cancel
Showing results for 
Search instead for 
Did you mean: 
Quitch
Level 7
Report Inappropriate Content
Message 1 of 13

Clarifying "Every policy enforcement"

Just want to double-check the working of this setting.

Say I am deploying VSE and I leave this setting unchecked in the deployment task which I setup as Run Immediately. Now the client connects to the server and collects the task, but it doesn't execute it. The next time it connects to the server it does. If "Every policy enforcement" was checked it would have executed five minutes later instead of sixty (assuming default values), correct?

EDIT: Except I see that this clearly isn't what it does... is it simply used to verify every five minutes that a task is being enforced, even after completion, so in the case of VSE once it has been deployed it will check every five minutes to see that it is still deployed, as opposed to every sixty...?
12 Replies
metalhead
Level 12
Report Inappropriate Content
Message 2 of 13

RE: Clarifying "Every policy enforcement"

It is working this way:

1) No checkmark

The client connects to your epo during a normal communication intervall (default 60 minutes) -- it "sees" your new deployment task, downloads it and is executing it immediately and only ONCE.

2) With checkmark
The same behaviour as above but additionally the task is run at every policy enforcement (default 5 minutes). So every 5 minutes the agent will recheck if all the products are installed on the client. Therfore it connects to the next available repository
Quitch
Level 7
Report Inappropriate Content
Message 3 of 13

RE: Clarifying "Every policy enforcement"

So it's a sort of protection against it being uninstalled or otherwise removed?

I noticed in the log it was running a verification every five minutes. Is there a performance impact? What level of protection does this provide, is it based on the files it can see, or does it just check a registry key?
metalhead
Level 12
Report Inappropriate Content
Message 4 of 13

RE: Clarifying "Every policy enforcement"

> So it's a sort of protection against it being uninstalled or otherwise removed?

Yes

> I noticed in the log it was running a verification every five minutes. Is there a performance impact?

No but I would set the PE interval to at least 30 minutes

> What level of protection does this provide, is it based on the files it can see, or does it just check a registry
> key?

AFAIK it is registry key based
Quitch
Level 7
Report Inappropriate Content
Message 5 of 13

RE: Clarifying "Every policy enforcement"

If there is no performance impact why would you change the PE?

Does it not verify products are installed upon connecting to server after initial installation?
metalhead
Level 12
Report Inappropriate Content
Message 6 of 13

RE: Clarifying "Every policy enforcement"

Its for saving bandwith - I thought you where speaking of client performance ...
Quitch
Level 7
Report Inappropriate Content
Message 7 of 13

RE: Clarifying "Every policy enforcement"

I thought a policy enforcement was a purely local action, it scans the policy list it downloaded from the server, then carries out any actions requires, which 99% of the time will be zero.

Am I mistaken?
metalhead
Level 12
Report Inappropriate Content
Message 8 of 13

RE: Clarifying "Every policy enforcement"

No as far as you do not check the "Run at every policy enforcement" interval in your deployment task.
Quitch
Level 7
Report Inappropriate Content
Message 9 of 13

RE: Clarifying "Every policy enforcement"

What I am not understanding is why you would advise setting PE to 30 minutes instead of 5 when the VSE install is executed on first connected anyway (thus the PE interval doesn't matter), and apart from that policy enforcement is a purely local task so does not draw on bandwidth. Situations where the product has been removed are edge cases and should be rare, therefore I do not see a larger interval saving on bandwidth their either.

In this instance I do not understand why you would change the interval. Can you explain?
twenden
Level 13
Report Inappropriate Content
Message 10 of 13

RE: Clarifying "Every policy enforcement"



In our environment, we have set the PE to 30 minutes to allow the end user to disable On-access for a 30 miinute period if necessary. We have people who transfer large files and who complained about McAfee slowing it down. Allowing the user to disable the OAS temporarily, cut down on these complaints. By setting the PE to 5 minutes, the user would only be able to disable the OAS for 5minutes at a time before the EPO policies get applied.