02: How must I prepare for my PolicyPak QuickStart / Onboarding?
We’re excited to be working with you on getting PolicyPak working inside your environment.
Remember: We have 60 minutes or 90 minutes to work together. That SOUNDS like a lot of time, but it really isn’t. As such, you NEED TO BE PREPARED before we arrive.
If you are unable to complete these steps we can still meet. But then we’ll just lose all our time getting set up, and have to schedule the ACTUAL GOOD STUFF for some LATER TIME and/or not get to everything YOU want to do and see.
Having these steps below completed ahead of time ENSURE a GUARANTEED WIN instead of spending most of our allotted time getting software downloaded and troubleshooting connectivity issues.
There are MANY PARTS to this letter, please read ALL PARTS… all the way thru to the end. If you have questions about the steps, contact your TECHNICAL LEAD who is assigned to you.
Before our meeting together please have:
- All the items done as per these instructions on VMs or real machines up and ready to go,
- All software installed, and …
- Everyone on the call you need/want in the room and ready to go.
- (Optional if testing PolicyPak Cloud) you’ve verified you can LOG ON to PolicyPak Cloud.
This document is long, the steps are not trivial.. and could take around an hour or more depending on what you already have / don’t have ready-to-go.
PART 1: ENABLING US TO REMOTE CONTROL YOUR GPMC MACHINE
- We need to remote control YOUR ADMIN / GPMC MACHINE.
- We need to remote control the machine with the GPMC on it.
- The GPMC machine should be running on Windows 10 or Server 2016 or later.
- Remember: PolicyPak doesn’t REQUIRE you to install anything on Domain Controllers, and we don’t need access to a Domain Controller. If you HAPPEN to use a DC for the GPMC, that’s fine. But that’s not REQUIRED.
Here are the three options for us to remote control the GPMC machine:
- Option 1 (Ours): We use RingCentral (which is the same as Zoom-meetings) meeting found in the LOCATION field.
- Option 2 (Ours): We use TeamViewer. You must use OUR VERSION and not the “latest” which doesn’t work with our version. Go to http://www.PolicyPak.com/help then install and see it run.
- Option 3 (Yours): If you want to supply us with a GoToMeeting or something similar, that’s great. Email your PolicyPak Tech Lead with the details!
Part 2: Getting organized, understanding the DC, and creating your endpoint(s)
Please be ORGANIZED for our time together. Here are the steps required and exactly what to do. Before our time together please:
- Use the PolicyPak Customer Portal (http://www.policypak.com/customerportal) then download “Everything”.
Tip: If you cannot remember your password, you can reset it right on that page.
Tip: Note that inside the ZIP download, there is an ISO (the bits) and also a ZIP file (the Paks).
- Create a share on a SERVER and ensure the share is available from the GPMC computer and Client (test endpoint) machine.
- Unpack and take the stuff INSIDE the Bits ISO – and put it on the share. (Use any ISO reading program.).
- Unpack and take the stuff INSIDE the Pak ZIP – and put it on the share. (Use any unzipper.)
Final result on a server… Everything nicely extracted and ready to be used:
- For all versions of PolicyPak (Group Policy, MDM and Cloud), you will need access to a Domain Controller (DC) running Active Directory to create real GPOs. This DC can be a real or “fake” DC.
TIP: If you have a REAL domain and can create real GPOs during our time together… GREAT. No need to do anything.
- Have newly created / CLEAN test endpoint computers available. Please do not take a machine with “everything in your standard image” with 200 pieces of software, and drag it into these first tests.
- Clean Windows 10 preferred, but Windows 7 or 8.1 okay as well.
- Again, the cleaner, the better. A fresh copy of Windows 10, latest version is ideal.
- If you can live without special Antivirus or special security software on this example machine, that will be best. If you MUST use A/V or security software, please perform these steps: https://kb.policypak.com/kb/article/270-howto-how-must-i-configure-my-antivirus-to-work-with-policypak-cse/
- For PolicyPak Group Policy Edition:
- Be sure this computer is JOINED to the domain and in a LICENSED OU.
- If you wish to run UN-licensed, that’s fine. Rename the endpoint to COMPUTER1 or anything with COMPUTER in the name. (More about this method in a bit.)
- For PolicyPak Cloud and PolicyPak MDM:
- You should have ONE machine JOINED to your Active Directory. We call this the “Walk before you run” computer.
- Leave the SECOND MACHINE not domain joined. After we see PolicyPak work with the domain joined machines, we’ll use those directives with PolicyPak Cloud or PolicyPak MDM.
Part 3: What to install on your Windows 10 (or Windows 8.1, Win 7) endpoint
Please install ALL of the following software on your example ENDPOINT(s):
- Installing the latest PolicyPak Client Side Extension you downloaded and unpacked in the previous step. Here’s the exact how-to: https://policypak.happyfox.com/kb/article/459-04-admin-console-and-cse-installation/
- WinZip 14.5 (Yes, WinZip14.5! http://www.winzip.com/downarc.html)
- Firefox ESR (must be Firefox ESR not “Regular” Firefox RR https://www.mozilla.org/en-US/firefox/organizations/)
- Chrome (https://www.google.com/chrome/browser/desktop/)
(Optional) If you want to perform some PolicyPak Least Privilege base hits:
- Download and have ready Process Monitor (https://docs.microsoft.com/en-us/sysinternals/downloads/procmon) on the endpoint.
