Deploying the Client Security agent in an Enterprise Manager environment

Applies To: Forefront Client Security

In standard Client Security deployment, Client Security agents are deployed to target managed computers by creating and deploying a Client Security policy. This policy writes the names of the Client Security collection server and the Client Security Management group to the target computers. The computers then download the Client Security agent from the distribution server, and they install it with the configuration information from the Client Security policy. This results in the target computers reporting to the Client Security Management group that created the Client Security policy.

In an Enterprise Manager environment, Client Security policy is centrally managed by the Enterprise Manager server. Using the Client Security policy method of deploying the Client Security agent would result in all deployed Client Security agents reporting directly to the Enterprise Manager server. To prevent this from happening, you must take additional steps in configuring Client Security policy in an Enterprise Manager environment.

Configuring the Enterprise Manager environment for Client Security agent deployment is a three-step process:

  1. Create a "caretaker" Client Security policy, linked at the root of the organization. This policy sets the Client Security configuration information to disabled, preventing the installation of the Client Security agent from the distribution server.

  2. Create Active Directory security groups for each down-level Client Security deployment and add the target managed computers to them. These security groups are used to filter the scope of the Client Security policy used to deploy the Client Security agent.

  3. Create the Client Security policies for deployment of each down-level Client Security server's managed computers and link each to the appropriate security group. This results in the computers in each security group installing the Client Security agent and reporting to the appropriate down-level Client Security server.

The caretaker policy

This Group Policy object must be created in the Group Policy Management Console, linked to each domain in the Enterprise Manager environment, and set to Enforced.

To create and link the caretaker Group Policy object

  1. On the Enterprise Manager server, click Start, point to Administrative Tools, and then click Group Policy Management.

  2. In the Group Policy Management tree, expand Forest, expand Domains, expand domainname, and then expand Group Policy Objects.

  3. Right-click Group Policy Objects, and then click New.

  4. In the New GPO dialog box, type a name for the new GPO, and then click OK.

  5. Right-click the new GPO, and then click Edit.

  6. In the Group Policy Object Editor, in the tree pane, right-click Administrative Templates, and then click Add/Remove Templates.

  7. In the Add/Remove Templates dialog box, click Add.

  8. In the Policy Templates dialog box, browse to the Enterprise Manager installation directory (the default location is %Program Files%\Microsoft Forefront\Client Security\Server), select fcsem.adm, click Open, and then in the Add/Remove Templates dialog box, click Close.

  9. In the Group Policy Object Editor, in the tree pane, expand Administrative Templates, and then click on Microsoft Forefront Client Security Enterprise Manager.

  10. In the details pane, right-click MOM Server and Management Group, and then click Properties.

  11. In the MOM Server and Management Group Properties dialog box, on the Setting tab, click Disabled, and then click OK.

  12. Close the Group Policy Object Editor.

  13. In the Group Policy Management console, right-click domainname, and then click Link an Existing GPO.

  14. In the Select GPO dialog box, under Group Policy Objects, select the caretaker GPO you created, and then click OK.

  15. In the Group Policy Management console, in the tree pane, right-click the linked object for the caretaker GPO you just linked, and then click Enforced.

Security groups for the down-level deployments

The next step is to divide all target managed computers into Active Directory security groups that correspond to the down-level Client Security deployment they will report to. If your Active Directory forest is configured for Windows 2000 forest functional level, you must divide the computers into groups no larger than 5,000 members. If your Active Directory forest is configured for Windows Server 2003 interim functional level or higher, you may create groups larger than 5,000 members.

Important

Target computers must be members of only one of the down-level Client Security deployment security groups.

For more information about Windows Server 2003 forest functional levels, see Active Directory Functional Levels Technical Reference (https://go.microsoft.com/fwlink/?LinkId=104092).

Creating the down-level Client Security deployment policies

The final step is to create a Group Policy object for each down-level Client Security deployment and, using the Enterprise Manager policy template file, assign each policy to a particular down-level MOM Management server and Management group. You must then link each down-level GPO to the appropriate security groups.

To create and link the down-level Client Security deployment GPOs

  1. On the Enterprise Manager server, click Start, point to Administrative Tools, and then click Group Policy Management.

  2. In the Group Policy Management tree, expand Forest, expand Domains, expand domainname, and then expand Group Policy Objects.

  3. Right-click Group Policy Objects, and then click New.

  4. In the New GPO dialog box, type a name for the new GPO, and then click OK.

  5. Right-click the new GPO, and then click Edit.

  6. In the Group Policy Object Editor, in the tree pane, right-click Administrative Templates, and then click Add/Remove Templates.

  7. In the Add/Remove Templates dialog box, click Add.

  8. In the Policy Templates dialog box, browse to the Enterprise Manager installation directory (the default location is %Program Files%\Microsoft Forefront\Client Security\Server), select fcsem.adm, click Open, and then in the Add/Remove Templates dialog box, click Close.

  9. In the Group Policy Object Editor, in the tree pane, expand Administrative Templates, and then click on Microsoft Forefront Client Security Enterprise Manager.

  10. In the details pane, right-click MOM Server and Management Group, and then click Properties.

  11. In the MOM Server and Management Group Properties dialog box, on the Setting tab, select Enabled.

  12. In the MOM Management Group field, enter the Management group name you specified when you installed Client Security on the target down-level Client Security deployment.

  13. In the MOM Server field, enter the name of the down-level Client Security collection server, and then click OK.

  14. Close the Group Policy Object Editor.

  15. In the Group Policy Management console, in the tree pane, expand Group Policy Objects, and then click on the GPO you just created.

  16. In the details pane, under Security Filtering, click Add.

  17. In the Select User, Computer or Group dialog box, under Enter the object name to select, type the names of the security groups to which this GPO will be applied, and then click OK.

  18. In the Group Policy Management console, right-click domainname, and then click Link an Existing GPO.

  19. In the Select GPO dialog box, under Group Policy Objects, select the GPO you created, and then click OK.

  20. In the Group Policy Management console, in the tree pane, right-click the linked object for the GPO you just linked, and then click Enforced.

  21. In the tree, click domainname.

  22. On the Linked Group Policy Objects tab, select the GPO you created and click the up arrow button to move it above the caretaker GPO.
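The three-step procedure above (caretaker GPO, per-deployment security groups, per-deployment GPOs with security filtering, enforced links and link order), scripted end to end. This is an added example and not code from the Forefront Client Security documentation. It assumes a domain-joined administration host with the GroupPolicy and ActiveDirectory RSAT modules, uses constructed GPO, group, management-group and server names, and uses placeholders for the registry key and value names that fcsem.adm writes (those are defined in the template itself and are not given on this page). It also adds two checks the procedure implies: that each deployment GPO is linked Enforced above the caretaker GPO, and that no computer is a member of more than one deployment group (with the 5,000-member limit applied at Windows 2000 forest functional level). One detail is not from this page: after security filtering removes Apply from Authenticated Users, the group keeps Read so that computer accounts can still retrieve the GPO, a requirement introduced later by MS16-072.

```powershell
# Added example, not part of the Forefront Client Security documentation: the three-step
# procedure (caretaker GPO, per-deployment security groups, per-deployment GPOs) scripted
# with the GroupPolicy and ActiveDirectory PowerShell modules, plus two verification checks.
# ASSUMPTIONS: run on a domain-joined admin host with RSAT; the registry key and value
# names that fcsem.adm writes are PLACEHOLDERS here - take the real ones from the template.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$DomainDN     = (Get-ADDomain).DistinguishedName
$FcsKey       = 'HKLM\SOFTWARE\Policies\PLACEHOLDER_FCSEM'  # placeholder: key defined by fcsem.adm
$GroupValue   = 'PLACEHOLDER_MOMManagementGroup'            # placeholder value name
$ServerValue  = 'PLACEHOLDER_MOMServer'                     # placeholder value name
$CaretakerGpo = 'FCS-Caretaker'                             # constructed name

# Constructed sample data: one security group and one GPO per down-level collection server.
$Deployments = @(
    @{ Gpo='FCS-Deploy-Site1'; Group='FCS-Agents-Site1'; MgmtGroup='FCS-Site1'; Server='fcs-collect1.example.com' },
    @{ Gpo='FCS-Deploy-Site2'; Group='FCS-Agents-Site2'; MgmtGroup='FCS-Site2'; Server='fcs-collect2.example.com' }
)

# Step 1: caretaker GPO with the MOM setting Disabled, linked to the domain and Enforced.
if (-not (Get-GPO -Name $CaretakerGpo -ErrorAction SilentlyContinue)) { New-GPO -Name $CaretakerGpo | Out-Null }
Set-GPRegistryValue -Name $CaretakerGpo -Key $FcsKey -ValueName $GroupValue -Disable | Out-Null
New-GPLink -Name $CaretakerGpo -Target $DomainDN -Enforced Yes -ErrorAction SilentlyContinue | Out-Null

foreach ($d in $Deployments) {
    # Step 2: the deployment's security group (target computers are added to it separately).
    if (-not (Get-ADGroup -Filter "Name -eq '$($d.Group)'")) {
        New-ADGroup -Name $d.Group -GroupScope Global -GroupCategory Security | Out-Null
    }
    # Step 3: deployment GPO with the setting Enabled and the down-level MOM group and server.
    if (-not (Get-GPO -Name $d.Gpo -ErrorAction SilentlyContinue)) { New-GPO -Name $d.Gpo | Out-Null }
    Set-GPRegistryValue -Name $d.Gpo -Key $FcsKey -ValueName $GroupValue  -Type String -Value $d.MgmtGroup | Out-Null
    Set-GPRegistryValue -Name $d.Gpo -Key $FcsKey -ValueName $ServerValue -Type String -Value $d.Server    | Out-Null
    # Security filtering: only the deployment group applies the GPO. Authenticated Users is cut
    # back to Read (not Apply) so computer accounts can still retrieve the GPO (MS16-072 requirement).
    Set-GPPermission -Name $d.Gpo -TargetName $d.Group -TargetType Group -PermissionLevel GpoApply | Out-Null
    Set-GPPermission -Name $d.Gpo -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
    # Link Enforced, then move to link order 1, i.e. above the caretaker GPO.
    New-GPLink -Name $d.Gpo -Target $DomainDN -Enforced Yes -ErrorAction SilentlyContinue | Out-Null
    Set-GPLink -Name $d.Gpo -Target $DomainDN -Order 1 | Out-Null
}

# Check 1: every deployment GPO is linked Enforced and sits above the (Enforced) caretaker GPO.
function Test-FcsLinkOrder {
    $links = (Get-GPInheritance -Target $DomainDN).GpoLinks
    $care  = $links | Where-Object { $_.DisplayName -eq $CaretakerGpo }
    if (-not $care -or -not $care.Enforced) { return $false }
    foreach ($d in $Deployments) {
        $l = $links | Where-Object { $_.DisplayName -eq $d.Gpo }
        if (-not $l -or -not $l.Enforced -or $l.Order -ge $care.Order) { return $false }
    }
    return $true
}

# Check 2: the 'Important' rule (no computer in more than one deployment group) and the
# 5,000-member group limit that applies at the Windows 2000 forest functional level.
function Get-FcsGroupProblems {
    $forestMode = (Get-ADForest).ForestMode
    $seen = @{}
    foreach ($d in $Deployments) {
        $members = @(Get-ADGroupMember -Identity $d.Group -Recursive | Where-Object { $_.objectClass -eq 'computer' })
        if ($forestMode -eq 'Windows2000Forest' -and $members.Count -gt 5000) {
            [pscustomobject]@{ Problem='GroupTooLarge'; Subject=$d.Group; Detail=$members.Count }
        }
        foreach ($m in $members) {
            if (-not $seen.ContainsKey($m.DistinguishedName)) { $seen[$m.DistinguishedName] = @() }
            $seen[$m.DistinguishedName] += $d.Group
        }
    }
    foreach ($e in $seen.GetEnumerator()) {
        if ($e.Value.Count -gt 1) {
            [pscustomobject]@{ Problem='MultipleGroups'; Subject=$e.Key; Detail=($e.Value -join ', ') }
        }
    }
}

Test-FcsLinkOrder                             # $true when the precedence matches the procedure
Get-FcsGroupProblems | Format-Table -AutoSize # empty output means the group rules hold
```

Run the checks again after every change to group membership or link order: a computer that lands in two deployment groups receives both GPOs, and the agent's reporting target then depends on GPO precedence rather than on the intended deployment; a deployment GPO that drops below the caretaker in link order is silently overridden and the agent never installs.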

Pre-existing stand-alone Client Security deployments

All Enterprise Manager Client Security policies are centrally managed by the Enterprise Manager server. When migrating from multiple stand-alone Client Security deployments to an Enterprise Manager environment, you will need to document the Client Security policies that exist on each down-level management server.

After documenting the policies, you must recreate them on the Enterprise Manager server.

Note

Before recreating the policies, evaluate if there is still a need for those policies. By consolidating management of multiple down-level Client Security deployments, you may also be able to consolidate Client Security policies.

For more information about creating policies, see Working with policies (https://go.microsoft.com/fwlink/?LinkID=88415).