Configuring Offline Mode

Manage the offline policies for the Endpoint Security client components that are supported in Offline Mode from each Offline Group in the Users and Computers tab. The policies for users in these groups are not configured in the Policy tab and are not included in policy installation.

  1. Each Offline Group defines the location for its files and the included policies. Computers that install the package do not show in the tree on the Users and Computers tab.

    For each group you configure a root path of the shared location where files for the group are stored, and sub-paths for each type of file. You must manually create each sub-path. Folders for these files are required. The default location is under the root path:

    To create an Offline Group:

    1. In the Users and Computers tab navigation tree, right-click on Offline Groups and select New Offline Group.

      The New Offline Group wizard opens

    2. Enter this information:

      • Offline group name - A name for the group

      • Root Path - The root path of the shared location where files for this group are stored. This must be a valid UNC path or HTTP/HTTPS path. For example, \\server\share\ or http://server/share/. HTTP and HTTPS paths are only supported when the WebDAV extension is enabled on the web server.

      • Description (optional) - Helpful information about the group or policies

    3. Click Sub-paths.

      The Sub-path Settings window opens.

    4. Select a Category. Each category has a default path under the defined root path. Keep the default or click Add, Edit, or Remove to change the path or add a new one.

    5. Click OK.

    6. Select a value for each of the Synchronization Settings:

      • Clients sync with shared location every X minutes

      • After a failed connection, clients retry to sync with shared locations every X minutes

      • Clients stop trying to sync with shared location after X failed attempts - This is only active when selected.

    7. Click Next to configure the Policies for the group.

  2. Configure a Policy for each Endpoint Security client component:

    Authorize Pre-boot Users

    Continue with the New Offline Group wizard or click Authorize Pre-boot Users to configure the users who can log in to computers in the offline group.

    • Click Add to add an authorized user

    • Click Remove to remove a use

      Note - Removing a user from the Authorized Pre-bootClosed Authentication before the Operating System loads. user list will not remove the user from an already installed client. Use the Blocked Users feature to remove users on clients.

    • Click Show all users to show the complete list

    • Enter text in the Search field to search the list of users

    • Click Blocked Users to create a list of users who are blocked from all computers in the offline group

    Note - Smart Card authentication is not supported for Offline Pre-boot users. Select password or dynamic token as the authentication method.

    Full Disk Encryption Policy

    Continue with the New Offline Group wizard or click Full Disk Encryption to configure the Full Disk Encryption policy settings for the group.

    OneCheck User Settings Policy

    Client Settings Policy

    • Continue with the New Offline Group wizard or click Client Settings to configure the Client Settings policy settings for the group. All authorized users on a computer use the same Client Settings policy.

    Completing the Wizard

    • The Wizard shows the version and components in the latest package.

    • Click Finish at the end of the New Offline Group wizard.

      The Offline Group and all of its configurations and policies are saved. If you do not click Finish at the end of the Wizard, the group is not saved.

    Note - From the Group Details view, click Pre-boot Users to open:

    • The Authorized Pre-boot Users list

    • The Blocked Pre-boot Users list.

  3. Export the required packages and put them in the configured shared locations.

    To export packages:

    In the Users and Computers tab, right-click on the Offline Group and select an option.

    Option

    Description

    Notes

    Get Update Policy File

    Exports a file with policy updates.

    This file has CPPOL extension. You must put the CPPOL file in the Updates folder.

    Get Offline Management File (cpomf)

    Exports a CPOMF file that contains definitions that you can use to log in to the Endpoint Offline Management Tool.

    This is for a help desk or contractor environment that needs access to the Tool for Remote HelpClosed Users can be denied access to their Full Disk Encryption-protected computers or Media Encryption & Port Protection-protected devices for many different reasons. Remote Help can help users in these types of situations. The user contacts the Help Desk or specified administrator and follows the recovery procedure. and creation of recovery media without access to an Endpoint Security server.

    Full Disk Encryption > Get Bypass Pre-boot File

    When installed, the computer bypasses Pre-boot based on the policy configured in the Pre-boot Protection > Temporary Pre-boot Bypass settings of the Offline group.

    You must put the CPPOL file in the Updates folder.

    Full Disk Encryption > Get Revert Pre-boot to Policy Configuration File

    Returns the computer to the regular Pre-boot policy.

    You must put the CPPOL file in the Updates folder.

    Deployment > Get Initial Package

    Exports a complete MSI with the Offline Policy. This can be used for new client installation.

     

    Deployment > Get Upgrade Package

    Exports a package to upgrade an existing offline client, and the updated CPPOL file. The details of the package are shown. Make sure the version is higher than the currently installed client version. You can select the Export update offline policy option to export a CPPOL file with the package.

    Put the CPPOL file in the configured Updates folder and put the MSI in the configured Upgrades folder.

    Deployment > Get Offline to Online File

    Exports a file that converts an offline client to an online client. After installation, the client will connect to the server that the file was exported from.

    You must put the CPPOL file in the Updates folder.

    For best practices, see Moving from Offline to Online Mode

    To export all offline administrators:

    1. Right-click on an offline group and select Get Offline Management File (cpomf) or

    2. Select multiple administrators in an Administrator OU under an offline group, right-click, and select Get Offline Management File (cpomf).

    To replace the installation policy file for the offline group:

    This is only necessary if you installed a client with an installation policy that contains shares that the client cannot access. The client remains in the installation state as the recovery file cannot be uploaded to the share.

    1. In the Users and Computers tab, right-click on the Offline Group and select Advanced > Get Install Policy File.

    2. Replace the installation policy located in the local Work folder on the client.

      The Work folder with the policy is located in:

      • On x64 client:

        %PROGRAMFILES(X86)%\CheckPoint\Endpoint Security\Endpoint Common\Work\

      • On x86 client:

        %PROGRAMFILES%\CheckPoint\Endpoint Security\Endpoint Common\Work\

    3. Reboot to continue the installation.

  4. Instruct users to install the packages from the sub-paths. Make sure they have the required access.

    To deploy packages:

    Automatically deploy the offline client on computers or give users instructions to get the packages they require.

    To push a policy update for a specified client:

    Place the policy in the Work folder locally on the client.

    • On x64 client:

      %PROGRAMFILES(X86)%\CheckPoint\Endpoint Security\Endpoint Common\Work\

    • On x86 client:

      %PROGRAMFILES%\CheckPoint\Endpoint Security\Endpoint Common\Work\

    If the client finds an update policy in the Work folder, the client makes sure that the update is new, imports it, and deletes the update from the Work folder.

    The client then continues to use the normal update interval as configured.

    To update policies on specified clients:

    To update a specified computer, you can put an update policy in the client's folder located in the Updates sub-path. When the client connects to the share it will check the Updates sub-path for new updates, but it will also check its own folder, located in the Clients folder. The client automatically creates this folder the first time it connects. The name of the folder is its hostname.

    Client Connections to Network Shares

    Clients use the currently logged-in user to connect to the defined shares and search for update policies and to upload recovery files, logs, and status files. If there is no user logged-in or if multiple users are logged-in, the connection to the share is not available.

    The logged-in user on the client must have these permissions on the share to be able to update and download files:

    Location

    Required Permissions

     

    Read

    Write

    List

    Execute

    Modify

    Delete

    Create

    Update Directory

     

     

     

    Recovery Files Directory

    Client Log Directory