apoling
Level 14
Message 1 of 8

When does first ePO policy enforcement occur for a new system?


Hello,

I'd like to know exactly when the first ePO policy enforcement occurs on a system on which the agent has been newly installed:

1. When the initial ASCI of the first contact in the randomized 10-minute interval ends (i.e. right after that), or

2. At the next time which is counted by adding the configured policy enforcement interval in the ePO policy which was downloaded to the current client time when the initial ASCI ends?

Thank you in advance.

Attila

1 Solution

Accepted Solutions

Re: When does first ePO policy enforcement occur for a new system?


You could import the systems as a flat list into a top level group, then use system tree sorting to put them in the correct places after every synchronize?

That's what we plan to do anyway!

I've not been a huge fan of using preinstalled agents via images because of the very problem you are having now.

I guess it's all down to personal preference though.

7 Replies
mjmurra
Level 12
Message 2 of 8

Re: When does first ePO policy enforcement occur for a new system?


Based on what I've seen, I believe the policy is downloaded and applied instantly when the CMA first talks back to EPO.

I hate the 10 min randomised functionality though... is there a way to speed this up? (Never send out the agent to 1000's of machines so it isn't an issue for me)

apoling
Level 14
Message 3 of 8

Re: When does first ePO policy enforcement occur for a new system?


Thank you for responding Mjmurra.

What I hate about the initial ASCI is that the remote access to the agent log is disabled by default, and this prevents me from troubleshooting from the start until the policy downloads and gets enforced. Until then I always have to request logs manually from the users, explaining every time the location and names.

Right now I'm having this situation with a Windows 7 system and have asked the user to tell me whether he can see the agent log locally; this distinguishes policy problems from firewall problems, but I have to be sure of when the policy gets enforced initially.

Attila

Re: When does first ePO policy enforcement occur for a new system?


Why don't you just force an agent wakeup call from ePO?

That way it won't wait for the 10 minute randomization and just force the policies to update (including allowing access to the remote log).

That's all I do anyway...

apoling
Level 14
Message 5 of 8

Re: When does first ePO policy enforcement occur for a new system?


Is the node not visible until the very first contact? Until then I think I cannot do it from ePO... (normally we do not add nodes and then push the agent, but vice versa: we install agents, which in turn creates the node on the first ASCI).

This question arose when I made the agent installer available to one of our users with a Windows 7 (we do not run many nodes with this opsys). I wonder if McAfee Agent should configure Windows firewall to allow remote agent log port through... my user said he put this firewall exclusion in himself...

Attila

Message was edited by: Attila Polinger on 06/01/11 09:17:57 CET

Re: When does first ePO policy enforcement occur for a new system?


I guess it depends on your setup.

Do you install the Agent on the systems via an OS Image, 3rd party deployment software (LANDesk for example) or manually?

If so, then I could see why you might be having problems as, like you said, the system won't show in ePO until the first contact is made...

How about deploying the agent directly through ePO? That ensures that it is installed as well as allowing you to force a wakeup call immediately after installation is complete.

apoling
Level 14
Message 7 of 8

Re: When does first ePO policy enforcement occur for a new system?


Generally we use desktop computer images with the agent preinstalled, and server network installations where the agent and VirusScan are automatically installed (no image).

But we have not introduced Windows 7 yet and therefore impatient users need to install it manually.

The reason we do not use for example AD import for nodes and then push the agent is that we do not follow geographical location, nor any other - for me meaningful - structure in AD. In
