Deep Freeze and Your Management Solution - ZENWorks Example

Introduction

This white paper provides some background information on integrating a ZENworks environment with Deep Freeze. ZENworks gives a certain amount of desktop management control, and in combination with Deep Freeze, users gain even more control, particularly in lab environments like schools and universities.

When using ZENworks, administrators are often concerned about how far to lock down computers in order to prevent students from corrupting systems and making them unusable for others. However, in most learning environments, administrators need computers to be open enough to provide the hands-on experience necessary for student learning. Deep Freeze, in combination with ZENworks, makes this possible.

With a Frozen installation image deployed on lab machines, students can use the computers in an unrestricted manner; any configuration changes made are gone when the system reboots. Deep Freeze gives a solid system image with every reboot of the machine, and in combination with ZENworks’ ability to inventory computers and distribute applications, the result is a great solution for desktop management.

To integrate Deep Freeze into a ZENworks environment, a script is used to put a machine into a Thawed state. ZENworks is then used to deploy applications or registry changes. The script concludes by instructing Deep Freeze to return the machine to its Frozen state, with the settings updated.

This process can be done remotely using Deep Freeze’s command line control (DFC), simple scripting, and ZENworks’ application deployment.

Batch File Scripts

Using a batch file is the simplest way to use DFC without any additional scripting programs. Batch files are a capability of the DOS/Windows operating system itself.

The following batch file puts the machine in a Thawed state:

REM Thawit.bat
REM Test machine for De-activation of Deepfreeze.
\\server\volume\directory\DFC get /ISFROZEN
if errorlevel 1 goto thaw
exit
:thaw
REM This section will Thaw the machine and reboot, if errorlevel above equals REM ‘1’, which
REM is passed by the DFC program.
\\server\volume\directory\DFC <command-line password> /BOOTTHAWED
REM ECHO %errorlevel%
REM You can debug DFC by using the above line, just remove the REM, which is a REM remark command used to ignore statements in batch script, so that comments
REM can be made as I’m doing here. SEE DFC WHITE PAPER included for error
REM codes DFC passes.

This script puts all Frozen machines into a Thawed state. No password is asked for, because it is included in the script. The </BOOTTHAWED> parameter tells the machine to reboot into a Thawed state.

The following script sets the workstation into a Frozen state:

REM Freezeit.bat
REM Test system for activating Deep Freeze protection on a machine with Deep REM Freeze installed.
\\server\volume\directory\DFC get /ISFROZEN
if errorlevel 1 goto activatedalready
REM Following line Freezes machine if errorlevel is NOT equal to 1. If
REM errorlevel equals‘1’ then it skips the next line until it finds
REM :activatedalready, which is a batch script
REM label. It then executes statements following the label, in this case an REM exit command.
\\server\volume\directory\DFC <command-line password> /BOOTFROZEN
:activatedalready
exit

Setting workstations into either a Thawed or a Frozen state on-command is easily done with these scripts. They can be especially useful in login scripts; when a user logs in, the log in script sets the workstation into a Thawed or Frozen state based on the command in the script.

If there is a concern about a Deep Freeze password being viewable in clear-text, freeware programs are available on the Internet to convert .BAT files into .COM files . These programs can encrypt the clear-text file into unreadable machine code.

Using the Batch Script with ZENworks

Script files can also be used in ZENworks to do many useful things. To use scripts in ZENworks, two application objects must be made: one to set workstations in a Thawed state, and the other to set workstations in a Frozen state.
The following instructions detail how to create an application object to set a computer in a Frozen state.

1. Create a new Application object.

The following screen appears:

2. Click Next to create the simple application.

3. Give the application a name, and click Next.

The following screen appears:

4. The above dialog asks for a Path to file; leave this field blank and click Next.

The screen to select application requirements appears:

5. Click Next to accept the default settings. Click Add to learn more about other options.

6. The above screen allows administrators to associate the application with a user or a group of users.

Check the first box, which indicates the use of the Force Run option when Thawing or Freezing workstations. Force Run means the application is forced to run when a user logs in or the application is refreshed. The second box is checked by default, and indicates that the application is listed in Application Explorer.

7. Click Next to see the final summary screen.

8. Check Display details after creation, and click Finish.

The Properties dialog for the new application appear:

Configuring the Application Properties

Now that the object has been created, a number of configuration options are available.

