Documente Academic
Documente Profesional
Documente Cultură
Ivanti retains the right to make changes to this document or related product specifications and
descriptions, at any time, without notice. Ivanti makes no warranty for the use of this document and
assumes no responsibility for any errors that can appear in the document nor does it make a
commitment to update the information contained herein. For the most current product information,
please visit www.Ivanti.com.
Table of Contents
Table of Contents .............................................................................................................................................. 2
Management Suite 2016.3 Overview ............................................................................................................... 17
Module Objectives ....................................................................................................................................... 17
Introduction to Management Suite 2016 ....................................................................................................... 18
Management Suite 2016 .............................................................................................................................. 18
What Management Suite 2016 enables you to do ........................................................................................ 18
Where to go for more information ................................................................................................................. 19
Management Suite Terms ............................................................................................................................ 20
Ivanti Products ............................................................................................................................................. 20
Management Suite Core Server ...................................................................................................................... 21
Module Objectives ....................................................................................................................................... 21
Designing the Management Suite Domain ................................................................................................... 22
Planning the Organization Model ................................................................................................................. 22
Core Synchronization ................................................................................................................................... 22
Role Based Administration ........................................................................................................................... 23
Selecting components to implement............................................................................................................. 23
Understanding the different functionality available by device OS .............................................................. 23
Understand compatibility with previous versions of Management Suite .................................................... 23
Management Suite Environment .................................................................................................................. 24
Core Server ................................................................................................................................................. 24
Install / Upgrade to Management Suite 2016 ............................................................................................... 25
Other installation documents on the Ivanti Community Website................................................................ 26
Management Suite 2016.3 Installation Steps ............................................................................................... 26
Management Suite 2016.3 Upgrade Steps................................................................................................... 41
Ivanti Products
Ivanti offers a variety of products, solutions, and services, to answer a superabundance of business needs. To
see a complete list of products, solutions offered, and the services rendered, please visit http://www.ivanti.com.
In any case, it is recommended that a test Core Server be implemented to assure settings yield desired results,
and that software distribution, patch, imaging, and other management tasks, first take place on non-production
devices before efficiently implementing changes throughout the enterprise.
Core Synchronization
For organizations which have multiple Core Servers (for geographic, hierarchal, organizational, or other
reasons). Core synchronization provides the ability to take meticulously and methodically created settings and
configurations on a Core Server and propagates them to one or more Core Servers, with minimal effort. In
Change Management implementations (using ITIL or Six Sigma), a test Core Server could synchronize
configurations and settings to the production Core Server.
Core synchronization can be set for the following items:
Agent Configurations
Agent Settings
Alerting
Delivery Methods
Distribution Packages
Power Management Settings
Query/Column Sets
Reports
User Management
Scripts
Tasks and Policies
The document “Best Known Methods for Core Synchronization” can be downloaded at:
http://community.ivanti.com/support/docs/DOC-7402.
If desired, database information from multiple Core Servers can be combined into a Rollup Database. While a
Rollup Database does not facilitate management of Managed Devices, it does provide ease of reporting,
combining data for up to 200,000 Managed Devices in a single location.
Core Server
The Core Server is the centerpiece of the Management Suite environment. This server acts as the host system
for each of the services that provide most of the Management Suite functionality.
To see the “LANDESK® Core Install, Console Install, and Upgrades Landing Page” go to:
http://community.ivanti.com/support/docs/DOC-23850. Here you can find links to:
Core Installation and Configuration
o Prerequisites and Preparations
o Install Guides
o Additional Information
Database Installation and Configuration
o Prerequisites and Preparations
o Best Known Methods
New Installation Clean install on the same or on new New, clean, database instance
server hardware
In-Place Upgrade Upgrade existing server. (Backup server Same database upgraded during
prior to upgrade.) install. (Backup database prior to
upgrade.)
Clean Core Server
Clean install on the same or on new Upgraded database instance
Installation with an server hardware.
Upgraded Database
Test or Lab Core Server Upgrade existing server. (Backup server Same database upgraded during
Becomes Production prior to upgrade.) install. (Backup server prior to
upgrade.)
Multiple options: new database
Side-by-side Migration New server hardware that will be
configured while the current server instance, or upgraded database
hardware is running
Click [Run].
Click the I accept the terms in the License Agreement checkbox, and click [Continue].
If you want to see what prerequisites are required for the installation, click to select the Show all
prerequisites checkbox. (This is optional.) Click [Continue].
Click to select the desired option, and click [Continue]. For our class, we selected to Configure a new 10.0
database.
Select the desired option, and click [Continue]. Select Microsoft SQL Server, presents:
Decide whether the select the Enable Client Certificate-based Security (Recommended) checkbox, and
click [Continue]. (For our class we did select the checkbox.)
Tip/Comment
The Client Certificate-based Security is fully discussed in the Client-side Certificates portion
of the Agents section of this course.
The installation information is displayed. If all is desired options are correct, click [Install]. The installation
occurs. (It usually takes about 30 - 40 minutes to install the Core Server.)
The screen offers hotlinks to log files for various aspects of the installation, and lists the steps it took during
the installation. Click [Reboot] to reboot the Core Server, and complete the installation.
3. Designate the location where you want the upgrade files to expand, and from where the upgrade will run.
Click to run the LANDESKSoftware2016.3.exe file.
Click the I Accept the terms in the License Agreement checkbox, and click the [Continue] button.
To opt in to the program, select the “Participate in the LANDESK Customer Experience Improvement Program”
checkbox on the Activate License window.
Ivanti uses a central licensing server at Ivanti headquarters to manage Core Servers’ product and node
licenses. To use Management Suite, you must obtain a user name and password that activates the Core
Server and downloads an authorized certificate. Activation is required on each Core Server before Ivanti
products can be used. Each Core Server can be activated either automatically by the Internet or manually by
e-mail. A Core Server may need to be reactivated in the event that its hardware configuration is significantly
modified.
On a periodic basis, the activation component on each Core Server will generate data regarding the “node
count data” which includes:
The precise number of nodes being used
The non-personal encrypted hardware configuration
The Ivanti Software programs being used
No other data is collected or generated by Core Server activation. The hardware key code is generated on the
Core Server using non-personal hardware configuration factors, such as the size of the hard drive, the
processing speed of the computer, etc. The hardware key code is sent to Ivanti in an encrypted format, and the
After installing a Core Server, it will be configured to automatically launch the activation at the next login. It also
has a Core Server Activation utility. The Core Server can be activated either with an Ivanti account
associated with the licenses purchased or with a 45-day evaluation license. The 45-day evaluation license is
for 100 nodes.
Rollup Core Servers do not need to be activated.
A 45-day evaluation can be changed to a paid license at any time by running the Core Server Activation utility
and entering the Management Suite username and password.
Ivanti provides an authorized certificate based on the node count data. Periodically the node count data is
generated by the activation software on a Core Server, and is sent to Ivanti, either automatically via the
Internet or manually via e-mail. If node count data is not provided within a 30-day grace period after the initial
node count verification attempt, the Management Suite Console may become inactive until the node count data
is provided.
Once a Core Server has been activated, the Management Suite Console’s Configure > Product Licensing
window can be used to view the products and the number of authorized nodes purchased for the account with
which the Core Server authenticates. The date the Core Server verifies node count data with the central
licensing server can also be viewed on the Product Licensing window.
The Core Server does not limit the number of authorized nodes purchased. License information can be viewed
by visiting the Ivanti licensing site at www.ivanti.com/contactus.
Once the Core Server has been activated, the Console can be started by clicking Start > All Programs>
LANDESK > LANDESK Management Console. The credentials used when the Core Server was installed
can be used on the Management Suite Console Logon window. Once logged in, confirm that the Core Server
has been scanned into the core database (it will be visible in the Console in All Devices).
Remote Console
A Remote Console should be installed on the local machines of all Management Suite administrators who
need full functionality or access to all the Management Suite tools.
For additional management ability of devices with the Management Suite Agent, Remote Consoles can be
installed throughout the network. (Ivanti does not incur additional charges for additional consoles.)
Web Console
The Web Console offers a subset of the Management Suite Console functionality from the convenience of a
Web browser (for example, no access to OS Provisioning). This allows a Console user to immediately access
the Web Console without any installation. The Console user can simply open a Web browser, enter the URL to
the Core Server (http://[Core Server Name or IP Address]/remote) which will then present to them a login
dialog. The login requires a user and password for someone the Management Suite Administrator has setup to
use a Management Suite Console.
What makes this possible is a Web server that was setup during the initial installation of the Management Suite
Core Server. It can be accessed from the General tab in Configure LANDESK Services.
Core Database
Management Suite relies on a Database Management System (DBMS) to store all of the data that is collected
while using Management Suite. This DBMS does not typically reside on the Core Server unless the total node
count is not expected to exceed 2000 nodes. The volume of the data and the performance of the server require
the database to be offloaded onto a dedicated server elsewhere.
The following are supported database management systems:
Microsoft® SQL Server® 2014 Express Edition -- Bundled with Management Suite Installation. Default
Database for less than 500 nodes (Dependent on the size of the scans and the vulnerability information
that is scanned for. The number of clients that will go into the database can increase or decrease but
500 is the typical size for most customer installations.)
Microsoft® SQL Server® 2012 Standard/Enterprise
Microsoft® SQL Server® 2014 Standard/Enterprise
To see the “LANDESK Management Suite 2016 Architecture - Overview” page, go to:
http://community.ivanti.com/support/docs/DOC-40046.)
Each Microsoft SQL Server 2014 Express Edition database has a maximum size limit of 4 gigabytes with a
maximum of eight concurrent SQL processes.
There are also other performance adjustments that can be made on the Database server. The Database and
its log file can be placed on separate drives or arrays, for example. The log can also be set to overwrite data in
the log file when the entire transaction has committed and completed the data write to the database file. (In
Microsoft SQL the setting is “Simple Recovery” mode.) This keeps the log file smaller which can speed up
database performance is reading and writing.
Naturally, workstations, and laptops, likely have more software and history than servers, and especially mobile
devices. So you may want to estimate the storage requirements accordingly.
Relational Database
Management Suite uses a relational database, as opposed to an object-oriented database. Object-oriented
databases generally have fewer tables with more data in each table, while relational databases generally have
more tables with less data in each table. Queries obtain results faster in a relational database compared to an
object-oriented database. The Rollup database is also a relational database.
If Microsoft SQL Express is the database of choice, the default Core Server installation can install it on the
Core Server when the Core Server installation runs. If using a Microsoft SQL database, it can be installed on
the Core Server (if the node count is not expected to exceed 2000) or onto another server (if the node count
will exceed 2000 devices). In this case, the database must be created before the Core Server is installed.
In any case, during the Core Server installation, a dialog window opens, asking for:
the database server name and instance
the database name
the login name and accompanying password
This data appears on the Configure Services > General tab. This information was also written in the registry
of the core server in:
HKEY_LOCAL_MACHINE\SOFTWARE\LANDESK\ManagementSuite\Core\Connections\Local.
Database Utilities
Management Suite is equipped with utilities to for the Management Suite database.
DBMS Maintenance
The DBMS maintenance is setup in the database tools via a wizard and does the following:
Reindexes the tables in the database (DBCC reindex [tablename])
Resets the database consistency checker (DBCC)
Backs up and logs the backup of the database
Clears free space (whitespace) for database use (much like making contiguous space to write)
There are documents on the Community Website to help setup databases and their maintenance.
To go to the “LANDESK Database Landing Page” go to: http://community.ivanti.com/support/docs/DOC-
23798. This page contains links to:
Prerequisites
o Prerequisites for Database Management Systems
o SQL Server Authentication is required for LANDESK® Management Suite
o Four things to know and plan on before you create your database
Tuning and Maintenance
o Management Suite Database tuning for Microsoft 2008 R2 and 2012
o Tuning Management Suite Database utilization and storage usage by component
o Maintenance Plan for SQL Express
o Reindexing LANDESK Databases
o Management Suite Recommended Database Maintenance
Additional Options on Information
Troubleshooting databases
The Management Suite Maintenance and other database events log to the Application Event Log on the Core
Server. The start of maintenance is event 2389 and the stop maintenance is event 2388.
Public-key Infrastructure (PKI) is a key based security. Public-key Infrastructure Security has been
implemented into Management Suite for Secure Socket Layer (SSL) communication. Client systems loaded
with the Management Suite Agent authenticate to authorized Core Servers using this key based method
preventing unauthorized access to Management functions on managed devices. These keys are generated
during install and placed on the file system of the Core Server. There is no need for a separate certificate
authority to create these keys on your behalf since they are self-generated during install and do not need to be
trusted by anything outside of the Management Suite environment. Each Core Server and Rollup server that is
installed in the infrastructure has a unique set of keys to authenticate with managed devices.
<keyname>.crt: The .CRT file is the public key for the Core Server. The .CRT file can be viewed in a standard
text editor for more information about the public key and the Core Server with which it is paired. It is not
necessary to keep the public key secure.
