Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and
specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.
Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time,
without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims
any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc.,
reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to
notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the
trade laws of other countries. You agree to comply with all export control regulations and to obtain any required
licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on
the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws.
You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the
Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on
exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export
approvals.
This Novell ZENworks 10 Configuration Management Policy Management Reference includes
information about Policy Management features and procedures to help you configure and maintain
your Novell® ZENworks® 10 Configuration Management SP3 system. The information in this
guide is organized as follows:
Chapter 1, “Overview”
Chapter 2, “Creating Policies”
Chapter 3, “Managing Policies”
Chapter 4, “Managing Policy Groups”
Chapter 5, “Managing Folders”
Appendix A, “Troubleshooting Policy Management”
Appendix B, “Best Practices”
Appendix C, “iPrint Policy Management Utility”
Appendix D, “Documentation Updates”
novdocx (en) 16 April 2010
Audience
This guide is intended for Novell ZENworks administrators.
Feedback
We want to hear your comments and suggestions about this manual and the other documentation
included with this product. Please use the User Comments feature at the bottom of each page of the
online documentation, or go to the Novell Documentation Feedback site (http://www.novell.com/
documentation/feedback.html) and enter your comments there.
Additional Documentation
ZENworks Configuration Management is supported by other documentation (in both PDF and
HTML formats) that you can use to learn about and implement the product. For additional
documentation, see the ZENworks 10 Configuration Management SP3 documentation (http://
www.novell.com/documentation/zcm10/).
Documentation Conventions
In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and
items in a cross-reference path.
A trademark symbol (®, TM, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party
trademark.
When a single pathname can be written with a backslash for some platforms or a forward slash for
other platforms, the pathname is presented with a backslash. Users of platforms that require a
forward slash, such as Linux*, should use forward slashes as required by your software.
Novell® ZENworks® 10 Configuration Management provides policies to configure operating
system settings and select application settings. By applying a policy to multiple devices, you can
ensure that all of the devices have the same configuration.
The following sections contain additional information:
Section 1.1, “What Is a Policy?”
Section 1.2, “What Is a Policy Group?”
Section 1.3, “Understanding the Policy Types”
Section 1.4, “Understanding the Features of a Policy”
1.1 What Is a Policy?
A policy is a rule that controls a range of hardware and software configuration settings on the
managed devices. For example, an administrator can create policies to control browser bookmarks
available in the browser, printers to access, and security and system configuration settings on the
managed devices.
You can use the policies to create a set of configurations that can be assigned to any number of
managed devices. It helps you to provide the devices with a uniform configuration, and it eliminates
the need to configure each device separately.
You can assign a policy directly to a device or a user. You can also assign the policy to a folder or
group where the user or device is a member. Assigning a policy to device groups rather than device
folders is the preferred way, because a device can be a member of multiple device groups, but it can
be a member of only one device folder.
On managed devices, each policy type is enforced by a Policy Handler or Enforcer, which makes all
the configuration changes necessary to enforce or unenforce the settings in a given policy.
1.2 What Is a Policy Group?
A policy group is a collection of one or more policies. Creating policy groups eases the
administration efforts in managing policies. You can create policy groups and assign them to
managed devices the same way you would assign individual policies.
Because the policy inherits the group’s assignments, managing a policy group is easier than
managing individual policies. For example, if multiple policies are included in a policy group and
the policy group is assigned to a device or a device group, then all the policies included in the policy
group are automatically assigned to the device or device group at the same time. You need not
individually assign each policy to a device or a device group.
1.3 Understanding the Policy Types
ZENworks 10 Configuration Management lets you create the following policy types:
Browser Bookmarks Policy: Lets you configure Internet Explorer* favorites for Windows*
devices and users.
Dynamic Local User Policy: Lets you create new users and manage existing users created on
Windows 2000, Windows XP, and Windows Vista* workstations; and Windows 2000, 2003,
and Windows 2008 Terminal Server sessions after the users have successfully authenticated to
the user source.
Local File Rights Policy: Lets you configure rights for files or folders that exist on the NTFS
file systems.
The policy can be used to configure basic and advanced permissions for both local and domain
users and groups. It provides the ability for an administrator to create custom groups on
managed devices.
Printer Policy: Lets you configure Local, SMB, HTTP, and iPrint printers on a Windows
machine.
Remote Management Policy: Lets you configure the behavior or execution of Remote
Management sessions on the managed device. The policy includes properties such as Remote
Management operations and security.
Roaming Profile Policy: Lets you create a user profile that is stored in a network path.
A user profile contains information about a user’s desktop settings and personal preferences,
which are retained from session to session.
Any user profile that is stored in a network path is known as a roaming profile. Every time the
user logs on to a machine, his profile is loaded from the network path. This helps the user to
move from machine to machine and still retain consistent personal settings.
SNMP Policy: Lets you configure SNMP services on the managed devices.
Windows Group Policy: Lets you configure a group policy for Windows devices.
ZENworks Explorer Configuration Policy: Lets you administer and centrally manage the
behavior and features of the ZENworks Explorer.
1.4 Understanding the Features of a Policy
A policy is applied to a device or a user only if the policy is directly or indirectly associated to
that device or user.
The Browser Bookmarks policy, Dynamic Local User policy, Printer policy, Remote
Management policy, Windows Group policy, and ZENworks Explorer Configuration policy
can be applied to a device or a user.
The Local File Rights and SNMP policies can be applied only to a device.
The Roaming Profile policy can be applied only to a user.
A policy can be associated to groups and containers.
In ZENworks Control Center, devices and users can be organized by using containers and
groups. A device or user can be a member of multiple groups. The containers can be nested
within other containers. If a policy is associated to a group of users, it applies to all users in that
group. If a policy is associated to a user container, it applies to all users in the entire subtree
rooted at that container. The same behavior applies to device groups and containers.
A policy can be associated to query groups.
In ZENworks Control Center, the devices can also be members of query groups. Query groups
are similar to ordinary groups except that the membership is determined by a query defined by
the administrator. All devices that satisfy the query become members of that device group. The
query is evaluated periodically and the membership is updated with the results. An
administrator can configure the periodicity of the evaluation. An administrator can also force
an immediate refresh of a query group. Query groups act just like other groups where policies
are concerned.
Policies are chronologically ordered by default.
When multiple policies are associated to a device, user, group, or container, the associations are
chronologically ordered by default. The administrator can change the ordering.
If a device or user belongs to multiple groups, the groups are ordered. Consequently, the
policies associated to those groups are also ordered. The administrator can change the ordering
of groups for a device or user at any time.
In addition, the policies in a policy group are ordered.
Policies have a precedence configured to determine the policy that is effective for a device or a
user.
Many policies of the same type can be applied to a user or a device through direct association
and inheritance. For example, if a Browser Bookmark policy is associated to a user and another
Browser Bookmark policy is associated to a container containing that user, the policy directly
associated to that user overrides the policy associated to the container.
Policies support management by exception.
You can define a global policy for your enterprise and associate it to the top-level container
containing all your user objects. You can then override configuration items in the global policy
by defining a new policy and associating it to specific users or user groups. These users receive
their configuration from the new policy. All other users receive their configuration from the
global policy.
Policies support system requirements.
You can specify the system requirements of a device or user in a policy. The policy is applied to
a device or user only if the device or user meets the system requirements.
For example, the SNMP policy is applied by default on all devices having the SNMP service
installed.
ZENworks Configuration Management supports singular and plural policies.
Singular Policy: If multiple policies of the same policy type are assigned to a device or a user
and the policy type is a Singular policy, then only the nearest associated policy meeting the
system requirements is applied. If the policy type is associated to both user and device, then
two different policies can be assigned to user and device.
The SNMP policy, Dynamic Local User policy, Remote Management policy, Roaming Profile
policy, and ZENworks Explorer Configuration policy are singular policies.
Plural Policy: If multiple policies of the same policy type are assigned to a device or a user
and the policy type is a Plural type, then all policies meeting the associated system requirement
are applied.
The Browser Bookmarks policy, Local File Rights policy, Windows Group policy, and Printer
policy are plural policies. However, the security settings in the Windows Group policy are not
plural.
Policies can be disabled.
When you create a policy in ZENworks Configuration Management, the policy is enabled by
default. You can disable it if you do not want to apply it on a user or a device.
ZENworks Configuration Management allows you to resolve policy conflicts.
The set of effective policies is a subset of the set of assigned policies. The set of effective
policies for a device or user is calculated by applying precedence rules, multiplicity rules, and
system requirements filters on the set of assigned policies. Effective policies are calculated
separately for devices and users. The Policy Conflict Resolution setting determines how user
and device policies interact for a specific user and device combination.
Effective policies are calculated separately for devices and users. When a user logs in to a
device, policies associated to both the user and the device must be applied. Policy Conflict
Resolution settings are used only when policies of the same type are associated to both the
device and the user. This setting determines the precedence order among the policies associated
to the user and those associated to the device. The Policy Conflict Resolution settings are
applied after the effective policies are calculated.
Policy Conflict Resolution settings are defined when associating a policy to a device. The
settings cannot be defined for associations to users. For each policy type, the Policy Conflict
Resolution setting defined in the closest effective policy of that type is applied for all policies
of that type.
A Policy Conflict Resolution setting can have one of the following values:
User Last: Applies the policies associated to the device first, then the policies associated
to the user. This is the default value.
Device Last: Applies the policies associated to the user first, then the policies associated
to the device.
User Only: Applies only the policies associated to the user and ignores the policies
associated to the device.
Device Only: Applies only the policies associated to the device and ignores the policies
associated to the user.
NOTE: The Policy Conflict Resolution setting is taken from the device-associated policy with
the highest precedence.
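The rules in section 1.4 can be modelled in a few lines. The following Python sketch is an added example, not ZENworks code: it filters assigned policies by the disabled flag and system requirements, keeps only the nearest policy for singular types, and then orders user and device policies by the Policy Conflict Resolution setting of the closest effective device policy. The Assignment fields, the numeric distance (0 = direct association) and the sample policy names are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Conflict(Enum):
    USER_LAST = "User Last"        # default value per section 1.4
    DEVICE_LAST = "Device Last"
    USER_ONLY = "User Only"
    DEVICE_ONLY = "Device Only"


# Classification taken from section 1.4; every other type is treated as plural.
SINGULAR = {"SNMP", "Dynamic Local User", "Remote Management",
            "Roaming Profile", "ZENworks Explorer Configuration"}
DEVICE_ONLY_TYPES = {"Local File Rights", "SNMP"}
USER_ONLY_TYPES = {"Roaming Profile"}


@dataclass(frozen=True)
class Assignment:                  # hypothetical model of one policy association
    name: str
    ptype: str
    distance: int                  # 0 = direct; larger = inherited from farther away
    order: int = 0                 # administrator-defined order among equals
    enabled: bool = True
    meets_requirements: bool = True
    conflict: Conflict = Conflict.USER_LAST   # read only from device associations


def effective(assignments):
    """Assigned -> effective: drop disabled/unqualified, then apply multiplicity."""
    by_type = {}
    for a in assignments:
        if a.enabled and a.meets_requirements:
            by_type.setdefault(a.ptype, []).append(a)
    result = {}
    for ptype, items in by_type.items():
        items.sort(key=lambda a: (a.distance, a.order))   # nearest first
        result[ptype] = items[:1] if ptype in SINGULAR else items
    return result


def resolution_plan(user_assignments, device_assignments):
    """Return {policy type: [policy names]}, the side applied first listed first."""
    for a in user_assignments:
        if a.ptype in DEVICE_ONLY_TYPES:
            raise ValueError(f"{a.ptype} policy can be applied only to a device")
    for a in device_assignments:
        if a.ptype in USER_ONLY_TYPES:
            raise ValueError(f"{a.ptype} policy can be applied only to a user")
    user_eff = effective(user_assignments)
    dev_eff = effective(device_assignments)
    plan = {}
    for ptype in sorted(set(user_eff) | set(dev_eff)):
        u, d = user_eff.get(ptype, []), dev_eff.get(ptype, [])
        # The setting matters only when both sides carry a policy of this type;
        # it is read from the closest effective device policy.
        setting = d[0].conflict if (u and d) else Conflict.USER_LAST
        if setting is Conflict.USER_LAST:
            seq = d + u
        elif setting is Conflict.DEVICE_LAST:
            seq = u + d
        elif setting is Conflict.USER_ONLY:
            seq = u
        else:
            seq = d
        plan[ptype] = [a.name for a in seq]
    return plan


# Constructed sample data: a global policy on the top-level container (distance 3)
# overridden by nearer policies, as in the management-by-exception paragraph.
USER_SIDE = [
    Assignment("rm-global", "Remote Management", distance=3),
    Assignment("rm-helpdesk", "Remote Management", distance=1),
    Assignment("bm-corp", "Browser Bookmarks", distance=3),
    Assignment("bm-team", "Browser Bookmarks", distance=0),
    Assignment("bm-old", "Browser Bookmarks", distance=0, order=1, enabled=False),
]
DEVICE_SIDE = [
    Assignment("rm-kiosk", "Remote Management", distance=0,
               conflict=Conflict.DEVICE_LAST),
    Assignment("snmp-default", "SNMP", distance=2, meets_requirements=False),
    Assignment("lfr-base", "Local File Rights", distance=2),
]

if __name__ == "__main__":
    for ptype, names in resolution_plan(USER_SIDE, DEVICE_SIDE).items():
        print(f"{ptype}: {' -> '.join(names)}")
```
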
Novell® ZENworks® 10 Configuration Management lets you create policies by using ZENworks
Control Center or by using the zman command line utility.
The following sections contain step-by-step instructions about creating policies by using ZENworks
Control Center:
Section 2.1, “Browser Bookmarks Policy”
Section 2.2, “Dynamic Local User Policy”
Section 2.3, “Local File Rights Policy”
Section 2.4, “Printer Policy”
Section 2.5, “Remote Management Policy”
Section 2.6, “Roaming Profile Policy”
Section 2.7, “SNMP Policy”
Section 2.8, “Windows Group Policy”
Section 2.9, “ZENworks Explorer Configuration Policy”
The following section explains how to create policies by using the zman command line utility:
Section 2.10, “Creating Policies by Using the zman Command Line Utility”
2.1 Browser Bookmarks Policy
The Browser Bookmarks policy lets you configure Internet Explorer favorites for Windows devices
and users.
1 In ZENworks Control Center, click the Policies tab.
2 In the Policies list, click New, then click Policy to display the Select Policy Type page.
3 Select Browser Bookmarks Policy, click Next to display the Define Details page, then fill in the
fields:
Policy Name: Provide a name for the policy. The policy name must be different than the name
of any other item (group, folder, and so forth) that resides in the same folder. The name you
provide displays in ZENworks Control Center.
Folder: Type the name or browse to and select the ZENworks Control Center folder where you
want the policy to reside. The default is /policies, but you can create additional folders to
organize your policies.
Description: Provide a short description of the policy’s content. This description displays in
ZENworks Control Center.
4 Click Next to display the Bookmarks Tree Data Source page.
5 Create a browser bookmarks tree by importing a previously exported file or manually entering
the data. Before you import a bookmarks file, ensure that it is in UTF-8 format. To manually
convert the bookmark file into UTF-8 format, use a text editor.
The following list contains browser-specific information to create the exported file:
Internet Explorer 6.x/8.x: In the browser window, click File > Import and Export.
Follow the instructions given in the Import/Export Wizard to create the bookmark.htm file.
Internet Explorer 7: In the browser window, click Add to Favorites > Import and
Export. Follow the instructions given in the Import/Export Wizard to create the
bookmark.htm file.
Mozilla Firefox 2.x: In the browser window, click Bookmarks > Organize Bookmarks,
then click File > Export to create the bookmarks.html file.
Mozilla Firefox 3.x: In the browser window, click Bookmarks > Organize Bookmarks,
then click Import and Backup > Export HTML to create the bookmarks.html file.
6 Click Next to display the Bookmarks Tree Configuration page, then use the options to
configure the bookmarks tree.
The following table lists the tasks you can perform with the New, Edit, and Delete options.
Field: Details
New: Click New > Folder to display the Add Folder to Bookmarks dialog box, through
which you can add a new folder to the bookmarks tree.
Click New > Bookmark to display the Add Bookmark to Bookmarks dialog box,
through which you can add a new bookmark to the bookmarks tree by specifying
the bookmark name and a URL. Click the button next to the URL field to verify
that the URL you entered is correct and functional.
Edit: Select the bookmark name you want to change, click Edit > Rename, then specify
a new name.
Click Edit > Sort to organize the bookmarks in ascending or descending order.
Click Edit > Move Up, Move Down, or Move To to relocate a bookmark.
Click Edit > Select All Children to select all the subdirectories and bookmarks of
the selected parent directory.
Click Edit > Deselect All Children to deselect all the subdirectories and
bookmarks of the selected parent directory.
Click Edit > Clear Selection to clear the selections.
Delete: Click Delete to delete the selected bookmarks and the bookmarks folder from the
bookmarks tree. However, you cannot delete the default bookmarks folder named
Bookmarks.
7 Click Next to display the Summary page.
8 Click Finish to create the policy now, or select Define Additional Properties to specify
additional information, such as policy assignment, system requirements, enforcement, status,
and which group the policy is a member of.
2.2 Dynamic Local User Policy
The Dynamic Local User policy lets you create new users and manage existing users on the
managed device after they have successfully authenticated to the user source.
NOTE: Ensure that the latest version of the Novell client is installed on the managed device before
the Dynamic Local User policy is enforced. To obtain the latest version of Novell Client™, see the
Novell Download Web site (http://download.novell.com/index.jsp).
1 In ZENworks Control Center, click the Policies tab.
2 In the Policies list, click New, then click Policy to display the Select Policy Type page.
3 Select Dynamic Local User Policy, click Next to display the Define Details page, then fill in the
fields:
Policy Name: Provide a name for the policy. The policy name must be different than the name
of any other item (group, folder, and so forth) that resides in the same folder. The name you
provide displays in ZENworks Control Center.
Folder: Type the name or browse to the ZENworks Control Center folder where you want the
policy to reside. The default is /policies, but you can create additional folders to organize
your policies.
Description: Provide a short description of the policy’s content. This description displays in
ZENworks Control Center.
4 Click Next to display the User Configurations page, then use the options on the page to
configure the user account.
The following table contains information about configuring dynamic local user accounts and
managing them on managed devices:
Field: Details
Use User Source Credentials: Enables logging in through the user's authoritative source credentials
instead of Windows 2000, Windows XP, or Windows Vista credentials.
Use the Credentials Specified Below (Always volatile): Allows you to specify the following user
credentials for a volatile user:
User Name: Specify the user’s name.
Full Name: Specify the user’s complete name.
Description: Provide any additional information that helps the
administrator to further identify this user account.
If a user logs in to a device that has the Dynamic Local User policy
applied and then logs out of the device when the device is disconnected
from the network, the user is unable to log in to the disconnected device
again. For information on this issue, see “Dynamic Local User Policy
Troubleshooting” on page 70.
Volatile User: Specifies the use of a volatile user account for login. The user account
that NWGINA creates on the local workstation can be either a volatile or a
nonvolatile account.
Manage Existing User Account (if any): Helps you to manage a user object that already exists.
If you select both the Volatile User and Manage Existing User Account (If Any) check boxes, and
the user has a permanent local account that uses the same username specified in the user source,
the permanent account is changed to a volatile (temporary) account and is removed when the
user logs out.
Enable Volatile User Cache: Enables the caching of the volatile user account on the device for a
specified period of time.
Cache Volatile User for Time Period (Days): Allows you to specify the number of days to cache the
volatile user account on the device. The default value is 5. You can specify a value
from 1 to 999 days.
This volatile user account is deleted after the expiry of the specified cache
period when another DLU user logs out from the device.
Not a Member Of: Displays the available group to which a user can be assigned as a
member.
Member Of: Displays the groups a user is a member of.
Custom: Click Custom to display the Custom Group Properties dialog box, through
which you can add a new custom group and configure its rights.
Edit: Click Edit to view and edit the details of a custom group. You cannot edit
the default Windows groups with this option.
Delete: Click Delete to delete a custom group. You cannot delete the default
Windows groups with this option.
5 Click Next to display the Login Restrictions page, then use the options on the page to configure
user access.
The Dynamic Local User policy can be associated to either a user or device. If the policy is
associated to a user object, workstations can be included or excluded from the list. In this case,
the Included / Excluded Users list is ignored.
If the policy is associated to a device object, users can be included or excluded from the list. In
this case, the Included / Excluded Workstations list is ignored.
The Excluded Workstations List displays the workstations and containers that you want to
exclude DLU access to. Workstations listed or workstations that are part of containers listed in
this box cannot use DLU access. You can make exceptions for individual workstations by
listing them in the Included Workstations List. This allows DLU access to those workstations
only, and excludes DLU access to the remaining workstations in the container.
Rules for Workstations are:
By default, all workstations are included.
For an indirect association, if an object is in both the lists, the closeness of the association
is considered. A direct association is closer than a group association, which in turn is
closer than a folder.
If the closeness is the same, for example when a workstation is directly added to both Group A and
Group B, the Included List takes precedence.
Excluded List | Included List | Result
Workstation-A | Workstation-B | The policy is applied on all
Workstation Group-1 | Workstation-A | The policy is not applied on any workstations in Workstation Group-1, except for Workstation-A. The policy is applied on workstations that are not contained in Workstation Group-1.
Container-1 | Workstation Group-1 or Workstation-A | The policy is not applied on any workstations in Container-1, except for Workstation Group-1 or Workstation-A. The policy is also applied on workstations that are not contained in the Container-1.
The Excluded Users List displays the users and containers that you want to exclude DLU
access to. Users listed or users that are part of containers listed in this box cannot use DLU
access. You can make exceptions for individual users by listing them in the Included Users list.
This allows DLU access to those users only, and excludes DLU access to the remaining users in
the container.
Rules for Users are:
By default, all users are included.
For an indirect association, if an object is in both the lists, the closeness of the association
is considered. A direct association is closer than a group association, which in turn is
closer than a folder.
If the closeness is the same, for example when a user is directly added to both Group A and
Group B, the Included List takes precedence.
Excluded List | Included List | Result
User-A | User-B | The policy is applied on all users except User-A.
User Group-1 | User-A | The policy is not applied on any users in User Group-1, except for User-A. The policy is also applied on users that are not contained in User Group-1.
Container-1 | User Group-1 or User-A | The policy is not applied on any users in Container-1, except for User Group-1 or User-A. The policy is also applied on users that are not contained in Container-1.
6 Click Next to display the File Rights page.
The following table contains information about managing Dynamic Local User file system
access on the managed device:
Field: Details
Add: Allows you to select and assign appropriate file rights.
To add a file/folder:
1. Click Add, then specify a file or folder.
2. Select the file rights you want to assign to the specified file or folder.
3. If you want to restrict the inheritance of the rights to only the immediate child
file or folder, select Restrict inheritance to immediate child files/folders only.
4. Click OK.
Edit:
Copy: Allows you to copy and add a file rights setting to the list.
1. Select a file or folder, then click Edit.
2. Click Copy.
3. Specify a new name.
4. Click OK.
Rename: Allows you to edit only the filename.
1. Select a file or folder, then click Edit.
2. Click Rename.
3. Specify a new filename.
4. Click OK.
Move Up or Move Down: Allows you to reorder the files or folders.
1. Select the check box next to the file or folder you want to move.
2. Click Move Up or Move Down to relocate it.
Remove: Allows you to remove a file or a folder from the list.
1. Select the check box next to the file or folder.
2. Click Remove.
7 Click Next to display the Summary page.
8 Click Finish to create the policy now, or select Define Additional Properties to specify
additional information, such as policy assignment, system requirements, enforcement, status,
and which group the policy is a member of.
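The Login Restrictions rules in Step 5 reduce to a closeness comparison between the Excluded and Included lists. The following Python sketch is an added example, not ZENworks code; the numeric ranks, function names, dictionary keys and sample objects are assumptions, and the sample rows reuse the object names from the tables in Step 5.

```python
# Closeness ranks: a direct association is closer than a group association,
# which in turn is closer than a folder (container). Lower is closer.
DIRECT, GROUP, FOLDER = 0, 1, 2


def closest(memberships, listed):
    """Closest rank at which the object appears in a list, or None if absent."""
    ranks = [rank for name, rank in memberships.items() if name in listed]
    return min(ranks) if ranks else None


def in_scope(memberships, excluded, included):
    """True if DLU access is allowed for an object with these memberships."""
    excl = closest(memberships, excluded)
    if excl is None:
        return True                # by default, everything is included
    incl = closest(memberships, included)
    if incl is None:
        return False               # excluded and no exception listed
    return incl <= excl            # closer list wins; a tie goes to the Included List


def dlu_applies(associated_to, user, workstation, lists):
    """Pick the pair of lists that is honoured for this kind of association."""
    if associated_to == "user":    # user-associated: the Users lists are ignored
        return in_scope(workstation, lists["excluded_workstations"],
                        lists["included_workstations"])
    if associated_to == "device":  # device-associated: the Workstations lists are ignored
        return in_scope(user, lists["excluded_users"], lists["included_users"])
    raise ValueError("associated_to must be 'user' or 'device'")


# Constructed sample objects: name -> how the object is related to that name.
WS_A = {"Workstation-A": DIRECT, "Workstation Group-1": GROUP, "Container-1": FOLDER}
WS_D = {"Workstation-D": DIRECT, "Workstation Group-1": GROUP, "Container-1": FOLDER}
WS_E = {"Workstation-E": DIRECT, "Container-1": FOLDER}
WS_X = {"Workstation-X": DIRECT, "Container-2": FOLDER}
USER_A = {"User-A": DIRECT, "User Group-1": GROUP}

if __name__ == "__main__":
    # Third table row: Container-1 excluded, Workstation Group-1 included.
    for label, ws in (("A", WS_A), ("D", WS_D), ("E", WS_E), ("X", WS_X)):
        print(label, in_scope(ws, {"Container-1"}, {"Workstation Group-1"}))
```
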
2.3 Local File Rights Policy
The Local File Rights policy allows you to configure rights for files or folders that exist on the
NTFS file systems.
1 In ZENworks Control Center, click the Policies tab.
2 In the Policies list, click New, then click Policy to display the Select Policy Type page.
3 Select Local File Rights Policy, click Next to display the Define Details page, then fill in the
fields:
Policy Name: Provide a name for the policy. The policy name must be different than the name
of any other item (group, folder, and so forth) that resides in the same folder. The name you
provide displays in ZENworks Control Center.
Folder: Type the name or browse to and select the ZENworks Control Center folder where you
want the policy to reside. The default is /policies, but you can create additional folders to
organize your policies.
Description: Provide a short description of the policy’s content. This description displays in
ZENworks Control Center.
4 Click Next to display the Configure Basic Properties page, then use the options on the page to
configure the attributes.
The following table contains information about configuring a file or folder and the attributes
associated with it:
Field: Details
File / Folder Path: Allows you to specify the complete path of a file or folder on the managed
device. You can use the ZENworks system variables or environment variables to
specify the path.
To configure system variables in ZENworks Control Center, click the
Configuration tab > the Content setting in the Management Zone Settings panel
> System Variables. Click the Help button for details about configuring system
variables.
Attributes: Allows you to specify the attributes of a file or folder, such as Read only and
Hidden.
This page allows you to configure permissions for only one file or folder. If you want to assign
permissions to multiple files or folders, then configure them in the Details page after creating
the policy.
5 Click Next to display the Configure Permissions page, then use the options on the page to
configure permissions for selected users or groups.
The following table contains information about configuring permissions:
Field: Details
Permission for Users or Groups: Allows you to configure permissions for users or groups.
1. Click Add, then click User or Group to select a user or a group from the
appropriate drop-down list.
2. Select the type of permission you want to configure as Simple NTFS Permissions or
All NTFS Permissions. Depending on the type of permission you select, a list of
permissions is displayed. Configure the permissions as applicable to the selected user or group.
3. By default, when a permission is set on a folder, all the subfolders and the
files also inherit the permissions. If you want to restrict the inheritance of
the rights to only the immediate child file or folder, select Restrict inheritance
to immediate child files/folders only.
4. Click OK.
The permissions configured for the user or group in the Dynamic Local User
policy take precedence over the permissions configured in the Local File
Rights policy.
Create Groups on the Managed Device if they Do not Exist: Creates a group for which permissions
are configured but which does not exist on the managed device. With this option, you can create only
local groups.
Remove Access Control Rules not Configured by ZENworks: Removes all access control entries for
users or groups not configured by the ZENworks Local File Rights policy. Also updates the existing
access control entries for users and groups configured in the policy. After the policy is applied,
any manual changes made to the permissions for a user or group configured
by the policy are lost when the policy is re-applied.
Inherit Applicable Access Rights Configured on Parent Folders: Select Yes if you want a file or
folder to inherit applicable access control rules from its parent object. If you select No,
inherited rules are removed. If you do not want to make any changes, select not configured on the
managed device.
At least one attribute, permission, or inheritance setting must be
configured to create a policy. Without configuring any settings, you cannot
create a policy.
NOTE: If the Full Control access right is denied for the Administrators or Authenticated Users
group, the policy is successful only during the first enforcement. However, if the Full Control
access right is denied for the Administrators or Authenticated Users group and the Remove access control rules not configured by ZENworks option is selected, the policy fails.
The unenforcement of the Local File Rights policy from a device fails if the Full Control access
right is denied for the Administrators or Authenticated Users group in the policy.
6 Click Next to display the Summary page.
7 Click Finish to create the policy now, or select Define Additional Properties to specify
additional information, such as policy assignment, system requirements, enforcement, status,
and which group the policy is a member of.
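A pre-deployment check for the condition described in the NOTE above, added here as an example and not part of ZENworks or its documentation: it parses the DACL of a Windows security descriptor in SDDL form (the string PowerShell returns from `(Get-Acl <path>).Sddl`) and reports deny entries that take Full Control away from Administrators or Authenticated Users. The function names and the two sample descriptors are constructed for illustration.

```python
import re

# SDDL aliases and raw SIDs of the two groups named in the NOTE.
WATCHED = {
    "BA": "Administrators", "S-1-5-32-544": "Administrators",
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
}
FILE_ALL_ACCESS = 0x1F01FF  # "FA" in SDDL: Full Control on a file or folder
GENERIC_ALL = 0x10000000    # "GA"

def pairs(codes):
    """Split concatenated two-letter SDDL codes, e.g. 'OICINP' -> {'OI', 'CI', 'NP'}."""
    return {codes[i:i + 2] for i in range(0, len(codes), 2)}

def parse_dacl(sddl):
    """Return (dacl_flags, aces) for the D: part of an SDDL string.
    Conditional ACEs (nested parentheses) are not handled."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        return "", []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(2)):
        fields = body.split(";")
        if len(fields) >= 6:
            aces.append({"type": fields[0], "flags": pairs(fields[1]),
                         "rights": fields[2], "sid": fields[5]})
    return m.group(1), aces

def is_full_control(rights):
    """True if the rights field (symbolic or hex mask) amounts to Full Control."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return (mask & FILE_ALL_ACCESS) == FILE_ALL_ACCESS or bool(mask & GENERIC_ALL)
    return bool(pairs(rights) & {"FA", "GA"})

def audit(sddl):
    """Flag deny-Full-Control ACEs for the watched groups."""
    dacl_flags, aces = parse_dacl(sddl)
    findings = []
    for ace in aces:
        if ace["type"] == "D" and ace["sid"] in WATCHED and is_full_control(ace["rights"]):
            findings.append({
                "group": WATCHED[ace["sid"]],
                "inherited": "ID" in ace["flags"],     # came from a parent folder
                "no_propagate": "NP" in ace["flags"],  # reaches immediate children only
            })
    # "P" marks a protected DACL: the object does not inherit rules from its parent.
    return {"protected": "P" in dacl_flags, "findings": findings}

# Constructed descriptors (not taken from a real device).
SAMPLE_OK = "O:BAG:SYD:AI(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;BU)"
SAMPLE_BAD = ("O:BAG:SYD:PAI(D;OICI;FA;;;AU)"
              "(D;OICINP;0x1f01ff;;;S-1-5-32-544)(A;OICI;FA;;;SY)")

if __name__ == "__main__":
    for name, sddl in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, audit(sddl))
```

Running it against folders a Local File Rights policy targets, before and after the first enforcement, shows whether a deny entry of this kind is present before the policy is re-applied or unenforced.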
2.4 Printer Policy
The Printer policy allows you to configure Local, SMB, HTTP, and iPrint printers on a Windows
device.
1 In ZENworks Control Center, click the Policies tab.
2 In the Policies list, click New, then click Policy to display the Select Policy Type page.
3 Select Printer Policy, click Next to display the Define Details page, then fill in the fields:
Policy Name: Provide a name for the policy. The policy name must be different than the name
of any other item (group, folder, and so forth) that resides in the same folder. The name you
provide displays in ZENworks Control Center.
Folder: Type the name or browse to and select the ZENworks Control Center folder where you
want the policy to reside. The default is /policies, but you can create additional folders to
organize your policies.
Description: Provide a short description of the policy’s content. This description displays in
ZENworks Control Center.
4 Click Next to display the Printer Identification page, then select the type of printer to be
installed on the managed device.
5 Click Next, then skip to the appropriate step, depending on which printer type you chose in
Step 4:
Local Printer: Continue with Step 6.
Network Printer: Skip to Step 7.
iPrint Printer: Skip to Step 8.
6 (Conditional) If you are configuring a local printer, refer to the following table for more
information:
Field: Details
Name: Specify the name of the local printer that you want to configure on the target device.
Port: Select the physical port to which the printer is added, such as LPT1 or COM1.
Driver: Browse to and select a suitable driver for the printer. If the driver is not
contained in the browser list, type in the correct model name. The driver
must either be installed on the target device or specified in the enforced
policies. The driver must be digitally signed by Microsoft*. However, if you
choose to use a driver that is not digitally signed, see the Troubleshooting
Scenario
Install a Driver: Select this option to install a driver on the target device. The driver
installation must be non-interactive and silent. The supported driver
.inf
installation type is
or
.tar
formats. The
available on the target device. Ensure that the
installation of the driver.
NOTE: To add a new printer driver to the existing driver list:
For example, if you want to add an HP* Color LaserJet* 4550 PCL printer,
then add the following line:
HP = HP Color LaserJet 4550 PCL
.zip
Model Name: Browse to select the model name of the driver.
Driver File Path: Specify the driver files either from a particular device where the browser is
running or from a path on the managed device, such as C:\temp\nipp.zip.
Supported Platforms: Specify a platform for the driver. The platform information helps to select a
suitable driver from the available drivers list, which is based on the
installation platform.
Language of Installation: Select the installation language. Your choices are English (United States),
French, German, Portuguese, Spanish, Italian, Chinese (Traditional),
Chinese (Simplified), or Japanese.
Install Forcefully Even if the Driver is Already Installed: Select this option to force installation
of the driver, even though it is already installed on the target device.
7 (Conditional) If you are configuring a Network printer, refer to the following table for more
information:
Field: Details
Name / Location: Specify the UNC path or URL name of the HTTP or SMB printer.
For example, it is \\server-name\printer-name for an SMB printer, and
http://server/printers/.myprinter/.printer for an HTTP printer.
NOTE: Network printers that prompt for user credentials are not supported.
Driver: Browse to add and select a suitable driver for the Windows HTTP printer.
You can ignore this for SMB printers.
The driver must be digitally signed by Microsoft*. However, if you choose to
use a driver that is not digitally signed, see the Troubleshooting Scenario
Install a Driver: Use this option to install a driver on the target device. The driver installation
is non-interactive and silent. The supported driver installation type is
and the
file can be specified directly if it is already available on the target device.
Ensure that the
NOTE: To add a new printer driver to the existing driver list:
For example, if you want to add an HP Color LaserJet 4550 PCL printer, then
add the following line:
HP = HP Color LaserJet 4550 PCL
Model Name: Browse to select the model name of the driver.
Driver File Path: Specify the driver files either from a particular device where the browser is
running or from a path on the managed device, such as c:\temp\nip.zip
Supported Platforms: Specify a platform for the driver. The platform information helps to select a
suitable driver from the available drivers list, which is based on the
installation platform.
Language of Installation: Select the installation language. Your choices are English (United States),
French, German, Portuguese, Spanish, Italian, Chinese (Traditional), Chinese
(Simplified), or Japanese.
Install Forcefully Even if the Driver is Already Installed: Select this option to force the
installation of the driver on the device every time the policy is applied on the device, even if
the driver is already installed on the device.
8 (Conditional) If you are configuring an iPrint printer, refer to the following table for more
information:
On Windows Vista devices, you need to install the Novell iPrint client 5.04 or later.
Field: Details
Name / Location: Specify the URI name of the iPrint printer. For example,
ipp://acme.com/ipp/servername.
Update iPrint Printer while Installing the Driver: Select this option to update the printer driver
and to reinstall the printer driver from the iPrint server while installing the iPrint printer.
Install iPrint Client: Select this option to install the iPrint client on a target machine. The iPrint
client is not supported on 64-bit versions of Windows Server 2003.
The installation file can be either nipp.zip or nipp-s.exe, both of
which are capable of carrying out non-interactive silent installation. These
files can be uploaded from the machine where the browser is running.
To install the iPrint client, you cannot use a .exe file that does not support
a silent installation. For example, you cannot use a nipp.exe file to
install iPrint client.
iPrint Client Installer File Path: Allows you to specify the path to the iPrint Client Installer
(which installs the iPrint client on the managed device).
On the Managed Device: Select this option to specify the path to
the iPrint client installer on the managed device.
Select from this Device: Select this option to add the iPrint client
installer as content with the policy. You can also distribute the iPrint
client installer along with the policy.
Install Forcefully Even if the Driver is Already Installed: Select this option to force installation
of the driver, even though it is already installed on the target device.
Configure iPrint Client: Select this option to configure the iPrint proxy server.
Proxy Server: Specify the iPrint proxy server name. For example,
http://proxy.companyx.com:8080.
If the workstations are located outside the physical firewall, you can use
this option to specify the proxy address followed by a (:) and the port
number.
9 Click Next to display the Printing Preferences page, then use the options to specify the
preferences. Refer to the following table for more information:
Field: Details
Orientation: Select this option to specify the paper layout for the printer, such as
landscape or portrait.
Duplex Printing: Specify whether or not to print on both sides of the paper, if the printer has
that capability.
Collate: Specify whether or not the printer should organize multiple copies of a
document, if the printer has that capability.
Print Quality: Select the print quality. Select High quality for the best possible resolution, or
select Low quality for lower resolution and lower quality.
Paper Source: Specify the paper source for the printer. A source that is not listed in the
standard available list can also be specified, but it must be supported by the
printer. Information on supported paper sources is available in the printer
documentation or in the registry key
Paper Size: Specify the paper size for the printer. You can specify any paper size
supported by the printer, in addition to the options listed in the menu.
Information on supported sizes is available in the printer documentation or in
the registry key
10 Click Next to display the Additional Printer Policy settings, then use the options to specify the
settings. Refer to the following table for more information:
Field: Details
Set as Default Printer: Select this option to specify a printer as the default printer to which the
print requests are sent if no other printer is specified by the user.
On a Windows 7 managed device, the assigned printer might be set as a
default printer on the device even if the Set as Default Printer option is not
selected in the policy.
Remove all Printers not Specified by ZENworks Printer Policies: Select this option to remove all
printers that are not specified through the ZENworks Printer policy.
11 Click Next to display the Summary page.
This wizard allows you to configure only one printer. If you want to configure additional
printers, then configure them in the Details page after creating the policy.
12 Click Finish to create the policy now, or select Define Additional Properties to specify
additional information, such as policy assignment, system requirements, enforcement, status,
and which group the policy is a member of.
Only the preferences that are supported by the printer are configured on that printer.
2.5 Remote Management Policy
The Remote Management policy lets you configure the behavior or execution of a Remote
Management session on the managed device. The policy includes properties such as Remote
Management operations and security.
By default, a secure Remote Management policy is created on the managed device when the
ZENworks Adaptive Agent is deployed with the Remote Management component on the device.
You can use the default policy to remotely manage a device. To override the default policy, you can
explicitly create a Remote Management policy for the device.
For information on creating the Remote Management policy, see “Creating the Remote Management
Policy” in the ZENworks 10 Configuration Management Remote Management Reference.
2.6 Roaming Profile Policy
The Roaming Profile policy allows you to create a user profile that is stored in a network path. An
administrator can either use the roaming profile stored in the user’s home directory or the profile
stored in the network directory location.
IMPORTANT: Because of the security settings in Microsoft Vista, administrators must manually
add the appropriate security rights to the user registry hive to enable roaming profiles. For more
information, see Section 3.7, “Assigning a Roaming Profile Policy that has User Profile Stored on a
Windows Share Location to Users on a Windows Vista, Windows Server 2008, or Windows 7
Device,” on page 47.
1 In ZENworks Control Center, click the Policies tab.
2 In the Policies list, click New, then click Policy to display the Select Policy Type page.
3 Select Roaming Profile Policy, click Next to display the Define Details page, then fill in the
fields:
Policy Name: Provide a name for the policy. The policy name must be different than the name
of any other item (group, folder, and so forth) that resides in the same folder. The name you
provide displays in ZENworks Control Center.
Folder: Type the name or browse to and select the ZENworks Control Center folder where you
want the policy to reside. The default is /policies, but you can create additional folders to
organize your policies.
Description: Provide a short description of the policy’s content. This description displays in
ZENworks Control Center.
4 Click Next to display the Roaming Profile Policy page, then use the options to specify the
settings. Refer to the following table for more information:
Field: Details
Store User Profile in User’s Home Directory: Select this option to load and save a user’s profile
from the user’s home directory as specified in eDirectory.
This option is applicable only if the user object is in eDirectory. However, it is
currently not supported in a Domain Services for Windows environment.
User Profile Path: Select a UNC path to a user’s roaming profile. If you want to administer the
policy on more than one user object, use %USERNAME% as the environment
variable. In this case, the environment variable is resolved with the logged-on
username and the user profile is loaded from the specified path.
Override Terminal Server Profile: If a user is accessing a terminal server that has its own profile,
enable this option to override the terminal server’s profile.
5 Click Next to display the Summary page.
6 Click Finish to create the policy now, or select Define Additional Properties to specify
additional information, such as policy assignment, system requirements, enforcement, status,
and which group the policy is a member of.
2.7 SNMP Policy
The SNMP policy allows you to configure SNMP parameters on the managed devices.
1 In ZENworks Control Center, click the Policies tab.
2 In the Policies list, click New, then click Policy to display the Select Policy Type page.
3 Select SNMP Policy, click Next to display the Define Details page, then fill in the fields:
Policy Name: Provide a name for the policy. The policy name must be different than the name
of any other item (group, folder, and so forth) that resides in the same folder. The name you
provide displays in ZENworks Control Center.
Folder: Type the name or browse to the ZENworks Control Center folder where you want the
policy to reside. The default is /policies, but you can create additional folders to organize
your policies.
Description: Provide a short description of the policy’s content. This description displays in
ZENworks Control Center.
4 Click Next to display the SNMP Community Strings page. Refer to the following table for more
information:
Field: Details
Add a Community String: Allows you to add a community string.
Community String: Specify the name of the SNMP community string to be added.
Community Rights: Allows you to administer rights for a selected community, such as
Read Only, Read & Write, Read & Create, and Notify.
Remove All SNMP Community Strings not specified by ZENworks SNMP Policies: Select this option to
remove all the community strings that are not specified through ZENworks SNMP policy.
Send SNMP Authentication Trap: Select this option if you want to send authentication trap
information.
This page allows you to add only one community string to the policy. If you want to add
multiple community strings, then configure them in the Details page after creating the policy.
5 Click Next to display the SNMP Default Access Control List page, then use the options to
specify the settings. Refer to the following table for more information:
Field: Details
Allow SNMP Communication: Select this option to specify whether SNMP communication is
allowed from any host or a list of predefined hosts.
Remove All SNMP Allowed Hosts not Specified by ZENworks SNMP Policies: Select this option to
remove all the SNMP allowed hosts that are not specified through the ZENworks SNMP policy.
6 Click Next to display the SNMP Trap Targets page, then use the options to specify the settings.
Refer to the following table for more information:
Field: Details
Add a Trap Target: Allows you to add a trap target for the SNMP service.
IP Address / Host Name: Specify an IP address or host name of the target device.
Community String: Specify a community string for the trap target defined in IP address/
Host name.
Remove All SNMP Trap Targets Not Specified by ZENworks SNMP Policies: Select this option to remove
all the trap targets that are not specified through the ZENworks SNMP policy.
This page allows you to add only one trap target to the policy. If you want to add multiple trap
targets, then configure them in the Details page after creating the policy.
7 Click Next to display the Default System Requirements for SNMP Policy page, then use the
options to specify the settings. Refer to the following table for more information:
Field: Details
Apply Policy Only if SNMP Service Exists On the Target Device: Select this option to apply the
SNMP policy only if the SNMP service exists on the target device. If the target device does not
contain the SNMP service, the SNMP policy cannot be fully applied or
effective on the target device.
8 Click Next to display the Summary page.
9 Click Finish to create the policy now, or select Define Additional Properties to specify
additional information, such as policy assignment, system requirements, enforcement, status,
and which group the policy is a member of.
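An audit of the settings this policy controls, added here as an example and not ZENworks code: it parses a `reg export` of the Windows SNMP service's `Parameters` key and flags vendor-default community names, write-capable community rights, an empty allowed-hosts list, and disabled authentication traps. The export text is constructed; the key layout (`ValidCommunities`, `PermittedManagers`, `TrapConfiguration`, `EnableAuthenticationTraps`) is that of the Windows SNMP service, and that a ZENworks SNMP policy stores its values there is an assumption.

```python
import re

BASE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters"
RIGHTS = {1: "None", 2: "Notify", 4: "Read Only", 8: "Read & Write", 16: "Read & Create"}
WELL_KNOWN = {"public", "private"}  # vendor-default community names

# Constructed export. Real `reg export` files are UTF-16: open(path, encoding="utf-16").
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters]
"EnableAuthenticationTraps"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration\monitoring-ro]
"1"="10.0.0.5"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities]
"public"=dword:00000008
"monitoring-ro"=dword:00000004
'''

def parse_reg(text):
    """Map each key path to a {value name: value} dict (DWORD and string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'"([^"]*)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)
            if m:
                name, dword, string = m.groups()
                current[name] = int(dword, 16) if dword is not None else string
    return keys

def audit_snmp(text):
    """Return a list of findings for the community, host, and trap settings."""
    keys = parse_reg(text)
    findings = []
    for name, value in keys.get(BASE + r"\ValidCommunities", {}).items():
        if name.lower() in WELL_KNOWN:
            findings.append("community %r is a well-known default name" % name)
        if value in (8, 16):
            findings.append("community %r grants %s" % (name, RIGHTS[value]))
    if not keys.get(BASE + r"\PermittedManagers"):
        findings.append("no allowed hosts listed: SNMP packets are accepted from any host")
    if keys.get(BASE, {}).get("EnableAuthenticationTraps") == 0:
        findings.append("authentication traps are disabled")
    return findings

def trap_targets(text):
    """Return {community: [hosts]} from the TrapConfiguration subkeys."""
    prefix = BASE + "\\TrapConfiguration\\"
    return {key[len(prefix):]: sorted(values.values())
            for key, values in parse_reg(text).items() if key.startswith(prefix)}

if __name__ == "__main__":
    for finding in audit_snmp(SAMPLE_EXPORT):
        print("FINDING:", finding)
    print("trap targets:", trap_targets(SAMPLE_EXPORT))
```

Each finding maps to a wizard field: Community String and Community Rights, Allow SNMP Communication, and Send SNMP Authentication Trap.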
2.8 Windows Group Policy
The Windows Group Policy allows you to configure a Group Policy for Windows devices.
1 In ZENworks Control Center, click the Policies tab.
2 In the Policies list, click New, then click Policy to display the Select Policy Type page.
3 Select Windows Group Policy, click Next to display the Define Details page, then fill in the
fields:
Policy Name: Provide a name for the policy. The policy name must be different than the name
of any other item (group, folder, and so forth) that resides in the same folder. The name you
provide displays in ZENworks Control Center.
Folder: Type the name or browse to and select the ZENworks Control Center folder where you
want the policy to reside. The default is /policies, but you can create additional folders to
organize your policies.
Description: Provide a short description of the policy’s content. This description displays in
ZENworks Control Center.
4 Click Next to display the Windows Group Policy Settings page, then use the options to specify
the settings. Refer to the following table for more information: