Deploying the agent via Group Policy Object
Microsoft Group Policy, applied through Group Policy Objects (GPOs), enables the SafeNet administrator to centrally manage the agent configuration for users and computers in an Active Directory environment. It allows many important policy settings to be configured, which provides flexibility and supports extensive configuration information.
For more details about the Group Policy and Group Policy Objects, see Group Policy Overview.
Configuring the ADMX and ADML Settings
The SafeNet Agent for Windows Logon policy settings are stored in a Windows Administrative Template (ADMX) file. The settings can be edited using Windows tools. The settings can be propagated to the entire domain, or be applied to the local computer and domain controllers only.
Open the administrative template and perform the following steps to configure the settings:
Add ADMX and ADML File to Group Policy Object Editor
To add the SafeNet Agent for Windows Logon ADMX file to the GPO Editor, perform the following steps:
- Copy the Local Group Policy definitions (C:\Windows\PolicyDefinitions) to the Domain Group Policy location (C:\Windows\SYSVOL\sysvol\<domain_name>\Policies).
- Copy the downloaded ADMX file (<Application_name>_AgentConfig_<Date>.admx) from own Cloud to the following location on your domain controller/server:
C:\Windows\SYSVOL\sysvol\<domain_name>\Policies\PolicyDefinitions
- Copy the appropriate ADML language file (<Application_name>_AgentConfig_<Date>.adml) to a language folder under the \PolicyDefinitions folder. For example:
- In Windows Server 2016, the English language file provided should be written to:
C:\Windows\SYSVOL\sysvol\<domain_name>\Policies\PolicyDefinitions\en-US
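The three copy steps above, as an added PowerShell example that is not part of the SafeNet documentation. It assumes the ActiveDirectory module is available on the domain controller, that the ADMX/ADML files were downloaded to C:\Downloads, and keeps the page's <...> placeholders in the file names; it also checks that the ADML base name matches the ADMX, since GPMC reports a resource error otherwise.

```powershell
# Added example (not SafeNet's own code): populate the domain central store with the agent templates.
$Domain      = (Get-ADDomain).DNSRoot                          # requires the ActiveDirectory module
$LocalDefs   = 'C:\Windows\PolicyDefinitions'
$CentralDefs = "C:\Windows\SYSVOL\sysvol\$Domain\Policies\PolicyDefinitions"
$Admx        = 'C:\Downloads\<Application_name>_AgentConfig_<Date>.admx'   # assumed download path
$Adml        = 'C:\Downloads\<Application_name>_AgentConfig_<Date>.adml'   # assumed download path
$Lang        = 'en-US'                                                     # language folder name

# Step 1: seed the central store from the local definitions if it does not exist yet.
if (-not (Test-Path $CentralDefs)) {
    Copy-Item -Path $LocalDefs -Destination $CentralDefs -Recurse
}

# Step 2: place the agent ADMX beside the other definitions.
Copy-Item -Path $Admx -Destination $CentralDefs

# Step 3: place the ADML in the matching language folder, creating it if needed.
$LangDir = Join-Path $CentralDefs $Lang
if (-not (Test-Path $LangDir)) {
    New-Item -ItemType Directory -Path $LangDir | Out-Null
}
Copy-Item -Path $Adml -Destination $LangDir

# Check: the ADML must carry the same base name as the ADMX, or the template will not load.
$BaseName = [IO.Path]::GetFileNameWithoutExtension($Admx)
$Expected = Join-Path $LangDir ($BaseName + '.adml')
if (-not (Test-Path $Expected)) {
    throw "Language file for $BaseName is missing in $LangDir"
}
Write-Host "Central store updated for $Domain ($BaseName)"
```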
Configure ADMX and ADML Settings
Open the administrative template and perform the following steps to configure the settings:
- From the Windows taskbar, select Start > All Programs > Accessories > Run.
- Enter gpmc.msc and click OK. The Group Policy Management window is displayed.
- Perform one of the following actions:
- To propagate the settings to all clients in the domain, right-click Default Domain Policy or the newly created GPO under the domain node.
- To apply the settings to the local machine and any other domain controllers in this domain, under the Domain Controllers node, right-click the Default Domain Controllers Policy option.
- From the drop-down menu, select Edit. The Group Policy Management Editor window is displayed.
- In the left pane, navigate to Computer Configuration > Administrative Templates > WLA Policies > AuthGINA. The settings are displayed in the right pane.
- Enable all the settings (except PrimaryServiceURL and OptionalSecondaryServiceURL), if not already enabled, with the default value or a user-defined value.
PrimaryServiceURL and OptionalSecondaryServiceURL should be left as [Not Configured]. The values of both settings are configured via the .agent file.
Click here to see the description of the registry settings available with the agent.
Deploying the agent
Deploying SafeNet Agent for Windows Logon via GPO requires:
Creating a Distribution Point
To deploy an MSI through GPO, perform the following steps to create a distribution point on the Publishing Server:
- Log in to the server as an administrator.
- Create a shared network folder.
The shared network folder will contain the MSI package and the Agent file.
- Set permissions on this folder to allow access to the distribution package.
- Copy the MSI file (SafeNet Authentication Service Agent for Win 8-10-2012-2016 x64.msi) and the Agent file into the previously created shared network folder.
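The distribution point steps above, as an added PowerShell example that is not part of the SafeNet documentation. The share name, local path and agent file name are assumptions; the MSI name is the one given on this page. Software installation via GPO runs under the computer account, so Domain Computers gets read access, and the check at the end fails if the share would let ordinary users modify the package that every client will install.

```powershell
# Added example (not SafeNet's own code): create and lock down the distribution share.
$ShareName = 'WLADeploy'                  # assumed share name
$SharePath = 'C:\Shares\WLADeploy'        # assumed local folder backing the share
$Msi       = 'C:\Downloads\SafeNet Authentication Service Agent for Win 8-10-2012-2016 x64.msi'
$AgentFile = 'C:\Downloads\<Application_name>.agent'   # placeholder name for the Agent file

# Create the folder and the SMB share; clients only need read, administrators manage content.
New-Item -ItemType Directory -Path $SharePath -Force | Out-Null
New-SmbShare -Name $ShareName -Path $SharePath `
    -ReadAccess 'Domain Computers', 'Domain Users' `
    -FullAccess 'Domain Admins' | Out-Null

# NTFS permissions: disable inheritance, then grant only what GPO processing needs.
icacls $SharePath /inheritance:r `
    /grant 'Domain Admins:(OI)(CI)F' `
    /grant 'Domain Computers:(OI)(CI)RX' `
    /grant 'Domain Users:(OI)(CI)RX' | Out-Null

# Copy the package and the Agent file into the share.
Copy-Item -Path $Msi, $AgentFile -Destination $SharePath

# Check: no broad principal may hold write rights on the folder that feeds every client install.
$Acl = Get-Acl -Path $SharePath
foreach ($Ace in $Acl.Access) {
    $Principal = $Ace.IdentityReference.Value
    $Writable  = ($Ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write) -ne 0
    if ($Writable -and $Principal -match 'Everyone|Authenticated Users|Domain Users|Domain Computers') {
        throw "Share $SharePath grants write access to $Principal; packages could be tampered with"
    }
}
Write-Host "Distribution point ready: \\$env:COMPUTERNAME\$ShareName"
```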
Creating a Group Policy Object
An MSI package is deployed/distributed through GPO. To create an object, perform the following steps:
- From the Windows taskbar, select Start > All Programs > Accessories > Run.
- Enter gpmc.msc and click OK. The Group Policy Management window is displayed.
- Expand Forest (your forest) > Domains (your domain).
- Right-click Group Policy Objects and select New.
- Enter a name for your policy and leave Source Starter GPO as (none).
- Right-click the domain name and select Link an Existing GPO.
- In the Select GPO pop-up window, select the newly created GPO and click OK.
- Click the newly created GPO. In the right pane, right-click the linked domain name and select Enforced. The GPO is now linked to the domain.
Deploying the MSI
Prerequisites
- Ensure that the MST file is created. To create an MST file, refer to the Creating the MST file section.
To deploy the WLA MSI, you need to set AGENTMODE and JSONFILEPATH. For this purpose, it is advisable to use a parameterized MSI installation with the help of a transform (.mst) file.
To deploy the MSI to the client machines, perform the following steps:
Copy the Agent file to the client machines
Perform the following steps to place the Agent file in client machines using GPO file distribution:
- Go to Computer Configuration > Preferences > Windows Settings > Files.
- Right-click the Files option and then click New > File.
- In New File Properties, select Create from the Action drop-down.
- Enter the Source file(s) (UNC path of the shared folder) and the Destination File (the path on the client machine where you want to put the Agent file).
Keep the source file, that is, the Agent file, in the shared location.
Deploying MST and MSI files
Perform the following steps to deploy the MST and MSI files:
- Open Group Policy Management Editor and select Edit.
- Go to Computer Configuration > Policies > Software Settings > Software Installation.
- Right-click Software Installation and then click New > Package.
- Select the SafeNet Agent for Windows Logon MSI file (SafeNet Authentication Service Agent for Win 8-10-2012-2016 x64.msi) from the previously created shared folder.
- In the Deploy Software pop-up window, select Advanced and then click OK.
- Go to the Modifications tab and click Add.
- Select the MST file from the created shared folder and click OK.
Put the MST and MSI files in the shared folder.
- Under the Security tab, select the client machine and grant permission, and then click OK.
Setting the order of GPO
If more than one GPO is linked to an OU or domain, the processing order of the GPOs is determined by the link order. The GPO with the lowest link order is processed last, so its settings take precedence. You therefore need to set the GPOs in the correct order.
- Open the GPMC console.
- Select the domain or OU to which the GPOs are linked.
- In the right pane, click the Linked Group Policy Objects tab.
- Ensure that the GPO for Deploying MST and MSI files has a lower link order than the GPO for Copying the Agent file. Change the link order accordingly, if required.
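The GPO creation, linking and enforcement steps from Creating a Group Policy Object together with the link-order check above, as an added PowerShell example that is not part of the SafeNet documentation. It assumes the GroupPolicy module (RSAT) on the management host, and the two GPO names are assumptions; it ends by reading the resulting link order back so the precedence stated above can be verified rather than assumed.

```powershell
# Added example (not SafeNet's own code): create, link, enforce and order the two deployment GPOs.
$Domain     = (Get-ADDomain).DistinguishedName      # requires the ActiveDirectory module
$InstallGpo = 'WLA - Deploy MST and MSI'             # assumed name
$CopyGpo    = 'WLA - Copy Agent file'                # assumed name

foreach ($Name in $InstallGpo, $CopyGpo) {
    # Create the GPO only if it does not already exist, then link it to the domain as Enforced.
    if (-not (Get-GPO -Name $Name -ErrorAction SilentlyContinue)) {
        New-GPO -Name $Name | Out-Null
    }
    $Linked = (Get-GPInheritance -Target $Domain).GpoLinks | Where-Object DisplayName -eq $Name
    if (-not $Linked) {
        New-GPLink -Name $Name -Target $Domain -Enforced Yes | Out-Null
    }
}

# The install GPO must have the LOWER link order (processed last, highest precedence).
Set-GPLink -Name $InstallGpo -Target $Domain -Order 1 | Out-Null
Set-GPLink -Name $CopyGpo    -Target $Domain -Order 2 | Out-Null

# Check: read the order back from the domain and fail if the precedence is not as intended.
$Links = (Get-GPInheritance -Target $Domain).GpoLinks
$InstallOrder = ($Links | Where-Object DisplayName -eq $InstallGpo).Order
$CopyOrder    = ($Links | Where-Object DisplayName -eq $CopyGpo).Order
if ($InstallOrder -ge $CopyOrder) {
    throw "Link order wrong: '$InstallGpo' is $InstallOrder but '$CopyGpo' is $CopyOrder"
}
$Links | Sort-Object Order | Format-Table Order, DisplayName, Enforced -AutoSize
```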
Creating the MST file
To create an MST file, you need to install the ORCA tool. It is a free utility from Microsoft, available with the Windows SDK package (Developer Tool).
To install the ORCA tool, click here.
- After the successful installation of the tool, right-click the SafeNet Agent for Windows Logon MSI file (SafeNet Authentication Service Agent for Win 8-10-2012-2016 x64.msi) in the previously created shared folder.
- Click Edit with Orca.
- Click Transform > New Transform.
- In the Orca editor, in the left pane, under Tables, click Property.
- Double-click the value of the property AGENTMODE and set it to 1.
- Double-click the value of the property JSONFILE and set it to the path on the client machine that contains the Agent file.
- Click Transform > Generate Transform.
- Save your transform (.mst) file with a desired name in the previously created shared folder.
Upgrading the agent
Perform the following steps to upgrade the existing WLA package with a new package:
- Perform Step 1 to Step 5 in the Deploying MST and MSI files section.
- Go to the Upgrades tab and click Add.
The Add Upgrade Package window is displayed.
- Under Choose a package from, select Current Group Policy Object (GPO) or click Browse to select a specific GPO.
- Under Package to upgrade, select the desired package from the list, and then select Package can upgrade over the existing package.
- Click OK.
- Click OK.
Uninstalling the agent
Perform the following steps to uninstall the agent:
- Perform Step 1 to Step 3 in the Creating a Group Policy Object section.
- Select Group Policy Objects, right-click the desired group policy, and then click Edit.
- In the left pane, go to Computer Configuration > Policies > Software Settings > Software installation.
- In the right pane, right-click the software package that you want to uninstall, hover over All Tasks, and then click Remove.
- In the Remove Software window, select Immediately uninstall the software from users and computers, and then click OK.