Policy-based management

LANDesk Management Suite lets you manage sets of applications on groups of devices using the policy-based management feature.

Read this chapter to learn about:

• About policy-based management
• Configuring policies
• Applying scope to application policies
• What users see on their devices
• Using the local software deployment portal

About policy-based management

Policy-based management (known as application policy management in earlier Management Suite releases) helps you easily manage sets of applications on groups of devices. Like any other scheduled task, policies require:

• An SWD package, MSI, executable, batch file, or Macintosh package that you create.
• A delivery method that supports policies, either policy or policy-supported push.
• Policy targets for the distribution packages, such as the results of an LDAP or core database query.
• A scheduled time at which the policy should be made available.

Policy-based management periodically reruns queries you have configured as part of the policy, applying your policies to any new managed devices. For example, perhaps you have a Department container in your LDAP directory that contains user objects. Any user whose Department object is "Marketing" uses a standard set of applications. After you set up a policy for Marketing users, new users who are added to Marketing automatically get the correct set of applications installed onto their computer.

Use the console to configure application policies, which are stored in the core database.

Policy-based management can deploy these file types:

• MSI
• Executable
• Batch file
• Macintosh
• Linux RPM
• LANDesk Application Virtualization
• Windows Script Host Package (.wsf)
• Legacy SWD package

The task flow for policy-based management is as follows:

1. Make sure the software distribution agents are on your devices.
2. If you don't have a package for the application you want a policy for, create one. For more information, see Software distribution.
3. Use the distribution packages window create a package definition for the package.
4. Create or select an existing policy-based delivery method.
5. Create a software distribution task in the Scheduled tasks window and select the package and delivery method from above.
6. Select the targets for the policy. This can include any combination of individual devices, database queries, device groups, LDAP items, and LDAP queries.
7. Schedule the task to run. When run, the distribution package will be made available for pull.
8. The policy-based management service on the core server periodically updates the policy target list by reevaluating the LDAP/database query results. This helps ensure that the core database has a current set of targeted users/computers.
9. A user logs on to a device, connects to the network, or otherwise starts the policy-based management agent.
10. The core server's policy-based management service determines the applicable policies based on the device's device ID and the logged-in user or LDAP device location.
11. The policy-based management service sends the policy information back to the policy-based management agent.
12. Depending on how you've configured the device to handle policies, the user selects the policies to run or the policies run automatically. Only recommended or optional policies are available in the list on the device. When an unprocessed recommended policy is in the list, it's checked by default. Periodic policies appear in the list once their execution intervals have lapsed. Selected policies execute sequentially.
13. The policy-based management agent sends the policy results to the core server, which stores the results in the core database. Policy-based management status is reported to the core server using HTTP for enhanced reliability. This status is reported in the Scheduled tasks window.

Configuring policies

Policy-based management requires a supported distribution package type for any policy you create. You can either create the packages ahead of time or you can create the packages while creating the policy. We recommend that you create the packages ahead of time to test them and ensure that they work before using them in a policy.

Normal distributions and policies can use the same distribution package. The difference is in the deployment, not the package creation. There are two delivery methods that support policy based distribution:

• Policy delivery methods: The policy-only distribution model. Only devices meeting the policy criteria receive the package.
• Policy-supported push delivery methods: The combined push distribution and policy model. First, software distribution attempts to install the package on all devices in the target list. This way, you can do an initial deployment using Targeted Multicast. Second, any devices that didn't get the package or that later become part of the target list (in the case of a dynamic target list) receive the package when the policy-based management agent on the device requests it.

The main difference between standard delivery methods and the policy-based delivery method is that the policy-based Delivery methods dialog box has a Job type and frequency page.

The job type and frequency options affect how target devices act when they receive the policy:

• Required: The policy-based management agent automatically applies required policies without user intervention. You can configure required policies to run silently. Any UI that appears on the device while a required task is installing should be non-blocking; in other words, the application being installed shouldn't require user input.
• Recommended: Users have the choice of when to install recommended policies. Recommended policies are selected by default on the device UI.
• Optional: Users have the choice of when to install optional policies. Optional policies aren't selected by default on the device UI.

You can also configure how frequently a policy can run:

• Run once: Once a policy successfully runs on a device, the device won't run that policy again.
• Periodic: When a recommended or optional policy is specified as being periodic, it will be removed from the UI when it's successfully processed and will be shown again in the UI after the specified interval has elapsed.
• As desired: Can be installed by users at any time.