- Install any software you want to see “magically work” with PolicyPak Least Privilege Manager and overcome UAC prompts. For instance, if you have something that REQUIRES admin rights, but not sure how to “work it out” then have it already installed on your example machine, and we’ll make the rules together so you can see it working.
TIP: If you want to “convert” from another least privilege tool to PolicyPak Least Privilege Manager, see section 9 for additional steps.
Part 4: Remote controlling from YOUR GPMC machine to your example endpoint machine.
Remember that we will be using RingCentral or TeamViewer to remote control YOUR machine, the one with the GPMC.
But then from YOUR machine, we need to remote control the example endpoint.
Maybe you’re using some kind of fancy remote control utility, or everything is nicely inside VMware or Hyper-V. That’s great.
But if NOT, then you need to ensure that the EVERYONE group has the ability to REMOTE CONTROL your ENDPOINT using Remote Desktops. The default is that only Admins can remote control. Here is how to adjust that: http://screencast.com/t/arnYvvhXt.
VERIFY AND TEST that from YOUR MACHINE (the one with the GPMC) you can Remote Control (MSTSC.EXE / RDP / some other way) into your endpoint(s) (like COMPUTER1) as an example standard user.
Remember: We can only see *YOUR* machine.. we need YOU to verify that we will be able to see the target example machines.
Part 5: All about licensing !
You can run PolicyPak “licensed” or “unlicensed.”
To run PolicyPak Licensed:
- PolicyPak Group Policy Edition:
- Please pre-install the LICENSE FILES you received. Watch this video for the steps. We generally recommend “Way #2”.
- The computer should be placed in one of your LICENSED OUs ahead of our meeting.
- PolicyPak MDM Edition:
- You should have an MDM license file from your sales person. Keep your PolicyPak MDM license MSI handy for our tech work together.
- PolicyPak Cloud edition:
- You will “claim” a license when you install the PolicyPak Cloud client.
To run PolicyPak Un-licensed (any version):
- You can run a PolicyPak trial WITHOUT A LICENSE:
Example machine renamed to work UN-licensed:
PART 6: PREPARING FOR POLICYPAK CLOUD
(Continue here If you are ALSO trialing PolicyPak Cloud).
Tip: PolicyPak Cloud is NOT the PolicyPak Portal.
- The PolicyPak Portal is where you downloaded the “Bits” and “Paks.”
- The PolicyPak Cloud is the service to manage machines over the Internet.
- You should have a WELCOME LETTER to the PolicyPak Cloud. If you cannot find your welcome letter, go to https://cloud.policypak.com/Account/ForgotPassword and request it. Then log on to https://cloud.policypak.com.
- VERIFY that you can log on to the PolicyPak Cloud. That’s it. Just make sure you can log on. You do not need to do anything else at this time.
- Make sure from YOUR MACHINE we can remote control the ENDPOINT which is the machine you’ll be managing using PolicyPak Cloud.
Part 7: Preparing for PolicyPak MDM
(Continue here if you are ALSO trialing PolicyPak MDM)
PolicyPak MDM Licensing can be a little tricky.
Part 8: Final thoughts for PolicyPak Cloud and PolicyPak MDM
IMPORTANT: Reminder about having a “real” or “not really real” domain:
Even though the PP Cloud service requires no REAL on-prem Active Directory, it DOES require at least one “not really real” domain and domain controller *AND* we have recommended you JOIN one machine to it. Why?
Because you’ll use that DC to create directives, export them, and then upload those directives to PP Cloud. Said another way, you cannot create PolicyPak policies WITHOUT a “real” or “not really real” domain.
Additionally, with ONE machine joined to your “not really real” domain, you’ll be able to do quicker tests and verify your ideas work via Group Policy… before using PolicyPak Cloud or PolicyPak MDM.
If you do not have a “real” or “not real domain” please see and perform these steps:
Part 9: Converting from another least-privilege tool to PolicyPak Least Privilege Manager
If you’ve pre-arranged or asked for this, then we’re ready to help. In order to best help you convert from another least-privilege tool to PolicyPak Least Privilege Manager here is what we recommend:
- Have two example endpoint PCs with the same version of Windows. I’ll call them COMPUTER1 and COMPUTER2 here.
- On Computer1, install all the software you’re already elevating and working around with your existing least-privilege tool. Be sure ALL the UAC prompts are overcome as expected because your existing (old) least-privilege tool is working as expected.
- On Computer2, ALSO install all the software you’d like to elevate and work around UAC prompts. Install the PolicyPak Client Side Extension on this machine. Because PolicyPak Least Privilege Manager doesn’t have any rules yet, the end-user software won’t work as expected and should present UAC prompts.
Together, our goal during our time will be to examine your existing rules (which work in your old tool) and create PolicyPak Least Privilege Manager rules which will work similarly.
Make sure both computers are joined to the domain and we can create GPOs and affect Computer2 with PolicyPak directives.