4.4 ZENworks Agent Settings

The following sections provide details about the configuration settings available for the ZENworks Adaptive Agent. Each section assumes that you have accessed the settings at the level (zone, device folder, or device) where you want the settings applied.

4.4.1 Agent Security

You can configure whether or not to allow users to uninstall the ZENworks Adaptive Agent. In addition, you can require a password for the uninstall, define an override password to provide access to restricted administrative features in the agent, and enable self-defense to protect agent files from being removed.

If you are configuring the ZENworks Agent settings on a device folder or a device, click Override settings to activate the settings.

The following setting applies to all ZENworks 11 versions of the Adaptive Agent (version 11, version 11 SP1, version 11 SP2, and version 11 SP3):

  • Allow Users to Uninstall the ZENworks Adaptive Agent: Enable this option to allow users to perform a local uninstall of the ZENworks Adaptive Agent. If this option is disabled, the agent can only be uninstalled through the ZENworks Control Center.

The following settings apply only to the ZENworks 11 SP2 and newer versions of the Adaptive Agent. For older versions of the agent, use the Security Settings policy (one of the Windows Endpoint Security policies) to configure these settings.

  • Require an Uninstall Password for the ZENworks Adaptive Agent: Enable this option to require users to enter a password in order to uninstall the ZENworks Adaptive Agent. Click Change to set the password.

    To avoid distributing the uninstall password to users, we recommend that you use the Password Key Generator utility to generate a key for the uninstall password. The key, which is based on the uninstall password, functions the same as the uninstall password but can be tied to a single device or user so that its use is limited.

    You access the Password Key Generator utility in the Configuration Tasks list in the left navigation pane.

  • Enable an Override Password for the ZENworks Adaptive Agent: An override password can be used in the ZENworks Adaptive Agent to:

    • Access information about the device’s current location and how the location was assigned.

    • Access the Administrative options in the Endpoint Security Agent. These options let you disable the currently applied security policies (with the exception of the Data Encryption policy), view detailed policy information, and view agent status information.

    • Access the Administrative options in the Full Disk Encryption Agent. These options let you view detailed policy information, view agent status information, and perform functions such as

    • Uninstall the ZENworks Adaptive Agent.

    To enable an override password, select the check box, then click Change to set the password.

    To avoid distributing the override password to users, we recommend that you use the Password Key Generator utility to generate a key for the override password. The key, which is based on the override password, functions the same as the override password but can be tied to a single device or user and can have a usage or time limit.

    You access the Password Key Generator utility in the Configuration Tasks list in the left navigation pane.

  • Enable Self Defense for the ZENworks Adaptive Agent: Currently, self-defense functionality protects only the ZENworks Endpoint Security Agent. It does not protect the other ZENworks Adaptive Agent modules.

    Self defense protects the Endpoint Security Agent from being shut down, disabled, or tampered with in any way. If a user performs any of the following activities, the device is automatically rebooted to restore the correct system configuration:

    • Using Windows Task Manager to terminate any Endpoint Security Agent processes.

    • Stopping or pausing any Endpoint Security Agent services.

    • Removing critical files and registry entries. If a change is made to any registry keys or values associated with the Endpoint Security Agent, the registry keys or values are immediately reset.

    • Disabling NDIS filter driver binding to adapters.

    Select the check box to enable self defense.

4.4.2 Agent Location Awareness

The Agent Location Awareness panel lets you choose the mode that the ZENworks Adaptive Agent uses to determine the location (Configuration > Locations tab) applied to a device.

There are two Location Awareness modes:

  • Location Awareness Lite: The agent uses network information provided by the operating system. This mode has limitations that the full Location Awareness mode does not. See Location Awareness Lite Limitations for details.

    If you use Location Awareness Lite mode and a device also has ZENworks Endpoint Security Management installed and enabled, the device uses Location Awareness mode instead. This occurs because ZENworks Endpoint Security Management and Location Awareness mode use the same ZENworks drivers. The agent detects that the drivers are installed and automatically switches to full Location Awareness mode, regardless of the mode setting.

  • Location Awareness: The agent installs ZENworks drivers to collect network information. The drivers provide more detailed information than the operating system, which enables the agent to make a more accurate determination of the location.

Select the mode you want applied to devices. Refer to Location Awareness Mode Transitions for information about how changing modes affects device reboots.

Location Awareness Lite Limitations

Because Location Awareness Lite does not use the ZENworks drivers and depends solely on the operating system for network information, this mode has limitations that the Location Awareness mode does not. Some limitations appear on all operating systems and some on specific operating systems only.

All Operating Systems

  • Location change latency: In Location Awareness mode, location changes are event driven. As soon as a ZENworks driver detects a network change, the change is sent to the agent so that the location assignment can be changed immediately (if necessary). In Location Awareness Lite mode, however, location changes are based on polling. The agent periodically polls the operating system for network information and determines if a location change is required. The result is that location changes are typically slower in Location Awareness Lite mode than in Location Awareness mode.

  • Inaccurate network adapter classification: As network adapters enumerate to the operating system, they can mask their device type. For example, an 802.11 wireless adapter might indicate that it is an Ethernet device. Modems and cellular devices can also do this. Because of this, any location awareness that is based on network adapter classification can be inaccurate. This is not the case in Location Awareness mode, because the drivers validate the adapter type.

Windows XP, Windows Server 2003, and Windows 2003 R2

  • Wireless SSID and MAC address information unavailable: In Location Awareness Lite mode, wireless (802.11) SSID and MAC address information is not available. This means that network environment definitions based solely on this information cannot be matched.

Windows Vista, Windows 7, Windows 8, and Windows 10

  • WLAN service required: The wireless (802.11) controls require that the WLAN service is installed and running on a device. If the service is disabled, wireless SSID and MAC address information is not available (similar to the Windows XP/2003 issue described above). Any network environment definitions based solely on this information are never matched.

Windows Servers: 2008, 2008 R2, 2012, 2012 R2, and 2016

  • WLAN service required: The wireless (802.11) controls require that the WLAN service is installed and running on a device. The WLAN service on these servers must be manually installed via the Features option in the Windows Server Manager. Without this service installed and enabled, any network environment definitions based solely on this information are never matched.

Location Awareness Mode Transitions

When a device transitions from one Location Awareness mode to another, the ZENworks drivers are either installed or removed. Because these are kernel drivers, the device must be rebooted for the change to take effect.

The timing of the reboot is determined by the Reboot Behavior setting in the Agent Features panel.

4.4.3 Agent Features

The ZENworks Adaptive Agent uses modules to perform the following functions on managed devices:

  • Asset Management

  • Bundle Management

  • Endpoint Security Management

  • Full Disk Encryption

  • Image Management

  • Patch Management

  • Policy Management

  • Remote Management

  • User Management

    If you are viewing the properties of a Windows 2000 device, the User Management options are disabled because user management cannot be disabled or uninstalled from Windows 2000 devices. If you are viewing the properties of the Management Zone or a folder, user management settings are ignored for Windows 2000 devices.

By default, all modules are installed on a device. However, you can uninstall any of the modules. You can also disable (or enable) any of the installed modules.

To modify a module’s state:

  1. (Conditional) If you are configuring the ZENworks Agent settings on a device folder or a device, click Override settings.

  2. To install a module, select the Installed check box.

    or

    To uninstall a module, deselect the Installed check box.

    By default, the Installed check boxes for all modules are selected, meaning that all modules are installed on devices when they register to your ZENworks Management Zone. If you deselect a module’s Installed check box, that module is uninstalled from the device the next time it refreshes.

  3. To enable an installed module, click the Enabled button.

    or

    To disable an installed module, click the Disabled button.

    By default, the Enabled option for all installed modules is selected, meaning that all modules are enabled on devices. Disabling a module does not cause that module to be uninstalled from currently managed devices. The module remains installed on the device, but it is disabled.

  4. Specify the reboot behavior if a reboot is required.

    This option applies only when installing or uninstalling a module. In some cases, Windows Installer might require a reboot of the device when installing or uninstalling the module. If a reboot is required during install, the module does not function until the reboot occurs. If a reboot is required during uninstall, the module’s files are not completely removed until a reboot occurs, but the module stops functioning.

    • Prompt user to reboot (Default): The user is prompted to reboot the device. The user can reboot immediately or wait until later.

    • Do not reboot device: No reboot occurs. The user must initiate a reboot.

    • Force device to reboot: The device is automatically rebooted. The user is notified that the device will reboot in 5 minutes.

  5. Click Apply to save the changes.

  6. (Conditional) If you install the Remote Management or Image Management module on a device, reboot the device for the install to be effective.

To understand the effects of enabling, disabling, or uninstalling the modules, see the following tables:

Table 4-1 Bundle Management

Installed and Enabled

  • The Bundle Management service is running on the device.

  • The icon properties page displays the Bundle Management status as Running.

Installed and Disabled

  • The Bundle Management service is stopped and disabled on the device.

  • The icon properties page displays the Bundle Management status as Disabled.

  • The Windows bundle, File bundle, or Directive bundle that are assigned to the device are not displayed in the NAL window or in the shortcut locations such as Desktop, Start Menu, Quick Launch, or System Tray of the device.

  • You cannot execute Windows bundle, File bundle, or Directive bundle related zac commands.

  • If you disable the Bundle Management module when a bundle is being applied to the device, the module is disabled after the bundle is applied and the device is refreshed.

Uninstalled

  • The Bundle Management service is uninstalled from the device.

  • The icon properties page does not display an entry for the Bundle Management status in the Agent Status panel.

  • Bundles with content such as Windows bundle, File bundle, or Directive bundle that are assigned to the device but are not yet installed on the device are deleted from the device.

Additional Details

  • If the ZENworks license expires, you cannot create, edit, enable, or disable bundles. However, you can view the existing bundles in ZENworks Control Center or by using zman commands.

  • If the ZENworks license is deactivated, then the Bundles tab is no longer displayed in the left navigation pane of the ZENworks Control Center and you cannot use bundles related zman commands.

Table 4-2 Endpoint Security Management

Installed and Enabled

  • The Endpoint Security Management services (ZESService.exe and ZESUser.exe) are running on the device.

  • The Endpoint Security Management drivers are running on the device.

  • The icon properties page displays the Endpoint Security Management status as Running.

Installed and Disabled

  • The Endpoint Security Management services (ZESService.exe and ZESUser.exe) are running on the device to support Location Awareness and Agent Self Defense.

  • The Endpoint Security Management drivers are stopped on the device.

  • The icon properties page displays the Endpoint Security Management status as Disabled.

  • If there are security policies assigned to the device when it enters this state, all security policies are removed from the device before the drivers are disabled.

Uninstalled

  • The Endpoint Security Management services (ZESService.exe and ZESUser.exe) are running on the device to support Location Awareness and Agent Self Defense.

  • The Endpoint Security Management drivers are not installed on the device.

  • The icon properties page does not display an entry for Endpoint Security Management in the Agent Status panel.

  • If there are security policies assigned to the device when it enters this state, all security policies are removed from the device before the drivers are uninstalled.

Additional Details

  • If the ZENworks Endpoint Security Management license expires, you cannot create, edit, enable, or disable security policies. However, the security policies that are already enforced and enabled on a device continue to work on the device.

Table 4-3 Full Disk Encryption

Installed and Enabled

  • The Full Disk Encryption services (ZESService.exe and ZESUser.exe) and drivers are installed on the device.

  • The Full Disk Encryption drivers are running.

  • The icon properties page displays the Full Disk Encryption status as Running.

Installed and Disabled

  • The Full Disk Encryption services (ZESService.exe and ZESUser.exe) and drivers are installed on the device.

  • The Full Disk Encryption drivers are running.

  • The icon properties page displays the Full Disk Encryption status as Disabled.

  • If a Full Disk Encryption policy is assigned to the device when it enters this state, the policy is removed, the disk is unencrypted, and the ZENworks PBA is removed (if previously enabled).

Uninstalled

  • The Full Disk Encryption services (ZESService.exe and ZESUser.exe) are running on the device to support Location Awareness and Agent Self Defense.

  • The Full Disk Encryption drivers are not installed.

  • The icon properties page does not display an entry for Full Disk Encryption in the Agent Status panel.

  • If a Full Disk Encryption policy is assigned to the device when it enters this state, the policy is removed, the disk is unencrypted, and the ZENworks PBA is removed (if previously enabled).

Additional Details

  • If the ZENworks Full Disk Encryption license expires, you cannot create, edit, enable, or disable policies. However, the policies that are already enforced and enabled on a device continue to work on the device.

Table 4-4 Image Management

Installed and Enabled

  • novell-ziswin is installed and enabled on Windows XP and Windows 2003 managed devices.

  • novell-ziswin is installed but disabled on Windows Vista, Windows 2008, Windows 7, and Windows 2008 R2 managed devices.

  • novell-zisdservice is installed and enabled on the Windows Vista, Windows 2008, Windows 7, and Windows 2008 R2 managed devices.

  • The Image Management Agent is installed and enabled.

  • The icon properties page displays the status of Image Management as Running.

Installed and Disabled

  • novell-ziswin is only disabled but it is not uninstalled on all the Windows XP and Windows 2003 managed devices.

  • novell-zisdservice is only disabled but it is not uninstalled on the Windows Vista, Windows 2008, Windows 7, and Windows 2008 R2 managed devices.

  • The icon properties page displays the status of Image Management as Disabled.

Uninstalled

  • novell-ziswin is uninstalled on all the Windows XP and Windows 2003 managed devices.

  • novell-zisdservice is uninstalled on the Windows Vista, Windows 2008, Windows 7, and Windows 2008 R2 managed devices.

  • The Image Management Agent is additionally uninstalled from the device.

  • The icon properties page does not display an entry for the Image Management in the Agent Status panel.

Additional Details

When the ZENworks 11 Configuration Management license expires:

  • On the ZENworks Server: You cannot install the agent with Image Management module on any new device. Also, you cannot enable or disable the Image Management module for the existing devices.

  • On the Managed Device: novell-ziswin and the novell-zisdservice are disabled but are not uninstalled. Also, the icon properties page displays the status of Image Management as Disabled.

Table 4-5 Patch Management

Installed and Enabled

  • The Patch Management service is running on the device.

  • The icon properties page displays the Patch Management status as Running.

Installed and Disabled

  • The Patch Management service is stopped and disabled on the device.

  • The icon properties page displays the Patch Management status as Disabled.

  • The patch bundles that are assigned to the device are not displayed in the NAL window or in the shortcut locations such as Desktop, Start Menu, Quick Launch, or System Tray of the device.

  • You cannot execute patch bundle related zac commands.

Uninstalled

  • The Patch Management service is uninstalled from the device.

  • The icon properties page does not display an entry for the Patch Management status in the Agent Status panel.

  • Patch bundles that are assigned to the device but are not yet installed on the device are deleted from the device.

Additional Details

  • If the ZENworks license is deactivated, you cannot download any new patch bundles. However, the existing patches can be used for assignments.

Table 4-6 Policy Management

Installed and Enabled

  • The Policy Management service is running on the device.

  • The icon properties page displays the Policy Management status as Running.

Installed and Disabled

  • The Policy Management service is stopped and disabled on the device.

  • The icon properties page displays the Policy Management status as Disabled.

  • All the policies assigned to the device are unenforced from the device.

  • You can use ZENworks Control Center to assign policies to a device. However, the policies are not enforced on the device until the Policy Management feature is enabled.

  • You cannot execute policy related zac commands.

  • If you disable the Policy Management module on a device that is running a Dynamic Local User (DLU) policy, the module is disabled after the device is rebooted.

Uninstalled

  • The Policy Management service is uninstalled from the device.

  • The icon properties page does not display an entry for the Policy Management status in the Agent Status panel.

  • All the policies assigned to the device are unenforced from the device.

  • If you uninstall the Policy Management module on a device that is running a Dynamic Local User (DLU) policy, the module is uninstalled after the device is rebooted.

Additional Details

  • If the ZENworks Configuration Management license expires, you cannot create, edit, enable, or disable policies. However, the policies that are already enforced and enabled on a device continue to work on the device.

  • If the User Management is disabled:

    • The Roaming Profile policy and the DLU policy are not enforced on a device even if the user to whom the policy is assigned has logged in to the device.

    • The Windows Group Policy with user configuration settings is not enforced on the managed device even if the policy is assigned to the device.

Table 4-7 Remote Management

Installed and Enabled

  • The Remote Management service is running on the device.

  • The icon properties page displays the Remote Management status as Running.

  • The device can be remotely managed.

Installed and Disabled

  • The Remote Management service is stopped and disabled on the device.

  • The icon properties page displays the Remote Management status as Disabled.

  • The Remote Management policy is unenforced from the device.

  • The device cannot be remotely managed.

Uninstalled

  • The Remote Management service is uninstalled from the device.

  • The icon properties page does not display an entry for the Remote Management status in the Agent Status panel.

  • The Remote Management policy is unenforced from the device.

  • The device cannot be remotely managed.

Additional Details

If the ZENworks license expires, the Remote Management service continues to run and the device can be remotely managed.

4.4.4 General

You can configure the ZENworks Adaptive Agent’s cache and agent retry settings.

If you are configuring the ZENworks Agent settings on a device folder or a device, click Override settings.

The following settings can be configured:

  • Cache Life: The ZENworks Adaptive Agent’s cache directory contains content data used by the agent. Each piece of data, referred to as a cache entry, is stored in the cache database.

    When a cache entry is added to the cache database, it is assigned a creation time and an expiration time. The creation time is simply the time it was added to the database. The expiration time is the creation time plus the number of hours specified by the Cache Life setting (by default, 336 hours or 14 days). For example, suppose that a cache entry is added on June 10 at 3:00 p.m. With the default Cache Life setting, the expiration time is set to June 24 at 3:00 p.m.

    The agent does not attempt to update a cache entry until after the entry’s expiration time. At that point, the agent updates the cache entry the next time it contacts the ZENworks Server to refresh its information.

    NOTE: Updates to expired cache entries occur only for cache entries that are content-related (bundles, policies, configuration settings, registration settings, and so forth). Updates to cache entries that are event-related (remote management, inventory, reporting, and so forth) only occur at the time the event takes place on the device.

    A higher Cache Life setting reduces the traffic load on your network because cache entries are refreshed less frequently. A lower setting provides newer information but increases the traffic load.

    This setting affects only how often the agent requests updates to a cache entry. Cache entries can also be updated before their expiration time if information is changed in ZENworks Control Center that causes the information to be pushed from the ZENworks Server to the agent.

  • Cache Orphaning Threshold: Over a period of time, it is possible for entries to be inserted in the cache database but not removed. This can cause the cache to grow unnecessarily.

    An orphan is an entry that is inserted into the cache but not accessed within the number of days specified by the Cache Orphaning Threshold setting. For example, suppose that a cache entry is accessed on July 1 at 10:00 a.m. With the default Cache Orphaning Threshold setting (30 days), the entry becomes an orphan if it is not accessed again before July 31 at 10:00 a.m.

    A higher Cache Orphaning Threshold setting ensures that infrequently accessed information is not removed from the cache database. A lower setting can reduce the cache size.

  • Times to Retry Requests to a Busy Server: Lets you specify the number of times that the agent retries a request to a busy server before considering the server as bad instead of busy.

    The default value is 15. The maximum value that you can specify is 20.

  • Initial Retry Request Wait: Lets you specify the initial amount of time that the agent waits before retrying a Web service request after receiving a busy response from the server. The wait time increases by one second with every subsequent busy response. The default setting is four seconds. The maximum value that you can set is ten seconds.

    For example, suppose that you leave this setting at the default (four seconds). After receiving a busy response from the server, the agent waits four seconds for the first retry attempt. If the server is still busy, the agent waits five additional seconds (4 + 1) before making the second retry attempt. The third retry attempt is 15 seconds after the initial retry attempt (4 + 5 + 6). The time increments until the value specified in the Maximum Retry Request Wait setting is reached. The retry attempts stop when the value specified in the Times to Retry Requests to a Busy Server setting is reached.

  • Maximum Retry Request Wait: Lets you specify the maximum amount of time to wait before retrying a Web service request after receiving a busy response from the server.

    The default setting is 16 seconds. The maximum value that you can specify is 20 seconds.
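
The retry schedule that the three settings above produce, as an added example that is not ZENworks code. The function names are assumptions, the wait is assumed to hold at the Maximum Retry Request Wait value once it is reached, and request latency is ignored.

```python
from itertools import accumulate

# Upper limits stated on this page for each setting.
RETRY_COUNT_LIMIT = 20     # Times to Retry Requests to a Busy Server
INITIAL_WAIT_LIMIT = 10    # Initial Retry Request Wait, in seconds
MAXIMUM_WAIT_LIMIT = 20    # Maximum Retry Request Wait, in seconds


def retry_waits(initial=4, maximum=16, retries=15):
    """Seconds the agent waits before each retry attempt.

    The default arguments are the default settings given on this page.
    """
    # The lower bound of 1 is an assumption; the page states only upper limits.
    if not 1 <= retries <= RETRY_COUNT_LIMIT:
        raise ValueError(f"retries must be 1..{RETRY_COUNT_LIMIT}")
    if not 1 <= initial <= INITIAL_WAIT_LIMIT:
        raise ValueError(f"initial wait must be 1..{INITIAL_WAIT_LIMIT} seconds")
    if not 1 <= maximum <= MAXIMUM_WAIT_LIMIT:
        raise ValueError(f"maximum wait must be 1..{MAXIMUM_WAIT_LIMIT} seconds")
    if initial > maximum:
        # The page does not say how the agent treats this case; rejected here.
        raise ValueError("initial wait exceeds maximum wait")
    # The wait grows by one second per busy response, then holds at the cap.
    return [min(initial + n, maximum) for n in range(retries)]


def retry_offsets(initial=4, maximum=16, retries=15):
    """Seconds from the first busy response to each retry attempt."""
    return list(accumulate(retry_waits(initial, maximum, retries)))


def seconds_until_marked_bad(initial=4, maximum=16, retries=15):
    """Shortest time a continuously busy server is retried before it is
    considered bad instead of busy (sum of all waits, latency excluded)."""
    return retry_offsets(initial, maximum, retries)[-1]


if __name__ == "__main__":
    schedule = zip(retry_waits(), retry_offsets())
    for attempt, (wait, offset) in enumerate(schedule, start=1):
        print(f"retry {attempt:2d}: wait {wait:2d} s, sent at t+{offset} s")
    print("defaults:", seconds_until_marked_bad(), "s")
    print("all settings at their limits:", seconds_until_marked_bad(10, 20, 20), "s")
```

With the default settings a continuously busy server is retried for at least 162 seconds before it is considered bad; with all three settings at their maximum values the figure is 345 seconds.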

4.4.5 Agent Preferences

To provide optimal performance, the default status upload frequency of the ZENworks Adaptive Agent is 30 minutes. You can choose to override the default status upload frequency by configuring the following preferences on a Windows or Linux managed device:

Changing the Default Status Upload Frequency of the ZENworks Adaptive Agent on a Windows Managed Device

  1. On a Windows managed device, create the StatusSenderConfig.xml file in <CONF_DIR>.

  2. Open <CONF_DIR>/StatusSenderConfig.xml in a text editor.

  3. Provide the following values:

    <configuration>
      <StatusSender>
        <Parameter Name="SleepTime" Value="milliseconds"/>
      </StatusSender>
    </configuration>

Changing the Default Status Upload Frequency of the ZENworks Adaptive Agent on a Linux Managed Device

  1. On a Linux managed device, create the /etc/opt/novell/zenworks/StatusSenderConfig.conf file.

  2. Add the following parameter: SleepTime=<nnn>

    Where nnn is the interval (in minutes) at which Status Sender rolls up the status messages.