks Adaptive Agent is 30 minutes. You can choose to override the default status upload frequency by configuring the following preferences on a Windows or Linux managed device:
On a Windows managed device, create the StatusSenderConfig.xml file in <CONF_DIR>.
Open <CONF_DIR>/StatusSenderConfig.xml in a text editor.
Provide the following values:
<configuration> <StatusSender> <Parameter Name="SleepTime" Value="milliseconds"/> </StatusSender> </configuration>
On a Linux managed device, create the StatusSenderConfig.conf file in /etc/opt/novell/zenworks/StatusSenderConfig.conf
Add the following parameter: SleepTime=<nnn>
Where nn is the interval frequency (in minutes) which Status Sender will rollup the status messages.