0.9 Point Prod VSE Deployment Policy Config

2013 McAfee, Inc. All Rights Reserved.
ePolicy Orchestrator 5.1 Essentials
This module reviews client task configuration and functionality. Students will be shown the process
on deploying point products from ePO along with information on troubleshooting product
deployment.
This module also covers the steps involved in configuring a Point Products available policy settings
and then validating and troubleshooting the enforcement on the managed endpoint(s).
In addition to managing security products, ePolicy Orchestrator can deploy products, components,
and updates to the desired managed systems. You can perform these actions as needed, or you can
schedule them using client and server tasks.
Client Tasks
Client tasks help automate how you manage systems in the network. They are commonly used for the
following activities.
Product deployment
Product functionality; for example, the VirusScan Enterprise (VSE) On-Demand Scan task.
Upgrades and updates
The extension files installed on the ePO server determine which client tasks are available.
Server Tasks
Server tasks are configurable actions that run on your ePO server on a schedule. You can leverage
server tasks to help automate repetitive server tasks that need to be performed on your server.
McAfee ePO software includes preconfigured server tasks and actions by default. Most of the
additional software products you manage with your ePO server also add preconfigured server tasks.
Some example server tasks are:
Disaster Recovery Snapshot Server: Create a Disaster Recovery Snapshot on a daily basis.
Purge Threat and Client Events Older than 90 Days.
Duplicate Agent GUID: clear error count: Clear Sequence Error Count for systems who have not
recently reported duplicate activities.
Duplicate Agent GUID - remove systems with potentially duplicated GUIDs: Delete systems
whose sequence error count has exceeded the threshold and add Agent GUID to duplicate list.
Query: run a query on a regular basis.
Client Tasks
You manage client tasks from the Client Task Catalog page. Go to: Menu > Policy > Client Task
Catalog. The Client Task Catalog page opens.
Server Tasks
You manage server tasks from the Server Tasks page. Go to: Menu > Automation > Server Tasks. The
Server Tasks page opens.
Client and server tasks help automate the process of managing the security software deployed to the
systems on the network.
Client and Server Task Workflow
Follow these high-level steps when creating client and server tasks for the first time.
1. Plan the client tasks you want to automate; for example, deploy product software, perform
product updates, and more.
2. Create and assign client tasks to specific groups and systems.
3. Create server tasks to keep the repositories up-to-date and to automate server maintenance
tasks.
4. Schedule tasks to run automatically.
You assign and manage client tasks from the Client Task Catalog page. The Client Task Types pane, on
the left, lists the products for which you can create or manage client task objects. The list is
determined by the installed product extensions. Click the arrow next to object to either view/hide its
available tasks.
The Client Task Catalog Actions menu specifies actions you can perform for the selected object,
including:
Import: Opens the Import page, where you can import Client Task objects from an XML file.
When importing a file containing multiple Client Task objects, you can choose which tasks to
import. NOTE: If you choose to import a Client Task object that is identical to an existing Client
Task, the existing object is overwritten.
Export All: Opens the Export page, where you can export an XML file containing all client task
objects for the products listed in the Task Type pane. Use this action when you want to create an
XML file that you can import into this or other ePO servers. NOTE: Performing this action does
not delete the client task objects from the server.
The New Task button is used to create a new client task object.
The Actions menu displays the actions you can perform for the selected object, including:
Choose Columns: Opens the Select the Columns to Display page, where you can select the
columns displayed in the Client Task Catalog pane.
Export Table: Opens the Export page, where you can create a file containing the details of
objects listed in the Client Task Catalog pane. This option is useful, for example, when you need
to create a file to report on the client task objects you have created for a specific product. Note
This action does not export the actual Client Task object. It is a reporting function.
Export Tasks: Opens the Export page, where you can export an XML file containing all client task
objects for a specific type of task for a particular product, or all tasks for a specific product; for
example, you can export all the objects for the McAfee Agent product, McAfee Agent Wakeup
task type. This is useful when you want to export only some of the Client Task Catalog objects.
In each row containing a client task, you can perform these actions for the selected task:
Click the name of the client task to modify the details of this object. Changing a client task object
affects all instances where this object is assigned.
Name column: Name of the client task.
Owners column: Displays the Task Ownership page, where you can view and change the client
task's owner.
Assignments: Opens the Task Assignments page, where you can view the current client task
assignments.
Actions column: Contains several options:

