mevanginkel
Contributor

UEM/DEM Synctool and Privilege Elevation


At our school we use UEM 9.7 with synctool for our notebooks.
We would like to use privilege elevation, but we can't get it to work with the synctool, where it should work since UEM 9.7.

I even updated the client to DEM 10.2, but without result. Whenever I try to refresh the privilege elevation setting, the logfile keeps returning that privilege elevation is not supported in a synctool environment.

Any clues on how to get privilege elevation to work with synctool? See a fragment from the logfile below:

2021-04-20 11:46:46.739 [INFO ] Starting FlexEngine v10.2.0.976 [IFP#5c72498d-97226>>]
2021-04-20 11:46:46.739 [INFO ] Running in 'Offline Import' mode
2021-04-20 11:46:46.746 [DEBUG] Running as child of process #10260
2021-04-20 11:46:46.746 [INFO ] Performing path-based import
2021-04-20 11:46:46.747 [DEBUG] User: domain\user, Computer: L1096, OS: x64-win10 (Version 2009, BuildNumber 19042.928, SuiteMask 100, ProductType 1/4, Lang 0413, DEM 10.2.0.976 (2103E), ProcInfo 1/1/4/8, UTC+02:00D), PTS: 10392/10444/1C
2021-04-20 11:46:46.747 [DEBUG] Profile state: local (0x00000000)
2021-04-20 11:46:46.747 [DEBUG] Applied sync-related path changes
2021-04-20 11:46:46.747 [DEBUG] Recursively processing config files from path 'C:\Users\user\AppData\Local\Immidio\FlexSync\General'
2021-04-20 11:46:46.747 [DEBUG] Using profile archive path 'C:\Users\user\AppData\Local\Immidio\FlexSync\Profile Archives'
2021-04-20 11:46:46.747 [DEBUG] Logging to file 'C:\Users\user\AppData\Local\Immidio\FlexSync\FlexEngine.log'
2021-04-20 11:46:46.747 [DEBUG] Log file will be overwritten when larger than 200 kilobytes
2021-04-20 11:46:46.748 [DEBUG] Showing progress information
2021-04-20 11:46:46.756 [DEBUG] Setting import status flag
2021-04-20 11:46:46.783 [WARN ] Horizon Smart Policies settings cannot be applied during the session -- skipped
2021-04-20 11:46:46.794 [WARN ] Application blocking settings cannot be applied during the session -- skipped
2021-04-20 11:46:46.804 [WARN ] Privilege elevation settings cannot be applied during the session -- skipped
2021-04-20 11:46:46.811 [WARN ] ADMX-based settings cannot be applied during the session -- skipped
2021-04-20 11:46:46.822 [WARN ] App Volumes settings cannot be applied during the session -- skipped
2021-04-20 11:46:46.825 [DEBUG] Not launching FlexEngine in DirectFlex mode: no DirectFlex settings were found in the config files
2021-04-20 11:46:46.828 [INFO ] Done (89 ms) [<<IFP#5c72498d-97226]
2021-04-20 11:49:08.349 [INFO ] Performing user environment settings refresh [IFP#a9307117-97226>>]
2021-04-20 11:49:08.355 [DEBUG] Running as child process of 'cmd.exe' (3980)
2021-04-20 11:49:08.356 [DEBUG] User: domain\user, Computer: L1096, OS: x64-win10 (Version 2009, BuildNumber 19042.928, SuiteMask 100, ProductType 1/4, Lang 0413, DEM 10.2.0.976 (2103E), ProcInfo 1/1/4/8, UTC+02:00D), PTS: 13132/13028/1C
2021-04-20 11:49:08.356 [DEBUG] Applied sync-related path changes
2021-04-20 11:49:08.356 [DEBUG] Recursively processing config files from path 'C:\Users\user\AppData\Local\Immidio\FlexSync\General'
2021-04-20 11:49:08.356 [DEBUG] Logging to file 'C:\Users\user\AppData\Local\Immidio\FlexSync\FlexEngine.log'
2021-04-20 11:49:08.356 [DEBUG] Log file will be overwritten when larger than 200 kilobytes
2021-04-20 11:49:08.357 [DEBUG] Refreshing DEM privilege elevation settings
2021-04-20 11:49:08.357 [INFO ] Privilege elevation is not supported in SyncTool scenarios
2021-04-20 11:49:08.366 [INFO ] Done (17 ms) [<<IFP#a9307117-97226]
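
As an added example (not code from the original post, nor VMware's DEM), here is a small log-triage script in Python that parses the FlexEngine.log format shown above: it splits the log into FlexEngine runs by the IFP markers, records which setting types each run reported as skipped, and flags the "not supported in SyncTool scenarios" refusal, so the condition can be checked across collected FlexSync logs from many notebooks instead of reading each one by hand. The sample log embedded in it is a subset of the fragment from the post; the log file encoding and the wording of the verdicts are assumptions.

```python
"""Triage a FlexEngine.log for DEM settings that were skipped or refused.

Added example, not VMware/DEM code. Log format as shown in the post: a run
opens with a line ending in '[IFP#<id>>>]' and closes with 'Done (...) [<<IFP#<id>]'.
Lines ending in '-- skipped' name setting types FlexEngine did not apply.
"""
import re
import sys
from dataclasses import dataclass, field

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"\[(?P<level>[A-Z]+)\s*\] (?P<msg>.*)$"
)
START_RE = re.compile(r"\[IFP#(?P<id>[0-9a-f]+-\d+)>>\]\s*$")
END_RE = re.compile(r"\[<<IFP#(?P<id>[0-9a-f]+-\d+)\]\s*$")
MODE_RE = re.compile(r"^Running in '(?P<mode>[^']+)' mode$")
SKIPPED_RE = re.compile(
    r"^(?P<what>.+?) settings cannot be applied during the session -- skipped$"
)
# Exact message the poster hit on the privilege elevation refresh run.
SYNCTOOL_REFUSAL = "Privilege elevation is not supported in SyncTool scenarios"


@dataclass
class Run:
    run_id: str
    started: str
    mode: str = "unknown"           # 'Offline Import', 'Refresh', ...
    skipped: list = field(default_factory=list)
    privelev_refused: bool = False  # SYNCTOOL_REFUSAL seen in this run


def parse_runs(text: str) -> list:
    """Split the log into FlexEngine runs and record what each one skipped."""
    runs, current = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                        # not a FlexEngine log line
        ts, msg = m.group("ts"), m.group("msg")
        start = START_RE.search(msg)
        if start:
            current = Run(run_id=start.group("id"), started=ts)
            runs.append(current)
        if current is None:
            continue                        # line outside any run
        mode = MODE_RE.match(msg)
        if mode:
            current.mode = mode.group("mode")
        elif msg.startswith("Performing user environment settings refresh"):
            current.mode = "Refresh"
        skipped = SKIPPED_RE.match(msg)
        if skipped:
            current.skipped.append(skipped.group("what"))
        if SYNCTOOL_REFUSAL in msg:
            current.privelev_refused = True
        if END_RE.search(msg):
            current = None
    return runs


def privilege_elevation_verdict(runs: list) -> str:
    """One-line verdict (wording is this example's own) on privilege elevation."""
    if any(r.privelev_refused for r in runs):
        return "blocked: FlexEngine refused privilege elevation (SyncTool scenario)"
    if any("Privilege elevation" in r.skipped for r in runs):
        return "skipped: privilege elevation not applied by the Offline Import run"
    return "no skip or refusal recorded"


# Subset of the log fragment from the post above, copied verbatim.
SAMPLE_LOG = """\
2021-04-20 11:46:46.739 [INFO ] Starting FlexEngine v10.2.0.976 [IFP#5c72498d-97226>>]
2021-04-20 11:46:46.739 [INFO ] Running in 'Offline Import' mode
2021-04-20 11:46:46.747 [INFO ] Performing path-based import
2021-04-20 11:46:46.783 [WARN ] Horizon Smart Policies settings cannot be applied during the session -- skipped
2021-04-20 11:46:46.794 [WARN ] Application blocking settings cannot be applied during the session -- skipped
2021-04-20 11:46:46.804 [WARN ] Privilege elevation settings cannot be applied during the session -- skipped
2021-04-20 11:46:46.811 [WARN ] ADMX-based settings cannot be applied during the session -- skipped
2021-04-20 11:46:46.822 [WARN ] App Volumes settings cannot be applied during the session -- skipped
2021-04-20 11:46:46.828 [INFO ] Done (89 ms) [<<IFP#5c72498d-97226]
2021-04-20 11:49:08.349 [INFO ] Performing user environment settings refresh [IFP#a9307117-97226>>]
2021-04-20 11:49:08.357 [DEBUG] Refreshing DEM privilege elevation settings
2021-04-20 11:49:08.357 [INFO ] Privilege elevation is not supported in SyncTool scenarios
2021-04-20 11:49:08.366 [INFO ] Done (17 ms) [<<IFP#a9307117-97226]
"""

if __name__ == "__main__":
    # Optional argument: a collected ...\Immidio\FlexSync\FlexEngine.log.
    # Assumes the file is readable as text in the default locale encoding.
    text = SAMPLE_LOG
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            text = fh.read()
    runs = parse_runs(text)
    for r in runs:
        print(f"{r.started} {r.run_id} mode={r.mode!r} skipped={r.skipped} refused={r.privelev_refused}")
    print(privilege_elevation_verdict(runs))
```

Run it without arguments to see the two runs from the posted fragment, or pass the path of a FlexEngine.log copied off a notebook; a "blocked" verdict on a fleet of logs means those machines are all on the SyncTool code path, not that the GPO or the refresh command is wrong.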

Accepted Solutions
DEMdev
VMware Employee

Hi @mevanginkel,

Unfortunately, upgrading to the latest version of SyncTool won't help either... You've run into a limitation that we've only recently become aware of. (We will be documenting this as a known issue soon; sorry that you have wasted your time.)

Windows does not "trigger" Group Policy client-side extensions when you log on in an offline scenario, which is why for SyncTool scenarios a logon script must be configured as well, to launch FlexEngine.exe in 'Offline Import' mode. That's sufficient for FlexEngine to function, but unfortunately the logic to allow application blocking and privilege elevation functionality requires that the SyncTool logic did run at logon.

Would it be an option to use NoAD mode for DEM agent configuration on your notebooks instead of Group Policy? With NoAD, SyncTool and FlexEngine get to run at logon even in offline scenarios.

5 Replies
Pim_van_de_Vis
VMware Employee

Did you also update the SyncTool to the latest version? You should be able to check the SyncTool version in the separate logfile that gets created by the SyncTool.

mevanginkel
Contributor

Hello @DEMdev, thank you for your reply. May I ask some questions about NoAD mode?

1. Are there any disadvantages / known issues when using NoAD instead of a GPO?

2. I will create a new VM for the newest DEM version to test with. When all is fine, will it just be a matter of configuring the Flexengine MSI and push both new Flexengine + Synctool MSI files with the customized XML file to the clients and disabling the GPO?

3. When a users logs in on a freshly installed notebook, will the new Flexengine and Synctool version in NoAD mode recognize the "old" Flexprofiles data on the network share and import the data correctly?

4. When I push the new clients over the internet in NoAD mode, will the client pick up the "old" offline data? Or is a one-time connection to the domain required to pick up all the settings and profile data?

DEMdev
VMware Employee

Hi @mevanginkel,

NoAD mode differs from "GPO mode" in just two ways:

  1. DEM agent configuration settings are supplied via an XML file (\\your\config\share\general\FlexRepository\NoAD\NoAD.xml) instead of a GPO;
  2. The DEM agent "automatically" runs at logon and logoff, without the need for (fallback) logon and logoff scripts, even in disconnected scenarios.

There's no difference in how existing settings on the profile archive share are dealt with, so switching between these two modes does not cause users to lose their settings. The same applies to the "local sync cache" on each endpoint, in SyncTool scenarios.

Switching to NoAD mode does require a reinstall of the DEM agent on each laptop. Also, the device needs to be connected to the domain the first time the user logs on, to ensure the NoAD.xml settings can be picked up.

As for disadvantages / known issues:

  • One known issue in 10.0 and 10.1; fixed in 10.2.
  • With Group Policy you could combine multiple GPOs to target different DEM agent configuration to different groups of users. That use case is not really supported for NoAD.

mevanginkel
Contributor

Thank you very much. All my questions are answered