If you haven't already done so, I'd suggest getting hold of the ePO Product Guide.
Once a policy is created in ePO and assigned to a client machine - either directly at the machine, or to a group that the machine belongs to - then on the next agent-to-server communication the new policy is sent to the client machine. It should be enforced on the client at that point.
Once the client machine has received the policy, it is enforced locally at each policy enforcement interval - it doesn't need to talk to the server to achieve this: it all happens locally.
To add to JoeBidgood's excellent answer: that local enforcement without the need for the server is the beauty of it. We have laptops that don't connect often to the network, yet we can be sure the policy is enforced at a regular interval (that is configurable in ePO) even if the laptop does not connect to the ePO server often.
Hi Joe, PG13,
Thanks for the answers; it does clear up what I suspected. I have also downloaded a copy of the ePO Product Guide and hopefully intend to do the examination sometime next year. When you say that, once received, the policy is enforced locally, could you elaborate? Do you mean that the policy is enforced on the local server, similar to Super Agents?
Once again thanks for taking the time to answer my question.
Think of the policy as a collection of settings that you want the client machine to have - say, for example, that you want the on-access scanner to be running. In the ePO console you would create a policy object, and configure it how you wish: in our example you would tick the box that means "on-access scanner active." Then you would assign the policy so that it will be applied to the machines that you want to have it: for example by assigning it to a group in the directory tree.
At this point, the client machines are unaware of this, but the next time they communicate with the server they receive the new policy. (It's effectively an encrypted file that they store on their local hard drive.) The agent then enforces the policy - i.e. it adjusts the settings of the local products on the machine to match those specified in the policy.
Now that the client has the policy, it will continue to enforce it until it's told to do otherwise. (This is what I mean when I said "enforced locally.") The client machine can be disconnected from the network and completely unable to contact the ePO server, but after every policy enforcement interval, the agent will enforce the policy that it has. So if your policy enforcement interval is 5 minutes (which is the default) and the machine's user disables the on-access scanner, then five minutes later the agent will enforce the policy and turn it back on again.