Delete: Deletes the selected object from the Client Task Catalog.
Duplicate: Creates a copy of the selected client task object.
Assign: Opens the Select a group to assign the task page, where you can identify a group in your
System Tree to assign this task. Selecting a group and clicking OK opens the Client Task
Assignment Builder, where you can complete the assignment process.
Share/Unshare: Shares or unshares the selected client task object. To share a client task object
with other ePO servers in your environment, you must have another ePO server registered with
this ePO. In addition, a Share Client Tasks server task must be created and enabled.
10
The New Task button is used to create a new client task object.
11
You can use client tasks to automatically deploy product software, perform product updates, and
more. The process is similar for all client tasks. In some cases you must create a new client task
assignment to associate a client task to a System Tree group.
Complete these steps from the ePO console. For option definitions, click ? in the interface.
1. Go to the Client Task Catalog page (Menu > Policy > Client Task Catalog).
2. Select a Client Task Type in the left pane; for example, McAfee Agent > Product Update.
3. Click Actions > New Task (or click the New Task button).
4. Select a task type from the list, then click OK. The Client Task Builder wizard opens.
5. Type a name for the task you are creating, add a description (optional), then configure the
settings specific to the task type you are creating. The configuration options change depending
on the task type selected.
6. Review the task settings, then click Save. The task is added to the list of client tasks for the
selected client task type.
12
Complete these steps from the Client Task Catalog page, to edit a client task:
2. Select a client task in the right pane.
3. Click the client task name in the Name column.
4. Edit the settings, as needed, then click Save.
13
Complete these steps from the Client Task Catalog page, to delete a client task:
3. Click the Delete link for the selected task.
4. When prompted, click OK.
14
Complete these steps from the Client Task Catalog page:

