1 Reply Latest reply on Jan 5, 2012 1:39 PM by Steve Aughinbaugh

    Is it possible to schedule audits in Policy Auditor 6.0?

        Hi folks,

       

        Is it possible to schedule audits to run at particular times; say, only in the evenings after 6:00PM and before 6:00 AM the next morning?

       

        On a related note, there are concerns in our environment that the "user experience" is being impacted in a negative way with various system agents that run scans, inventories, and checks. The burden these agents place on systems is especially noticeable on laptops when they are first booted up.

       

        With that in mind, is there a way to control when an ePO/PA agent communicates with the server so as to not immediately run an audit or perform a system update immediately after bootup?

       

       

       

                                                                                                                                Best Regards,

       

                                                                                                                                 Landmissle

        • 1. Re: Is it possible to schedule audits in Policy Auditor 6.0?

          Yes, for Policy Auditor auditing, go to the ePO policy catalog, select the Policy Auditor Agent product and then edit the general ePO policy. In the policy you will see the BlackOut/WhiteOut Settings. Click on the blocks, hours or days in the matrix to toggle the blackout/whiteout for those periods of time during the week when you do not want to have PA audits running. You can set the blackout period to be every weekday from 6 AM to 6 PM. You then need to ensure that the policy that you edited (or created, if you created a new one) is assigned to the devices you want the policy assigned to.

           

          On the second question, you need to ask it in the ePO or MA section also. Here is what I think happens. On Windows when the system is first started the McAfee Framework Service Agent (MA) service is started along with the McAfee Audit Manager (PA plugin) service. The MA service will wait for whatever the ePO Policy Enforcement interval is (5 minutes is the default) after start up. At this point it will enforce the various ePO policies. When the PA plugin is told to do its enforcement, it wakes up and looks at the whiteout/blackout status and if it is during a blackout period it does nothing. If it is during a whiteout period AND an audit result is within 12 hours of expiring, run the audit. Then check the next audit result if multiple ones have been assigned, otherwise do nothing.

           

          So, the audits (and other potential activity) will not occur immediately after start up, but close if the default enforcement interval is set. You can change the enforcement interval to 15 minutes or something even longer depending on your needs, but that is a global setting for the device and affects more than just the PA plugin.

           

          There is also another setting that affects when the policy enforcement occurs, and that is the MA ASCI setting "Initiate agent-to-server communication within 10 minutes after startup if policies are older than x days", where the default is 1 day.

           

          So, you can cause the startup activity to be moved a bit out from just after a reboot within limits.

           

          It is also true that the PA audit scanning process runs at below normal dispatching priority so that it does not impact the normal and higher priority work that a user may be doing. There is also a setting for MA itself that it will run at below normal priority also on Windows only (which is the default).

           

          For example, on a Windows system that I tested this on, MA had been stopped for about 15 hours. When I started it (simulating a reboot), it started at 1:13:58 and sat there doing nothing until 1:18:58 when it then enforced policies. On my test system, the audit results were still current, so the audit scan did not run. And my enforcement interval is set to 5 minutes. But at 1:21:24, MA did an ASCI and at 1:21:26 it enforced policies again as a part of the ASCI process.

           

          Hope this helps.
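
A small model of the timing described in the reply above, as an added example that is not part of the original thread and is not McAfee code: it computes the first policy-enforcement tick at which a PA audit would run after startup. The function names, the set-based matrix representation, the sample dates, and treating an already expired result as due are assumptions.

```python
from datetime import datetime, timedelta

# Constructed blackout matrix matching the reply's example:
# every weekday (Mon=0 .. Fri=4) from 6 AM to 6 PM, one cell per hour.
BLACKOUT = {(day, hour) for day in range(5) for hour in range(6, 18)}
AUDIT_WINDOW = timedelta(hours=12)  # "within 12 hours of expiring"


def in_blackout(ts, blackout=BLACKOUT):
    """True if the timestamp falls in a blacked-out (weekday, hour) cell."""
    return (ts.weekday(), ts.hour) in blackout


def audit_due(ts, expires):
    """True if the audit result expires within 12 hours of ts.
    Assumption: a result that has already expired also counts as due."""
    return expires - ts <= AUDIT_WINDOW


def first_audit_run(boot, expires, interval_min=5,
                    blackout=BLACKOUT, horizon_days=8):
    """Walk enforcement ticks after startup and return the first one at
    which the audit would run, or None if none occurs within the horizon."""
    step = timedelta(minutes=interval_min)
    tick = boot + step  # first enforcement happens one interval after startup
    end = boot + timedelta(days=horizon_days)
    while tick <= end:
        if not in_blackout(tick, blackout) and audit_due(tick, expires):
            return tick
        tick += step
    return None


if __name__ == "__main__":
    # Constructed scenarios: a laptop booted on a Monday morning and on a Saturday.
    monday_boot = datetime(2012, 1, 2, 8, 0)
    print(first_audit_run(monday_boot, datetime(2012, 1, 2, 20, 0)))
    saturday_boot = datetime(2012, 1, 7, 9, 0)
    print(first_audit_run(saturday_boot, datetime(2012, 1, 7, 12, 0), interval_min=15))
```

With the weekday blackout in place, the Monday boot defers the audit to the first tick at or after 6 PM; on the weekend, a due audit runs at the first enforcement tick, so only the enforcement interval separates it from startup.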