Multiple User Support; Machine-Based Policies (Active Directory Only); Distributing Unmanaged Policies - Novell ZENWORKS ENDPOINT SECURITY MANAGEMENT 3.5 - ADMINISTRATION Administration Manual

7.5.1 Multiple User Support

For machines that have multiple users logging on to them, each user account has its own, separate
Novell environment. Users can have separate policies and saved network environments. Each
account needs to log in to the Management Service separately to receive its credential in order to
download its published policy.

If a user can't log in or refuses to do so, that user gets the initial policy that was included at Endpoint
Security Client installation. This helps discourage a user from creating a different account to avoid
policy restrictions.

Multiple user support is set at the time you install the client, and can only be changed through an
MSI property (POLICYTYPE 0=user or 1=computer) when you upgrade the client (see "MSI
Installation" in the ZENworks Endpoint Security Management Installation Guide for details).

Because only one policy can be enforced at a time, Microsoft Fast User Switching (FUS) is not
supported. The Endpoint Security Client turns off FUS at installation.

For an unmanaged client, the first policy that is pushed to one of the users is applied to all users until
the other users enforce their policies.

The users on a single computer must all be managed or unmanaged. If they are managed, all the
users must use the same Management and Policy Distribution Service.

7.5.2 Machine-Based Policies (Active Directory Only)

The option for using machine-based rather than user-based policies is set at Endpoint Security Client
installation (see the ZENworks Endpoint Security Management Installation Guide for details). When
this option is selected, the machine is assigned the policy from the Management Service, and the
policy is applied to all users who log on to that machine. Users who have a policy assigned to them
on another machine do not have that policy accompany them when they log on to a machine with a
machine-based policy. Instead, the machine-based policy is enforced.

NOTE: The machine must be a member of the Policy Distribution Service's domain for the first
policy sent down. Occasionally, Microsoft does not immediately generate the SID, which can
prevent the Endpoint Security Client on that machine from receiving its credential from the
Management Service. When this occurs, reboot the machine when the Endpoint Security Client
installation is finished to receive the credentials.

When you switch an Endpoint Security Client from accepting user-based policies to accepting
machine-based policies, the client continues to enforce and use the last policy downloaded by the
current user, until credentials are provided. If multiple users exist on the machine, the machine uses
only the policy assigned to the currently logged-in user. If a new user logs in, and the SID is
unavailable, the machine uses the default policy included at installation, until the SID is available.
After the SID is available for the endpoint, all users have the machine-based policy applied.

7.5.3 Distributing Unmanaged Policies

To distribute policies to unmanaged Endpoint Security Clients:
1 Locate and copy the Management Console's setup.sen file to a separate folder. The setup.sen
file is generated at installation of the Management Console, and placed in the
\Program Files\Novell\ESM Management Console\ directory.