Managing the Endpoint Security Client 3.5 179novdocx (en) 17 September 20097.5.1 Multiple User SupportFor machines that have multiple users logging on to them, each user account has its own, separateNovell environment. Users can have separate policies and saved network environments. Eachaccount needs to log in to the Management Service separately to receive its credential in order todownload its published policy.If a user can’t log in or refuses to do so, that user gets the initial policy that was included at EndpointSecurity Client installation. This helps discourage a user from creating a different account to avoidpolicy restrictions.Multiple user support is set at the time you install the client, and can only be changed through anMSI property (POLICYTYPE 0=user or 1=computer) when you upgrade the client (see “MSIInstallation” the ZENworks Endpoint Security Management Installation Guide for details).Because only one policy can be enforced at a time, the Microsoft Fast User Switching (FUS) is notsupported. The Endpoint Security Client turns off FUS at installation.For an unmanaged client, the first policy that is pushed to one of the users is applied to all users untilthe other users enforce their policies.The users on a single computer must all be managed or unmanaged. If they are managed, all theusers must use the same Management and Policy Distribution Service.7.5.2 Machine-Based Policies (Active Directory Only)The option for using machine-based rather than user-based policies is set at Endpoint Security Clientinstallation (see the ZENworks Endpoint Security Management Installation Guide for details). Whenthis option is selected, the machine is assigned the policy from the Management Service, and thepolicy is applied to all users who log on to that machine. Users who have a policy assigned to themon another machine do not have that policy accompany them when they log on to a machine with amachine-based policy. Instead, the machine-based policy is enforced.NOTE: The machine must be a member of the Policy Distribution Service's domain for the firstpolicy sent down. Occasionally, Microsoft does not immediately generate the SID, which canprevent the Endpoint Security Client on that machine from receiving its credential from theManagement Service. When this occurs, reboot the machine when the Endpoint Security Clientinstallation is finished to receive the credentials.When you switch an Endpoint Security Client from accepting user-based policies to acceptingmachine-based policies, the client continues to enforce and use the last policy downloaded by thecurrent user, until credentials are provided. If multiple users exist on the machine, the machine usesonly the policy assigned to the currently logged-in user. If a new user logs in, and the SID isunavailable, the machine uses the default policy included at installation, until the SID is available.After the SID is available for the endpoint, all users have the machine-based policy applied.7.5.3 Distributing Unmanaged PoliciesTo distribute polices to unmanaged Endpoint Security Clients:1 Locate and copy the Management Console's setup.sen file to a separate folder. Thesetup.sen file is generated at installation of the Management Console, and placed in the\Program Files\Novell\ESM Management Console\ directory.