So after a few days of research, this is what I've gathered.
- There are no issues when deploying the light agent and the global settings being pushed to the client.
- When running the full client, one needs to have a DWORD (32-bit) registry key on the client named "GlobalConfigEnabled" set to the value 1. But this only works, as far as I understand, when the full client is run as admin on the machine, which is far from optimal.
With the following knowledge I decided to make use of the client registry to make it work like I wanted to. This is documented in the R75.20 admin guide, if I remember correctly. It's not mentioned in the newer versions.
So what I ended up doing was to download the latest full client .msi file from supportcenter, and use the IAConfigTool to set it up the way I wanted it. To make the necessary changes to the client I deployed the following registry keys:
```
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\IA]
"DisableSettings"=dword:00000001
"DisableQuit"=dword:00000001
"HideGui"=dword:00000001
"GlobalConfigEnabled"=dword:00000000
"PdpDiscoveryEnabled"=dword:00000001
"DefaultGatewayEnabled"=dword:00000001
```
Registry path might be different depending on 32/64 bit and if you install for all users or only current user.
The first three are pretty self-explanatory. The other three disable the client from getting the global policy pushed from the gateway, enable the client to use automatic discovery when trying to find the gateway (this must be configured in the distributed config tool installed with the local client; otherwise use the string value "DefaultGateway"="<gateway>"), and the last one I'm not sure about, but without it, it asks how to connect on each logon of the client. So I guess that is needed.
With my pre-configured .msi file and a .reg file I was able to deploy this with SCCM. It will restart the NICs on install, and you need to log out and back in if it is installed as SYSTEM; otherwise the logged-on user won't be detected by the client.
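
A verification script for the deployment described above, added here as an example and not part of the original post: it checks that the six values from the .reg file are present with the intended data on a client. The `WOW6432Node` path is the one from the post; the two alternative paths are assumptions covering the 32/64-bit and per-user cases the post mentions, and the function name `Test-IAClientConfig` is hypothetical.

```powershell
# Expected DWORD values, copied from the .reg file in the post.
$expected = [ordered]@{
    DisableSettings       = 1
    DisableQuit           = 1
    HideGui               = 1
    GlobalConfigEnabled   = 0
    PdpDiscoveryEnabled   = 1
    DefaultGatewayEnabled = 1
}

# First path is the one from the post. The other two are assumptions
# (native view on 32-bit Windows, and a per-user install).
$candidates = @(
    'HKLM:\SOFTWARE\WOW6432Node\CheckPoint\IA',
    'HKLM:\SOFTWARE\CheckPoint\IA',
    'HKCU:\SOFTWARE\CheckPoint\IA'
)

function Test-IAClientConfig {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.Collections.IDictionary]$Expected
    )
    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($name in $Expected.Keys) {
        # A missing value yields $null here and is reported as non-compliant.
        $prop = $props.PSObject.Properties[$name]
        [pscustomobject]@{
            Name      = $name
            Expected  = $Expected[$name]
            Actual    = if ($prop) { $prop.Value } else { $null }
            Compliant = ($null -ne $prop) -and ($prop.Value -eq $Expected[$name])
        }
    }
}

# Use the first candidate key that exists on this machine.
$path = $candidates | Where-Object { Test-Path -Path $_ } | Select-Object -First 1
if (-not $path) {
    Write-Output 'No CheckPoint\IA key found under the candidate paths.'
    exit 1
}

$results = Test-IAClientConfig -Path $path -Expected $expected
Write-Output "Checked $path"
$results | Format-Table -AutoSize

# Non-zero exit code when any value is missing or differs from the .reg file.
if ($results | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```

Run it in a 64-bit PowerShell session so the `WOW6432Node` path resolves as written; a 32-bit process is redirected to that view automatically and would find the values under the second candidate path instead.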