<hash>.0: The .0 file is a trusted certificate file and has content identical to the .CRT file. However, it is named
in a manner that allows the managed device to find it quickly on the file system where numerous other
certificate (.crt) files may exist. The name is a hash (checksum) of the certificate’s subject information, which
can be found in the .CRT file. There is an [LDMS] section in the .CRT file that contains “hash=value”. The
value displayed here indicates the name of the .0 (Hash) file. The <hash>.0 file also exists on the managed
device in the Program Files\LANDesk\LDClient\ folder. The purpose for the .0 file on the managed device is
to enable that machine to authenticate to Core Servers and process commands from servers that have a
corresponding private key.
<keyname>.cer: This certificate information telling purposes, to whom it is issued, by whom it was issued, and
the date range the certificate is valid. This is used to secure HTTPS traffic occurring between the Global
Scheduler Proxy and the Global Scheduler Web Service.
All keys are stored on the Core Server in \Program Files\LANDesk\Shared Files\Keys. The <hash>.0 public
key is also in the LDLOGON folder and needs to be there by default. The <keyname> is the certificate name
provided during Management Suite Setup. During Setup, it is helpful to provide a descriptive key name, such
as the Core Server's name (or even its fully qualified name) as the key name (example: ldcore or
ldcore.org.com). This will make it easier to identify the certificate/private key files in a multi-core environment.
Important Note
You should back up the contents of your core server's Keys folder and keep the medium in a
safe, secure place. If for some reason you need to reinstall or replace your core server, you won't
be able to manage that core server's devices until you add the original core's certificates to the
new core.
There are two main ways of sharing keys among core and rollup core servers:
In our example, if you want the rollup core and Web console to be able to manage devices from all three cores,
you need to distribute the rollup core's trusted certificate (the <hash>.0) file to all devices, in addition to
copying the same file to each core server's ldlogon folder. Alternatively, you can copy the certificate/private key
files from each of the three core servers to the rollup core. This way, each device can find the matching private
key for its core server on the rollup core server.
If you want one core to be able to manage devices from another core, you can follow the same process, either
distributing the trusted certificate to devices or copying the certificate/public key files among cores.
If you are copying certificates between standalone cores (not to a rollup core), there is an additional issue. A
core won't be able to manage another core's devices unless it first has an inventory scan from those devices.
One way of getting inventory scans to another core is to schedule an inventory scan job with a custom
command line that forwards the scan to the new core. In a multiple core scenario, using a rollup core and the
Web console is a simpler way to manage devices across cores. Rollup cores automatically get inventory scan
data from all devices on the cores that get rolled up to it.
When using certificate-based remote control, target Devices must be in the core database. If
you're using certificate-based remote control security with Devices, you can only remote control
Devices that have an inventory record in the core database that you're connected to. Before
contacting a node to launch remote control, the core looks in the database to ensure the
requesting party has the right to view the device. If the device isn't in the database, the core
denies the request.
Clients with previous agent versions will not be able to decrypt the new passwords and will need to be
updated.
To enable the Client certificate model, open the Console and click Configure > Security. The Security settings
window opens and check runs to see if clients support the client certificate model. If clients support the
enhanced security model, you can select the Client certificate model checkbox, and click [Save]. A window
appears which states: “Continuing will change the current encryption model. Previous agent versions will no
longer be able to decrypt encrypted data. Once completed, it is recommended to update your passwords for
Preferred Servers, Package Run-As credentials, Distribution and Patch Agent Settings, and Provisioning
variables and passwords.”
The Security settings showing that not all clients support the client certificate model.
The Key manager page shows the AES-256 keys that have been generated, and which will be used.
As clients appear in the database, the certificates are designated unapproved. The Management Suite
Administrator will need to periodically go in and approve the certificates. If desired, the administrator can check
the “Automatically approve new certificates (not recommended) checkbox and have them automatically
approved when they are created. (The reason this is not recommended is it is less secure.)
How this will work now, is if the client is to receive a software distribution package, or a provisioning template,
or a vulnerability patch, etc. it may need to download the package from a share with a username and
password. If the client has a certificate which is approved, the core will give the client the AES-256 certificate it
will need to decipher the password to access the share. As time passes, a rouge device may obtain the
certificate. So, periodically a new certificate can be made, distributed, and approved as needed, to maintain
security.
ldlogon share: Applications to be run on Managed Devices and agent software are stored in the ldlogon
share. When deploying the Management Suite Agent, the Applications and software and copied out to
managed devices from
\Program Files \LANDesk\ManagementSuite\ldlogon.
o The Administrators group must have Full Control here.
o The Everyone group must have Read Only rights here.
o All software which updates periodically on managed devices is stored and copied out from here.
scripts share: Software distribution scripts, and managed scripts, are stored and launched from the scripts
share, \Program Files\LANDesk\ManagementSuite\Scripts. Here, the LANDESK Management Suite
group should have Full Control rights.
This means Agents deployed prior to enabling FIPS 140-2 will no longer be able to be managed until a new
Management Suite Agent is deployed. All scheduled tasks, remote control sessions, etc. will not be possible
until a new Management Suite Agent (with a new public FIPS 140-2 compliant SSL certificate) is deployed.
When you enable FIPS 140-2, the Core Server rebuilds all Management Suite Agent configurations so that
they include a new FIPS 140-2 compliant SSL public security certificate. These new Agent configurations can
be deployed. (You can copy the backed up LANDESK_<number>.key file back to the KEYS directory to have
communication between the devices use the old key for the Agent deployment task. Then you can remove the
old .KEY file when all Agents have been redeployed.)
The Best Known Method (BKM) if you are going to implement FIPS 140-2, recommends that you enable FIPS
140-2 at the beginning of the deployment process, and then send an agent just once to devices to be
managed.
If you disable FIPS 140-2 after enabling it, and later re-enable FIPS 140-2, the core will reuse the certificate
you created the first time you enabled FIPS 140-2. In this case you wouldn't have to redeploy agent
configurations a second time.
Note
If FIPS 140-2 is enabled on a Core Server, each Cloud Services Appliance for that Core Server
must be configure to us FIPS 140-2 mode.
Core Auditing
Core Auditing provides ability to select, in a methodical and exact manner, what to audit. This capability
enables administrators to audit with precise detail actions taken by console users. Audited events are written to
secure audit logs in the Management Suite database, putting to rest audit compliance concerns regarding data
tampering. Additionally, audited events can also be configured to be written to the Application Event Log on the
Core Server.
To those granted auditing rights, Auditing events can be queried, and auditing logs can be archived and
restored as needed. To view audited events, open the Auditing tool (click Tools or Toolbox > Administration
> Auditing). Default queries allow viewing all audited events for:
Last 24 Hours
Last 7 Days
Last 30 Days
Queries concerning auditing can also be created in the Custom Queries section.
On the Auditing Toolbar are options to archive data as well as to restore from archived files.
The Auditing Configuration role, with edit and view rights, allows a Console User to configure which events get
audited. The user assigns which events to audit by clicking Configure > Services and accessing the Auditing
Configuration tab. (Note: if the Auditing Configuration tab is not visible in SvcCfg, the logged in Console User
does not have the Auditing Configuration role. Add the role to the user and close and login to the Management
Suite Console again.)
a. New Installation
b. In-place Upgrade
c. Side-by-side Migration
2. What checklists are provided in the Management Suite 2016.3 Install Guide that aid in the install/upgrade
of the Core Server? What are the desired outcomes of the checklists and why are they important?
3. What considerations need to be weighed when deciding whether to run the Core Server in a virtual
environment versus a physical environment?
4. How do you install a Remote Console, and what is its purpose? What is the rule of upgrading and applying
service packs concerning the Core Server and the Remote Console(s)?
6. What database software and versions are supported in Management Suite 2016?
7. What are the two types of database maintenance, and what is the focus of each type?
8. What security features are in Management Suite is to protect the Core Server, and Managed Clients?
9. What should a company expect if they select the “Participate in the LANDESK Customer Experience
Improvement Program” checkbox, on the Activation Page?
Consoles
There are three (3) Administrator Consoles available in Management Suite
Remote Console
The Remote Console is installed from the Management Suite Setup DVD onto select Windows PCs, and
allows console users to perform Management Suite tasks from his/her workstation. Depending on the Rights
assigned to users, the Remote Console can allow access to all that is available on the Admin Console except
the Configure > Services tool. (This tool affects services and settings which apply to the Core Server and
therefore ALL console users, so this ability is purposely limited to being run from the Core Server.)
There are a number of Community documents concerning the Remote Console. To read: “LANDESK Desktop
Console Landing Page”, please see: http://community.ivanti.com/support/docs/DOC-23832. There are videos
available on:
Console Installation
Console Overview
Console Role-Based Administration
Console Layout Groups
Console Layout Columns
Web Console
The Web console is a scaled down version of the Remote Console, which includes a subset of the
functionality. It runs from a web browser and does not require the installation of any software, other than a few
components that enable remote control functionality.
Since the Web Console does not install software, you need to click Download tools from the Remote access
tool in the Web Console to install the tools to use Remote Control.
When you click Download tools a window appears presenting you to following options:
LANDESK Application Launcher: to handle remote control links and buttons throughout the web
application. This will load the “LANDESK UrlHelper Utility” application.
Below this are links to install necessary applications for remote control, including:
Remote Control Viewer: to initiate remote control sessions and add the “LANDESK® Software Remote
Control Console for Mozilla” application.
Secure shell (ssh): to initiate secure shell connections and add the “LANDESK® Putty Secure Shell for
Mozilla” application (for use on Mac, Unix, and Linux managed devices).
Secure ftp (sftp): to initiate secure ftp connections and add the “LANDESK® Putty Secure FTP for Mozilla”
application (for use on Mac, Unix, and Linux managed devices).
You can choose to install any combination of tools you require.
The scope and rights setup by a Management Suite Administrator will apply to the user who logs in.
None: This option requires entering User name, Password, and clicking the [Log in] button to log in to the
Console. Single sign-on is not enabled.
This fulfills the federal single sign-on standards. After the user clicks [Yes] the windows credentials
(username and password) are passed through so the user can click [Login] so without entering a
password, the console opens.
Only (no popup): This option passes through to the Console the Windows credentials used to log in to the
device. There is no pop-up presented, nor is there a need to click the [Log in] button.
Mixed: This option also passes through to the Console the Windows credentials used to log in to the
device. However, this option requires you to click to select the [Log in] button.
To select one of the single sign-on options, select Configure > Services in the Console, and go to the
General tab. The Single Sign-on options are presented at the bottom of the page.
Tool Menu
The Tool Menu allows you to choose specific actions in the Console. For example if the administrator clicks the
Tools action, the various tools appear and can selected to open within the Console. The Tool Menu contains
the following items:
File: Allows Console users to select to exit the Console.
Edit: Allows Console users to cut, copy, paste, delete, or rename selected devices. In Edit, selecting
All devices allows access to Insert New Computer, Import Leasing Information, View As Report,
Export as CSV, Import, and Columns.
View: Allows Console users to access the Toolbox, Auto Inspector, Inventory History, or Refresh.
Tools: Allows Console users to access all the tools the user has been given rights to access.
Configure: Allows Console users to access various configuration items in the Console.
Window: Allows Console users to choose which window in the Console they wish to have active.
Help: Allows Console users to access Online Help, Setup Wizards, and Console Information.
Toolbar
The Toolbar contains several frequently used function buttons that are automatically applied to items that are
selected in the various views within the Console. For example, if the administrator selects a managed device in
the inventory list and clicks the Delete toolbar button, the managed device is deleted from the inventory.
The Toolbar contains the following buttons:
Toolbox Menu
The Core Server Menu allows Console users to lock, pin, or close the Toolbox. The Toolbox provides a pallet
of tools frequently used by the Console users. The Toolbox can be viewed in the Console by clicking View >
Toolbox.
Tools
The Tools feature allows Console users to access the tools to which the users are granted rights, in order to
carry out the functions which they need to be completed. Although there are a few exceptions which are
addressed later, clicking a Tool opens a window along the bottom of the Console, containing tool-specific
controls for performing the various tasks as they relate to the Tool.
Tool Groups
The Tools are logically grouped according to relevance to each other as follows:
Network View
The Network View is the main window of the console and is the starting point for most administrative tasks.
The Network View is the only window that is always visible. Network View organizes global information stored
in the database into a hierarchical tree structure divided into:
Devices
Users
Virtual OS Hosts
Queries
Scopes
Configuration
Inspector Results
Directory
My devices: Lists devices for the currently logged-in user, based on the user’s scope. This is helpful to
subdivide into Device Groups what is likely a very large number of devices. A Console user can create
device subgroups only under My devices. Users can add devices to their My devices group, or any of its
subgroups, by copying and pasting them from the Public devices and All devices groups. Users can also
click and drag devices from Public devices and All Devices into their My devices group.
Public devices: Lists devices a Management Suite Administrator has added from the All devices group.
Users with the Management Suite administrator right see all of the devices in this group, while other
Console users see only the devices allowed by their scope. Only a Management Suite Administrator can
create a subgroup under Public devices.