3. Click the Duplicate link for the selected task.
4. Enter task name, then click OK.
5. Use the Client Task Builder wizard to finish the setup. The steps are similar to those for creating
a new task.
15
Client tasks in the Client Task Catalog must be assigned to the managed systems to take affect. When
you click the Assign link, you are prompted to specify the System Tree group where you want to
assign the client task object, then the Client Task Assignment Builder opens. Client Tasks are inherited
by any managed system in or below the group you specify.
16
Select the client task object to assign to systems in the network. After completing the page, click the
Next button in the bottom right corner to navigate through the steps.
See the next page for information about the available fields.
17
Task to Schedule
Use the options in this section to specify settings, including:
Product: Select the managed product from this list that provides the Client Task object you want
to assign. For example, select the McAfee Agent product category to display McAfee Agent Client
Task objects. Choices in this list are dependent on the managed product extensions checked into
your ePO server.
Task Type: Specify which task type you want to assign. Each managed product has a predefined
set of task types you can employ.
Task Name: Choices in this list are dependent on the Client Task objects you create. You can
create Client Task objects using the Client Task Catalog, or create one now by clicking Create New
Task. When you create a new Client Task object, it is stored in the Client Task Catalog.
Created at
This field identifies the System Tree location where this Client Task Assignment is enforced. By
default, all groups and systems below this location inherit this assignment unless you break
inheritance manually.
Lock Task Inheritance
Specify whether task inheritance is:
Locked: Managed systems below this location cannot have inheritance broken.
Unlocked: Managed systems below this location can have inheritance broken. Note When
inheritance is locked, only the Client Task owner, Global Administrators, or users with specific
permissions can unlock inheritance. The owner is the user who created the Client Task object.
Tags
Use this setting to use Tags to include or exclude tagged managed systems from this assignment. For
example, if you assign a Client Task at the My Organization level in the System Tree, and choose to
send this assignment only to systems with the Server tag, any system in the My Organization group
that does not have the Server tag will not receive this task.
NOTE: You cannot create and apply tags to your managed systems while creating or managing Client
Task Assignments. The tags must already be created and assigned. For more information on creating
and applying tags, see Tags and how they work in the ePolicy Orchestrator Product Guide.
18
Client tasks run on the clients and are typically scheduled to run at a specific time. They are different
from policies because they are an action that the client must perform at a predetermined time.
In this next step, enter the scheduling parameters, then click the Next button in the bottom right
corner. See the next page for information about the fields.
19
Schedule status
Specifies whether the task runs according to its schedule. If the schedule is disabled, the task can only
be run only from the System Tree >Systems page by clicking Actions > Agent > Run Client Task Now
or as a Server Task action.
Schedule type
Specifies the time interval for running the client task. Options include:
Daily: Specifies that the task runs every day, at a specific time, on a recurring basis between two
times of the day, or a combination of both.
Weekly: Specifies that the task runs on a weekly basis. Such a task can be scheduled to run on a
specific weekday, all weekdays, weekends, or a combination of them. You can schedule such a
task to run at a specific time of the selected days, or on a recurring basis between two times of
the selected days.
Monthly: Specifies that the task runs on a monthly basis. Such a task can be scheduled to run on
one or more specific days of each month at a specific time.
Once: Starts the task on the time and date you specify.
At System Startup: Starts the task the next time you start the server.
At logon: Starts the task the next time you log on to the server.
When idle: Starts the task the next time the client goes idle. Once initiated, the task continues to
run until its complete, even if the system does not stay idle. Note: After the task is run the first
time, it is not run again.
Run immediately: Starts the task immediately.
Run on dialup: Starts the task the next time that the managed system establishes a dialup
connection to the network.
Effective period
Specify the following:
End date: The date on which the client task becomes unavailable to the scheduled interval.
Start date: The date on which the client task is available to begin running at the scheduled
intervals.
Start time
Specify the time at which this task should begin, as well as: Whether to run the task only once at the
Start time, or to continue running until a later time. You can also specify the interval at which the task
runs during this interval.
Task runs according to
Specifies whether the task schedule runs according to the local time on the managed system or
Coordinated Universal Time (UTC).
Options
Specifies how the task behaves and the actions that can be taken if the task runs too long, or whether
the task should run if it was missed. Options include:
Enable randomization X hours Y minutes: Specifies that this task runs randomly within the time
you specify. Otherwise, this task starts at the scheduled time regardless if other client tasks are
scheduled to run at the same time.
Run missed task X minute delay: Runs the task after a user-configured number of minutes once
the managed system is restarted.
Stop the task if it runs for X hours Y minutes: Stops the task when it has run for a userconfigured amount of time.
20
Consider the following when creating and scheduling client update tasks:
Create a task to update DAT and engine files daily at the highest level of the Directory that is
inherited by all systems. If your organization is large, you can use randomization intervals to
mitigate the bandwidth impact of all systems updating at the same time. Also, for large networks
with offices in different time zones, running the task at the local system time on the managed
system, rather than at the same time for all systems, helps balance network load.
Schedule the update task at least an hour after the scheduled replication task, if you are using
scheduled replication tasks.
Run update tasks for DAT and engine files at least once a day. Managed systems can be logged off
from the network and miss the scheduled task; running the task frequently ensures these
systems receive the update.
Maximize bandwidth efficiency and create several scheduled client update tasks that update
separate components and run at different times. For example, you can create one update task to
update only DAT files, then create another to update both DAT and engine files weekly or
monthly engine packages are released less frequently.
Create and schedule additional update tasks for products that do not use the agent for Windows.
Use the Run missed task option. This can be useful if systems are logged off from the network at
the scheduled update time, ensuring they update after logging onto the network.
21
After completing the steps using the Client Task Assignment Builder, verify the configuration. If
necessary, use the Back button to return to a previous step to make changes. When you are satisfied
with the settings, click Save.
22
Client tasks can be set at a group or machine level and always inherits to the group or machine below
them. Customers should always try to set their client tasks at the highest point of their directory tree,
like the My Organization level. This reduces the number of tasks they will have to manage and keeps
administration overhead to a minimum.
You can see when systems or groups are not inheriting task. You can select the blue hyperlink and
select the systems or groups and reset the inheritance upon the desired nodes.
23
Use this task to edit a client tasks settings or schedule information for any existing task.
1. Go to System Tree >Actions > Agent > Modify Tasks on a Single System.
2. Click the task name to edit the task, or click on the blue Edit Assignment hyperlink to modify
which systems it is assigned to.
3. Edit the task settings as needed, then click Save.
The managed systems receive these changes the next time the agents communicate with the server.
Note that saving an inherited task at the subgroup level breaks the tasks inheritance.
24
Some commonly-used client tasks are described below. We will take a closer look at these tasks in the
following sections.
McAfee Agent:
McAfee Agent Statistics: Collect network bandwidth saved by RelayServer and SuperAgent
hierarchical feature.
McAfee Agent Wakeup: Triggers an immediate Agent-Server Communication. This applies to
Windows operating systems only.
Mirror Repositories: Specifies a location on the managed system to replicate contents from the
repository. This applies to Windows operating systems only.
Product Deployment: Install a product on managed systems.
Product Update: Update a product on managed systems.
VirusScan Enterprise: Perform On-Demand Scan and Restore From Quarantine.
NOTE: Client tasks in the Client Task Catalog must be assigned to the managed systems to take affect.
25
You can configure the McAfee Agent Statistics task to collect network bandwidth saved by
RelayServer and SuperAgent hierarchical feature.
Creating a New Task
The steps are:
1. Provide a name for the task.
2. Optionally, provide a description of the task's purpose.
3. Select from the Statistics Options.
RelayServer Statistics: Collects these statistics from the client systems:
Number of failed connections to the RelayServers
Number of attempts made to connect to the RelayServer after the maximum allowed
connections
SuperAgent Hierarchical Update Statistics: Collects the network bandwidth saved by use
of SuperAgent hierarchy.
Agent Relay Capability
If your network configuration blocks communication between the McAfee Agent and the McAfee ePO
server, the agent can't receive content updates, policies, or send events. Relay capability can be
enabled on agents that have direct connectivity to the ePO server or Agent Handlers to bridge
communication between the client systems and the McAfee ePO server. You can configure more than
one agent as a RelayServer to maintain network load balance.
SuperAgent Hierarchical Capability
You can create a hierarchy to avoid repetitive download of the content update from the ePO server or
distributed repository. It is recommended to have a three-level hierarchy of SuperAgents in your
network.
26
A McAfee Agent wake-up call triggers an immediate Agent-Server Communication rather than waiting
for the current Agent-Server Communication Interval (ASCI) to elapse. The agent wake-up client task
is supported only on Windows platforms. Use System Tree actions to wake-up agents on Unix-based
and MAC operating systems.
There are two ways to issue a wake-up call:
Manually from the server: This is the most common approach and requires the agent wake-up
communication port be open.
On a schedule set by the administrator: This approach is useful when manual agent-to-server
communication is disabled by policy.
Some reasons for issuing an agent wake-up call are:

