7 Replies Latest reply on Jan 6, 2011 4:08 AM by rsnooks

    When does first ePO policy enforcement occur for a new system?

    Attila Polinger

      Hello,

       

      I'd like to know when exactly the first ePO policy enforcement occurs on a system on which the agent has been newly installed:

      1. When the initial ASCI of the first contact in the randomized 10-minute interval ends (i.e. right after that), or

      2. At the next time, which is counted by adding the configured policy enforcement interval in the ePO policy which was downloaded to the current client time when the initial ASCI ends?

       

      Thank you in advance.

       

      Attila

        • 1. Re: When does first ePO policy enforcement occur for a new system?

          Based on what I've seen, I believe the policy is downloaded and applied instantly when the CMA first talks back to EPO.

           

          I hate the 10 min randomised functionality though... is there a way to speed this up? (Never send out the agent to 1000's of machines so it isn't an issue for me)

          • 2. Re: When does first ePO policy enforcement occur for a new system?
            Attila Polinger

            Thank you for responding Mjmurra.

             

            What I hate about the initial ASCI is that the remote access to agent log is disabled by default, and this prevents me from troubleshooting from the start until the policy downloads and gets enforced. Until then I always have to request logs manually from the users, explaining every time the location and names.

            Right now I'm having this situation with a Windows 7 and requested the user to inform me whether he can see the agent log locally; this distinguishes policy problems from firewall problems, but I have to be sure of when policy gets enforced initially.

             

            Attila

            • 3. Re: When does first ePO policy enforcement occur for a new system?

              Why don't you just force an agent wakeup call from ePO?

               

              That way it won't wait for the 10 minute randomization and just force the policies to update (including allowing access to the remote log).

               

              That's all I do anyway...

              • 4. Re: When does first ePO policy enforcement occur for a new system?
                Attila Polinger

                Is the node not visible until the very first contact? Until then I think I cannot do it from ePO... (normally we do not add nodes, then push the agent, but vice versa: install agents, which in turn creates the node on first ASCI).

                 

                This question arose when I made the agent installer available to one of our users with a Windows 7 (we do not run many nodes with this opsys). I wonder if McAfee Agent should configure Windows firewall to allow remote agent log port through... my user said he put this firewall exclusion in himself...

                 

                Attila

                 

                 

                Message was edited by: Attila Polinger on 06/01/11 09:17:57 CET
                • 5. Re: When does first ePO policy enforcement occur for a new system?

                  I guess it depends on your setup.

                   

                  Do you install the Agent on the systems via an OS Image, 3rd party deployment software (LANDesk for example) or manually?

                   

                  If so, then I could see why you might be having problems as, like you said, the system won't show in ePO until the first contact is made...

                   

                  How about deploying the agent directly through ePO? That ensures that it is installed as well as allowing you to force a wakeup call immediately after installation is complete.

                  • 6. Re: When does first ePO policy enforcement occur for a new system?
                    Attila Polinger

                    Generally we use desktop computer images with the agent preinstalled, and server network installations where agent and VirusScan are automatically installed (no image).

                     

                    But we have not introduced Windows 7 yet and therefore impatient users need to install it manually.

                     

                    The reason we do not use for example AD import for nodes and then push the agent is that we do not follow geographical location, nor any other - for me meaningful - structure in AD. In

                    • 7. Re: When does first ePO policy enforcement occur for a new system?

                      You could import the systems as a flat list into a top level group, then use system tree sorting to put them in the correct places after every synchronize?

                       

                      That's what we plan to do anyway!

                       

                      I've not been a huge fan of using preinstalled agents via images because of the very problem you are having now.

                       

                      I guess it's all down to personal preference though.