Hitachi

JP1 Version 12 JP1/IT Desktop Management 2 Administration Guide


9.3.9 Applying a security policy to an offline-managed computer

You can apply a security policy to an offline-managed computer. In the Security Policies view of the Security module, create and manage a security policy for offline-managed computers.

Important

You can create more than one security policy for offline-managed computers, but we recommend keeping a single one per system so that the wrong policy is not applied by accident.


(1) Preparing for the application of a security policy

To prepare for applying a security policy to an offline-managed computer:

  1. Create a security policy.

  2. Assign the security policy to a group.

  3. Create a tool for applying policy offline.

  4. Add agent configurations for offline computers.

  5. Create an installation set.

The following describes the detailed procedure of the preparation for applying the security policy.

Creating a security policy:

Create a security policy for the offline-managed computer. For details about how to add a security policy, see 9.3.1 Adding security policies.

Important
  • In Other Access Restrictions of Security Configuration Items, enable USB devices.

    For Limit the assets that can be used, accept the default (leave it cleared). If it is selected, use of all USB devices is prohibited, and the tool cannot be brought to the computer on an external storage medium.

  • In Operations Logs and Common settings for prohibited operations and operation logs of Security Configuration Items, accept the defaults and do not change them.

Assigning the security policy to a group:

When you create a group for offline-managed computers, assign the security policy to the group. For details about how to assign the security policy to the group, see 9.3.5 Assigning security policies.

Note

If you do not create a group for offline-managed computers, you can skip this step.

Tip

If you create a group for offline-managed computers and assign a security policy to the group, perform the following in advance:

  1. Add an item that obtains registry information to the hardware asset information.

    For details about how to add an asset field, see 15.4.1 Adding asset management items. The following is an example of the item name and the data source of information:

    Field Name: Offline identifier information
    Data Source: Registry
    Type: Text
    Registry Path:
      Root Key: HKEY_LOCAL_MACHINE
      Path: SOFTWARE\Hitachi\JP1/IT Desktop Management - Agent
      Registry Name: OfflineInfo

  2. Create a user-defined group.

    For details about how to add a user-defined group, see 5.5.1 Adding a user-defined group. The following is an example of the user-defined group and its conditions:

    User-defined group name: OfflinePC group
    User-Defined Group Conditions:
      Target Item: Offline identifier information
      Judgment Condition: Equals the judgment value
      Judgment Value: OfflinePC

Creating a tool for applying policy offline:

To create the tool:

  1. Open the Security module.

  2. In the menu area, select Security Policies and then Security Policy List.

  3. Select the security policy you created in Creating a security policy, and from Action, select Create Tool for Applying Policy Offline.

  4. Check the displayed dialog box, and then click the Save button to save the tool for applying policy offline in any location.

Adding agent configurations for offline computers:

For details about how to add an agent configuration, see 15.1.2 Adding agent configurations.

Important

In the Basic Settings view for the agent configuration, under Timing of communication with the higher system, clear the Communicate with the higher system check box.

Creating an installation set:

For details about how to create an installation set, see 6.2 Creating an installation set.

In Files to Be Automatically Executed Settings in the Create Agent Installer view, register the tool for applying policy offline (ZIP file) you saved in Creating a tool for applying policy offline. In the Add Information about the File Required for Automatic Execution dialog box, configure the following settings and click the OK button:

Tip

When you create a group for offline-managed computers and assign a security policy to it, the registry entry that the group condition checks must exist before the tool for applying policy offline runs. To create the registry entry with a batch file:

  1. Create a batch file that makes the registry entry. An example of the command is as follows:

    reg add "HKLM\SOFTWARE\Hitachi\JP1/IT Desktop Management - Agent" /v OfflineInfo /t REG_SZ /d OfflinePC

  2. In the Set Files to Be Automatically Executed view, click the Add button to show the Add Information about the File Required for Automatic Execution dialog box. Click the Browse button, select the batch file you created in step 1, and select the Execute this file after installing the agent check box.
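The following batch file is an added example, not from the JP1 manual or the product, of the registry-entry file described in the tip above. It writes the same key, value name and data that the asset field and group condition in this subsection use, but adds /f so that a second run (for example when the installation set is executed again) does not stop at the "overwrite? (Yes/No)" prompt while the agent installer waits, and it reads the value back to confirm that it matches the judgment value exactly. The file name, messages and exit codes are this example's own.

```batch
@echo off
rem Added example (not part of the JP1 manual): creates the registry entry read by
rem the "Offline identifier information" asset field, so that the user-defined
rem group condition "Equals OfflinePC" places this computer in "OfflinePC group".
rem Key, value name and data are the ones shown in this subsection; the script
rem name, messages and exit codes are assumptions of this example.
setlocal

set "KEY=HKLM\SOFTWARE\Hitachi\JP1/IT Desktop Management - Agent"
set "NAME=OfflineInfo"
set "DATA=OfflinePC"

rem /f overwrites an existing value without asking, so the file can be run
rem unattended more than once. Without it, reg add prompts "Yes/No" when the
rem value already exists and the installer would wait on that prompt.
reg add "%KEY%" /v %NAME% /t REG_SZ /d %DATA% /f >nul
if errorlevel 1 (
    echo Failed to write %KEY%\%NAME% 1>&2
    exit /b 1
)

rem Read the value back. reg query prints "    OfflineInfo    REG_SZ    OfflinePC",
rem so the third token is the stored data. A mismatch (typo, trailing space)
rem means the group condition will never match this computer.
set "ACTUAL="
for /f "tokens=3*" %%A in ('reg query "%KEY%" /v %NAME% ^| findstr /i "%NAME%"') do set "ACTUAL=%%A"
if /i not "%ACTUAL%"=="%DATA%" (
    echo %NAME% is "%ACTUAL%", expected "%DATA%" 1>&2
    exit /b 1
)

echo %KEY%\%NAME% = %DATA%
exit /b 0
```

Register this file in the installation set exactly as described in step 2, with Execute this file after installing the agent selected; the path in KEY must match the Registry Path of the asset field character for character, because the group condition compares the value that the asset field reads, not the value the batch file intended to write.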

After the file described above is registered, click the Create button to save the installation set. Store the saved installation set on an external storage medium.

(2) Applying a security policy to an offline-managed computer

To apply a security policy to an offline-managed computer:

  1. Execute the installation set.

    On the offline-managed computer, execute the installation set (ZIP file). When you click the OK button in the execution confirmation window, the security policy is applied and inventories are collected.

    Tip

    If you specify /silent in the Arguments when creating the installation set, the execution confirmation window is not displayed.

  2. Send the inventory information to the administrator.

    A Data folder is created in the folder where setsecpolicy.vbs is stored. Copy the Data folder to an external storage medium and send the medium to the administrator.

(3) Checking the inventory information collected from an offline-managed computer

To check the inventory information collected from an offline-managed computer:

  1. Report the collected inventory information to the management server.

  2. Check the offline-managed computer in the management console.

  3. Change the name of the assigned policy.

The following describes the detailed procedure for checking the inventory information collected from the offline-managed computer.

Reporting the collected inventory information to the management server:

For details about how to report the collected inventory information, see 6.14 Notification of the device information collected by using the information collection tool.

Checking the offline-managed computer in the management console:

Go to Device Inventory (Device List) in the Inventory module and check that offline PCs are registered.

Important

Because a single command applies the security policy and collects the inventory information at the same time, a computer that appears in Device Inventory (Device List) has had the security policy applied. Checking the registration there is therefore also the check that the policy was applied.

Changing the name of the assigned policy:

If a security policy is applied to a computer without creating a group, follow the procedure described below to manually change the name of the assigned policy:

  1. Under Computer Security Status of the menu area in the Security module, select all offline-managed computers in Device Inventory (Device List).

  2. From Action, select Assign Policy, and in the displayed dialog box, from Select Policy, select the security policy for offline-managed computers and then click the OK button. Assigned Policy is changed.

    Important

    Before changing the policy assigned to offline-managed computers, apply a filter with the following conditions so that only offline-managed computers are listed and selected. Without the filter, the selection in step 1 can include other computers, and the offline policy would be assigned to them as well.

    Filter conditions

    - Assigned Policy - is - Default Policy

    - Management Status - contains any of - Offline management

(4) Reapplying a security policy to an offline-managed computer

If the security policy is modified, you need to reapply it. To reapply the security policy:

  1. Re-create the tool for applying the security policy.

    If you modify the security policy, or if you register an additional USB device for use on the offline PC, re-create the tool for applying the security policy. For details about the procedure, see Creating a tool for applying policy offline: in (1) Preparing for the application of a security policy.

  2. Unzip the re-created tool for applying policy offline (ZIP file) and then store it in an external storage medium.

  3. Connect the external storage medium to the offline-managed computer, and apply the security policy.

    When you execute the stored setsecpolicy.vbs (security policy application command) and click the OK button in the execution confirmation window, the security policy is applied and inventories are collected.

    For details about the security policy application command, see 17.41 setsecpolicy.vbs (applying a security policy to the offline-managed computer and collecting device information).

  4. Send the inventory information to the administrator.

    A Data folder is created in the folder where setsecpolicy.vbs is stored. Copy the Data folder to an external storage medium and send the medium to the administrator.
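The following batch file is an added example, not from the JP1 manual or the product, of how an operator can carry out steps 3 and 4 above (and step 2 of (2) Applying a security policy to an offline-managed computer) from the external storage medium in one go. It assumes that the file is placed in the folder into which the tool for applying policy offline (ZIP file) was unzipped, next to setsecpolicy.vbs; that setsecpolicy.vbs can be started with cscript and reports failure through its exit code; and that the collected information is written to a Data subfolder of that folder, as this subsection states. The destination folder name, messages and exit codes are this example's own.

```batch
@echo off
rem Added example (not part of the JP1 manual): runs the tool for applying policy
rem offline and copies the resulting Data folder into a per-computer folder on the
rem same medium, so that Data folders collected from several offline PCs on one
rem medium do not overwrite each other before they reach the administrator.
rem Assumptions: this file sits next to setsecpolicy.vbs; setsecpolicy.vbs can
rem be started with cscript; the Data folder is created beside it, as the
rem subsection states. The "Collected" folder name is this example's own.
setlocal
set "TOOLDIR=%~dp0"
set "DEST=%~d0\Collected\%COMPUTERNAME%"

if not exist "%TOOLDIR%setsecpolicy.vbs" (
    echo setsecpolicy.vbs not found in %TOOLDIR% 1>&2
    exit /b 1
)

rem Apply the security policy and collect inventories. The execution
rem confirmation window is still shown; cscript returns only after the script
rem has finished, so the Data folder exists (or not) by the next line.
cscript //nologo "%TOOLDIR%setsecpolicy.vbs"
if errorlevel 1 (
    echo setsecpolicy.vbs returned exit code %ERRORLEVEL% 1>&2
    exit /b 1
)

if not exist "%TOOLDIR%Data\" (
    echo No Data folder was created; nothing to send to the administrator 1>&2
    exit /b 1
)

rem robocopy exit codes 0-7 mean success (0 = nothing new, 1 = files copied);
rem 8 and above mean at least one file could not be copied. A later run on the
rem same computer overwrites its own folder, which is the intended behaviour.
robocopy "%TOOLDIR%Data" "%DEST%" /E /R:2 /W:2 /NFL /NDL >nul
if %ERRORLEVEL% geq 8 (
    echo Copy of Data to %DEST% failed 1>&2
    exit /b 1
)

echo Inventory for %COMPUTERNAME% stored in %DEST%; send this medium to the administrator.
exit /b 0
```

Run the file as a user who is allowed to apply the policy on the offline computer; if setsecpolicy.vbs must be started with a different host or arguments in your environment, see 17.41 setsecpolicy.vbs and adjust the cscript line accordingly.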

Tip

If a setting of the offline-managed computer is modified, you need to re-create and re-execute the installation set or the tool for applying the security policy depending on the modified setting. For details about which setting requires re-execution if modified, see A.11 Conditions where the tools must be re-executed on an offline-managed computer.