Problem:
Unable to execute VB script using OnGuard agent
Diagnostics:
Below is the screenshot of the agent enforcement profile used. As we can see the execution level is set to system
From the onguard logs from client, we see that the OnGuard agent is running in 'Agent' mode:
By default, the OnGuard agent runs in "Agent" mode unless specified.
When OnGuard is run as Agent: Health checks are performed by the OnGuard Agent after the user logs in to the client.
When OnGuard is run as Service: OnGuard Agent performs health checks as soon as the client boots up, that is, even before the user logs in to the client. When a user logs in to the client, the user can view the most recent health check results via the OnGuard Agent user interface. The user can perform health checks again by clicking the Retry button.
When OnGuard is run as Both Agent and Service: When the user is not logged in to the client, the ClearPass OnGuard Agent service performs health checks. As soon as the user logs in to the client, the ClearPass OnGuard Agent service stops health checks and the OnGuard Agent user interface initiates health check.
When the Run OnGuard As parameter is set to Service, the following limitations pertain:
In Service mode, OnGuard always runs in Health Only mode; that is, OnGuard always sends the client's MAC Address as User Name.
If a user is not logged in, some of the health checks and auto-remediation may fail in Service mode. These health checks are user-level checks, such as Registry Keys (HKCU), Processes, and Installed Applications (user applications).
When OnGuard Agent is running in Service mode, the OnGuard user interface is used only to display messages and provide the Retry button (to perform health checks).
The Enable to Hide Quit Option does not have any effect in Service mode as the Quit button is only for exiting the OnGuard user interface.
Solution
In order to execute scripts at system level, onguard agent needs to be run in "Service" mode or "BothServiceAndAgent"