Distribution Options Tab

The Path to file field was left blank in the process of creating the application, the reason being that newer versions of ZENworks allow Distribution Scripts to be run, which allow a pre-script to be run before running an actual program. When Distribution Scripts are used with Deep Freeze, the batch script file is copied into the Run before Distribution window, as shown in the following screen:

This above script is the same one used in the batch file.

The text in the Script Engine Location is necessary for ZENworks to execute the above script. This information tells ZENworks to use the Operating System to run the script commands above. The %*winsysdir% variable is one of many that can be used with ZENworks. The variable tells ZENworks to look in the operating system’s system directory to find and launch the cmd.exe command. The ‘/C’ parameter is necessary for ZENworks to spawn a new command environment and execute the above code successfully.

Any script can be used at this point in the process, depending on what the administrator wants to do.

NOTE: It is possible to run other more versatile and complex scripts, such as VBscript, by selecting the appropriate Script Engine Location.

Run Options Tab

Alternatively, instead of using the Distribution Options, the Run Options tab is a different route to take. Run Options, as shown in the following screen, is the place that tells ZENworks what programs to run and how to run them when ZENworks launches the application object.

In the above screen, the Path to file field is filled in. While this field can be filled in when the application object is created, it is not recommended. The necessary parameters may be forgotten in later stages of configuration. Also, this option does not need to be set if Distribution Scripts are going to be used. If Distribution Scripts are going to be used, select the Install only option.

According to the parameters in the dialog, the application is running the CMD.exe from the server. This can also be set to run locally using the %*winsysdir% variable. This tells ZENworks to run a command shell prompt and spawn a new command. The new command is running a batch file on the server that has the Freeze-it script inside it.

CMD.EXE is the NT or greater version of COMMAND.COM used with 9x operating systems. Simply switch this if you are running it for 9x environments.

Batch Files versus Distribution Scripts

The difference between using the CMD.EXE and using Distribution Scripts depends on the administrator’s preferred method, as well as the version of ZENworks being used. Older versions of ZENworks do not have the option of using Distribution Scripts.

The advantage of using Distribution Scripts is that batch files do not have to be run from the server. Everything is inside the application object. This means greater security, because if users don’t have access to the object, they can’t read the script inside it. The only thing needed on the server is the DFC.exe program that is executed.

If a batch file is used, unless a program is used to convert it from batch to an executable, the clear-text batch file setting is on the server with the Deep Freeze password inside it. Distribution Scripts can also give much more flexibility when being used with more advanced scripting engines.

Defining Application Rights

Once a method is chosen, using either the Standard Run Options or the more advanced method of Distribution Scripts, the rights for the application need to be defined.

The easiest way to do this is by giving the application object rights to the DFC program on the server.With an older version of ZENworks, the rights need to be given to a user or a group of users. If rights are assigned through the application object, the user or workstation has those rights as long as it is associated with that application object, regardless of run-once statements, etc.

Application Deployment Example

The following example explains how to install an application in a lab that has Deep Freeze enabled.

1. Create the application to install. The example is a browser tweak called IETweak.
   After the application is created, edit the Freeze-it application.
   
   
   
   
2. Select Application Dependencies from the Run Options menu, as shown in the following screen.
   
   
   
   
3. Add the Thaw-it application, created in the same manner as the Freeze-it application.
4. Add the application to be installed.
5. In the above screen, the Thaw-it application is set to wait on reboot.

This is actually telling the Freeze-it object to stop installing other applications until the machine reboots in a Thawed state. Once the machine reboots, the installation process continues, installing the application to the specified machines, and eventually running the Freeze-it program itself, returning the machine to a Frozen state.

This is an example of how ZENworks and Deep Freeze can coexist peacefully. There are limitless combinations of options available in ZENworks.

The following are more advanced options:

1. Schedule application deployments using these scripts and wake-on LAN features available in ZENworks.
2. Do hands-off deployment without users logging in to workstations.
3. Shut-down machines when deployment is done.
4. Using the new Enterprise version of Deep Freeze, you can:
1. See which machines are Thawed or Frozen after an application deployment.
2. Shutdown/Restart machines manually from a central location.

There are truly limitless options available when using ZENworks and Deep Freeze in combination. Together they give flexibility, versatility, and stability in desktop management facilities.