All devices: Lists all Managed Devices that can be seen by the currently logged-in user, based on the
user’s scope, in a flat list (no subgroups). For a Management Suite Administrator, All devices lists all
managed devices that have been scanned into the core database. Devices configured with the Standard
Management Suite Agent automatically appear in the All devices group/folder when they are scanned into
the core database by the inventory scanner.
Computers: Lists all Computers, Servers, and Laptop Computers, which have the Management Suite
Agent installed. The devices which can be seen by the currently logged-in user are based on the user’s
scope, and are displayed in a flat list (no subgroups).
Mobile: Lists all Tablets, and Phones which have the Mobility Manager Agent installed. Devices that can
be seen by the currently logged-in user are based on the user’s scope and are display in a flat list (no
subgroups).
MDM managed: Mobile Device Managed devices, whether iPhone or Android devices.
Agentless: Devices which are inventoried but do not have a Management Suite Agent installed. The
inventory is gathered by a device elected by Self-elected Subnet Services.
Devices with older agents: Lists all Managed Devices that report in to the Core but do not have the
current version of the Management Suite Agent.
Computers: Hardware Password Managed devices: Lists all devices which have ThinkVantage utilities
enabled. Devices in this group can utilize the ThinkVantage tools for management. The group lists
Computers and Hard-disks for password management.
Users
The Users section lists the users who were logged into the managed device at the time of the last inventory
scan.
Virtual OS Hosts
The Virtual OS Hosts section of the tree structure contains managed devices, which are virtual hosts, stored in
the database. The Virtual OS Hosts section is divided into:
My virtual OS hosts: Lists virtual OS hosts for the currently logged-in user, based on the user’s scope. A
user can create device subgroups only under My virtual OS hosts. Users can add devices to their My
virtual OS hosts group, or any of its subgroups, by copying and pasting them from the Public virtual OS
hosts and All virtual OS hosts groups. Users can also click and drag virtual OS hosts from public virtual OS
hosts and All virtual OS hosts into their My virtual OS hosts group.
Public virtual OS hosts: Lists devices an Administrator has added from the All virtual OS hosts group.
Users with the administrator right see all of the devices in this group, while other Console users see only
the devices allowed by their scope. Only an administrator can create a subgroup under Public virtual OS
hosts.
All virtual OS hosts: Lists all virtual OS hosts that can be seen by the currently logged-in user, based on
the user’s scope, in a flat list (no subgroups). For an Administrator, All virtual OS hosts lists all managed
virtual OS hosts that have been scanned into the database. Virtual OS hosts configured with the Standard
Queries
The Queries section of the tree structure contains queries stored in the database. The Queries section is
divided into:
My queries: Lists queries either created by the currently logged-in user, or added to the user’s User
queries group by an Administrator. A user can create, modify, and delete query groups and queries under
their My queries group. Users can also copy queries to this group from the Public queries group.
Public queries: Lists queries that an Administrator, or a Console user with the Public Query Management
(PQM) right, has added. Only users with the Administrator right or the PQM right can add, modify, or delete
query groups or queries in the Public queries group. However, all users can see the queries in this group,
and can copy and paste them to their own My queries group.
All queries: Lists all queries that can be seen by the currently logged-in user, based on the user’s scope,
in a flat list (no subgroups). All queries is a composite of the user’s My queries and Public queries groups.
User queries: (Administrator only) Lists all queries in the core database, organized into subgroups by user.
User subgroups are named with their login IDs (i.e., computername\user account, or domain\user account).
Each user group contains the queries that appear in that user’s My queries group.
Scopes
The Scopes section allows viewing, creating, and editing scopes. Scopes can be used to assign rights.
Reports run for Console Users are scope sensitive.
Configuration
The Configuration section of the tree structure contains the following configuration groups:
PXE Holding Queue: Lists PXE holding queues and the devices that are waiting in the PXE holding
queue.
Bare Metal Devices: Lists bare metal devices that have been created for provisioning tasks.
PXE Provisioning (Windows PE): Lists devices targeted for Microsoft Windows PE provisioning tasks
Multicast Domain Representatives (Pre 9.6 only): Lists devices configured to be multicast domain
representatives that are pre-9.6 versions only. The latest version uses self-organizing technology and is not
listed in this group.
PXE Representatives: Lists devices configured as PXE representatives that can deploy OS images to
devices in their subnet.
Pending unmanaged client deployments: Lists devices that have been discovered by the Unmanaged
Device Discovery (UDD) tool, and are waiting for an agent configuration task to begin.
User added computers: (Administrator only) Lists devices that have been added to inventory by
Management Suite Console users.
Inspector Results
The Inspector Results section of the tree structure allows you to use the Inspector to view data. You can
double-click a chart in the Inspector window and view the corresponding details. Viewing the results this way
makes the data actionable. (For example, in the Scheduled tasks inspector a chart can show how many
devices have failed a task. If you double-click the chart, you’ll see the individual devices listed in the Inspector
results folder. You can then apply an action to those devices – such as restarting the task, or view a report with
that data for later follow up.)
Directory
The Directory section shows the Lightweight Directory Access Protocol (LDAP) structure which the Console
User has set (if any). Active Directory access can provide a very effective way to target scheduled tasks.
Layout Menu
The Console allows users to create custom screen layouts with custom columns, based on the task they are
performing, or personal preferences. Different layouts can be configured and saved. The Layout menu is used
to switch between user-configured layouts. The following items are available in Manage Layouts in the Layout
Menu:
Themes
There are 12 themes to choose from that affect the outline colors of the windows in the Consoles. This is a
customization available to each user who can log in to the Console. The theme selections are just below the
toolbar on the Console. Theme choices include:
Silver Pearl Black Pearl Blue Glow Silver Glow Charcoal Grey Retro
Embers Expression Dark Modern Blue Modern Green Modern Orange Steel
Find
The Find feature appears wherever it makes sense for the user to search for a specific item in a corresponding
list. For example, any time a list of items is displayed in either the upper or lower portion of the Console, the
Find field accompanies that view to facilitate locating a specific item in the corresponding list.
An example of when this can be helpful is if an organization has 10,000 nodes listed in the database. A user
calls for assistance, and the helpdesk team member needs to find the PC in the console. The helpdesk
member can ask for the caller’s login name, or machine name, or any other user and device specific
Inventory List
The Inventory List view displays all of the devices that have been added to the Management Suite database.
Items in this list may be sorted by their respective columns by clicking the column header. This view is
displayed by expanding Devices from the Network View and clicking All devices.
Component Window
When a tool is selected from the Toolbox or the Tool menu, a tabbed window appears below the Network View
representing the selected tool. A majority of your work is performed in the Component Window.
Tool Tabs
As additional tools are accessed, tabs are displayed along the bottom of the Console, below the Network View,
providing access to the opened tools. This tabular arrangement makes it easy to have multiple tools open and
navigate among them. This tabular arrangement also supports drag and drop functionality from one tool to
another.
Console Grouping
The majority of the work performed by Management Suite Administrators revolves around Scheduled Tasks
and Distribution Packages. This will be discussed in detail later. For efficient management, scheduled tasks
and distribution packages can be organized into groups.
The following are features for Console groupings for distribution packages and scheduled tasks:
Wizards appear automatically on a new installation and can be accessed at any time from the Help menu. You
can follow the steps in the wizard to learn more about the specific feature or functionality. Or you can check the
Don’t show this wizard again check box to prevent the wizard from being shown automatically.
Scheduler: Set the Login account for the Scheduler to use, as well as the account to use when deploying
the Management Suite Agent to unmanaged devices.
vPro: Configure Intel® vPro™ including General Configuration, ID Generation, Import / Export, System
Defense Remediation, Client Notification Strings, and DVM Configuration.
COM+: Setup Component Services (to configure login credentials for Active Directory).
Discover: Setup Unmanaged Device Discovery (UDD) to discover devices to manage using Management
Suite. UDD actively scans the network with industry standard scanning technologies, such as ICMP and
LDAP, for devices that are unknown to Management Suite. IP address ranges can be specified to scan on
the network. IP scans can be set for:
o General IP ranges
o Devices with Management Suite Agent installed
o Devices in an NT Domain
o Devices in an LDAP Domain
o Virtual Hosts (ESX Servers)
Recurring Discovery: Configure Unmanaged Device Discovery to run on a recurring schedule.
Deploy Agent: After a device is discovered, the next step is to deploy the Management Suite agent to that
device, making it a Managed Device in the Management Suite Console.
1. Click Start > LANDESK > LANDESK Management Console. (The actual program name may be
different depending on the Ivanti product that is installed and the license used to activate your Core
Server.)
2. Enter the user name and password. (Enter the user name in the Domain\Username format.)
3. Select the Core Server to which you want to connect. The user must have proper authentication
credentials to that Core Server.
4. Click OK.
The console opens with the layout (size, position, open tool windows, etc.) that was being used the last time
this user logged out.
For additional consoles, the credentials you use to log into Management Suite must match the credentials used
for any drives you have mapped to the core server. Otherwise, you might see a "Multiple connections" error in
the console login dialog.
Username: Identifies a Management Suite user. This might be an administrator user or some other type of
user with restricted access (see "Role-based administration overview"). The user must be a member
of one of the LANDESK groups on the core server. Follow the normal Windows rules for remote
login (i.e., if the user is local to that core server, just enter the user name; if the user is a domain
user, enter the domain name\user name).
Password: The user's password. (NOTE: If a Management Suite Administrator changes the password of
another user, for example an additional console user, the new password does not take effect until that user
reboots their console. At that point, the user would enter the new password to log into the console.)
Core server: Specifies the Core Server to which you want to connect. This list is the same as the Core
Server list available on the console toolbar.
Use the Column Set Configuration tool (Tools > Administration > Column Set Configuration) to create as many
Column Sets as you like. To apply a column set, drag the desired column set to device groups and query
objects in the network view tree.
A user can copy a column set from the Public Column Sets group into their own My Column Sets group and
then modify the column
o For selected visible items only: Specifies that a device's agent status is updated as the device is
selected in the network view. This sends out ping requests to the device selected.
o For all visible items: Specifies that all visible devices in the network view will have their agent status
updated according to the refresh rate. As new devices become visible, their agent status (and health)
are updated. This option generates the most network traffic.
Use DNS: This setting is for changing the priority of the IP address in the database with the address for the
item in DNS. When remotely controlling a device, for instance, if the DNS entry for the device differs from
the address in the database, the remote control command will be sent to the device IP address listed in the
DNS entry rather than the entry in the Management Suite database.
Refresh every < > minutes: Indicates whether agent status is automatically updated at the interval you
select. To enable this option, select the box beside Refresh. This option is disabled by default, and the
refresh interval only applies if the option's box is checked. If you enable this, consider using the default 5-
minute interval or longer to reduce the amount of network traffic.
Note: The Student Exercise Guide includes how to navigate the Console, and how to add tools to the
Favorites tool group.
Role-based administration is flexible enough to let you create as many custom roles as you need. You can
assign the same limited permissions to different users but restrict their access to a limited set of devices with a
narrow scope. Even a Management Suite Administrator can be restricted by scope, essentially making them an
administrator over a specific geographic region or type of managed device. How you take advantage of role-
based administration depends on your network and staffing resources, as well as your particular needs.
For more information on using Role-Based Administration, see the following sections:
Adding Management Suite console users
Managing authentications
Managing roles
Understanding rights and states
Creating scopes
Using teams
The “User Management” Wizard walks Management Suite Administrators through the necessary steps to fully
implement Role-Based Administration.
Management Suite setup creates two (2) local Windows groups on the core server. These groups control file
system permissions to the Management Suite program folders on the core server. You must manually add
console users to one of these local Windows groups:
LANDESK Administrators: This is the failsafe group for console access. Anyone in this group has full rights
in the console, including script writing. By default, the user account that installed Management Suite is
added to this group. If you don't have many console users or you don't want to limit the console users that
you do have, you can bypass role-based administration entirely and just add users to this group.
LANDESK Management Suite: This group allows basic core access. The Management Suite folders are
read-only. Users in this group can't write to the scripts directory, so they won't be able to manage scripts.
Patching vulnerabilities and OS deployment won't work correctly for users in this group because both those
features use scripts.
When adding full administrators to the console, you can either add them to the core server's local LANDESK
Administrators group or you can add them to a different group that has the LANDESK "Administrator" right.
The only difference is that users in the Windows LANDESK Administrators group can't be deleted from the
console until they are removed from the LANDESK Administrators group.
The Users tool's Users and groups tree shows the list of authorized console users. You can see the last time a
console user logged in, their group, role, scope, remote control time restriction status, and team. You can also
use this tree to see if users are in the local Windows groups. Users won't be able to log in until you've added
them to one of the LANDESK groups described in this section.
Users are stored in the database by unique security IDs (SIDs). If a user's active directory account name
changes, for example changing a name to include a married name, their SID should remain the same and their
Management Suite permissions will still apply.