You make a policy change that you want to enforce immediately, without waiting for the
scheduled ASCI to expire.
You created a new task that you want to run immediately. The Run Task Now creates a task, then
assigns it to specified client systems and sends wake-up calls.
A query generated a report indicating that a client is out of compliance, and you want to test its
status as part of a troubleshooting procedure.
If you have converted a particular agent on a Windows system to a SuperAgent, it can issue wake-up
calls to designated network broadcast segments. SuperAgents distribute the bandwidth impact of the
wake-up call.
27
The Mirror Repositories page specifies a location on the managed system to replicate contents from
the repository. The repository this task uses is selected based on policy selections on the Repositories
tab of the agent policy pages.
Creating a New Mirror Repositories (Windows only) Task
The steps are:
1. Provide a name for the task.
2. Optionally, provide a description of the task's purpose.
3. Specify the path and folder where the repository contents are copied. The repository selected
is based on policy selections on the Repositories tab of the agent policy pages.
28
Product Deployment is a McAfee Agent client task. Product deployment tells the agent which
products you want deployed to the client and when. To deploy a product you must create a task and
either link it to policy enforcement or schedule it to occur.
After you have checked in the product deployment package, use the Product Deployment client task
to install the product on managed systems. The task installs any product that is deployable through
ePO that has been checked in to the master repository.
Deployment Packages for Products and Updates
The ePO deployment infrastructure supports deploying products and components, as well as
updating both.
Each McAfee product that ePO can deploy provides a product deployment package ZIP file. ePO can
deploy these packages to any of your managed systems, once they are checked in to the master
repository. The ZIP file contains the product installation files, which are compressed in a secure
format. ZIP files are used for both detection definition (DAT) and engine update packages.
You can configure product policy settings before or after deployment. McAfee recommends
configuring policy settings before deploying the product to network systems. This saves time and
ensures that your systems are protected as soon as possible.
NOTES:
After you configure the deployment, it occurs the next time the agents call back to the ePolicy
Orchestrator server for updated instructions. You can also initiate an agent wakeup call to have the
deployment occur immediately.
McAfee recommends selecting Enable randomization and entering a length of time if deploying the
agent to 1,000 nodes or more.
29
Fields and Descriptions

