Managing mobile clients

Applies To: Forefront Client Security

Client Security supports mobile clients, such as portable computers; however, you should be aware of the effects on Client Security behavior when users temporarily remove mobile clients from your organization.

Policy deployment

The primary deployment method of Client Security policies is Group Policy. Client computers must be logged on to the domain they belong to, to receive policy updates by Group Policy. When a mobile computer is unable to log on to its domain, it cannot receive Client Security policy updates.

If you use Group Policy to deploy policies, client computers that aren't logged on to their domain receive policies when they next log on to the domain.

If you use file-based policy deployment, you control the method of distributing the registry-file policy to clients, including whether disconnected clients receive policy updates when they next connect to your organization and whether a mobile client can receive registry-file policies across the Internet.

Definition and engine updates

Client Security supports fallback to Microsoft Update when a client computer cannot contact WSUS in your Client Security deployment.

For example, a user could take a portable computer on a trip to various sites that are outside your organization, so the computer is out of contact with WSUS and cannot receive updates from it. During the trip, a new malware threat propagates over the Internet and Microsoft releases malware definition updates that would protect the portable computer from the malware. If fallback to Microsoft Update is enabled, the computer still attempts to contact the WSUS server in your organization. After that attempt fails, it contacts Microsoft Update, receives the malware definition, and the portable computer is protected from the new malware threat.

You can enable this feature in policies that you deploy to mobile clients. For more information, see Configuring fallback for updates.

Data collection and mobile clients

Client Security depends on the MOM agent to send client data to the collection server. The MOM agent queues data when it cannot contact the collection server. Later, when the connection is reestablished, the agent sends the data to the server.

For more information, see Safeguarding Operational Data (

Reporting and mobile clients

You can use the Connectivity Summary report to determine which computers have been out of contact with your Client Security collection server.

You can use the Deployment Summary report to find computers that are reporting out-of-date SSA or malware definitions or engines, or policies.

For more information, see Viewing and printing reports.