CA Tuesday Tip: How to secure a CA DLP Client Installation.

Discussion created by devan05 Employee on Sep 6, 2011
CA DLP Tuesday Tip by Andrew Devine, Snr. Support Engineer for 6 September 2011

To prevent unauthorized uninstallations of the CA DLP client, you can deploy the DLP Client via the command line, Group Policy or SMS installations, using the “ClientLockDown.mst“ transform. This will prevent users from uninstalling CA DLP from the control panel using the Add/Remove Programs option as the “ClientLockDown.mst” transform disables the Change and Remove buttons when a user selects CA DLP in the Add/Remove Programs dialog.

To employ the “ClientLockDown.mst” transform firstly create an administrative installation. This enables client machines to install CA DLP directly from the network without generating excessive network traffic or requiring excessive free disk space on the client.

The administrative installation installs a source image of CA DLP onto the network in a target folder specified by you. The source image is called Client.msi. You must put this source image in a shared network folder to which all the target machines have read access.

To perform an administrative installation, use the /a command line option for Msiexec.exe.

The syntax is:

msiexec /a <Path>\client.msi

Once you have an Administrative installation, locate the “ClientLockDown.vbs” script in the \Support folder of your CA DLP distribution media. When you run the script, it creates the transform, “ClientLockDown.mst”. Finally, copy the transform into the folder containing your administrative installation source image.

Further information on installation options and transforms can be located in the CA DLP Documentation which is available to download from the CA Support Portal ( or MyCA.