Novell Press on ZENworks 7
01 Oct 2005
The following excerpts are taken from the Novell Press book Novell ZENworks 7 Linux Management Administrator's Handbook (ISBN: 0-672-32735-X) by Ron Tanner and Richard Whitehead. Look for the book to be released soon.
This chapter discusses policies in the Novell ZENworks 7 Linux Management product. Policy creation, modifications and assignments, like all administrative functions, are performed in the ZENworks Control Center.
What Are Policies?
Policies are configurations that may be made to an operating system or application on a managed device. Security settings or default configurations, for example, can be set up in a policy.
After these policies are created, you can assign them to devices registered in your ZENworks system. When a device discovers (or is told) that it has a policy assigned, it retrieves the policy and applies that policy based on the schedule or event specified. When a policy is applied, the configurations are set on the operating system or application. Applying policies is the responsibility of enforcers that are installed on the device when the ZENworks 7 agent is installed.
Why Are Policies Useful?
The reason that policies can be very powerful in managing your business environment is that you can create a single policy and, with just a click of the mouse, have that policy applied to hundreds and thousands of devices. After they are assigned, those devices automatically apply that policy. You can be confident that the policy is sent and enforced on the device.
Now if you decide to change a policy, simply edit it in the ZENworks Control Center and the system automatically updates all assigned devices with that policy. You don't need to do a thing.
How Are Policies Assigned?
Policies are assigned in the ZENworks Control Center through direct or indirect assignments. Either way, the policy is sent to the device and applied to the managed device.
Directly assigned policies are policies that you assign directly to a managed device.
Indirectly assigned policies are policies that are effective for the device and have been assigned through a group membership or containment.
Assigning a Policy
The ZENworks Control Center allows you to assign a policy to a device in several different ways. The following describes the options:
As part of the Policy Creation Wizard.
As an action in the standard ZENworks Control Center lists.
During review of the details of a folder, policy or device.
In the command line on the managed device.
Assigning a Policy with Creation Wizard
All policies are created through a Policy Creation Wizard. Each wizard page is customized for the particular policy that is being created. Regardless of the type of policy created, all wizards present the same pages to allow for the assignment of the policy to managed devices, folders or groups.
After the policy is defined in the wizard and you are viewing the summary page, you may either finish the policy definition by pressing the Finished button on the page or you may proceed in the wizard to select an assignment of the policy by pressing the Next button. (See Figure 1.)
Figure 1: Wizard page that allows policy assignments.
When you are viewing the Policy Assignment page, you can select devices, groups or folders that are assigned the created policy. Complete the following steps to assign the policy:
Press the bold Add menu item in the middle of the screen.
The Select Associations dialog box appears on the screen. (See Figure 2.)
Select the devices, groups or folders to which you want to assign the policy. To drill into folders, select the green, underlined folder name. You can select the item by pressing the blue arrow to the left of the object name. When you select the item, it is displayed on the right pane of the dialog box. (See Figure 3.)
If you want to remove a selection that you previously selected, click the red boxed X. This removes that item from the assignment list.
After you have completed your selections, press the OK button to make your assignments.
Complete the wizard by finishing the remaining pages.
Figure 2: The Select Associations pop-up dialog box.
Figure 3: You can select the item by pressing the blue arrow to the left of the object name. When you select the item, it is displayed on the right pane of the dialog box.
Assigning a Policy Through List View
While in the ZENworks Control Center and under the Devices folder you are presented with the Workstations and Servers folders. If you select either folder, then the ZENworks Control Center drills into that folder and displays all the devices and sub-folders. From any of these lists you may assign a policy to a device or folder.
Complete the following to assign a policy to a device in the ZENworks Control Center list view:
Select the Devices folder in the ZENworks Control Center. (See Figure 4.)
Select either the Workstations or Servers folder to drill into the folder and view any devices or subfolders. (See Figure 5.)
Select all the devices to which you want to assign the policy by selecting the selection box next to the device. When one or more devices are selected, the Action menu item is activated.
Select the Action menu item to bring up the pop-up menu list.
Select the Assign Policy menu item. This brings up the Assign Policy Wizard.
The first page of the Assign Policy Wizard displays the devices that are to be assigned. (See Figure 6.) From this wizard page you may add additional devices by selecting the Add menu. You can also remove devices on this wizard page by selecting the selection box next to the devices and selecting the Remove menu item. Press Next when you are finished with the selected devices.
Step 2 of the Assign Policy Wizard enables you to select the policies that you want assigned to the selected devices in the previous step. Press the Add menu item and select the desired policies from the Select Objects dialog. (See Figure 7.)
After you have selected the set of policies to assign, press OK in the Select Objects dialog.
The assigned policies are listed on the Step 2: Policies to Be Assigned page. From here you can continue to add policies or you can remove the policies from the list. Remove by selecting the selection box next to the policy and then pressing the Remove menu choice. After the list of policies is complete, press Next.
The next page of the Assign Policy Wizard enables you to select the schedule within which the policy will become effective. When the schedule occurs, the policy is placed on the workstation. If None is selected for the schedule type, the policy will never be enforced on the assigned devices. When you have completed the scheduling administration, press Next.
The summary page is displayed next, listing the policies and the devices, folders or groups to which they have been assigned. Additionally, the page displays the schedule type and any details about the schedule. Press Finish to complete the wizard.
Figure 4: Devices folder in the ZENworks Control Center.
Figure 5: Select either the Workstations or Servers folder to drill into the folder and view any devices or subfolders.
Figure 6: The first page of the Assign Policy Wizard displays the devices that are to be assigned.
Figure 7: Press the Add menu item and select the desired policies from the Select Objects dialog.
Assigning a Policy in Folder Details
When you assign a policy to a folder, all the devices in that folder or any subfolder are assigned the specified policy. To assign a policy to a folder, complete the following steps:
Browse to the listing that presents the desired folder. For example, Figure 8 shows the Devices folder, which contains two subfolders: Workstations and Servers.
Press the check box next to the desired folder. This should cause the Action menu item to be activated.
Press the Action menu and choose Assign Policy from the popup menu.
This takes you through the Assign Policy Wizard, as described in the previous section.
Figure 8: Browse to the listing that presents the desired folder. For example, this Devices folder contains two folders: Workstations and Servers.
You may also assign a policy to a folder by entering the folder's details. You enter a folder's details by pressing the Details link next to the folder name. Within that folder's details is an Effective Policies snapshot. You can use this method to assign policies in the same way as described in the following "Assigning a Policy in Policy Details" section.
When a policy is assigned to a folder, all devices in that folder and any subfolders receive that policy. This "inheritance" of a policy through a folder above can be overwritten by assigning a policy closer, in a hierarchical fashion, to the device.
For example, if PolicyA were assigned to Folder1, any devices in Folder1 and Folder1.1 would have PolicyA applied if they met the system requirements for that policy. If a separate PolicyA (called PolicyA1) were applied to Folder1.1, the devices in Folder1.1 would get PolicyA1 and would not get PolicyA. To discover which policies will be applied to a device, you can pretend to enter ZENworks at the location where the device is in the object store. Then walk up the folders searching for a policy. When you find a policy, you stop searching for that particular type of policy. You may continue to search up the folder hierarchy looking for other policies, but you will not apply any policy of the type that you had previously found.
The only exception to this rule is the Generic GNOME policy. This policy is cumulative, meaning that it is a merge of all the effective Generic GNOME policies that are associated to the device or a group or container of the device.
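The walk-up rule and the Generic GNOME exception can be modelled in a few lines. The following is an added example, not ZENworks code: it resolves the effective policies for a device and lists any assignment that a closer one overrides, which is the check to run before relying on a lockdown policy set high in the tree. The folder and policy names follow the text; the device names, the DesktopLock, GnomeBase and GnomeLab policies, the setting keys, and the rule that the nearer Generic GNOME value wins on a key conflict are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Policy types that merge instead of stopping at the nearest assignment.
# The text names Generic GNOME as the only one.
CUMULATIVE_TYPES = {"Generic GNOME"}


@dataclass
class Policy:
    name: str
    ptype: str                      # e.g. "Firefox", "Generic GNOME"
    settings: dict = field(default_factory=dict)


@dataclass
class Node:
    """A device or folder in the object store (simplified, constructed model)."""
    name: str
    parent: Optional["Node"] = None
    policies: list = field(default_factory=list)


def resolve(device):
    """Return (effective, shadowed, merged_gnome) for one device.

    effective:    {policy type: (Policy, name of the node it was found on)}
    shadowed:     [(policy name, assigned at, overridden by)]
    merged_gnome: merged settings of every Generic GNOME policy on the path
    """
    effective, shadowed, cumulative = {}, [], []
    node = device
    while node is not None:                  # device first, then each parent
        for pol in node.policies:
            if pol.ptype in CUMULATIVE_TYPES:
                cumulative.append(pol)
            elif pol.ptype not in effective:
                effective[pol.ptype] = (pol, node.name)   # nearest one wins
            else:
                winner = effective[pol.ptype][0].name
                shadowed.append((pol.name, node.name, winner))
        node = node.parent
    merged = {}
    # Assumption: on a key conflict the value assigned nearer the device wins,
    # so apply the farthest policy first and let nearer ones overwrite it.
    for pol in reversed(cumulative):
        merged.update(pol.settings)
    return effective, shadowed, merged


def build_sample():
    """Constructed object store using the folder and policy names from the text."""
    folder1 = Node("Folder1")
    folder11 = Node("Folder1.1", parent=folder1)
    folder1.policies = [
        Policy("PolicyA", "Firefox", {"disable_saving_passwords": True}),
        Policy("DesktopLock", "Novell Linux Desktop", {"disable_command_line": True}),
        Policy("GnomeBase", "Generic GNOME",
               {"/example/idle_delay": 5, "/example/lock_enabled": True}),
    ]
    folder11.policies = [
        Policy("PolicyA1", "Firefox", {"disable_saving_passwords": False}),
        Policy("GnomeLab", "Generic GNOME", {"/example/idle_delay": 30}),
    ]
    dev_a = Node("device-a", parent=folder1)      # sits directly in Folder1
    dev_b = Node("device-b", parent=folder11)     # sits in Folder1.1
    return dev_a, dev_b


if __name__ == "__main__":
    for dev in build_sample():
        eff, shadowed, gnome = resolve(dev)
        print(dev.name)
        for ptype, (pol, where) in eff.items():
            print(f"  {ptype}: {pol.name} (from {where})")
        for name, where, winner in shadowed:
            print(f"  NOT applied: {name} at {where}, overridden by {winner}")
        print(f"  merged GNOME settings: {gnome}")
```

Group assignments are left out of the model because the text does not say how they rank against folder assignments.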
Assigning a Policy in Policy Details
Within the ZENworks Control Center you can view the details of any policy. Within the details of the policy you can view or edit all the settings for the policy. Additionally, you can assign the policy to any device, group or folder. Figure 9 shows a policy details page.
Figure 9: You can assign the policy to any device, group or folder. Here, we see a policy details page.
To assign the displayed policy, complete the following steps:
Scroll to the Associations snapshot on the page.
Press the Edit menu item on the Associations snapshot. This opens the snapshot into full-screen mode and allows editing of the Associations list. (See Figure 10.)
To add additional devices, groups or folders to be assigned the policy, press the Add button. This brings up the Assign Policy Wizard as described earlier in the "Assigning a Policy Through List View" section.
When you complete the addition, press the Close button.
To remove assignments, select the devices, groups or folders from the list by checking the check box next to the item. This should activate the Remove menu item.
Press the Remove menu item to remove the assignment.
Press the Close button when finished.
Figure 10: Press the Edit menu item on the Associations snapshot. This opens the snapshot into full-screen mode and allows editing of the Associations list.
Assigning a Policy in Device Details
Within the ZENworks Control Center you can view the details of any device. Within the details of the device you can view or edit all its settings. Additionally, you can assign any policy to the device.
To assign a policy to the displayed device, complete the following steps:
Locate the Effective Policies snapshot on the page. Figure 11 shows an example of it.
Press the Edit menu item on the snapshot. This opens the snapshot in full-page mode. Figure 12 displays a sample of this page.
To assign a policy to this device, press the Add menu item. This brings up the Assign Policy Wizard as described earlier in the "Assigning a Policy Through List View" section.
When the addition is completed, press the Close button.
To remove assignments, select the policies from the list by checking the check box next to the item. This should activate the Remove menu item.
Press the Remove menu item to remove the assignment.
Press the Close button when finished.
Figure 11: Effective Policies snapshot on a device details page.
Figure 12: Effective Policies in full-page mode.
Assigning a Policy Through the Command Line
When ZENworks Linux Management is installed, an additional command-line tool is also installed on the primary and secondary servers. This tool is zlman and is located in the /usr/bin directory. This command-line tool enables you to perform almost any administrative function that can be done via the Web browser interface.
To assign a policy using the command-line zlman tool, complete the following:
Log in to one of the ZENworks servers.
Use the following command: zlman workstation-add-policy <options> <workstation> <policy>
Optionally add the following options:
--user= Enter an administrator user name.
--password= Enter the password for the user specified.
Add additional options as desired. These can be found in Appendix A: Commands.
ZENworks 7 Linux Management makes it possible to create policy groups. A policy group constitutes a set of policies that can be assigned via a single group. Anywhere in the ZENworks Control Center a policy can be assigned, a policy group may be used. When a policy group is assigned to a device, group or folder, the action effectively assigns all policies in that policy group.
To create a policy group, complete the following tasks:
Go to a Policies subfolder.
Select the Add menu item in the list view.
Select the Policy Group menu item from the pop-up menu. This starts up the Create New Group Wizard.
Enter a unique group name into the Group Name field. See Figure 13 for a sample screen.
Browse and select the folder or sub-folder where you would like the policy group to reside. The policy group may be assigned to any device, group or folder, regardless of where it is stored in the ZENworks Control Center.
Enter any description you wish for the policy group. Press Next.
Press Next on the summary page to place policies into this newly created policy group.
The next screen displays the Add Group Members page, where you can browse to and select the policies you want to add to the group. See Figure 14 for a sample of this screen.
Press the Add menu item and browse to and select the policies you want to add to this policy group.
Remove any policies that you do not want to have in the group by selecting the check box next to the policy you want to remove. This should activate the Remove menu button.
Press the Remove button to remove the selected policies from the group. Press Next.
On the next page you can actually assign this group to any device, folder or group. Press Next when you have completed any assignments that you want. The summary page is displayed.
Review the summary page and press the Finished button to complete the policy group creation and membership assignments.
Figure 13: Sample policy group creation wizard screen.
Figure 14: Sample Add Group Members page of policy group creation wizard.
Available Policies in ZENworks 7 Linux Management
Several policies have been created and defined in the ZENworks 7 Linux Management system. This section discusses each of the available policies.
Epiphany is a Web browser provided as part of the GNOME desktop. ZENworks 7 Linux Management provides a policy that allows the configuration of an Epiphany browser on the assigned managed device.
Checking or unchecking the corresponding check box enables you to configure the following actions from the Epiphany policy. When a check box is selected, that action is activated.
Hide menu bar
Disable automatic downloading and opening of files
Disable manual URL entry
Disable bookmark editing
Disable toolbar editing
Disable loading of content from unsafe protocols. Default safe protocols are HTTP and HTTPS
Add protocol to the Safe Protocol list
The following options of the Epiphany browser policy have additional data entered. Additionally, beyond setting the values for the following options, the policy may lock the value. To lock the value, select the lock button next to the corresponding value. This prevents the user from modifying that value on the assigned managed device.
Home page URL: Specify the default URL home page for the browser. No default home page URL is specified.
Download Folder: Specify the local folder where the browser should place any downloaded files. No default folder is specified.
Allow Popups: Specify whether pop-ups should be allowed. The default is Yes.
Allow Java: Specify whether the execution of Java applications in the browser page should be allowed. The default is Yes.
Cookies: Specify whether the cookies' acceptance should be set to Always Accept, Only from Sites You Visit or Never Accept. The default is Always Accept.
Disk Space for Temporary Files: Specify the amount of space, in megabytes, that should be reserved for temporary files. The default is 50MB.
Evolution is an e-mail, calendaring and collaboration tool that is available from Novell, Inc. (See www.novell.com/products/desktop/features/evolution.html.)
Novell Evolution embraces mail, calendar and address book standards to ease data sharing. Supported mail protocols include IMAP, POP, SMTP and Authenticated SMTP, as well as Microsoft Exchange 2000 and 2003 and Novell GroupWise. iCalendar support enables users in disparate collaboration servers to share meeting information, publish this information and subscribe to calendars published on the Web (webcal). Lightweight Directory Access Protocol (LDAP) support enables users to access their existing company address books. Users can also share contact information by using vCard message attachments.
ZENworks provides a policy that enables administrators to configure Evolution clients on the managed devices. Configure settings by checking or unchecking the corresponding check box next to the setting. When a check box is selected, that component is activated and the user is unable to change that option. The following is a list of configurable settings of the Evolution policy:
Apply filters to new messages options
Secure Socket Layer (SSL) option
Email server authentication method
Automatically check for new mail option
Send and draft mail folder locations
Save password option
Receive mail configuration
Send mail configuration
Show only subscribed folders (for IMAP Mail Accounts)
Override server-supplied folder namespace (for IMAP Mail Accounts)
The following options of the Evolution policy have additional data entered. Additionally, beyond placing the default values for the following options, the policy may lock the value. Lock the value by selecting the lock button next to the corresponding value. This prevents the user from modifying that value on the assigned managed device.
Default Character Encoding for Display: The default value is Western European (ISO-8859-1). Choose the drop-down list to select any of the other 25 language values.
Default Character Encoding for Composed Mail: The default value is Western European (ISO-8859-1). Choose the drop-down list to select any of the other 25 language values.
Empty Trash Folders on Exit: The default value is Never. However, the optional values include Every Time, Once per Day, Once per Week or Once per Month.
Check Inbox for Junk Mail: The default value is Yes.
Include Remote Junk Mail Tests: The default value is Yes.
Loading Images: The default value for this field is Never Load Images off the Net. Optional values include Load Images if Sender Is in Address Book or Always Load Images off the Net.
Mime Types Available for Viewing Attachments: By default there are no mime types selected. The optional mime types that can be put into the available list include such items as PDF, GPG, PostScript, RTF and 234 additional mime types. Select the mime types that you want to allow from the available list and then click the arrow buttons to move the selected items into and out of the selected list.
Firefox is a streamlined Web browser provided by Mozilla. ZENworks Linux Management provides a policy that enables you to configure and lock down the Firefox browser on any of the managed devices.
You can configure the following options for the Firefox policy by checking or unchecking the corresponding check box.
Disable URL bar
Disable bookmark editing
Disable toolbar editing
Disable saving of passwords
Disable updates to themes
Disable updates to extensions
When a check box is selected, that component is activated.
The following options of the Firefox policy have additional data entered. Additionally, beyond placing the default values for the following options, the policy may lock the value. To lock the value, select the lock button next to the corresponding value. This prevents the user from modifying that value on the assigned managed device.
Homepage URL: The default value is not initially defined. You need to enter the default value into the Homepage field.
Allow Popups: The default value is Yes.
Allow Java: The default value is Yes.
Allow Sites to Set Cookies: The default value for this setting is Yes. There is then an additional value that complements this setting: Keep Cookies. The Keep Cookies value defaults to Until They Expire. Optional values for this setting include Ask Me Every Time or Until I Close Firefox.
Allow Loading of Images: The default value for this setting is Anywhere. Optional values include From Originating Website Only or Never.
Disk Space for Temporary Files: The default value for this field is set at 50MB.
Generic GNOME Policy
The Generic GNOME policy is unlike any of the other policies that are available in ZENworks Linux Management. This policy allows the free selecting and setting of any GConf configuration setting. These settings are used by operating systems and many applications. Providing this generic policy enables administrators to manage keys within the system.
There are two ways to create the GNOME policy: import settings from an existing managed desktop or enter them manually. The first page of the wizard asks you which you would prefer.
Should you choose to have ZENworks automatically retrieve effective settings from a managed device, the following steps will be taken:
On the next page of the wizard you are asked to either select a device from the ZENworks system (because the device had been previously registered with the system) or enter a DNS name or IP address for a workstation to which you want to connect. You must also enter the user that represents the effective settings you want to collect. Press Next.
The collected keys are displayed on the next wizard page. If you chose to not collect keys from a device, an empty GConf tree is displayed. Complete the following to edit the directories, keys and values:
To add a key or a directory, press the Add menu item and choose either Directory or Key. Enter the directory or key name and, for a key, the corresponding value.
To remove a key, select a set of keys or directories from the list and press the Delete menu item. Deleted directories remove all keys in that directory and subdirectories.
To edit a key, select the key and a pop-up dialog is presented where you can modify the key name and/or value.
Novell Linux Desktop Policy
The Novell Linux Desktop policy enables you to configure a Novell Linux Desktop workstation.
You can configure the following options for the Novell Linux Desktop policy by checking or unchecking the corresponding check box. When a check box is selected, that component is activated.
Disable launching of command line programs
Disable screen locking
Disable logging off
Disable panel configuration
Disable print setup
Disable applets (This setting also includes the set of applets that are available on the desktop. You can select any of the set of applets and press the arrow buttons to move or remove the applets from the Applets to Be Disabled box. The list of available applets includes Dictionary, Clock, Fish, Weather, OpenOffice Quickstart, Sticky Notes, Stock Update, Geyes, CD Player, Volume Control and Address Book.)
The following options of the Novell Linux Desktop policy have additional data entered. Additionally, beyond setting the default values for the following options, the policy may lock the value. Lock the value by selecting the lock button next to the corresponding value. This prevents the user from modifying that value on the assigned managed device.
Background image file name: There is no default filename specified. You must specify a file local to the managed device (for example, /opt/gnome/share/images/roses.jpeg).
Background position: The default setting is Centered. The optional values include Fill Screen, Scaled, Tiled and No Background.
Background shade: The default value is Solid. The optional values include Vertical or Horizontal.
Theme file name: There is no default filename specified for this value. You must specify a local theme file for the managed device (for example, /opt/gnome/share/themes/small.gtk).
Proxy settings: This setting enables you to choose one of the following options:
Direct Internet connection.
Manual proxy configuration--under this setting you may specify the following parameters: HTTP Proxy Address and Port, HTTP Secure Proxy and Port, FTP Proxy Address and Port and Socks Proxy and Port.
Automatic proxy configuration with a specified Autoconfiguration URL.
Remote Execute Policy
The Remote Execute policy enables you to specify when a script should be executed on the assigned managed device.
Execute the following to construct a Remote Execute policy:
After you specify the name and folder for the policy and any optional description, press Next.
Specify the executable type for this policy. Values include Script, Binary or Java.
Specify the maximum wait time for the execution to complete. You may choose from any of three choices:
Do not wait.
Wait until the program completes the execution.
Wait for X seconds. You may enter the number of seconds for ZENworks to wait for the execution to complete.
If you chose to run a script, follow these steps:
Specify the script to run. Your choices include Specify a File or Define Your Own Script. If you choose to specify a file, enter the path to the script file in the Script File Name field. The script must already be on the managed device. If you choose to define your own script, a box appears on the screen and you can enter the script manually into the box.
Specify the additional parameters for the script: Script Parameters, Script Engine and Script Engine Parameters. When the script is to be executed, ZENworks launches the specified script engine to run the script, with the parameters specified. Press Next.
If you chose to run a Binary or Java file, follow these steps:
Specify the executable filename. The executable file must already exist on the managed device.
Specify any executable parameters you want to give to the executable file.
If you chose to run a Java file, follow these steps:
Enter the Java program name. The Java file must already exist on the managed device.
Enter any program parameters you want to send to the Java program when it is launched.
Enter the path to the JRE (Java Run-time Engine) that will be used to run the Java program. The JRE must already have been installed on the managed device.
Enter the JRE parameters you want included in the launching of the program.
Press Next to get a summary of the execution policy and then Finish to create the policy.
Text File Policy
The Text File policy enables the administrator to modify any text files on the managed device.
Complete the following steps to create and define your Text File policy:
Complete the name and folder where you want to have the policy. Enter any additional description and press Next.
Enter the name of the file you want to modify.
Enter the maximum number of revisions you want to keep. The default value is 5. Whenever ZENworks begins to modify a text file, it saves a backup copy of the file before proceeding. This parameter specifies the number of copies to keep.
Enter a change name. You may have a number of changes in the Text File policy. Each change must be given a name.
Choose the type of change: Search File, Append Lines to File, Prepend Lines to File.
If you choose the Search File type, complete the following:
Enter a search string, using regular expression format.
Mark whether the search should be case sensitive. The default is to be case sensitive.
Select the search occurrence option. This option may be any of the following: First Occurrence, Last Occurrence or Find All Occurrences.
Select the resulting action after an occurrence is found. The options include the following:
Add Lines After the Current Line
Add Lines Before the Current Line
Add String After
Add String Before
Add Word After
Add Word Before
Append String to Line
Prepend String to Line
Delete All Lines After
Delete All Lines Before
Replace All Lines After
Replace All Lines Before
Append String to File if Not Found
Prepend String to File if Not Found
Enter the new string in the text box provided and press Next.
If you choose to append or prepend lines to the file, just enter the text you want placed into the file. Press Next.
The Text File Policy also enables you to specify that a script, binary file or Java application should be executed before changes are made to the text file. This can be useful, for example, if you need to stop some daemon before its configuration file is modified. The additional administration involved in choosing Script or Binary or Java is the same as described earlier in the "Remote Execute Policy" section.
Execute the following to complete the policy:
After entering any execution that should be completed prior to changes, select how you want ZENworks to behave should the execution fail. The execution fails if it returns a non-zero value to ZENworks. The options include Continue Modifying the Text Files and Do Not Modify the Text Files.
Choose any executable you want to run after the text file editing has been completed. This is defined in the same manner as in the prior step. Press Next.
Complete the wizard and press Finish.
To add changes to the policy, you must browse to the policy and then select to see the details of that policy. There you may add changes to the one file or add files to change.
To add changes, select the file and select New, Change and enter the changes requested. All the changes are entered into a dialog box that mimics the wizard.
To add another text file to change, select the New, File menu option and enter the filename. All the changes are entered into a dialog box that mimics the wizard.
Any editing to policies may be completed by browsing to the policy and selecting the details of the policy.
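Because a Text File policy is applied again each time its schedule occurs, it is worth checking a search string and action against a copy of the file before assigning the policy. The following is an added example, not ZENworks code: it models the Search File options (regular expression, case sensitivity, occurrence), three of the listed actions, the pre-change execution check and the revision limit, then tests whether a change set gives the same file when applied twice. What each action does to the file, the handling of backups and the sample file and changes are assumptions made for this sketch.

```python
import re

# Action names come from the policy's list; what each one does to the file is
# this sketch's interpretation, not documented ZENworks behaviour.
ADD_LINES_AFTER = "Add Lines After the Current Line"
APPEND_TO_LINE = "Append String to Line"
APPEND_IF_NOT_FOUND = "Append String to File if Not Found"

SAMPLE = (  # constructed file content, not taken from a real system
    "# example daemon config\n"
    "LogLevel info\n"
    "listen 127.0.0.1\n"
    "loglevel debug\n"
)
# Two constructed changes: the first converges, the second grows on every pass.
CONVERGING = [{"search": r"^Banner\s", "action": APPEND_IF_NOT_FOUND,
               "text": "Banner /etc/issue"}]
REPEATING = [{"search": r"^loglevel\b", "case_sensitive": False,
              "occurrence": "first", "action": APPEND_TO_LINE,
              "text": " # managed"}]


def find_hits(lines, pattern, case_sensitive=True, occurrence="all"):
    """Indexes of matching lines, narrowed to the first, last or all hits."""
    rx = re.compile(pattern, 0 if case_sensitive else re.IGNORECASE)
    hits = [i for i, line in enumerate(lines) if rx.search(line)]
    if occurrence == "first":
        return hits[:1]
    if occurrence == "last":
        return hits[-1:]
    return hits


def apply_change(text, change):
    """Apply one change (a dict) to the file text and return the new text."""
    lines = text.splitlines()
    hits = find_hits(lines, change["search"],
                     change.get("case_sensitive", True),
                     change.get("occurrence", "all"))
    action, new = change["action"], change["text"]
    if action == APPEND_IF_NOT_FOUND:
        if not hits:
            lines.append(new)
    elif action == APPEND_TO_LINE:
        for i in hits:
            lines[i] += new
    elif action == ADD_LINES_AFTER:
        for i in reversed(hits):          # back to front keeps indexes valid
            lines[i + 1:i + 1] = new.splitlines()
    else:
        raise ValueError(f"action not modelled: {action}")
    return "\n".join(lines) + "\n"


def run_policy(text, changes, backups, max_revisions=5,
               pre_exit_code=0, on_pre_failure="Do Not Modify the Text Files"):
    """One enforcement pass: gate on the pre-change program, back up, edit."""
    if pre_exit_code != 0 and on_pre_failure == "Do Not Modify the Text Files":
        return text                       # non-zero exit: leave the file alone
    backups.append(text)                  # copy saved before any modification
    del backups[:max(0, len(backups) - max_revisions)]   # keep the newest N
    for change in changes:
        text = apply_change(text, change)
    return text


def is_idempotent(text, changes):
    """True when a second enforcement pass leaves the file unchanged."""
    once = run_policy(text, changes, [])
    return run_policy(once, changes, []) == once


if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    print("case-sensitive hits:", find_hits(lines, r"^loglevel\b"))
    print("case-insensitive, first:", find_hits(lines, r"^loglevel\b", False, "first"))
    for label, changes in (("converging", CONVERGING), ("repeating", REPEATING)):
        print(label, "idempotent:", is_idempotent(SAMPLE, changes))
    print(run_policy(run_policy(SAMPLE, REPEATING, []), REPEATING, []))
```

In this model the "if Not Found" action converges after one pass, while appending to a matched line adds the string again on every pass because the search string still matches the edited line.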
Policies can be very powerful tools that enable you to manage many devices by simply creating the policy and assigning it to as many devices as you choose. The system automatically applies the assigned policies to that managed device.
All assignments of policies are reflected in the Effective Policies snapshot that is present on all devices. Additionally, messages are sent from the devices to the ZENworks server to record whether and when policies are applied to the managed devices.
* Originally published in Novell Connection Magazine