1 2 Previous Next 12 Replies Latest reply on Nov 6, 2008 11:37 AM by Hoggy

    Clarifying "Every policy enforcement"

    Quitch
      Just want to double-check the working of this setting.

      Say I am deploying VSE and I leave this setting unchecked in the deployment task which I setup as Run Immediately. Now the client connects to the server and collects the task, but it doesn't execute it. The next time it connects to the server it does. If "Every policy enforcement" was checked it would have executed five minutes later instead of sixty (assuming default values), correct?

      EDIT: Except I see that this clearly isn't what it does... is it simply used to verify every five minutes that a task is being enforced, even after completion, so in the case of VSE once it has been deployed it will check every five minutes to see that it is still deployed, as opposed to every sixty...?
        • 1. RE: Clarifying "Every policy enforcement"
          metalhead
          It is working this way:

          1) No checkmark

          The client connects to your epo during a normal communication intervall (default 60 minutes) -- it "sees" your new deployment task, downloads it and is executing it immediately and only ONCE.

          2) With checkmark
          The same behaviour as above but additionally the task is run at every policy enforcement (default 5 minutes). So every 5 minutes the agent will recheck if all the products are installed on the client. Therfore it connects to the next available repository
          • 2. RE: Clarifying "Every policy enforcement"
            Quitch
            So it's a sort of protection against it being uninstalled or otherwise removed?

            I noticed in the log it was running a verification every five minutes. Is there a performance impact? What level of protection does this provide, is it based on the files it can see, or does it just check a registry key?
            • 3. RE: Clarifying "Every policy enforcement"
              metalhead
              > So it's a sort of protection against it being uninstalled or otherwise removed?

              Yes

              > I noticed in the log it was running a verification every five minutes. Is there a performance impact?

              No but I would set the PE interval to at least 30 minutes

              > What level of protection does this provide, is it based on the files it can see, or does it just check a registry
              > key?

              AFAIK it is registry key based
              • 4. RE: Clarifying "Every policy enforcement"
                Quitch
                If there is no performance impact why would you change the PE?

                Does it not verify products are installed upon connecting to server after initial installation?
                • 5. RE: Clarifying "Every policy enforcement"
                  metalhead
                  Its for saving bandwith - I thought you where speaking of client performance ...
                  • 6. RE: Clarifying "Every policy enforcement"
                    Quitch
                    I thought a policy enforcement was a purely local action, it scans the policy list it downloaded from the server, then carries out any actions requires, which 99% of the time will be zero.

                    Am I mistaken?
                    • 7. RE: Clarifying "Every policy enforcement"
                      metalhead
                      No as far as you do not check the "Run at every policy enforcement" interval in your deployment task.
                      • 8. RE: Clarifying "Every policy enforcement"
                        Quitch
                        What I am not understanding is why you would advise setting PE to 30 minutes instead of 5 when the VSE install is executed on first connected anyway (thus the PE interval doesn't matter), and apart from that policy enforcement is a purely local task so does not draw on bandwidth. Situations where the product has been removed are edge cases and should be rare, therefore I do not see a larger interval saving on bandwidth their either.

                        In this instance I do not understand why you would change the interval. Can you explain?
                        • 9. RE: Clarifying "Every policy enforcement"
                          twenden


                          In our environment, we have set the PE to 30 minutes to allow the end user to disable On-access for a 30 miinute period if necessary. We have people who transfer large files and who complained about McAfee slowing it down. Allowing the user to disable the OAS temporarily, cut down on these complaints. By setting the PE to 5 minutes, the user would only be able to disable the OAS for 5minutes at a time before the EPO policies get applied.
                          1 2 Previous Next