Task Name: Provide a name for the task.
Description: An optional description of the task's purpose.
Target platforms: Specifies all platforms where these packages are deployed.
Products and components: Select the products and components to deploy when this task runs.
If you do not see the product you want to deploy listed here, you must first check in that
products software package.
Select Add (+) or Delete (-) to add or delete products from the list. For each product:
o Specify the Action, Language, and Branch.
o Optionally, specify command-line update options by typing the desired command.
Options: Select Run at every policy enforcement (Windows only) to ensure the deployment
occurs again at the policy enforcement interval if a user has removed the product or component.
Postpone Deployment dialog box (Windows systems only): Select Allow end users to postpone
this update to give the user the option to postpone the update; for example, if users are in the
middle of an important task, they can postpone the update to finish the task, or at least close
any open applications.
Maximum number of postpones allowed: Specifies the number of times a user can postpone
the update. Defaults to 1.
Option to postpone expires after (seconds): Specifies how long the option to postpone exists.
Once this threshold is passed, the update begins. Defaults to 20 seconds.
30
Display this text: Specifies a message displayed in the Postpone Update dialog box.
Use this task to deploy products to a single system using the Product Deployment task.
Create a Product Deployment client task for a single system when that system requires:
A product installed which other systems within the same group do not require.
A different schedule than other systems in the group. For example, if a system is located in a
different time zone than its peers.
Steps
1. Go to System Tree > Systems, then select the group in the System Tree which contains the
desired system.
2. Select the checkbox next to the desired system.
3. Click Actions > Agent > Modify Tasks on a Single System. The list of tasks assigned to this
system appears.
4. Click Actions > New Client Task Assignment. The Description page of the Client Task
Assignment Builder appears.
5. Select McAfee Agent > Product Deployment from the Task information screens.
6. Click Create New Task.
7. Add any descriptive information to the Notes field.
The information you add here is only visible when you open the task at the system for which you are
configuring the task.
Continued on next page
31
Steps (Continued)
8. Select the desired platforms to which you are deploying the packages.
9. Next to Products to deploy, select the desired product from the first drop-down list. The
products listed are those for which you have already checked in a package file to the master
repository. If you do not see the product you want to deploy listed here, you must first check in
that products package file.
10. Set the Action to Install, then select the language version of the package.
11. To specify command-line install options, type the desired command-line options in the
Command line text field. See the product documentation for information on command-line
options of the product you are installing.
12. Click Save.
13. Select your newly created task and click Next. The Schedule page appears.
14. Schedule the task as needed, then click Next. The Summary page appears.
15. Review and verify the details of the Product Deployment task, then click Save.
32
Product Update page (Client Task Configuration)