IMPORTANT: Additional consoles and the core server must be members of the same domain or workgroup.
Console users won't be able to authenticate with a core server that is in a different domain or workgroup.
1. Navigate to the server's Administrative Tools > Computer Management > Local Users and Groups >
Groups utility.
2. Right-click the LANDESK group you want, and then click Add to group.
3. In the group's Properties dialog box, click Add.
4. In the Select the users and groups dialog box, select the desired users (and groups) from the list and click
Add.
5. Click OK.
Delete Users
You can also use the Users and groups tree to delete console users or groups. When you delete Users or
groups, assigned to access console resources, such as queries, scheduled tasks, and so on, the console will
automatically delete any items they own or reassign items they own to another user or group that you select.
Note that deleting a user or group only deletes that user or group from the Management Suite user database.
Manually remove the user or group from local Windows groups they are members of. If you don't do this, the
deleted user will still be able to log into the console.
Summary: Summarizes that user's/group's roles, scopes, teams, group membership, and effective rights.
Effective rights: Shows a more detailed view of the user's/group's effective rights.
Roles: Shows explicit and inherited roles. You can select which explicit roles apply to that user or group.
Scopes: Shows explicit and inherited scopes. You can select which explicit scopes apply to that user or
group.
Teams: Shows explicit and inherited teams. You can select which explicit teams apply to that user or
group.
RC time restrictions: Allows you to apply and modify RC time restrictions. For more information, see "Using
remote control time restrictions".
Group membership: Shows which groups that user is a member of.
If you make changes to the editable pages, you need to click OK to apply them. You can then re-open the
properties dialog box if necessary.
Managing Authentications
The User management tool can be configured to assign Console access via Active Directory groups. To do this
you will need to provide credentials for each Active Directory container having users you want to grant Console
access. The authentications you provide determine which user groups you can select from the User
management tool to assign Console group permissions.
Console authentication is based on Windows local or Active Directory group membership. When a
Management Suite administrator assigns group permissions to a local or Active Directory group, users who are
You should be aware of the following issues when managing Active Directories for use with Management
Suite:
Active Directory is fully integrated with DNS and TCP/IP (DNS) is required. To be fully functional, the DNS
server must support SRV resource records or service records.
In order to log in to the Console, a user must belong to the core server's local groups. For more
information, see "Adding Management Suite console users".
In order for an AD Domain to work properly with Role-Based Administration, you need to configure the
COM+ server credentials on the Core Server. This enables the Core Server to use an account in one of the
core server's local groups that has the necessary permissions to enumerate Windows domain members,
such as the administrator account. Some excellent resources on how to configure COM+ please see:
o “How to Configure the LANDESK COM+ Application to use a Domain Account” at:
https://community.ivanti.com/support/docs/DOC-25497.
If a user account password changes, you will have to log into the console and change the password in the
authentication dialog box to the new password. You can do this by logging in as a local group. Users are
authenticated when they log in, so any existing session will continue to work. Users in the domain that have
had the password changed won't be allowed to log in until the password change has been corrected in the
Users tool.
If a user is a member of an Active Directory group, the user inherits the RBA rights for that group.
If a user is a member of an Active Directory group, which is a member of a higher level group, the user
inherits the RBA rights of the upper level group.
Groups can be nested and inherit the appropriate rights according to the usual Active Directory rules.
To add an authentication
1. In the Network View, right-click Directory, and click Manage Directory. (The Active Directory source
window opens.)
2. Click [Add], and enter the LDAP source, authentication User name and Password credentials that grant
access to the Active Directory.
3. Click [OK].
You can add as many additional roles as you need. New roles aren't automatically assigned to any users or
groups. Once you create a role, you associate it with a user or group in the Group Permissions tree.
Since you can assign multiple roles to users or groups, decide how you want to assign rights. You can either
assign rights based on a job description, such as "help desk," or you can assign rights based on console
feature, like "remote control." Depending on the number and variety of console users your organization may
have, one way may work better than the other.
You can assign multiple roles to a user or Active Directory group. If there are conflicting rights among the
selected roles, the group permission consists of the sum of the combined roles and scopes. For example, if
one included role allows remote control and another included role denies it, the resulting group permission will
allow remote control. You can see the effective rights for a user or group by opening the properties for it and
viewing the Effective rights page.
Generally, you should avoid assigning a role to the default local groups: LANDesk Management Suite, and
LANDesk Administrators. Assigning a role to a group affects everyone in the group. Since all console users
must be a member of one of these three groups, you could unintentionally restrict everyone's access to
console features. The LANDESK Administrators group already has a default role of Administrator, which you
can't restrict further.
Changes to a logged-in user's rights won't take effect until the next time they log in.
1. In the User management tool, right-click Roles and click New role.
2. In the Role properties dialog box, enter a role Name.
3. Enable or disable the rights you want by clicking on the symbol in the appropriate column. Each click
toggles the right's state.
4. In the tree click Users and groups and select the users and groups that will have the new role.
1. In the User management tool, right-click Roles and click Properties. You can also double-click a role to edit
its properties.
2. On the Users and groups page, select the groups you want to have that role.
3. Click OK.
Auditing Configuration
Auditor
Data Analytics Administrators
LANDESK Administrators have full rights to all scopes and rights. They also have full access to the Users tool
and can make any changes they want. Only users with the Administrator right can configure LANDESK
services running on the core. If Auditing is desired, add the rights of Auditing permission to the LANDESK
Administrators group.
Understanding Rights
A checkmark:
An X:
A not applicable symbol:
Clicking on a checkmark or an X will toggle its state.
If users have no rights for a tool, they won't see the tool when they log into the console. The tool won't appear
in the Toolbox or in the Tools menu.
The Scheduled tasks tool is only visible to users who have a "Deploy" right, and in that case, they can only
work with tasks associated with the tool they have deploy rights for. All other tasks are read-only.
Creating Scopes
A scope defines the devices that can be viewed and managed by a Management Suite user.
A scope can be as large or small as you want, encompassing all of the managed devices scanned into a Core
database, or possibly just a single device. This flexibility, combined with modularized tool access, is what
makes role-based administration such a versatile management feature.
Default Scopes
Management Suite's Role-Based Administration includes one default scope: "All machines." This scope
includes all managed devices in the database. You can't edit or remove the default scope.
Custom Scopes
There are three types of custom scopes you can create and assign to users:
LDMS Query: Controls access to only those devices that match a custom query search. You can select an
existing query or create new queries from the Scope properties dialog box to define a scope. Note that you
can also copy queries from the Queries groups in the network view directly into the Scopes group.
LDAP: Controls access to only those devices gathered by the inventory scanner that are located in an
LDAP-compliant directory structure. Select directory locations from the Select visible devices dialog box to
define a scope. This directory-based scope type also supports custom directory locations (if you've entered
custom directory paths as part of an agent configuration). Available custom directory paths appear in the
Select visible devices dialog box. Use custom directories to define a scope if you don't have an LDAP-
compliant structure, or if you want to be able to restrict access to devices by a specific organizational detail
such as geographic location or department.
Device Group: Controls access to only those devices that belong to a specific device group in the network
view.
A Management Suite user can be assigned one or more scopes at a time. Additionally, a scope can be
associated with multiple users.
A user’s rights and scopes can be modified at any time. If you modify a user’s rights or scopes, those changes
take effect the next time that user logs into the Console or when a Console administrator clicks the Refresh
scope toolbar button on the Console (top of window).
Create a Scope
A scope defines the devices that can be viewed and managed by a Management Suite Console user. A scope
can be as large or small as you want, encompassing all of the managed devices scanned into a core database,
or possibly just a single device.
To create a scope
LDAP directory locations are determined by a device's directory service location. Custom directory locations
are determined by a device's computer location attribute in the inventory database. This attribute is defined
during device agent configuration.
7. If you're creating a device group-based scope, select a group from the available device group list, and then
click OK.
8. Click OK again to save the scope and close the dialog box.
Using Teams
A role-based administration team is a group of users that can view and share ownership of tasks and
configurations that belong to the team. For example, if you have multiple departments that want to share
queries or tasks, you can group the departments into a team. A team's tasks and configurations appear in a
special group named after the team in a tool's tree view. For example, if you have a team named "New York"
that you are a member of, you would see a “‘New York’ devices" subgroup under the Devices group in the
Network view. People can belong to multiple teams.
People who aren't in a particular team won't see that team's group anywhere in the console. People with the
administrator right see all teams and team content. While you can use public folders to share console content,
Teams consist of one or more group permissions. You can even create teams with as few as 1 or 2 people.
For example, if a person is out sick, you can add that person's substitute to the same team. Or, if you have two
people that share responsibilities, you can put them in the same team.
Administrators and team members can change the ownership of tree items by right-clicking them and clicking
Info. Information dialog boxes have an Owner drop-down list where you can select the item's owner.
Create a Team
A role-based administration team is a group of users that can view and share ownership of tasks and
configurations that belong to the team. A team can view management items (Device Groups, Queries,
Configurations, etc.) only visible to members of the team and member of the LANDESK Administrators group
on the Core Server.
To create a team
1. In the User management tool, right-click Teams and click New team.
2. Enter a team Name.
3. Select the Users and Groups that you want in the team.
4. Click OK.
Note that the starting time is in UTC (Coordinated Universal Time or Greenwich Mean Time) format. The core
server determines the starting time by checking the UTC time reported by the core server's operating system.
The core server doesn't adjust for the console users' local time zone. When entering the starting time value,
you need to compensate for the difference between UTC time and the console operators' local time zone and
use the resulting adjusted time.
Note that RBA rights are additive. If a user is a member of multiple roles, you could unintentionally allow
remote control when you intended to restrict it. For example, if a user is a member of a remote control role that
includes time restrictions and that user is also a member of a security role that doesn't include time restrictions,
that user won't have any remote control time restrictions.
To ensure remote control time constrictions are applied in the way you intend, you may want to make sure
users with time restrictions have only one role applied to them.
1. In the User management tool (Tools > Administration > User management), right click a user or group
in the Users and groups tree and click Properties.
2. In the left pane click RC time restrictions.
3. Check Use time constraints.
4. Check the days you want enabled.
5. Enter the time range that you want to allow remote control.
6. Click OK when done.
There are exercises for implementing Role-Based Administration in the Student Guide.
Scheduled Tasks
At the very heart of centralized management and managing devices throughout the enterprise is the ability to
Schedule Tasks from a Console. All centralized management begins with seeing the complete list of managed
devices, and acting upon them from the Console. Whether the need is to remotely control a device, distribute
software to a device, apply updates and patches to a device, or other actions which might need to be run on a
managed device, the key to central management is acting upon managed devices in the Console.
To enhance the ability of the Console users, when scheduling tasks, Management Suite has added
functionality to the Scheduled Tasks tool.
When initializing Scheduled Tasks, the task is right-clicked, and Start now is selected. The options presented
are:
Devices that did not try to run the task -- devices in pending
Diagnostics
In version Management Suite 2016, Diagnostics have been significantly enhanced. To pull up the Diagnostics
window, right-click on a managed device in the Console’s device view, and select “Diagnostics”.
The Diagnostics window is divided into two parts. The top portion lists each scheduled task assigned to the
managed device. Above that is the toolbar. The toolbar opens a plentiful array of options.
There are numerous other options in the Diagnostics Tool. A great way to see the options open Diagnostics on
a device and right-click a listed task. This will bring up the options.
Diagnostics is a helpful, useful, wonderful all-around tool to diagnose all tasks pertaining to a managed device.
(We will use Diagnostics in a hands-on way when we have created some tasks in the Software Distribution
section.)
Diagnostics Toolbar
The first option in the Diagnostics toolbar, , Logs, presents options to view logs which might be
contained on either the Client, or the Core. If you select one of the many logs presented, the tool retrieves the
associated log and displays it in the bottom portion of the window. Gone are the days of searching directories
for logs, finding them in droves, and endlessly searching to find the exact log associated with an exact task!
Diagnostics can retrieve the file contents, regardless of whether the log is locally or the client device, or on the
Core Server.
An option available in Logs > Client is the option to “Get all and zip”, which will pull all client and core logs
related to the selected task and store them in a location you select. Another option in the same screen is “Get
SCAP reports” (SCAP means Secure Content Automation Protocol) which is available in Java™ SE
Development Kit 8, Update 60 (JDK 8u60) and above.
The second option in the Diagnostics toolbar, , Real-time discovery, presents a window which populates
with a variety of information about the device, including the fully qualified name, IP address, Subnet mask,
MAC address, Discovery type, Port, Device ID and Discovery response XML information.
The fourth option in the Diagnostics toolbar, , HTML5 Remote control, opens a session of remote control
with the device.
The fifth option in the Diagnostics toolbar, , View task client policy, brings up the task client policies
assigned to the device.
The sixth option in the Diagnostics toolbar, , View Security and Patch information, brings up an
interactive window of all the security and patch information concerning the device.
