You don't need to write a custom client side script.
Just set machine property under Synch tab, to sync on boot (with some delay) and Automatically resynchronize every so many minutes (240 would be fine).
For initial synch properties, use "defscm.ini" with appropriate SynchInterval value, when you create client install set.
Same issue for us, same solution:
Create defscm.ini in the \sbadmin\ folder
Set synch interval to 10 minutes (We also added a 10 minute initial delay, but it's not really needed)
Set the synch interval for your group to 240 (or whatever), and set an initial delay (so the remote client can get VPN connected) to 10 mins.
Now create the install set from the group
When the client initially installs, it'll attempt to synch every 10 minutes. Once it successfully syncs, it'll pick up the group setting, and it'll back off syncing to whatever the group setting is (240 or whatever).
The agent will attempt to resync at its specified interval. If it fails, it'll go back to sleep until the next specified interval (there aren't any intermediate retries).
Along with the others' suggestions, we have also popped a hole in our firewall to the EEM server on port 5557 so our clients can sync over the Internet. This helps a lot and McAfee assured us there were no known attacks against that port.
Open port from the Internet makes it a bunch more complicated.
Name resolution: The client has to know both the inside name, and the public name (or IP).
Individual companies may not permit direct Internet/inbound connections directly to internal servers. (we certainly don't)
Port 5557? Did you customize it? Normally it is 5555.
Oops, no customization. 5555 it is.
Our firewall group had concerns about doing this, but McAfee actually had a guide for allowing access through the Internet and were able to assure our firewall people that this was secure. Individual company policies are different though, so YMMV.
By default the client talks on 5555 and listens on 5556. 5557 is for the PDAs.
Thanks for your tips.
But the thing is, we have already created and finished deploying the install set.
I think it'll be hard for me to create another install set for all staff and deploy...
Aren't there any other ways to force the 'never-synced PC' to sync on the server or client side?
In that case you have to modify each client's "SCM.INI" file located in "C:\Program Files\.......\your EE Client program directory".
First sync will be performed 5 min after Windows startup, with retries every 10 min, until server is contacted. Then, encryption should start and group properties will be applied, hopefully with different settings (sync every 240 min, for example).