Video Screencast Help
Protect Your POS Environment Against Retail Data Breaches. Learn More.

How can I turn on/off a policy depending on time of day

Created: 21 Mar 2013 • Updated: 22 Mar 2013 | 8 comments

Hi team, I need to be able to activate and deactivate a policy depending of the time of day.

The requirements from work is to uninstall old applications from all users laptops/desktop and tablets during the night as the uninstall will reboot the users computers. What makes this hard is that it will run each night for a week and the user’s computer must be on the corporate network (e.g. I can't have it restarting the user’s computer if they have taken it home to do work for the night).

I thought the easiest would be checking schedule and if not found then install on the maintenance schedule but the issue is the users that take their computers home.

e.g. let say the policy checks between 8~11pm and the maintenance windows is 8~11pm. If the policy is turned on the local agent some time during the will schedule up the check for  8pm , as long as they are connected  to a network of any kind at 8pm the applications will start to be removed -- bad.

I thought the easiest would be to turn the policy on and off e.g. policy gets turned on at 8pm and turned off at 11pm, this way the computers on the home network will not see the new policy and wont restart.

Any ideas how to achieve this, I'm expect a sql statement on the servers window scheduler but hoping for an easier option.

 

Operating Systems:

Comments 8 CommentsJump to latest comment

andykn101's picture

The short answer is to use the Advanced options of the Schedule under Compliance, Only perform check if: Computer is connected to the Network.

The longer answer is maybe to treat laptops seperately, maybe try and put a REBOOT=ReallySuppress public property into the uninstall for laptops and do it during the day when laptops are more likely to be around.

Authorised Symantec Consultant (ASC) with Endpoint Management Limited, an Authorised Symantec Delivery Provider based in the UK.

Connect Etiquette: Please "Mark as Solution" posts that fix your problem.

john.ward's picture

Thanks Andy, does "Computer is connected to the Network" mean that the client needs to see the Altiris server as I have done a test with this setting and it seemed to have been triggered if when I knew the computer couldn't see the Altiris server.

It seemed to work if the computer was connected to any network.

This is how I tested it

In the policy

set the time for  schedule windows start time to 10 mins ahead of the current time

Set the "During windows, check every : 1 min

Set "Repeat" to daily

on the advance button ticked

  • Computer is connected to the network.

save policy

 

On a clean computer (using vmware and snapshots)

update local agent to see policy

notice that the next sechdule date is the same as the start time of the "Schedule Window"

next go into the network adaptor and set  ip to 192.168.0.1

ping the altiris server to make sure it can not see it.

Wait for the time to pass

 

When the client hits the "Schedule Window" it still start the policy even though the advnace settings on the server was set to "Computer is connected to the network"

 

So I don't think this setting it working as we expected it to, as in along as the computer is connected to any network the policy will start.

 

This option does appear to work if I totally dissconct the network cable  

 

andykn101's picture

I'm afraid I don't how this option works, I've never needed to use it.

Authorised Symantec Consultant (ASC) with Endpoint Management Limited, an Authorised Symantec Delivery Provider based in the UK.

Connect Etiquette: Please "Mark as Solution" posts that fix your problem.

AngelD's picture

This is Mike's answer regarding "Computer is connected to the Network" from another thread:

 

Connected to the network means connected to the server, yes.  That's because policies are stored in an .xml file locally on the clients, so it's possible for clients to execute software even if they can't reach the NS.
 

john.ward's picture

AngelD, I've tested this and it works when the agent can't see the server, so either your statement is flipped around or there is a bug in our system.

Also your statment doesn't make sense, you say it needs to see the server becuase the .xml files are stored locally on the clients ?? maybe I've read it wrong.

 

 

andykn101's picture

How about ensuring that the uninstall has the option selected to require a package, even if it doesn't, then use the Advanced Compliance option (not the Advanced package option) to only run if connected to a network.

So, if the user is connected to the internet at home the Compliance check will run but the uninstall will only run if it can download the package. I'm not on a system myself but could you maybe set the package to expire after a day so if they download the package but don't complete the uninstall the next time a Compliance check runs it will have to try and redownload the package.

Authorised Symantec Consultant (ASC) with Endpoint Management Limited, an Authorised Symantec Delivery Provider based in the UK.

Connect Etiquette: Please "Mark as Solution" posts that fix your problem.

john.ward's picture

thanks Andy, in the end because I was using VBS I could do it like this

for the Schedule I set up a Schedule Window that was 24 hours repeated every day and checked every 15 minutes

Under Remdiation I set to to "At next Maintenance window", this was set between the hours of 8 and 10pm

in the vbs code one of the first things I did was to check if the computer can see the software library of the altiris server, if it can't see it then exit with suscess.

also in the vbs code I have the REBOOT=ReallySuppress.

 

This seems to have worked really well.

 

Thanks for you help

 

 

andykn101's picture

The trouble with using your own management methods is that you lose some of the ones built in to Altiris, often any return code, unless you add that to your script, then it gets more and more complicated.

Authorised Symantec Consultant (ASC) with Endpoint Management Limited, an Authorised Symantec Delivery Provider based in the UK.

Connect Etiquette: Please "Mark as Solution" posts that fix your problem.