The seventh option in the Diagnostics toolbar, , Client inventory change history, brings up the inventory
change history of the device. You can show the log file in an external viewer by clicking the [External] button. If
the file is larger than 50K bytes, you can click the [Truncated] button, which will bring up the last 50K bytes in
the results pane of the window.
The eighth option in the Diagnostics toolbar, , Client task history, bring up the contents of the task history
in the device’s TaskHistory.xml file.
The ninth option in the Diagnostics toolbar, , Enable remote file system access, sets the device so that if
you select Remote file system the file system is accessible.
The tenth option in the Diagnostics toolbar, , Remote event viewer, brings up the interactive event viewer
of the device.
The eleventh option in the Diagnostics toolbar, , Remote file system, brings up the interactive file system
of the device.
The twelfth option in the Diagnostics toolbar, , Synchronize policies, launches PolicySync.exe on the
device.
The thirteenth option in the Diagnostics toolbar, , Re-run task on selected device, allows you to select a
task in the top window, then click to select this option, to re-run the task.
The fourteenth option in the Diagnostics toolbar, , Terminate process, brings up a window where you can
enter the Process ID, click the [OK] button, and the corresponding process will terminate.
The fifteenth option in the Diagnostics toolbar, , View local scheduler tasks, brings up the list of items in
the local scheduler of the device. These items populate based on the Management Suite Agent installed on the
device.
The sixteenth option in the Diagnostics toolbar, , View running processes, brings up a list of running
processes on the device. The list contains the process name, process ID and the amount of memory the
process is currently using. The LANDESK processes are highlighted.
The eighteenth option in the Diagnostics toolbar, , Search Ivanti Community web site, brings up a
window where you can enter search criteria to be sought for on the Ivanti Community web site.
The nineteenth option in the Diagnostics toolbar, , Search the web for highlighted log file text or the
current error code (F3), brings up the default browser. In the browser window, the search of the current error
code, or the highlighted text (if you have highlighted text), is searched for using the default search engine
designated in the browser.
The twentieth option in the Diagnostic Toolbar, , Find, allows you to type
what to search for in the columns of the Diagnostics tool. You can designate to search in any column, or you
can select in a specific column.
The Export to csv button, , on the Diagnostics toolbar, allows you to export to a .csv file, the information
pulled up in the diagnostics tool.
The Reset column order button, , on the Diagnostics toolbar, resets the order of columns in the
diagnostics tool to the original order in which they first appeared when the installation occurred.
We will do a hands-on exercise using the Diagnostics tool after we have deployed software, later in the
course.
IPv6 Communication
Ivanti recommends that both IPv4 and IPv6 be enabled on both the Core Server and managed devices. The
managed devices use IPv4 for internal communication. The managed devices use IPv6 (using Proxyhost.exe)
to communicate with web services on the Core Server. The Core Server uses IPv4 to initiate communication
with the managed devices. The Core Server uses IPv4 for name resolution and discovery. The Core Server
supports using IPv6 for web services.
Credant Architecture
There are three types of servers used in the Credant Security solution. There are:
Policy Server: The Credant server which places and enforces security policies.
Gateway Server: The Credant server which direct sending and receiving information between the Credant
servers and managed devices.
Reporting Server: The Credant server housing data for reporting purposes.
These servers are often combined in one for fewer managed nodes, but in larger enterprise scenarios, they
can be separated for utilization reasons.
Management Suite has the ability to gather Credant Shield information from the Credant database, and place
the data in the Management Suite database. This enables additional Inventory, Queries, and Reporting. This
synchronization can be done with one or many Credant databases.
When Credant server(s) are added, the columns to the right of the server show the status and messages of the
synchronization. This greatly reduces the need for troubleshooting, and is an indicator that the data is up to
date.
There is also a new report that is included, which shows the Credant data. In the Reporting tool, you can find
the Data Protection Report. The report can include which Credant products to include in the report, which
managed devices to include, and which Credant servers to include. The report shows the following:
Credant Device Summary – Displays a graph showing the Credant devices.
Credant Protected State – Displays a graph showing the percentage of devices in a Credant protected
state.
Credant Agent Version – Displays a graph showing the Credant Agent version.
Columns in the report include the Device Name, the Data Protection Client Product, the Date Protect Client
Version, and the Protected Date.
5. How can Diagnostics help troubleshoot failed scheduled tasks and policies?
6. What impact does Active Directory Targeting have on a device that connects via the Cloud Services
Appliance?
7. What impact does IPv6 communication for the Core Server, Consoles, and Managed Devices?
The Agent configuration tool enables you to create new agent configurations for:
Windows Workstations
Windows Servers
Windows Embedded devices
Macintosh devices
Linux devices
HPUX devices
Solaris devices
HP ThinPro Linux devices
o Windows Embedded Standard 7 Enterprise (WES7)
o Windows Embedded Standard 09 Enterprise (WES09)
AIX devices
The agent configurations you create can then be pushed to Windows and Macintosh devices using the
console's Scheduled tasks window, logon scripts, or by group policy objects.
The Agent settings tool enables you to create settings that can be deployed as scheduled tasks to managed
devices. This enables scheduling setting changes that are very small in size, when compared to deploying the
entire agent again. This saves time and bandwidth when configuring managed devices to have different
settings.
Client-Side Certificates
In versions previous to Management Suite 2016 security assured was enforced by a certificate if a device
connected via the Cloud Services Appliance (CSA) or by the public and private key set used by Public Key
Infrastructure (PKI) technology. This enforced whether a managed device trusted management from the Core
Server. In Management Suite 2016, additional security is implemented centered on the premise that the Core
Server does not have to trust a device just because it has a Management Suite Agent. Each client now
generates a certificate, and the Core Server has ability to allow whether to manage the device, based on the
certificate.
Architecture
Architecture includes pieces on the Managed Device and the Core Server.
When BrokerConfig.exe makes a request to have a new public certificate signed, it makes a web request to the
core server at the following URL:
http://corename/landesk/managementsuite/core/core.anonymous/ClientCertificateRequest.asmx
By default, new certificates listed are assigned the Unapproved state. This means the Management Suite
Administrator will have to periodically open the Client Access tool and approve certificates, by selecting
certificates in the list and clicking the [Approve selected] button. If you are in the process of performing a
Unapproved/Approved/Blocked/Created by Provisioning: These are filters. If all four are selected, then all
devices in the database are shown. By default, only the unapproved checkbox is selected to show the
Management Suite Administrator the list needing to be approved.
Exclude devices with inventory data: Selecting this checkbox will remove all devices from the list with inventory
in the Management Suite database. The remaining items in the list would be devices that have not been able
to report inventory data because they have not yet been approved.
Approve selected: Select one or more devices in the view and click this button to approve them.
Block selected: Select one or more devices in the view and click this button to block them.
Delete selected: Select one or more devices in the view and click this button to delete them from the database.
These devices will need to request to have a new client-side certificate signed by the core before they can
operate through the CSA.
Items per page: Sets how many certificates listed in the view to include per page.
Automatically approve new client certificates (not recommended): While not recommended, it is believed that
some customers may want to make it as easy as possible to get new devices enrolled for a short time while
enrolling lots of machines such as during a rollout or upgrade. Selecting this checkbox will automatically
approve all new devices when their client-side certificate is generated. This is not recommended because it
allows all new devices to be immediately approved to be managed by the core server.
Warn me when the number of unapproved certificates reaches [number]: When the number of unapproved
certificates reaches the number set in this field, a warning will appear, in the Console, telling the Administrator
there are certificates to approve.
Security model page: Shows the graph of certificate-based authentication success rate.
o Select security model: Shows whether “Client certificate-based security” has been enabled.
Save in inventory for each computer: Selects whether to include Client certificate-based security
information in the inventory for each computer. If selected, the inventory will populate in the Client
certificate-based security section in the LANDESK Management section of the device’s inventory.
Save history in Security and Patch information: Selects whether to update Authentication status in
Client certificate-based security information when vulscan.exe is run on managed devices. This means
when vulscan.exe runs the Authentication required, Authentication succeeded, Certificate validation result,
Certificate validation result code, and Last authentication attempt, fields will be updated.
Key manager page: Has the following options:
o Key management: Lists the current encryption key and the date the key was created.
o Generate key: Button which if selected generates a new encryption key. If you select this key the
following warning will appear:
There is a hands-on exercise for discovering how the Client-side Certificates work.
An issue that non-persistent Virtual Desktops introduce is registry changes being lost when a user terminates
his or her session. When a new session is initialized, all previous registry data is not there, so the software
usage information, which Management Suite stores in the registry, is lost. Management Suite provides the
ability to optionally save registry modifications to a UNC share. When this is enabled, Softmon.exe writes
software usage data to the share, which the Inventory scanner (LDISCN32.EXE) can then report. With this
setting placed on non-persistent Virtual Desktops, software usage is reported. The Agent setting to enable the
Software Monitoring as well as where to store the Softmon information for Virtual Desktops is in Inventory
settings.
For more information on Agent Configuration, see, “LANDESK® Management Suite agent deployment
documentation” at: http://community.ivanti.com/support/docs/DOC-29574.
Scans received from a managed device are added to a Core Database, created during the Management Suite
installation, which in turn makes the device appear in the Network view on the Management Console. (See the
Consoles section.) When the device has an installed Agent, and appears in the Console, it is manageable
through the Console, so the Console User can perform various administrative management tasks on the
managed device.
Discovery
Discovery is the process of finding Unmanaged Devices (PC’s, printers, servers, switches, routers, or any
other device with an IP address, whether wired or wireless) on the network. The Discovery process looks for
devices referred to as Unmanaged Devices. Once identified, certain devices can have a Management Suite
Agent deployed to them, making them manageable from the Console from that point on.
Discovery can use two methods to find Unmanaged Devices, namely, Unmanaged Device Discovery (UDD),
and eXtended Device Discovery (XDD).
UDD lists the Operation System, if known, on devices it discovers. If the device was discovered via NT Domain
discovery, the Operating System is listed in the Active Directory table, so UDD uses what is in the table to
populate the UDD column. For all other UDD discovery, Management Suite uses NMAP Operating System
Fingerprinting to discover the operating system on a Device. This technology sends malformed packets, which
each operating system responds to in different ways. Through the responses, the Operating System is often
discernable.
If you don't designate a subnet address range on a TCP/IP search, discovery is performed only on the network
segment where the console initiating the discovery resides. For example, if you've installed four Consoles on
four different PC workstations, each residing on a different network segment, you would have to initiate four
scans, one from each of the four Consoles.
On network segments where there are no PC workstations with Consoles installed, you must use a subnet
address range to scan that network segment.
1. On the Management Suite Console click Tools > Configuration > Unmanaged Device Discovery.
2. On the Unmanaged Device Discovery tool click Scan Network (first icon on left on toolbar).
3. Enter the IP address range to scan in the Starting IP, Ending IP, and Subnet mask fields.
4. Click the More button if you desire to set additional scan options, then click Close.
a. Standard network scan
b. LANDESK Common Base Agent
c. NT or LDAP Domain discovery
d. LDAP
e. IPMI-enabled devices
f. Intel vPro-AMT devices
g. Virtual hosts
5. Click Add.
6. Click Scan now, or Schedule task, to scan immediately or schedule the scan for later.
Discover devices using a standard network scan: Searches for computers by doing an NMAP ping
sweep. This is the most thorough search, but also the slowest. You can limit the search to certain IP and
subnet ranges. By default thi,s option uses NetBIOS to try and gather information about the device.
IP OS Fingerprinting: Uses NMAP to try to discover what OS the device has.
Use SNMP: UDD uses Simple Network Management Protocol (SNMP) to discover devices. Click Configure
to enter information about SNMP on your network.
Discover devices with LANDESK PDS2 installed: Searches for the standard Management Suite Agent,
formerly called Ping Discovery Service 2 (PDS2) on computers. This option discovers computers that have
Management Suite products installed.
Discover devices using NT domain: Searches for devices in a domain you specify.
UDD Rights
In order to perform UDD a Console User needs to have Unmanaged Device Discovery right assigned to them
through Role-Based Administration.
The View right grants the Console User the right to see and access the UDD tool. The Edit right grants the
ability to create UDD scanner configurations. The Deploy right grants the ability to schedule and run different
UDD scans.
UDD Limits
UDD (as helpful as it is) is dependent upon receiving reply packets to ping request packets. That presents at
least three limits: First, devices must be powered on. Second, devices must be connected to the network.
Third, devices must not be behind a firewall (whether on the device or network). With these limitations, a more
complete and thorough discovery method can be implemented.
The CSEP implementation can eliminate the need to have multiple agent configurations for devices on
subnets. The self-election process makes it possible for each device to have the same configuration, and be
able to be a service provider, if elected.
1. In the Self-Electing Subnet services tool, the Console Administrator selects which services to enable, by
subnet.
2. The settings are set on the Core Server in the Client Self-Electing Subnet Tables. These call for the
election process by subnet.
3. Managed Clients with the Agent Setting to be elected run the services, offering one or more services if
elected.
