I might be misunderstanding your question, but why do you want to use tags for this task?
It seems to me that a simple IP subnet filter (x.x.x.x/xx) on a "VPN group" for the VPN addresses should get the clients connecting through VPN into a new group (folder) where you can set whatever policy you like.
Granted I do not know your setup, so there might be some reason that this might not work.
In regards to tags I do not see an easy way of using them to set policies in 4.5. At least not without assigning them to groups. Which brings us straight back to my first solution.
Please let me know if I have missed something :-)
Thank you for your response. I was facing the following situation: a number of managed computers are actually either used at home or on the road. These are sooner or later either brought in to the company and connect to the LAN or establish a VPN (for example to upload their work's results). Problem is, that while they are away from LAN it often occurs that their node just gets deleted from ePO due to not checking in for a long time.
In addition, many VPN connections that some of the computers establish are varying in length but usually shorter than the agent ASCI.
Therefore I thought that these computers can have a radically shorter ASCI, say 5 minutes as long as they are using VPN so the likelihood of updating the node record will be higher (and minimizing the chance for these types of computers to get deleted from ePO).
The only possibility I saw was to tag these computers when they connect via VPN (receiving an IP from VPN range) and remove tag when they are in the company LAN.
We are considering setting up an Agent Handler in the DMZ but it is just planned since we upgraded to ePO 4.5 not long ago.
Aha, I am starting to see where you are going.
If you are using policies based on VPN IP ranges on a folder to reduce the ASCI then that will not take effect before the first communication. Which kind of defeats the whole point. :-)
The same is true for tags really, unless you set a tag for those clients that runs a server task (or directs them to a folder) where they will get the 5 min ASCI policy. Unfortunately that will cause them to have it all the time, which is not optimal either.
I do not really see a way of directly setting this from the McAfee console before the first communication has occurred on VPN, unless you want it to stay active all the time.
There might be a workaround though.
If all you need is the McAfee client to report in its status when you connect to VPN then it might be possible to use the command "Cmdagent /P" from a VPN startup script.
Most of the VPN clients on the market seem to have some kind of "Startup script" functionality. Often with an option for running something 1 minute after connect, etc.
Not sure if the one you are using has it of course, but if it does it might be worth a try.
Since you now get the client to connect immediately (if this works) you can determine if that is enough, or if you wish to add some group filtered by IP range to move the clients into to get the policy changed while the clients are on VPN.
Good luck :-)
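
A sketch of the VPN post-connect script suggested above, added here as an example and not written by either poster: it runs "Cmdagent /P" only when the machine holds an address inside the VPN pool. The subnet `10.99.0.0/24` is a constructed placeholder and the `cmdagent.exe` path is an assumed install location; replace both with the values from your environment.

```powershell
# Added example: VPN post-connect hook. Values below are placeholders/assumptions.
$VpnCidr  = '10.99.0.0/24'   # constructed sample VPN address pool
$CmdAgent = 'C:\Program Files\McAfee\Common Framework\cmdagent.exe'  # assumed path, adjust

# Convert a dotted-quad IPv4 address to its numeric value (as a double,
# so the script does not depend on unsigned bitwise operators).
function ConvertTo-IPv4Number ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [double]$b[0] * 16777216 + [double]$b[1] * 65536 + [double]$b[2] * 256 + $b[3]
}

# True when $Ip falls inside $Cidr: two addresses share a /len network
# exactly when they land in the same block of 2^(32-len) addresses.
function Test-InSubnet ([string]$Ip, [string]$Cidr) {
    $net, $len = $Cidr -split '/'
    $blockSize = [math]::Pow(2, 32 - [int]$len)
    [math]::Floor((ConvertTo-IPv4Number $Ip) / $blockSize) -eq
        [math]::Floor((ConvertTo-IPv4Number $net) / $blockSize)
}

# Collect this machine's IPv4 addresses and keep those inside the VPN pool.
$onVpn = [System.Net.Dns]::GetHostAddresses([System.Net.Dns]::GetHostName()) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    Where-Object { Test-InSubnet $_.IPAddressToString $VpnCidr }

if ($onVpn) {
    if (Test-Path $CmdAgent) {
        # Ask the agent to contact the ePO server now instead of waiting for the ASCI.
        & $CmdAgent /P
        exit $LASTEXITCODE
    }
    Write-Error "cmdagent.exe not found at $CmdAgent"
    exit 2
}
exit 0   # not on VPN: nothing to do
```

The subnet check keeps the script harmless if the VPN client also fires its startup hook on a failed or partial connect, or if the same script is reused as a logon script on the LAN.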
Thank you for the great tip, I will go that direction! I kinda felt the tagging/untagging awkward enough for this type of problem, but you have recommended the simplest resolution.