- Released At: 14-03-2024
H3C EAD DAM Asset Control Policy
Configuration Examples
Document version: 5W100-20240314
Software version: DAM (E6204)
Copyright © 2024 New H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.
The information in this document is subject to change without notice.
Contents
Example: Configuring DAM asset control policies
Configuring a desktop control scheme
Applying the desktop control scheme to assets
IMC monitoring, query, and audit
Introduction
The Intelligent Management Center Desktop Asset Manager Component (DAM) offers comprehensive management and monitoring capabilities for all assets. These assets refer to various endpoints accessing the network, such as PCs and servers. Based on the hardware and software information obtained from these assets, DAM effectively manages and monitors the usage and changes of the assets. Furthermore, DAM provides diverse statistical reports, enabling network administrators to thoroughly analyze the asset monitoring data.
Feature usage guide
Application scenarios
DAM is suitable for scenarios where you need to disable or monitor peripherals, such as serial ports, parallel ports, USB, infrared, 1394, Bluetooth, modems, floppy drives, PCMCIA, and optical drives, and to monitor printers.
Prerequisites
The user endpoints and the DAM server have Layer 3 connectivity. Assets are registered through identity verification with the iNode client, and the iNode client automatically reports asset information.
Example: Configuring DAM asset control policies
Network configuration
As shown in Figure 1, a company plans to apply DAM asset management on its network. Users need to register assets when accessing the network, so that the company can manage the assets.
Software versions used
This configuration example was created and verified on the following software:
· DAM (E6204)
· iNode PC 7.3 (E0585)
Procedures
To configure asset management policies, perform the following tasks:
· Configuring a desktop control scheme
  ○ Adding a peripheral management policy
  ○ Adding an energy saving policy
  ○ Adding a monitoring alarm policy
  ○ Adding a desktop control scheme
· Applying the desktop control scheme to assets
· IMC monitoring, query, and audit
  ○ Monitoring USB file transfer
  ○ Viewing power on and power off logs
Configuring a desktop control scheme
Adding a peripheral management policy
1. On the top navigation bar, click Automation. From the navigation pane, select Endpoint Business > Desktop Asset Management > Desktop Control Policies. Click the Peripheral Policy tab.
Figure 2 Peripheral management policy list
2. Click Add to open the page for adding a peripheral management policy, as shown in Figure 3. Configure the following parameters:
  ○ Policy Name: Enter the policy name, which is the unique identifier for the policy.
  ○ Service Group: Select the service group to which this policy belongs. This parameter is available only when Enable is selected for the DAM Service Group parameter on the System Parameters page for DAM.
  ○ Report Use of Unauthorized Devices: When the iNode client detects any unauthorized use of peripherals, it reports the violations to the server, allowing you to audit peripheral use.
  ○ USB File Transfer: When the iNode client detects read and write operations on a USB storage device connected to the endpoint, it reports the information to the server, allowing you to monitor USB file transfers.
  ○ Monitor Printer Usage: When the iNode client detects that the endpoint is connected to a printer, it reports the information to the server, allowing you to monitor printer usage.
  ○ Unauthorized Devices: Select the peripheral devices you want to disable.
    - USB Storage Device Allowlist: Allows the client to use USB storage devices with the specified vendor ID and product ID. After USB Storage is selected, you can configure the USB storage device allowlist. USB storage devices not on the allowlist are disabled. In special cases, some USB devices (such as USB keyboards and mice) might be identified as storage devices, causing them to be unusable. In this situation, add these devices to the USB storage device allowlist.
Figure 3 Adding a peripheral management policy
3. Click OK.
IMPORTANT:
· The policy name for a peripheral management policy must be unique. You cannot edit the policy name or service group for a peripheral management policy.
· The USB interface accepts both storage and non-storage devices, and management policies can be set up separately for these two types of devices in DAM. Devices like flash drives and portable hard disks are generally identified as USB storage devices, while devices like USB mice, USB keyboards, USB printers, USB wireless network cards, and 3G Internet cards with USB interfaces are usually recognized as non-storage devices. Identify whether your USB devices are recognized as storage or non-storage devices, and then configure proper policies accordingly.
· When you add or edit the USB storage device allowlist, if a duplicate entry is configured, the system automatically consolidates the duplicate entries.
· PCMCIA is a universal interface that can accept storage cards and 3G Internet cards. If this interface is disabled, no device that uses this interface can function.
· In special cases, some USB devices (such as USB keyboards and mice) are identified as storage devices, causing them to be unusable. In this situation, adding these devices to the USB storage device allowlist makes them usable again.
· When you edit a peripheral management policy or desktop control policy, you cannot change its name or its associated service group.
· If the Auto Number parameter is set to Enable, you cannot manually add assets.
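The allowlist is keyed on vendor ID and product ID, so the values have to be collected from the approved devices first. The following added example (not H3C code) derives deduplicated VID/PID pairs from Windows PnP instance IDs; the inventory rows, labels, and function names are constructed for illustration, and how DAM itself classifies a device is not shown on this page.

```python
import re

# Windows PnP instance IDs for USB device nodes start with
# USB\VID_xxxx&PID_xxxx (four hex digits each), in either letter case.
USB_ID = re.compile(r"^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})", re.IGNORECASE)

# Constructed inventory of company-issued devices (not DAM output): instance
# ID, the Windows driver service bound to the node, and an example label.
SAMPLE_INVENTORY = [
    (r"USB\VID_1A2B&PID_0001\SN0001", "USBSTOR", "Flash drive, unit 1"),
    (r"USB\vid_1a2b&pid_0001\SN0002", "USBSTOR", "Flash drive, unit 2"),
    (r"USB\VID_3C4D&PID_0010\SN0100", "USBSTOR", "Portable hard disk"),
    (r"USB\VID_5E6F&PID_0020\5&2A1B3C4D&0&2", "HidUsb", "Keyboard"),
    (r"USB\VID_5E6F&PID_0021\5&2A1B3C4D&0&3", "HidUsb", "Mouse"),
    (r"PCI\VEN_8086&DEV_A36D\3&11583659&0&A0", "USBXHCI", "Host controller"),
]


def parse_vid_pid(instance_id):
    """Return (vendor ID, product ID) in upper case, or None for non-USB nodes."""
    match = USB_ID.match(instance_id)
    return (match.group(1).upper(), match.group(2).upper()) if match else None


def build_allowlist(inventory, misidentified=()):
    """Collect one allowlist entry per VID/PID pair.

    Devices bound to USBSTOR (the Windows USB mass-storage driver) are storage
    devices. `misidentified` names non-storage devices that stopped working
    once USB storage was disabled, which the page says to allowlist as well.
    """
    entries = {}
    for instance_id, service, label in inventory:
        ids = parse_vid_pid(instance_id)
        if ids is None:
            continue  # not a USB device node
        if service.upper() == "USBSTOR":
            reason = "storage"
        elif label in misidentified:
            reason = "non-storage, treated as storage"
        else:
            continue  # ordinary non-storage device, allowlist not needed
        entry = entries.setdefault(
            ids, {"vid": ids[0], "pid": ids[1], "reason": reason, "devices": []})
        entry["devices"].append(label)
    return [entries[key] for key in sorted(entries)]


if __name__ == "__main__":
    for e in build_allowlist(SAMPLE_INVENTORY, misidentified={"Keyboard"}):
        print(e["vid"], e["pid"], e["reason"], "; ".join(e["devices"]))
```

Two units of the same flash drive model collapse into one entry, which matches the way the system consolidates duplicate allowlist entries.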
Adding an energy saving policy
1. On the top navigation bar, click Automation. From the navigation pane, select Endpoint Business > Desktop Asset Management > Desktop Control Policies. Click the Energy Saving Policy tab.
Figure 4 Energy saving policy list
2. Click Add to open the page for adding an energy saving policy, as shown in Figure 5. Configure the following parameters:
  ○ Policy Name: Enter the policy name, which is the unique identifier for the policy.
  ○ Service Group: Select the service group to which this policy belongs. This parameter is available only when Enable is selected for the DAM Service Group parameter on the System Parameters page for DAM.
  ○ Auto Shutdown/Reboot: Shut down or reboot the computer automatically. If you leave this parameter blank, no automatic shutdown or reboot is performed.
  ○ Auto Shutdown at: Specify the time when the shutdown or reboot is performed. This parameter must be configured for the auto shutdown/reboot feature to take effect.
  ○ Turn Off Screen After: Set the time to turn off the monitor. Leaving it blank means not setting the monitor turnoff time.
  ○ Sleep (Standby, Lock) After: Set the time for the computer to enter sleep mode. Leaving it blank means not setting the sleep time.
  ○ Hibernate After: Set the time for the computer to enter hibernation. Leaving it blank means not setting the hibernation time.
Figure 5 Adding an energy saving policy
3. Click OK.
IMPORTANT:
· When adding a policy, you must specify a unique name for the policy. When editing a policy, you cannot change the policy name.
· The shutdown time uses the system time of the user asset.
· When editing a policy, you cannot change the service group it belongs to.
Adding a monitoring alarm policy
1. On the top navigation bar, click Automation. From the navigation pane, select Endpoint Business > Desktop Asset Management > Desktop Control Policies. Click the Monitoring Alarm Policy tab.
Figure 6 Monitoring alarm policy list
2. Click Add to open the page for adding a monitoring alarm policy, as shown in Figure 7. Configure the following parameters:
  ○ Policy Name: Enter the policy name, which is the unique identifier for the policy.
  ○ Service Group: Select the service group to which this policy belongs. This parameter is available only when Enable is selected for the DAM Service Group parameter on the System Parameters page for DAM.
  ○ Keywords to Trigger Alarms: DAM monitors whether the names of files involved in USB and printer operations contain any of the specified keywords.
Figure 7 Adding a monitoring alarm policy
3. Click OK.
IMPORTANT:
· When adding a policy, you must specify a unique name for the policy.
· A monitoring alarm policy must contain a minimum of one of the following basic monitoring policies: USB monitoring, printer use, hardware changes monitoring, and software changes monitoring.
· In the software changes to trigger alarms, if you select the OS or Patch Reinstallation option, the system will only generate a related syslog message after the asset reinstalls its operating system. If this option is not selected and other software change options are selected, after the asset reinstalls its operating system, even though multiple software changes will occur, the system will not send syslog messages.
· After hardware or software changes occur, you can use the change time provided in the syslog messages to query the specific change information in the hardware or software change list.
Adding a desktop control scheme
1. On the top navigation bar, click Automation. From the navigation pane, select Endpoint Business > Desktop Asset Management > Desktop Control Policies. The Control Scheme tab is displayed by default.
Figure 8 Desktop control scheme list
2. Click Add to create a desktop control policy or click the Modify icon for an existing desktop control policy to edit the policy. Configure the following parameters:
  ○ Name: Name of the desktop control scheme, which is the unique identifier for the scheme.
  ○ Service Group: Select the service group to which this desktop control scheme belongs.
  ○ Policy List: Policies included in the desktop control scheme, which can be a peripheral management policy, energy saving policy, or monitoring alarm policy. Only one policy of each type can be specified for the desktop control scheme.
Figure 9 Adding a desktop control scheme
3. Click OK.
IMPORTANT:
· When editing a desktop control scheme, you cannot change the service group it belongs to.
· For an asset, DAM prefers to use the policies specified in the desktop control scheme applied to that asset. If no control scheme is applied to that asset, DAM uses the control scheme applied to the asset group to which the asset belongs.
· Desktop control policies take effect only on managed assets. To monitor assets by using desktop control policies, make sure the assets are registered first.
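The precedence rule above decides which assets actually end up with a peripheral policy in effect. The following added example (not H3C code) models it to list coverage gaps; the scheme, group, and asset data are constructed, all names are hypothetical, and it assumes the asset's scheme replaces the group's scheme as a whole rather than merging per policy type.

```python
# Constructed model of the objects the page configures; all names are
# hypothetical. A scheme maps policy type -> policy name, so it can hold at
# most one policy of each type, as the page requires.
SCHEMES = {
    "test": {"peripheral": "usb-lockdown", "monitoring_alarm": "usb-keywords"},
    "kiosk": {"energy_saving": "night-shutdown"},
}
GROUP_SCHEMES = {"finance": "test", "lab": None}
ASSETS = [
    {"number": "A001", "group": "finance", "scheme": None, "registered": True},
    {"number": "A002", "group": "finance", "scheme": "kiosk", "registered": True},
    {"number": "A003", "group": "lab", "scheme": None, "registered": True},
    {"number": "A004", "group": "finance", "scheme": None, "registered": False},
]


def effective_scheme(asset, group_schemes):
    """Scheme applied to the asset wins; otherwise use its group's scheme."""
    return asset["scheme"] or group_schemes.get(asset["group"])


def coverage_gaps(assets, group_schemes, schemes, required="peripheral"):
    """Return (asset number, reason) where `required` is not in effect."""
    gaps = []
    for asset in assets:
        if not asset["registered"]:
            # Desktop control policies take effect only on managed assets.
            gaps.append((asset["number"], "asset is not registered"))
            continue
        name = effective_scheme(asset, group_schemes)
        if name is None:
            gaps.append((asset["number"], "no scheme on asset or asset group"))
        elif required not in schemes[name]:
            # Assumption: the asset's scheme replaces the group's scheme as a
            # whole, so a group-level policy of this type is not inherited.
            gaps.append(
                (asset["number"], f"scheme '{name}' has no {required} policy"))
    return gaps


if __name__ == "__main__":
    for number, reason in coverage_gaps(ASSETS, GROUP_SCHEMES, SCHEMES):
        print(number, reason)
```

Asset A002 is the case to watch: its own scheme carries only an energy saving policy, so under this reading it loses the peripheral policy that its asset group would otherwise have supplied.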
Coming online through iNode
1. On the top navigation bar, click Automation. From the navigation pane, select Endpoint Business > Desktop Asset Management > Desktop Assets. The All Assets tab is displayed by default.
2. Click Add to add an asset.
3. After completing the configuration, click OK.
4. Open the iNode client. A page opens for you to enter the asset number.
5. Click OK to register the asset. A message will be displayed once the registration is successful.
Applying the desktop control scheme to assets
1. On the top navigation bar, click Automation. From the navigation pane, select Endpoint Business > Desktop Asset Management > Desktop Assets. The All Assets tab is displayed by default.
2. Click the Modify icon for an asset to open the asset modification page, as shown in Figure 13. Select the desktop control scheme test configured in “Adding a desktop control scheme.” Adjust other parameters as needed.
3. Click OK.
4. The iNode client communicates with the DAM server to obtain the desktop control scheme for the asset. It retrieves the desktop control policies from the scheme and disables or monitors the usage of peripheral devices accordingly, and reports the results to the server.
IMC monitoring, query, and audit
DAM monitors and audits asset behavior by recording logs. DAM does not record logs periodically. Instead, it records a log entry as soon as the client reports it. For example, if the client detects that a USB storage device has been plugged into or removed from the asset, it records the event and reports the log to DAM. DAM then records the log for administrator review.
Monitoring USB file transfer
On the top navigation bar, click Automation. From the navigation pane, select Endpoint Business > Desktop Asset Management > Desktop Assets. Click the Desktop asset audit tab, and then click USB File Transfer. The USB file transfer log list is displayed, as shown in Figure 14. You can enter query criteria to search for the needed information. Click Export to export the log entries to a specified file.
Figure 14 USB file transfer log list
Monitoring printer use
On the top navigation bar, click Automation. From the navigation pane, select Endpoint Business > Desktop Asset Management > Desktop Assets. Click the Desktop asset audit tab, and then click Printer Use. The printer monitoring log list is displayed, as shown in Figure 15. You can enter query criteria to search for the needed information. Click Export to export the log entries to a specified file.
Figure 15 Printer monitoring log list
Monitoring peripheral use
On the top navigation bar, click Automation. From the navigation pane, select Endpoint Business > Desktop Asset Management > Desktop Assets. Click the Desktop asset audit tab, and then click Peripheral Use. The peripheral monitoring log list is displayed, as shown in Figure 16. You can enter query criteria to search for the needed information. Click Export to export the log entries to a specified file.
Figure 16 Peripheral monitoring log list
Checking asset files
Asset file check helps administrators identify dubious files in specified directories of online assets. Administrators only need to specify the file path and filename to audit all files within that path and its subdirectories. The filename also supports fuzzy matching, making file auditing more efficient and convenient.
On the top navigation bar, click Automation. From the navigation pane, select Endpoint Business > Desktop Asset Management > Desktop Assets. Click the Desktop asset audit tab, and then click Asset File Check. The asset file check log list is displayed, as shown in Figure 17. Note that if the asset has a firewall installed, file checking might not be available for this asset.
Figure 17 Asset file check log list
To add a check task, click Add Check Task.
Viewing power on and power off logs
On the top navigation bar, click Automation. From the navigation pane, select Endpoint Business > Desktop Asset Management > Desktop Assets. Click the Desktop asset audit tab, and then click Power Logs. The power on/off log list is displayed, as shown in Figure 19. You can enter query criteria to search for the needed information.