Regardless of how the desired state of new networks is set, the Administrator can right-click on any network
listed and either enable or disable each network as desired, overriding the default setting.
Use address resolution protocol (ARP): This checkbox selects whether to discover ARP announced
devices
o Duration ARP entry stats cached (in seconds): The length of time to keep discovered devices in the
cache (default 86400 or 1 day)
o Maximum delay before pinging an unknown device for the Management Suite Agent (in
seconds): (default 3600 or 1 hour)
o Frequency the cached ARP table is refreshed (in seconds): How often discovered devices are
reported to the Core Server (default 300 seconds or 5 minutes)
Standard Management Suite Agent: Enables the Ping Discovery Service (PDS). If the standard
Management Suite Agent is installed on a device, you can schedule software distributions and device
setup configurations.
Remote control: Lets you remotely access and control a device.
Any device that is not in the database, and does not send a response packet to the ping requests will be added
to the UDD list.
There is a column in the UDD list titled “ARP Discovered”. Items found via a UDD scan populate the ARP
Discovered field with “false”, while XDD discovered devices populate the field with “true”.
XDD can be set to listen to Wireless Access Point (WAP) traffic as well. If enabled, the listener will report
wireless routers to the Core, and these routers will appear in the UDD list.
Select whether or not you want PXE service to run on a managed device on the subnet.
Select whether or not you want the agentless scanner service run on a managed device on the subnet.
Simply deploy an Agent Configuration which includes the desired Client Connectivity setting to devices not yet
managed in the Management Suite 2016 environment, or create a Change settings task to deploy the desired
agent setting to devices already managed in the Management Suite 2016 environment.
Self-Election Process
The self-election process designates one client per subnet to act as listener. If the listener is turned off or
leaves the network, another listener is elected to take-over the listener role.
The LDApi web service combines the CSEP_Elections_V with the Network ID’s from the bound adapter table
to produce a list of available subnets. This is what displays in the UI in the Console.
Potential orphaned records: Can happen when a client takes the election from a multi-homed machine but only
for one subnet. Those records will be removed during the Management Suite inventory maintenance.
The Agent Setting tool can be launched from both the Configuration and Security and Compliance menus in
Tools and the Toolbox.
Adaptive Settings:
In some environments, there may be a desire to lock-down a device or set it into a more protective mode
when the device is not located in the work-place. Adaptive Settings solves this business use-case.
An adaptive setting is basically a list of one or more rules ordered by priority. Using an adaptive settings
agent configuration, you can select multiple rules from a list of available rules.
There are various settings which can be included in an adaptive settings rule, including:
Agent health, Client connectivity, Custom variables, Distribution and patch, Endpoint Security,
Inventory Settings, Ivanti Antivirus, Other security settings, Portal Manager, Remote Control, and
Remote control.
Adaptive settings rules can have one-time actions that execute when the rule activates. You can choose
from the following one time actions:
o Apply HP’s recommended locked-down security BIOS settings: This only works on HP devices.
You will need to provide the BIOS password.
o Lock Windows session: Locks the session so the user has to log back in. The can help prevent
unauthorized access when the device leaves a secure area.
o Run security scan: Runs the security scan that you select.
Agent Health:
Settings here select whether to heal or replace the Management Suite Agent if the agent has been
removed, or if the agent settings have been altered.
o General: Sets the name of the Agent health setting, and Global behavior overrides for Autofix, and
Reboot. The Download Updates tool brings the source files for implementation.
o Components: Set which Agent Components to check for having possibly been removed or altered.
o Enforcement: Set how often to check for component having possibly been removed or altered.
o Settings: Set the desired Agent Setting to place on Agent Components which have been removed or
altered.
Client connectivity:
Here you configure connectivity for the Core Server, Cloud Services Appliance, Download settings,
Preferred server, Self-electing subnet services, Extended device discovery, and Local scheduler.
Enable Cloud Services Appliance communication: Selects whether to use a Cloud Services
Appliance. All other selections on this page are then set as active and able to be utilized.
Available CSAs to be used: Select which Cloud Service Appliance(s) to be set as active for this
Core Server.
CSA failover policy: Select whether to User ordered list as shown in the selected items field, or
whether to Use a random order for failover.
CSA connection mode: To select on the possible three options:
- Dynamically determine connection route: This selection is for devices which are
sometimes on the same network as the Core Server, and other times not.
- Connect directly to the Management Suite core: This selection is for devices which are
generally always on the same network as the Core Server.
- Connect using the Cloud Services Appliance: This selection is for devices which are
generally never on the same network as the Core Server.
o Download: Here you configure whether to block peer downloads (in Software Distribution,
Provisioning, etc.) over adapters you specify
o Preferred Server: Configure the following settings concerning the Preferred Server:
Update preferred server list from core every: To set how many Days and Hours to update the
preferred server list. This sets the maximum amount of time before a managed device will delete
the preferred server list to download and set again. (This setting populates to the Local Scheduler
the Management Suite Agent uses on the managed devices.) The preferred server list will also be
deleted if the IP address changes. (The default is once per day.)
o Self-electing subnet services: Select whether to enable the self-electing subnet services. A use case
for this option would be to disable this option for devices that are seldom connected to the corporate
network, and enable this option for devices that are usually connected to the corporate network. For
more information about self-electing subnet services, please reference “LANDESK Self Organizing
Multicast” on the Ivanti Community Website at: https://community.ivanti.com/support/docs/DOC-34266.
o Extended device discovery: Set whether to enable the listening service for eXtended Device
Discovery (XDD) and set its parameters. The suggested use is to have one device per subnet for each
subnet where XDD discovery is desired. (The device should usually be connected to the subnet and
turned on.)
o Use address resolution protocol (ARP): Selects whether to enable XDD discovery.
- Duration ARP entry stats cached (in seconds): Sets how long the listener will keep
discovered devices in its cache. The default is one (1) day.
- Maximum delay before pinging an unknown device for the Management Suite Agent (in
seconds): Sets the maximum time the Core Server will wait to send a ping request to the
Standard Management Suite Agent of the device if it is not found in the Management Suite
database.
- Frequency the cached ARP table is refreshed (in seconds): Sets the frequency the
listener will report newly discovered devices on that subnet to the Core Server. The default is
five (5) minutes. If no new devices are discovered during the time setting, no traffic is sent to
the Core Server.
- Logging Level: Sets the level (1 – Errors only, 2 – Errors and Warnings, 3 – Debug) of
logging for the XDD tool on the listener.
- Force logging level: Sets whether to enable logging.
- Give desktops preference over laptops: Selects whether to have desktops on a subnet
chosen over laptops for being an XDD listener, if multiple listeners exist on a chosen subnet.
o Use wireless access point discovery (WAP): Selects whether to enable wireless access point
discovery.
- Frequency of WAP scan in seconds: Selects the frequency the listener will scan for (and
report to the Core Server) wireless access points.
- Logging Level: Sets the level (1 – Errors only, 2 – Errors and Warnings, 3 – Debug) of
logging for the XDD tool on the listener.
- Force logging level: Sets whether to enable logging.
Frequency at which the agent polls the local registry for tasks: Sets two configuration
settings. Namely:
- General frequency: Sets how often the Local Scheduler (placed when Management Suite
Agent is deployed to the Managed Device) will look to see if it is time to launch a task. The
default is 10 seconds. This is a local check and does NOT produce network traffic.
- Bandwidth detection frequency: Sets how often to check the bandwidth being used to
download software, patch remediations, or images. This is to vary the download speed based
on available bandwidth, so as to not consume so much that other bandwidth consuming tasks
are affected too much.
Bandwidth detection method: Sets the protocol to use to check for bandwidth usage.
- Internet Control Message Protocol (ICMP) can sense slow (Modem), medium (WAN), and fast
(LAN) speeds. (This is why it is the default selection.)
- Ping Discovery Service (PDS) can only sense slow and fast speeds.
Bandwidth detection LAN threshold: Sets the threshold between medium and fast speed (for
the ICMP setting).
Compliance:
Settings here set the Compliance settings within the Scan and Repair settings which Vulscan.exe will use
when scanning the Compliance group.
HP:
Opens ability for three (3) different settings on Hewlett Packard managed devices.
o HP BIOS settings: Set the name, and perform the steps to set the HP BIOS feature.
o HP Remote Secure Erase: HP Remote Secure Erase (RSE) lets you remotely and securely erase
stored data on HP ElitePads. This function erases and overwrites all data on the device. This prevents
recovery utilities from “undeleting” data.
o HP software policies: Here you set HP Power Assistant settings that can be deployed to HP devices.
Set the setting name and options to use for the HP software policies feature. This is similar to the
Power Management feature available in Management Suite 2016 except this is for HP managed
devices only.
Inventory Settings:
Here you configure settings for the Inventory scanner LDINV32.exe.
o General settings: The page offers the following settings:
Name: Set the name of the inventory setting.
o Scanner settings: Here you select the following Inventory scanner settings:
Send All Executed Files: Select whether or not to include all executed files (kept track in the
registry of the managed device) as a part of the inventory scan. (The default is to enable this
setting.)
Send File Usage Data: Select whether or not to include file usage date (kept track in the registry
of the managed device) as a part of the inventory scan. (The default is to enable this setting.)
Force Exhaustive File Scan (NOT Recommended): Select whether or not to include in the
inventory scan all file extensions. This results in lengthy scans and very large inventory files, and
is not recommended. (The default is to not enable this setting.)
Auto-update LDAppl File: Select whether or not to have files run on managed devices added to
the Master Software List on the Core Server, if the files are not currently there. Items added
through enabling this feature can be seen in the Files > To be scanned section of the Manage
Software List tool. The use case of this feature is to find software which has been installed onto
managed devices but not yet executed, when just one device somewhere in the enterprise has
installed and run the software (and reports because of selecting the Send All Executed Files
feature mentioned above. (The default is to enable this setting.)
Do Not Send Logon/Lock Event Dates: Select whether or not to report as a part of the inventory
scan the Operating System logon/lock event data. Some have privacy concerns and do not want
this data stored. (The default is to not enable this setting.)
Post To Web Service: Select whether have managed devices send results of inventory scans to
the new web service running on the Core Server. Selecting this option sends the results of the
scan to the Web Service, whereas NOT selecting the option sends the results of the scan using
TCP port 5007 (the legacy method).
Change History Storage (days): When the inventory scanner runs it creates a file containing
changes since the last scan stored as:
Program Files (x86)\LANDesk\LDClient\Data\ invdelta.dat.
The scanner sends this delta file as a scan to the Core Server. The inventory scanner also uses
the InvDelta.dat file to create a change log on each managed device. The changes log is saved in
XML format on each managed device in the LDClient\Data\changeslog.xml file. The Change
o Software Usage Monitoring: Here you select software monitor settings, including:
Use software monitor: Select whether or not to have the LANDESK(R) Software Monitoring
Service (Softmon.exe) run on the managed device to gather data on executable files run, and the
accompanying usage data, store it in the local registry, and include that information as a part of
the inventory scan.
Record software usage statistics to a network location: Select whether to have Softmon.exe
store executable and usage information to a network share rather than to the registry. This is to
capture usage information on non-persistent Virtual Desktop Infrastructure (VDI) devices, since
starting VDI devices wipes any previous registry data.
UNC path where software monitor data files will be stored: Set the UNC location
Domain and user name: Enter the Domain\User with write rights to the UNC location.
Password: Enter the password for the user in the Domain and user name field above.
Confirm Password: Enter the password again, to confirm, for the user in the Domain and
user name field above.
o Schedule: Set in the Local Scheduler added as a part of the Management Suite Agent when to have
the inventory scan occur on each managed device with this inventory setting.
When user logs in: Select whether to have the inventory scan occur each time a user logs in to
the managed device. The Max random delay field sets the maximum time to wait before sending
the scan, for randomization purposes. (The default does not select this setting.)
When IP address changes: Select whether to have the Inventory Miniscan (Miniscan.exe) run
when the IP Address Filter is tripped. The miniscan will capture IP Address information to update
the Management Suite database. Miniscans go to the front of the line to process immediately so
the database is corrected shortly after the IP Address Filter has been tripped. (The default selects
this setting.)
Use recurring schedule: Select whether to have the Inventory Scan regularly run on the
managed device. This is to periodically get a scan from every managed device in the enterprise, to
keep the Inventory Database accurate. (The default selects this setting of once each day, with up
to a 1 hour delay.)
Mobility – Mobile Compliance: Sets rules concerning mobility compliance and Email configuration.
o Compliance: Sets criteria for Jailbreak/Rooted, Geofence, and OS Version.
o Email Config: Sets The SMTP Server, Account, Port, and Password settings for compliance settings
that are violated to send emails.
Mobility – Exchange/Office 365: Sets synchronization settings mobility devices will use to send and
receive emails via the Exchange Server by locally using Office 365.
o General: Sets the name of the setting and whether or not it is the default setting.
o Exchange/Office 365: Sets how mobile managed devices synchronize to Exchange™ Server using
Office 365™.
Enable Exchange/Office 365 settings: Select whether or not to enable or not.
