We’re excited to be working with you on getting PolicyPak working inside your environment.
Remember: We have 60 minutes or 90 minutes to work together. That SOUNDS like a lot of time, but it really isn’t. As such, IT'S BEST TO BE PREPARED before we arrive.
If you are unable to complete these steps we can still meet. But then we’ll spend a good portion of our allotted time getting set up, and may have to schedule the ACTUAL GOOD STUFF for some LATER TIME and not get to everything YOU want to do and see.
Having these steps below completed ahead of time ENSURES a GUARANTEED WIN instead of spending most of our allotted time getting software downloaded and troubleshooting connectivity issues.
There are MANY PARTS to this letter; please read ALL PARTS. If you have questions about the steps, contact your TECHNICAL LEAD who is assigned to your Onboarding.
Before our meeting together please have:
- All the items done as per these instructions on VMs or real machines, and ensure those machines are up and ready to go,
- All software installed (or at least downloaded and accessible to all the machines you plan to use during our meeting),
- Everyone on the call you need/want in the room and ready to go.
- (Optional if testing PolicyPak Cloud) you’ve verified you can LOG ON to PolicyPak Cloud.
This document is long and the steps are not trivial. They could take around an hour or more depending on what you already have/don’t have ready to go.
PART 1: ENABLING US TO CONTROL OR VIEW YOUR GPMC MACHINE
We need to remote control (or at least view) YOUR ADMIN / GPMC MACHINE. That way we can see what you're doing and coach you along.
Note: The GPMC machine should be running on Windows 10 or Server 2016 or later.
Remember: PolicyPak doesn’t REQUIRE you to install anything on Domain Controllers, and we don’t need access to a Domain Controller. If you HAPPEN to use a DC for the GPMC, that’s fine. But that’s not REQUIRED.
Tip: Here's how to install the GPMC on your Admin / GPMC machine: https://kb.policypak.com/kb/article/949-what-are-the-two-ways-that-can-i-install-the-gpmc-on-my-admin-station-server-or-windows-10-machine/
Here's how we can remote view your Admin / GPMC machine:
- Option 1 (Ours): We use our Zoom meetings
- Option 2 (Yours): If you want to supply us with a GoToMeeting or something similar, that’s great. Email your PolicyPak Tech Lead with the details!
Part 2: Getting organized, understanding the DC, and creating your endpoint(s)
Please be ORGANIZED for our time together. Here are the steps required and exactly what to do. Before our time together please:
- Use the PolicyPak Customer Portal (http://www.policypak.com/customerportal) then download “Everything”.
Tip: If you cannot remember your password, you can reset it right on that page.
Tip: Note that inside the ZIP download, there is an ISO (the bits) and also a ZIP file (the AppSets).
- Create a share on a SERVER and ensure the share is available from the GPMC computer and Client (test endpoint) machine.
- Unpack and take the stuff INSIDE the Bits ISO and put it on the share. (Use any ISO reading program.)
- Unpack and take the stuff INSIDE the AppSets ZIP and put it on the share. (Use any unzipper.)
Final result on a server… Everything nicely extracted and ready to be used:
- For all versions of PolicyPak (Group Policy, MDM, and Cloud), you will need access to a Domain Controller (DC) running Active Directory to create real GPOs. This DC can be a real or “fake” DC.
TIP: If you have a REAL domain and can create real GPOs during our time together… GREAT. No need to do anything.
- If you have NO domain at all, you need one FIRST. Download and install Windows Server 2016 or 2019 180-day eval here: https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2016/
- Then be sure to run these steps to make your first domain controller in a new domain: https://kb.policypak.com/kb/article/480-policypak-all-versions-how-to-create-a-dc-for-editing-purposes/
Tip: The domain controller name and domain name DO NOT MATTER.
- Have newly created / CLEAN test endpoint computers available. Please do not take a machine with “everything in your standard image” with 200 pieces of software, and drag it into these first tests.
- Clean Windows 10 preferred, but Windows 11 is okay as well.
- Again, the cleaner, the better. A fresh copy of Windows 10, the latest version is ideal.
- If you can live without a special Antivirus or special security software on this example machine, that will be best. If you MUST use A/V or security software, please perform these steps: https://kb.policypak.com/kb/article/270-howto-how-must-i-configure-my-antivirus-to-work-with-policypak-cse/
- For PolicyPak Group Policy Edition:
- Be sure this computer is JOINED to the domain and in a LICENSED OU.
- If you wish to run UN-licensed, that’s fine. Rename the endpoint to COMPUTER1 or anything with COMPUTER in the name. (More about this method in a bit.)
- For PolicyPak Cloud and PolicyPak MDM:
- You should have ONE machine JOINED to your Active Directory. We call this the “Walk before you run” computer.
- Leave the SECOND MACHINE not domain joined. After we see PolicyPak work with the domain-joined machines, we’ll use those directives with PolicyPak Cloud or PolicyPak MDM.
Part 3: What to install on your Windows 10 or 11 ENDPOINT
First, know that PolicyPak and other security software may not play nicely together right away. As such, please review and follow these guidelines first: https://kb.policypak.com/kb/article/270-how-must-i-configure-my-anti-virus-to-work-with-policypak-cse/
Second, please install ALL of the following software on your example ENDPOINT(s):
- Install the latest PolicyPak Client Side Extension you downloaded and unpacked in the previous step. Here’s the exact how-to: https://policypak.happyfox.com/kb/article/459-04-admin-console-and-cse-installation/
- Download and have ready Process Monitor (https://docs.microsoft.com/en-us/sysinternals/downloads/procmon) on the endpoint.
- Firefox ESR (must be Firefox ESR, not “Regular” Firefox RR): https://www.mozilla.org/en-US/firefox/organizations/
- Chrome (https://www.google.com/chrome/browser/desktop/)
- (Optional, recommended): PolicyPak's engine can be controlled via ADMX settings, and having these pre-staged and ready to go can help us work around issues from time to time. To pre-install the ADMX settings please watch this video: https://kb.policypak.com/kb/article/505-troubleshooting-with-admx-files/
- (Optional, recommended): If you want to perform some PolicyPak Least Privilege base hits: Install any software you want to see “magically work” with PolicyPak Least Privilege Manager and overcome UAC prompts. For instance, if you have something that REQUIRES admin rights, but you’re not sure how to “work it out”, then have it already installed on your example machine, and we’ll make the rules together so you can see it working.
TIP: If you want to “convert” from another least privilege tool to PolicyPak Least Privilege Manager, see Part 9 for additional steps.
Part 4: Remote controlling from YOUR GPMC machine to your example endpoint machine.
Remember that we will be using RingCentral or TeamViewer to remote control YOUR machine, the one with the GPMC.
But then from YOUR machine, we need to remote control the example endpoint.
Maybe you’re using some kind of fancy remote control utility, or everything is nicely inside VMware or Hyper-V. That’s great.
But if NOT, then you need to ensure that the EVERYONE group has the ability to REMOTE CONTROL your ENDPOINT using Remote Desktop. The default is that only Admins can remote control. Here is how to adjust that: http://screencast.com/t/arnYvvhXt.
VERIFY AND TEST that from YOUR MACHINE (the one with the GPMC) you can Remote Control (MSTSC.EXE / RDP / some other way) into your endpoint(s) (like COMPUTER1) as an example standard user.
Remember: We can only see *YOUR* machine. We need YOU to verify that we will be able to see the target example machines.
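An added example, not part of the original letter and not PolicyPak's own tooling: a PowerShell pre-flight check to run on the Admin / GPMC machine. It confirms the GPMC install, the Part 2 share, the COMPUTER naming used for unlicensed testing, and RDP reachability of the endpoint(s). The share path `\\SERVER1\PolicyPak`, the endpoint list and the default RDP port TCP 3389 are assumptions; substitute your own values.

```powershell
# Added example: pre-meeting checks, run ON the Admin / GPMC machine.
# Assumed values (not from the letter): share path, endpoint names, RDP on TCP 3389.
param(
    [string]   $SharePath = '\\SERVER1\PolicyPak',  # placeholder share holding Bits + AppSets
    [string[]] $Endpoints = @('COMPUTER1'),         # placeholder test endpoint name(s)
    [switch]   $Unlicensed                          # set when trialing without license files
)

$results = New-Object 'System.Collections.Generic.List[object]'
function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail })
}

# Part 1: the GroupPolicy module is installed together with the GPMC.
$gpmc = [bool](Get-Module -ListAvailable -Name GroupPolicy)
Add-Result 'GPMC (GroupPolicy module) installed' $gpmc ''

# The GPMC machine should sit in the domain (real or "fake") where GPOs get created.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
Add-Result 'This machine is domain-joined' ([bool]$cs.PartOfDomain) $cs.Domain

# Part 2: share reachable from here and actually populated.
$shareOk = Test-Path -LiteralPath $SharePath
$items = if ($shareOk) { @(Get-ChildItem -LiteralPath $SharePath).Count } else { 0 }
Add-Result "Share reachable: $SharePath" ($shareOk -and $items -gt 0) "$items top-level items"

foreach ($ep in $Endpoints) {
    if ($Unlicensed) {
        # Unlicensed trial: the endpoint name must contain COMPUTER.
        Add-Result "$ep name contains COMPUTER" ($ep -match 'COMPUTER') ''
    }
    # Part 4: can this machine reach the endpoint's RDP listener?
    $rdp = Test-NetConnection -ComputerName $ep -Port 3389 -WarningAction SilentlyContinue
    Add-Result "$ep RDP port 3389 reachable" ([bool]$rdp.TcpTestSucceeded) "$($rdp.RemoteAddress)"
}

$results | Format-Table -AutoSize
if ($results.Ok -contains $false) { exit 1 }
```

A reachable port only shows that the RDP listener is up; still log on with MSTSC.EXE as an example standard user, and check the share from the endpoint itself.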
Part 5: All about licensing!
You can run PolicyPak “licensed” or “unlicensed.”
To run PolicyPak Licensed:
- PolicyPak Group Policy Edition:
- Please pre-install the LICENSE FILES you received. Watch this video for the steps. We generally recommend “Way #2”.
- The computer should be placed in one of your LICENSED OUs ahead of our meeting.
- PolicyPak MDM Edition:
- You should have an MDM license file from your salesperson. Keep your PolicyPak MDM license MSI handy for our tech work together.
- PolicyPak Cloud edition:
- You will “claim” a license when you install the PolicyPak Cloud client.
To run PolicyPak Un-licensed (any version):
- You can run a PolicyPak trial WITHOUT A LICENSE:
- Ensure that the computer is named COMPUTER1 or something similar with COMPUTER in the name.
Tip: When a computer has COMPUTER in the name it pretends to be fully licensed for trial purposes. More details on this topic: https://kb.policypak.com/kb/article/483-pp-all-versions-testing-and-troubleshooting-by-renaming-an-endpoint-computer/
Example machine renamed to work UN-licensed:
PART 6: PREPARING FOR POLICYPAK CLOUD
(Continue here if you are ALSO trialing PolicyPak Cloud.)
Tip: PolicyPak Cloud is NOT the PolicyPak Portal.
- The PolicyPak Portal is where you downloaded the “Bits” and “AppSets.”
- The PolicyPak Cloud is the service to manage machines over the Internet.
- You should have a WELCOME LETTER to the PolicyPak Cloud. If you cannot find your welcome letter, go to https://cloud.policypak.com/Account/ForgotPassword and request it. Then log on to https://cloud.policypak.com.
- VERIFY that you can log on to the PolicyPak Cloud. That’s it. Just make sure you can log on. You do not need to do anything else at this time.
- Make sure from YOUR MACHINE we can remote control the ENDPOINT which is the machine you’ll be managing using PolicyPak Cloud.
Part 7: Preparing for PolicyPak MDM
(Continue here if you are ALSO trialing PolicyPak MDM)
PolicyPak MDM Licensing can be a little tricky.
- If you RENAME the computer to have COMPUTER in the name, the computer will ACT fully licensed.
- If we SUPPLIED a license file to you, we’d like for you to PRE-TEST that out. Here’s the video to demonstrate exactly how to verify the MDM license file (sent as an MSI file) will work. https://kb.policypak.com/kb/article/481-policypak-and-mdm-walk-before-you-run/
Part 8: Final thoughts for PolicyPak Cloud and PolicyPak MDM
IMPORTANT: Reminder about having a “real” or “not really real” domain:
Even though the PP Cloud service requires no REAL on-prem Active Directory, it DOES require at least one “not really real” domain and domain controller *AND* we have recommended you JOIN one machine to it. Why?
Because you’ll use that DC to create directives, export them, and then upload those directives to PP Cloud. Said another way, you cannot create PolicyPak policies WITHOUT a “real” or “not really real” domain.
Additionally, with ONE machine joined to your “not really real” domain, you’ll be able to do quicker tests and verify your ideas work via Group Policy… before using PolicyPak Cloud or PolicyPak MDM.
If you do not have a “real” or “not really real” domain, please see and perform these steps:
- https://kb.policypak.com/kb/article/480-policypak-all-versions-how-to-create-a-dc-for-editing-purposes/
- https://kb.policypak.com/kb/article/472-pp-all-versions-testing-and-troubleshooting-by-renaming-an-endpoint-computer/
Part 9: Converting from another least-privilege tool to PolicyPak Least Privilege Manager
If you’ve pre-arranged or asked for this, then we’re ready to help. To best help you convert from another least-privilege tool to PolicyPak Least Privilege Manager here is what we recommend:
- Have two example endpoint PCs with the same version of Windows. I’ll call them COMPUTER1 and COMPUTER2 here.
- On Computer1, install all the software you’re already elevating and working around with your existing least-privilege tool. Be sure ALL the UAC prompts are overcome as expected because your existing (old) least-privilege tool is working as expected.
- On Computer2, ALSO install all the software you’d like to elevate and work around UAC prompts. Install the PolicyPak Client Side Extension on this machine. Because PolicyPak Least Privilege Manager doesn’t have any rules yet, the end-user software won’t work as expected and should present UAC prompts.
Together, our goal during our time will be to examine your existing rules (which work in your old tool) and create PolicyPak Least Privilege Manager rules which will work similarly.
Make sure both computers are joined to the domain and we can create GPOs and affect Computer2 with PolicyPak directives.