The Product Update page is where you configure how the McAfee Agent updates packages,
signatures, and engines on managed systems.
33
When you are configuring the options for updating signatures, engines, patches, service packs, and
any other update types, it is important to keep in mind that the McAfee Agent policy is where you
configure the location and the desired repositories that you want the system to access for updates.
The product update task lists the package types that you can update. If, for example, the customer
wants to control the update for a new engine version then they will need to configure both the policy
location along with the task.
34
After you have Client tasks defined in the task Catalog, you can select systems in the System tree and
select the McAfee Agent action Run Client Task Now.
35
You can then select the task you wish to run. Once you click the Run Task Now button it will present a
Status bar showing the status of the task on each system you selected the task to run.
36
Customers can choose to deploy many products available in their repositories, provided that they are
checked-in properly. Each product provides their own packages and extensions for management.
The customer must check these in and create a deployment task for the managed machines that they
want the product installed on. Once the agents check back into the ePO server and see that there is a
deployment task available, theyll run the task at the scheduled time. This could be immediately, or
at some chosen point in the future.
Of course, the customer can always just install the product manually or through some other method,
and then just manage it from ePO.
37
The administrator will need to check product installation software in to the ePO 5.1 Master
Repository for deployment to systems. This can be done manually through the Master Repository or
automatically through the Software Manager.
Customers can download their licensed software from the McAfee downloads site or through the
Software Manager.
To manually download McAfee products, updates, and documentation, visit the Downloads page at
http://www.mcafee.com/us/downloads/downloads.aspx.
To download through the Software Manager:
1. Log on to the ePO console.
2. Click Menu.
3. Click Software, Software Manager.
4. Under Software Not Checked In, select the product you wish to download or check in from the
Product list in the detail pane.
5. Under the details, select to check in all components or select them individually. You can select
to check in, download, remove, or update components.
Checked in packages are displayed on the Master Repository page. Successfully checked in products
will display:
Install listed in the Type column
38
OK listed in the Status column
You can check in deployment packages manually to the Master Repository so that the ePO server can
deploy them. The Check In Package button launches the Check in Package wizard. Use this to browse
to a new package to be checked in to the server.
39
A products extension must be installed before ePolicy Orchestrator can manage the product.
The Extension page is used to upload the files needed by point products to be managed through ePO.
For example, Vulnerability Manager has an extension that ensures among other things that the
proper menus are added to ePO for administration.
To bring products under management:
1. From the ePO console, click Menu > Software > Extensions > Install Extension.
2. Browse to and select the extension file, then click OK.
3. Verify that the product name appears in the Extensions list.
40
Deploying security products to managed systems using a deployment project allows the customer to
easily select products to deploy, the target systems, and schedule the deployment.
Customers can use the Product Deployment page to display the configuration and status of currently
configured deployment projects. Plus, you can edit, delete, duplicate, start, stop and uninstall
deployment projects using this page.
41
To create a new deployment project:

1. Click Menu > Software > Product Deployment.
2. Click New Deployment to open the New Deployment page to start a new project.
3. Type a Name and Description for this deployment. This name appears on the Deployment page
after the deployment is saved.
4. Choose the type of deployment:
Continuous Uses your System Tree groups or tags to configure the systems receiving the
deployment. This allows these systems to change over time as the yare added or removed from
the groups or tags.
Fixed Uses a fixed, or defined, set of systems to receive the deployment. System selection is
done using your System Tree or Managed System Queries table output.
5. To specify which software to deploy, select a product from the Package list. Click + and to add or
remove packages.
6. In the Command line text field, specify any command-line installation options.
NOTE: After choosing the type of deployment, either Fixed or Continuous, the menu options change
in Select the systems area (in Select Systems windows).
Continued on next page
42
7. In the Select the systems section, click Select Systems to open the System Selection dialog box.
The System Selection dialog box is a filter that allows you to select groups in your System Tree,
Tags, or a subset of grouped and/or tagged systems. The selections you make in each tab within
this dialog box are concatenated to filter the complete set of target systems for your deployment.
For example, if your System Tree contains, Group A, which includes both Servers and
Workstations, you can target the entire group, just the Servers or Workstations (if they are tagged
accordingly), or a subset of either system type in group A.
8. Pick a start time or schedule for your deployment:
Run Immediately Starts the deployment task during next ASCI.
Once Opens the scheduler so you can configure the start date, time, and randomization.
9. When finished click Save at the top of the page.
43
After saving the task, the Product Deployment page opens with your new project added to the list of
deployments.
After you create a deployment project, a client task is automatically created with the deployment
settings.
You can click on the System Actions button to display the list of systems in a new page where you can
perform system specific actions on the systems you select.
44
Troubleshooting Product Deployment Issues