Account name: Sets the account the mobile users will use.
Server address: Sets the name of the Exchange Server.
Allow user to move messages from this account: Sets whether or not to use this feature.
Portal manager:
Create setting to deploy to managed devices as a Portal manager setting. On the managed device the
Portal Manager lists the available applications, documents, and links available to the managed device.
o General: This page lets you select the following:
Name: Set the name of the Portal Manager setting.
Allow resize: Select whether to allow the end-user to resize the Portal Manager on the managed
device.
Allow close: Select whether to allow the end-user to close the Portal Manager on the managed
device.
Launch maximized: Select whether to launch the Portal Manager on the managed device as a
maximized window.
Set as default: Select whether to have this setting as the default when deploying the
Management Suite Agent.
Default display option View: Select whether the Portal Manager will show available applications,
documents, and links, in List, Small icons, or Large icons form.
Available types: Select whether to list Apps, Docs, and/or Links in the Portal Manager on the
managed devices.
o Applications: Select whether to show the LaunchPad, and/or Task History in to Portal Manager on
the managed devices.
o Branding: Select options here concerning how you want the Portal Manager to look on the managed
devices.
Application title: Type the title as you want it to appear in the Portal Manager.
Choose title color: Select the color you want the text in the title to appear in the Portal Manager.
Taskbar icon: Select the icon you want in the taskbar in the Portal Manager.
Corporate logo: Select the logo you want in the taskbar in the Portal Manager. (The optimum
size is 135 X 52 pixels.)
Power Management – Mac Power management settings: Sets parameters for Macintosh devices with
power management.
o General setting: Set the following options:
Policy name: Set the name of the policy.
Policy description: Set a description of the policy.
Battery tab: Set when on battery power to: have the computer sleep, the display sleep, whether to
put hard disks to sleep when possible, slightly dim the display while on battery power, and whether
to enable the Power Nap setting (for solid state disks).
Power Adapter tab: Set when on power adapter to: have the computer sleep, the display sleep,
whether to put hard disks to sleep when possible, whether to wake for network access, whether to
allow the power button to put the computer to sleep (for OS X pre 10.9), whether to start up
automatically after a power failure, and whether to enable the Power Nap setting (for solid state
disks).
o Schedule: Set whether to schedule Startup or wake, sleep, restart, or shut down.
Power Management – Power management settings: Sets parameters for Windows devices with power
management.
o Power configuration: Set the following options:
Policy name: Set the name of the policy.
Policy description: Set a description of the policy.
Power scheme settings: Add to a power scheme, which can be deployed, settings to: hibernate,
standby, turn on, turn off, and alert.
o Options: Set whether to: disable the screen saver, whether to enable local wakeup, set process-
sensitive triggers (to not have the device use power management settings if certain applications are
running), whether to enable usage monitor, whether to enforce ending a process before going into a
power management mode, how power buttons act (including: when the power button is pressed, when
the sleep button is pressed, and when the lid is closed), whether to enable CPU throttling (including: if
plugged in, or on battery).
Reboot settings:
Here you set reboot settings for when deploying the Management Suite Agent, installing Software
Distribution Packages, and installing Patch Remediations.
o General: Set the following parameters in the General page:
Name: Set the name of Reboot setting.
When deciding whether a reboot is needed: Allows you to select one (1) of next three (3)
settings:
Remote control:
Set configuration settings to apply as a Remote Control setting on managed devices.
o General settings: On this page, you can set and select the following:
Name: Type the desired name of the Remote Control setting.
Allow HTML access: Select whether to install the HTML access remote control on the managed
devices.
Allow legacy remote access: Select whether to install the legacy remote access remote control
on the managed devices.
Allow: Select whether to allow the following:
- Remote control: Select whether to be able to view the screen and interact using keyboard
and mouse on the remote device.
- Draw: Select whether to be able to use the draw feature on the remote device. (This requires
remote control to be selected.)
- View only: View the screen but not have keyboard and mouse functionality on the remote
device. (This requires remote control to be selected.)
- Restart: Select whether to be able to remotely restart the remote device.
- Run programs on remote device: Select whether to be able to run programs (launch
applications) on the remote device.
- Run as administrator: Select whether to run programs launched during the remote session
as administrator.
- File transfer: Select whether to be able to transfer files to or from the remote device during
the remote session.
Set as default: Select whether to have this setting as the default when deploying the
Management Suite Agent.
o Indicator settings: On this page, you can select the following remote control indicators:
Floating desktop icon: Select whether to display an icon on the desktop of the managed device.
- Only visible during remote control: The display icon will appear on the background of the
remote desktop only during the remote control session, giving the end user visible
confirmation when someone is viewing them.
- Always visible: The display icon will appear on the background of the remote desktop when
the LANDESK Remote Control Service is running on the managed device. The end-user
will not know when someone is viewing them, or not.
System tray icon: Select whether to display an icon in the system tray on the managed device.
o Security:
Security opens access to create settings for Endpoint Security (for Application Control, Application
File Lists, Device Control, LANDESK Firewall), Ivanti Antivirus, Ivanti antivirus – Mac, Ivanti
Antivirus Legacy, Other security settings, and Windows Firewall. These will not be addressed in detail
here. To see more on these settings, please refer to the modules dealing with security.
Agent Configurations
Management Suite uses Agent Configurations that you create to deploy agents (and associated preferences
and configurations) to Managed Devices. Once Devices have Management Suite Agents on them, you can
easily update Agent Configurations.
Management Suite version 2016 provides nine Agent Configuration types, including:
New Windows agent configuration – for Windows workstations
New Windows Server agent configuration – for Windows servers
New Windows Embedded Standard agent configuration – for embedded devices
New Mac agent configuration
New Linux agent configuration
New HPUX agent configuration
New Solaris agent configuration
New HP ThinPro Linux agent configuration
New AIX agent configuration
Management Suite supports various operating systems to provide vast cross-platform support. Each operating
system can have one default configuration. The default configuration cannot be deleted, but it can be edited.
(The default configurations have a green checkmark.) It is recommended that a configuration be created for
each different client requirement, while not creating more than are needed, as this makes support and
troubleshooting more complex and time-consuming.
Creating an Agent Configuration (or using the default configuration) involves considerable planning and testing.
It is best to deploy the correct configuration the first time, although the agent can be reconfigured and
redeployed again if necessary. With agent settings, you can deploy small pieces of an agent configuration
rather than deploying a complete agent again.
Security and Patch Scanner - The security and patch scanner agent is installed by default with the
standard Management Suite Agent. You can configure security scans to determine how and when the
security scanner runs on managed devices and whether to show progress and interactive options to the
end user. (The security scanner allows you to check for Ivanti updates on devices and core servers
even if you don't have an Ivanti Security Suite content subscription. With a Security Suite subscription,
you can take full advantage of the security scanner's capability to scan for and remediate known
vulnerabilities, spyware, unauthorized applications, and other potential security risks.)
Inventory Scanner – The inventory scan is scheduled by default with the standard Management Suite
Agent. You can configure the frequency of inventory scans in the Agent Configuration.
The Ivanti Community has a variety of Agent Configuration and Deployment documents and videos. To access
them, go to the “Management Suite Agent Deployment Landing Page” located at:
http://community.ivanti.com/support/docs/DOC-23482.
Videos
o Agent Installation Methods
o Agent Configuration
o Management Suite 9 Fundamentals Agent Configuration
o Agent Deployment via Login Script
o Agent Deployment via WSCFG32.
Documents
o How to Create an Advance Agent
o Documentation for Agent Configuration and Deployment (Best Known Method for LANDESK 9)
o Troubleshooting Agent Installs
o Advance Agent Install process and troubleshooting tips
o Why can’t I install the Advance Agent over itself on a client
o UninstallWinClinet.exe may not run correctly on Windows 7 under UAC
o How to completely remove LANDESK from a remote console or client device
o Customizing the Management Suite Agent using the NTSTACFG.IN# file
o How to uninstall the Management Suite Agent on Windows Platforms
o How to uninstall the Management Suite Agent on Macintosh Platforms
Before deploying agents, be sure to reference “Best Known Methods Agent Config & Deploy.pdf on the Ivanti
User Community Web site at: http://community.ivanti.com/support/docs/DOC-7474.
Important
When creating Agent Configurations in mixed-language environments, make sure the Agent
Configuration name uses only ASCII characters (English character set). An English core server is
compatible with clients using all supported languages.
You can create different configurations for a group’s specific needs. For example, you could create
configurations ideal for servers, as opposed to workstations, (such as when Patch scanning occurs or reboots
after applying patches), or for hierarchical needs (such as if remote control requires permission or not).
To Create an Agent Configuration to push to devices, you have the following options:
Default Agent Configuration: Modify one of the default Agent Configurations for each of the supported
operating systems. Default agents are used as a template for creating, for example, multiple Windows
OS Agents.
Create a New Agent Configuration: Create a new Agent Configuration for your devices.
Client connectivity – The client connectivity page offers options to edit, configure, and select the desired
client connectivity agent setting.
Inventory settings – The inventory settings page offers options to edit, configure, and select the desired
inventory agent setting.
Alerting – The alerting page offers options to add or remove alert rulesets.
Reboot settings – The reboot settings page offers options to edit, configure, and select, the desired reboot
settings. This setting will designate how to handle a reboot after the Install/uninstall of a software
distribution package or install/uninstall of a patch, IF they require a reboot.
Custom data forms – The custom data forms page offers whether to manually or automatically launch the
update of custom forms, and when to display the forms to the end user. The forms sent with agent page is
used to assign the forms to send as a part of the agent configuration.
Distribution and Patch – The distribution and patch page offers options to edit, configure, and select the
desired distribution and patch agent setting.
Portal manager – The portal manager page offers options to edit, configure, and select the desired portal
manager agent setting. It also offers selection boxes for adding portal manager to:
o LANDESK Program Group
o Windows Desktop
o Windows Start menu
o Run Portal Manager when the user logs on
Workspaces – The workspaces page offers a selection box for adding workspaces to the Management
Suite program group when the agent is installed.
Security and compliance – The Security and compliance page gives access to Custom variables, Ivanti
Antivirus, Windows Firewall, Endpoint security, Agent watcher, and Other security pages with their
accompanying selections.
The Agent Settings tool provides a single location to manage (create or modify) configurations to various
components and services. This facilitates scheduling deployment tasks to apply newly created configurations,
as well as modified settings, without redeploying the entire agent to managed devices.
The Agent Setting tool can be launched from both the Configuration and Security and Compliance menus in
Tools and the Toolbox.
For more information on the agent settings tool, please see the Agent Settings Tool section.
Prior to creating and deploying a Management Suite Agent, a decision should be made as to whether
the Remote Control will use the Federal Information Processing Standard 140-2 mode.
This means Agents deployed prior to enabling FIPS 140-2 will no longer be able to be managed until a new
Management Suite Agent is deployed. All scheduled tasks, remote control sessions, etc. will not be possible
until a new Management Suite Agent (with a new public FIPS 140-2 compliant SSL certificate) is deployed.
When you enable FIPS 140-2, the Core Server rebuilds all Management Suite Agent configurations so that
they include a new FIPS 140-2 compliant SSL public security certificate. These new Agent configurations can
be deployed. (You can copy the backed up LANDESK_<number>.key file back to the KEYS directory to have
communication between the devices use the old key for the Agent deployment task. Then you can remove the
old .KEY file when all Agents have been redeployed.)
The Best Known Method (BKM) if you are going to implement FIPS 140-2, recommends that you enable FIPS
140-2 at the beginning of the deployment process, and then send an agent just once to devices to be
managed.
If you disable FIPS 140-2 after enabling it, and later re-enable FIPS 140-2, the core will reuse the certificate
you created the first time you enabled FIPS 140-2. In this case you wouldn't have to redeploy agent
configurations a second time.
NOTE: If FIPS 140-2 is enabled on a Core Server, EACH Cloud Services Appliance for that Core Server must
be configured to use FIPS 140-2 mode.
The Advance Agent uses two files to install the Agent. The first file is a small .MSI package, which launches an
HTTPCopy utility to pull the Agent. When this file runs on a managed device, it downloads and runs the
Advance Agent service on the Device. The HTTPCopy utility uses bandwidth throttling, configured earlier, to
download the Management Suite Agent, (which in this case is the LDClass Windows Server Agent
Configuration application file). The size of the file varies depending on the Management Suite tools included in
the agent configuration. In the Advance Agent Configuration dialog, you can configure what bandwidth-friendly
distribution options the MSI will use for the full agent configuration download.
The advance agent works independently from the core server once it starts downloading the full agent
configuration. If a device disconnects from the network before the agent configuration finishes downloading,
the advance agent will automatically resume the download once the device is back on the network.
When you create an Advance Agent Configuration, it takes a few seconds for the console to create the full
agent configuration package. The console places the advance agent package (<configuration name>.msi) and
the newly-created full agent configuration package (<configuration name>.exe) in the core server's
LDLogon\AdvanceAgent folder. The file names are based on the agent configuration name.