To create a policy-based distribution

1. In the console, click Tools > Distribution > Delivery methods.
2. Right-click either Policy-based distribution or Policy-supported push distribution, then click New delivery method.
3. Configure the delivery method options you want. Click Help for more information on each page.
4. Set the Type and frequency of policy options you want.
5. Click OK when you're done.
6. Click Tools > Distribution > Scheduled tasks.
7. Click the Create software distribution task toolbar button.
8. Configure the task options you want and click OK.
9. With the policy-based distribution task selected, drag the policy targets to the right window pane.

Policy-based distributions take effect as soon as the policy task is started and there are targets resolved. Policy-supported push distributions take effect after the initial push-based distribution completes.

Adding static targets

Policy-based management can use static targets as policy targets. Static targets are a list of specific devices or users that doesn't change unless you manually change it. Add static targets by selecting individual devices from the network view as targets. Individual LDAP devices can't be added as static targets.

Adding dynamic targets

Policy-based management can use queries to determine policy targets. Queries are stored only in the core database. For more information on queries, see Database queries.

Dynamic targets can include network view device groups, LDAP objects, LDAP queries, and inventory queries.

In order for devices to receive policies that are targeted through Active Directory or NetWare Directory Services, they have to be configured to log in to the directory. This means that they need to have all the correct agent software installed, and they need to actually log in to the correct directory so that their fully distinguished name will match the name that was targeted through Directory Manager and Scheduled Tasks Application Policy Manager.

Windows 95/98 and NT devices need to be configured to log in to the domain where the Active Directory resides. Windows NT and Windows 95/98 don't include Active Directory support. You must install Active Directory support on devices that log in to a directory and require policy-based management application policy management. As of this printing, more information on installing Active Directory client support was available here:

http://www.microsoft.com/technet/archive/ntwrkstn/downloads/utils/dsclient.mspx

In order to target a device from LDAP, each Windows NT/2000/2003/XP device must have a computer account on the Active Directory domain controller. This means that the computer being used as the device must be logged in to the domain where the Active Directory exists. You can't simply map a network drive using the fully-qualified Windows NT domain name. The policy won't take effect this way.

To use Directory Manager to create a query

1. Click Tools > Distribution > Directory Manager.
2. Click the Manage directory toolbar button.
3. Enter the directory URL and authentication information and click OK.
4. Click the New query toolbar icon.
5. Create your query. For more information, see LDAP queries.

Adding additional targets

When creating a policy-based task, it is often a good idea to initially deploy the policy to a small target set. This is done so that if problems are encountered when deploying the policy it will only impact a small set of users. Once the results of the deployment to the small set of users have been validated, add additional targets to the policy. When new targets are added to an active policy task, the policy immediately becomes available to the newly-targeted devices or LDAP items.

Applying scope to application policies

Multiple scopes can filter the policy-based management target details pane for a target lists. However, the final scope that a policy uses is always the scope of a task owner. If the policy task is listed in Common tasks, and another Management Suite user with a different scope looks at the target details pane for the task (let's call this second person a target list "editor"), the target details pane is filtered by the editor's scope. In this case, the editor may not see all the targets the policy will be applied to in the target details pane, because the editor's scope may not allow them to see all targets in the creator's scope.

What users see on their devices

Application policies are always processed using a pull model. Devices check with the core server for new policies that might apply to them. When this check occurs, a dialog appears at the device showing only unprocessed, recommended and optional policies, not required policies. When an unprocessed, recommended policy appears in the UI, it is selected by default to encourage the end user to process it.

Once a policy is processed, it may still show up in the UI if it's set up to run periodically. If this is the case, it will continue to be selected, even if it's a recommended policy. A policy may also continue to appear in the UI if it wasn't applied correctly.

Users can manually launch the policy-based agent by clicking Start > Programs > LANDesk > Policy-based delivery.

Using the local software deployment portal

The software distribution agent on managed devices also provides a software deployment portal. The portal checks the local software distribution cache for policies that apply to the local device/user. The portal then displays a Web page listing available policies. Users can select a policy from the list and click Download selected to install the packages associated with the policy.

To use the software deployment portal

1. On the managed device, click Start > Programs > LANDesk Management > LANDesk Software Deployment Portal.
2. Click the policy you want to apply.
3. Click Download selected.