1. Validate that the agent(s) received the task.
a. Validate that the task is present on the client.
Check for its presence in the Datastore.bin file.
Check for the corresponding task ini file in the agents task folder.
b. If task was not received, validate that the agent is communicating with ePO. If failing to
communicate, investigate as an agent-to-server communication problem (check the
Agent_<SYSTEM>.log file).
2. On the ePO Server side, review the server.log file. To validate the task was provided without
errors.
3. Validate that the agents executed the task at the scheduled time. Check the
Agent_<SYSTEM>.log, and McScript.log files.
4. Is task being written to the registry?
a. Use PROCMON to capture if the task (policy) is attempted to be written to the registry. If it
is and access was denied, then we know it to be a permissions related issue.
Its this type of troubleshooting methodology that will help you identify where the failure is occurring
and why.
NOTE: When ePO deploys a product, it only pushes out the files to the client and starts the
installation. Any problems with providing the files or starting the installation is generally the
deployment tasks fault. Any problems after that are on the application/point product.
45
Managing products from a single location is a central feature of ePolicy Orchestrator. This is
accomplished through application and enforcement of product policies. Policies ensure a products
features are configured correctly, while client tasks are the scheduled actions that run on the
managed systems hosting any client-side software.
46
A policy is a collection of settings that you create and configure, then enforce. Policies make sure that
the managed security software products are configured and perform accordingly. Some policy
settings are the same as the settings you configure in the interface of the product installed on the
managed system. Other policy settings are the primary interface for configuring the product or
component. The ePolicy Orchestrator console allows you to configure policy settings for all products
and systems from a central location.
Each McAfee product Extension file within the ePO repository is represented in the Policy Catalog list.
Generally by default only two named policy objects exists for each product policy. One is named
McAfee Default, and cannot be renamed, edited, or deleted (but can be duplicated). The other policy
is named My Default and this policy can be edited, renamed, duplicated, deleted, or exported.
Policy objects are managed from within the Policy Catalog. From here policies can be viewed,
duplicated, copied, enforced, and policy assignments can be viewed. However, policies cannot be
assigned to System Tree nodes from within the catalog. In order to assign a policy to a System Tree
node the node itself must be selected.
Policy categories
Policy settings for most products are grouped by category. Each policy category refers to a specific
subset of policy settings. Policies are created by category. In the Policy Catalog page, policies are
displayed by product and category. When you open an existing policy or create a policy, the policy
settings are organized across tabs.
47
The product configuration options on the managed system is almost identical to that specified
through the product policies in ePO, as shown here. The left graphic shows Access Protection
configured locally on a system running VirusScan Enterprise. The right graphic shows how this same
configuration can be enforced using ePO product policies.
48
It is likely that most systems within any environment will require identical or very similar
configurations. A small minority of systems may require radically different settings from the majority.
The purpose of policy objects and inheritance is to allow the described scenario (or any given
scenario) to be implemented with as minimal effort as possible.
Policy inheritance is the concept of a higher-level policy assignment being applied to a lower-level
node.
Policy assignment is the allocation of a specific named policy object at a specific node within the ePO
System Tree.
49
You can create a new policy from the Policy Catalog by clicking the button at the top left-hand side of
the Policy Catalog page labeled New Policy. This allows you to base the new policy on a duplicate of
an existing policy object. Policies created here are by default not assigned to any groups or systems.
When you create a policy here, you are adding a custom policy to the Policy Catalog. You can create
policies before or after a product is deployed.
In addition to specifying how the policy obtains its initial configuration, you must specify the name.
After the policy is created, you can change inheritance and any configuration contained within the
policy.
To create a new policy:
1. Click Menu on the navigation bar. Select Policy Catalog within the Policy section.
2. Select the Product and Category from the drop-down lists. All created policies for the selected
category appear in the details pane.
3. Click New Policy button. The Create new policy dialog appears.
4. Select the policy you want to duplicate from the Create a policy based on this existing policy
drop-down list. Type a name for the new policy and click OK.
50
Policies can be edited by clicking the hyperlink name of the policy in the System Tree. This will open
the policy viewing or policy editing dialog, depending on the policy and the rights of the user
accessing it.
Here you can make changes to the policy as needed and when finished, save it.
51
The next step is to assign the new policy to take effect. To assign the new policy to a specific group of
the System Tree:
1. Go to Systems > System Tree > Assigned Policies, then select the desired Product. Each
assigned policy per category appears in the details pane.
2. Locate the desired policy category, then click Edit Assignment. The Policy Assignment page
appears.
3. If the policy is inherited, select Break inheritance and assign the policy and settings below next
to Inherited from.
4. Select the desired policy from the Assigned policy drop-down list.
From this location, you can also edit settings of the selected policy, or create a new policy. You
can choose whether to lock policy inheritance. Locking policy inheritance prevents any systems
that inherit this policy from having another one assigned in its place.
5. When finished, click Save. The new assigned policy will be displayed in the Policy column.
52
When policies are enforced

When you reconfigure policy settings, the new settings are delivered to, and enforced on, the
managed systems at the next agent-to-server communication.
Once the policy settings are in effect on the managed system, the agent continues to enforce policy
settings locally at the regular interval. This enforcement interval is determined by the Policy
enforcement interval setting on the General tab of the McAfee Agent policy pages.
Policy settings for McAfee products are enforced immediately at the policy enforcement interval, and
at each agent-to-server communication if policy settings have changed.
53
Troubleshooting Point Product Policy Enforcement

1. Is the policy set up correctly?
a.VSE splits policies between workstation and server OSes.
2. Has an agent wakeup occurred since saving the policy?
3. Is the target client(s) receiving the policy?
a.Check the Agent_<SYSTEM>.log and Datastore.bin files.
4. Use PROCMON to capture if the policy is attempted to be written to the registry. If it is and
access was denied, then we know it to be a permissions related issue.
54
55

0.9 Point Prod VSE Deployment Policy Config

Diunggah oleh

Informasi Dokumen

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

0.9 Point Prod VSE Deployment Policy Config

Diunggah oleh

Hak Cipta:

Format Tersedia

2013 McAfee, Inc. All Rights Reserved.

ePolicy Orchestrator 5.1 Essentials

2013 McAfee, Inc. All Rights Reserved.

ePolicy Orchestrator 5.1 Essentials

ePolicy Orchestrator 5.1 Essentials

Query: run a query on a regular basis.

2013 McAfee, Inc. All Rights Reserved.

ePolicy Orchestrator 5.1 Essentials

2013 McAfee, Inc. All Rights Reserved.

ePolicy Orchestrator 5.1 Essentials

2013 McAfee, Inc. All Rights Reserved.

ePolicy Orchestrator 5.1 Essentials

2013 McAfee, Inc. All Rights Reserved.

ePolicy Orchestrator 5.1 Essentials

2013 McAfee, Inc. All Rights Reserved.

ePolicy Orchestrator 5.1 Essentials

2013 McAfee, Inc. All Rights Reserved.

ePolicy Orchestrator 5.1 Essentials

2013 McAfee, Inc. All Rights Reserved.

ePolicy Orchestrator 5.1 Essentials

Actions column: Contains several options:

2013 McAfee, Inc. All Rights Reserved.

ePolicy Orchestrator 5.1 Essentials

2013 McAfee, Inc. All Rights Reserved.

ePolicy Orchestrator 5.1 Essentials

2013 McAfee, Inc. All Rights Reserved.

ePolicy Orchestrator 5.1 Essentials

2013 McAfee, Inc. All Rights Reserved.

ePolicy Orchestrator 5.1 Essentials

2013 McAfee, Inc. All Rights Reserved.

ePolicy Orchestrator 5.1 Essentials

Complete these steps from the Client Task Catalog page:

2013 McAfee, Inc. All Rights Reserved.

ePolicy Orchestrator 5.1 Essentials

2013 McAfee, Inc. All Rights Reserved.

ePolicy Orchestrator 5.1 Essentials

2013 McAfee, Inc. All Rights Reserved.

ePolicy Orchestrator 5.1 Essentials

2013 McAfee, Inc. All Rights Reserved.

ePolicy Orchestrator 5.1 Essentials

2013 McAfee, Inc. All Rights Reserved.

ePolicy Orchestrator 5.1 Essentials

2013 McAfee, Inc. All Rights Reserved.

ePolicy Orchestrator 5.1 Essentials

2013 McAfee, Inc. All Rights Reserved.

ePolicy Orchestrator 5.1 Essentials

2013 McAfee, Inc. All Rights Reserved.

ePolicy Orchestrator 5.1 Essentials

2013 McAfee, Inc. All Rights Reserved.

ePolicy Orchestrator 5.1 Essentials

2013 McAfee, Inc. All Rights Reserved.

ePolicy Orchestrator 5.1 Essentials

2013 McAfee, Inc. All Rights Reserved.

ePolicy Orchestrator 5.1 Essentials

ePolicy Orchestrator 5.1 Essentials

Some reasons for issuing an agent wake-up call are:

ePolicy Orchestrator 5.1 Essentials

2013 McAfee, Inc. All Rights Reserved.

ePolicy Orchestrator 5.1 Essentials

ePolicy Orchestrator 5.1 Essentials

Fields and Descriptions

ePolicy Orchestrator 5.1 Essentials

2013 McAfee, Inc. All Rights Reserved.

ePolicy Orchestrator 5.1 Essentials