Once you've created an Advance Agent Configuration package, you need to run the MSI portion on devices by
scheduling the Advance Agent Install or invoking the .MSI file via Group Policy Object (GPO).
Once you deploy the advance agent to devices, the advance agent starts downloading the associated agent
configuration. The agent runs silently on the managed device, without showing any dialogs or status updates.
The advance agent uses the bandwidth preferences you specified in the Advance agent configuration dialog,
such as Peer Download and dynamic bandwidth throttling.
2. The Advance agent configurations dialog lists the agent configurations in the LDLogon\AdvanceAgent
folder. Click the configuration you want to distribute and click OK.
3. The Scheduled tasks window opens with the advance agent task you created selected. The task name is
"Advance agent <your configuration name>".
\\<CoreServerName or IP Address>\ldlogon\wscfg32.exe
Running wscfg32.exe will install the default Agent Configuration. If there is a need to install or update a non-
default agent use the /c command line switch (/c[onfig]=Path to the installation script (ini) file). For a list of
command line options available for wscfg32.exe, see the document “WSCFG.EXE (agent installation utility) –
Command Line switches” on the community web site at: http://community.ivanti.com/support/docs/DOC-1102.
1. Open the Agent Deployment tool in the Console (Tools > Configuration > Agent Configuration).
2. Right-click on the Configuration you wish to deploy, and click Schedule agent deployment.
3. Drag devices from UDD, or from the inventory list, or device groups, queries, or LDAP, and drop them
onto the scheduled task.
4. Start the task.
Note: in order for the Agent to deploy to the managed device, the Scheduler must be configured to use an
Administrative account, as directed in the Getting Started wizard.
NOTE: If a self-contained client installation package has been created, and after that, the Agent Configuration
is modified, the self-contained client installation package (<filename>.exe) must be deleted, recreated, and re-
copied to all destinations from which it is run.
Running this program won't remove a device from the Core Database. If you redeploy agents to a device that
ran this program, it will be stored in the database as a new device.
Mobility Management
Management Suite 2016 includes ability to manage iOS™ and Android™ mobile devices. Each purchased
license to manage a non-mobile device in Management Suite includes two licenses to manage mobile devices.
Setup
The Mobility Device Manager (MDM) server was separate from the Core Server in previous versions of
Management Suite. In Management Suite 2016 the MDM is now on the Core Server. The Mobile Device
Management wizard helps you configure the core server as the MDM. To manage the mobile device in
Management Suite 2016, a Cloud Services Appliance (CSA) must be used. The mobile devices send inventory
and receive policy updates via communication to the CSA, which relays information and communication to the
Core Server.
Management Suite 2016 provides a wizard to set up the Core Server as the MDM. It walks you through:
Setting up communication with the Cloud Services Appliance and Mobility.
Configuring the Light-weight Directory Access Protocol (LDAP) server communication so users can enroll
with their domain credentials.
Configuring Google Cloud Messaging (GCM) for communication with Android devices.
Configuring Apple Push Notification Service (APNS) for communication with Apple iOS devices.
For more information on setting up the MDM on the Core Server, see “Getting Started with Mobility LANDESK
Management Suite 2016” go to: https://community.ivanti.com/docs/DOC-39855.)
Mobility settings
Mobility settings are configured in the Agent settings tool. In Agent settings > Mobility > Security, you find
options to enable passcode settings, including setting complexity requirements which set a minimum password
length as well as setting a policy for locking the screen after a set amount of time, and setting the maximum
number of failed password attempts before wiping the device. Configuration settings will vary depending on
whether interfacing with an iOS device or an Android device.
In Agent settings > Mobility > Mobile Connectivity, you can configure enabling certificate settings, as well
as how mobile devices can connect via Wi-Fi. Setting are available to configure authentication, as well and
protocols to use as well as trusted certificates for iOS devices.
In Agent settings > Mobility > Exchange / Office 365, you can configure activity with iOS devices from the
Exchange server. This includes interfacing via an account name to a select server, whether to use the email
address from Active Directory to log in, and the number of past days of mail to synchronize.
There is a hands-on exercise for building a software package for mobile devices.
Agent Health
Agent Health is a method to ensure that the Management Suite agent running properly on installed Windows
client systems. It is designed to put the Management Suite agent back to a working state if it is not in a working
state. It is the answer to questions like:
How do I ensure agents are running properly?
How do I invoke self-healing on damaged agents?
How do I reduce the need to reinstall agents?
1. Core Server downloads LANDESK 10.0 Agent Health vulnerability definitions and remediations using the
Download Updates tool.
2. Create an Agent Health agent setting which can be used by managed devices.
3. Schedule the Agent Health agent setting to be copied to managed devices.
4. Client periodically runs Vulscan.exe to apply the Agent Health setting on managed devices.
Once Agent Health vulnerability definitions are downloaded, they are listed in the Patch and Compliance tool,
in the Predefined groups section.
The vulnerability definitions will only detect and repair the agent if the version matches the core server version.
Previous version definitions cannot restore the Management Suite Agent.
The general page allows you to name the agent health setting. You can set global behavior overrides for
autofix, and reboot. You can also optionally designate the setting to be the default.
The component column identifies the agent component. The install state column designates how to treat the
component. Install state options include:
Do nothing: Leave the component as is, whether it is installed or not.
Install: Make sure the component is installed and stays installed.
Remove: Removes the component if it is installed. This deactivates the component on the managed device
without deleting the files associated with the component. (The remove option is NOT available for the Base
agent component.)
The top section is where you designate the vulnerability definition group to use to apply agent health. You can
click the checkbox to “automatically remediate any issues found after scanning”, which will immediately act
upon the managed device to apply the agent health, if needed, at the time of the scan.
The bottom section is where you set the schedule Vulscan.exe will use to implement agent health.
The Settings page lets you select the agent setting to apply to the specific components.
Items populate on the settings page based upon what is set to install on the components page. (If nothing
appears then nothing is set to install.)
Set the desired agent setting for the desired component. You can edit and configure agent settings from here.
Schedule the Change Setting to apply the Agent Health on the managed device
In order for Agent Health to repair a managed device, Vulscan.exe needs to run and the vulnerability definition
for Agent Health must be included in the scan.
Agent Watcher
Agent watcher is a tool to ensure that the Management Suite agent is installed and running properly on
managed devices. If something goes wrong, agent watcher will act to get the device back to a working state.
Note
Best Known Methods suggest using LANDESK 10.1 Agent Health to restore the Management
Suite Agent on a managed device. Agent Health has proven to be more effective in repairing the
Management Suite Agent.
If a device needs to be made healthy, Vulscan.exe runs a set of LANDESK definitions and remediates the
client so the agent is restored to a working state on the managed device.
Agent Watcher settings determine which files and services are monitored and how often. You can also select
whether the utility will remain resident on the managed device.
To create Agent Watcher settings, click the Agent watcher settings icon on the Agent Configuration tool.
This opens a Setting List, where created Agent Watcher settings are listed. If the desired choice is not there,
or if you want to create a new setting, click New. That opens the Agent watcher settings window.
When configuring Agent Watcher settings, do NOT select services you do not intend to install on target
devices. Otherwise the core server will receive alerts for services purposely not being installed.
When the Scheduler service is used for a push distribution, the C$ share is used by elevating rights via a
running service. If the push fails, try to map a drive from the Core Server to the managed device using the C$
share using the password set in the Alternate credentials portion of the Change Login window of Scheduler
tab in Configure Services.
Management Suite best known methods suggest using LANDESK 10.0 Agent Health to restore the
Management Suite Agent on a managed device. Agent Health has proven more effective in repairing the
Management Suite Agent.
2. What additional steps does the Management Suite Administrator need to complete when Client Certificate-
based Security is enabled in Management Suite 2016? Where does the Administrator complete these
actions?
3. Where are Client-side Certificates stored on the managed device? When and how are they generated?
4. What are Self-Electing Subnet Services, what technologies are supported, and what impact does this have
in the Management Suite enterprise?
5. How are new networks added into the Self-electing subnet services tool, and how do you set the desired
state of self-electing subnet services on newly added networks?
6. Which agent setting configures the settings for managed devices concerning self-electing subnet services?
7. What is Agent Health, and how is it implemented (downloaded, updated, and configured) in Management
Suite 2016?
8. What mobile device operating systems does Management Suite 2016 support with mobility management?
9. Which server is the Mobile Device Management (MDM) server in the Management Suite 2016
environment, and how is it set up?
Factor in the time it takes to resolve an issue where the helpdesk technician leaves his or her desk, goes to the
end-user’s location, physically sits down at the end-user’s device and fixes the issue, and then has to go back
to his or her desk. (Not to mention that while the helpdesk technician attempts to return to his or her desk, the
entire route is a series of detours which begin with the dreaded phrase, “Oh, while you’re here, this has been
happening on my PC . . .”) Such is a common theme in the daily life of a helpdesk technician.
Remote Control is an ideal way to resolve end-user issues in an immediate, direct, timely, and efficient
manner. One such company estimated that they were able to answer nine (9) times the helpdesk calls with the
implementation of Management Suite. (And the tool most often used in that month of data keeping was
Remote Control.)
An additional benefit of Remote Control is it provides the helpdesk technician the ability to teach the end-user
how to resolve the issue, eliminating the need to call the helpdesk again, should that issue recur. (Remember
the saying, “If you hand a man a fish, you feed him for a day; but if you teach him to fish, you feed him for a
lifetime.”)
To allow a user to launch Remote Control, that user needs to be granted Management Suite Console access,
and must be given specific Remote Control rights. The minimum rights that must be granted a user to user the
Remote Control tool are the Remote control View and Edit rights. To allow a user to utilize other Remote
Control features (Chat, Execute programs, Reboot, and Transfer files) corresponding Edit rights must be
In addition to granting a user Remote Control rights is the ability to limit Remote Control access to specific
hours of the day. This can be done in the User Management tool, where access and rights are granted by
selecting RC time restrictions and making settings there.
In addition to the Console and remote device having the software required, the following must be in place:
The person using Remote Control must have Remote Control rights granted to their LANDESK user
account
HTML 5 Remote Control can occur on any HTML5 compatible browser, including:
Windows PC: Chrome, Firefox, Internet Explorer version 9 or later, Safari, and Opera
Macintosh OS X: Safari, Chrome, Firefox
iOS and Android mobile devices
Linux: Default browsers for Gnome and KDE
When compared to classic Remote Control, HTML Remote Control uses more bandwidth, as well as more
CPU. If using HTML Remote Control over a slower link, it is recommended that you implement performance
settings. (See the Performance Settings in the HTML toolbar.)
After updating an agent to include HTML Remote Control, an updated inventory scan must be received in order
to initiate HTML Remote Control. As additional ability of HTML Remote Control is the ability to allow multiple
viewers to view the same managed device.
In order to enable HTML remote control on the managed device, the remote control setting deployed to the
device must be set to allow HTML access. This is selected by checking the Allow HTML access checkbox on
the General settings page of the Remote control settings.
An HTML Browser: Open a browser and enter the URL https://<device names or IP address>:4343
Note: A video on using HTML5 Remote Control in Management Suite can be viewed at:
https://www.youtube.com/watch?v=8hMmg4rUCng
Since there is no console installation, and HTML 5 remote control can be initiated from various devices,
security must be assured. So when HTML 5 remote control is initiated, a screen prompts for security
identification prior to allowing the remote session to connect.
Keyboard: If remote controlling in from a device which does not have a keyboard, such as a tablet or
phone, the keyboard key toggles on a keyboard to bring ability to press keys to pass to the remote device.
The ctrl-alt-del key is in the upper left corner. The Ctrl, Alt, and Shift keys are sticky, and will remain
clicked until clicked again. (When the key is active, it will turn a darker shade of gray.) If the remote
controlling device is a device with its own keyboard, the keyboard key toggles on keys to use at the top,
above the screen. The Windows key and Function keys are made available, amongst other keys.
Screenshot: This hits [Print Screen] and allows you open or save the .png file to device initiating remote
control.
Monitors: This enables the ability to view multiple monitors one at a time, or as a whole (if the remote
device has multiple monitors). The multiple monitors thumbnail views let more easily choose which monitor
to view.
Tools: This brings up tools to Remote Execute, File Transfer, Restart, or Chat.
One way is using the Agent settings tool. To open the Agent settings tool in the Management Suite Console,
click Tools > Configuration > Agent settings > Remote Control.
Another way is to configure the setting in the Agent configuration tool. To open the Agent configuration tool in
the Management Suite Console, click Tools > Configuration > Agent configuration. Once in the tool, open
an Agent configuration, click Remote control, and click [Configure]. The Configure remote control setting
window opens with options to create a new remote control configuration (by clicking [New]) or edit an existing
configuration (by clicking [Edit]).
You are then presented with options for General settings, Indicator settings, Permission settings, Security
settings, and Session settings.
Remote control:
Set configuration settings to apply as a Remote Control setting on managed devices.
o General settings: On this page, you can set and select the following:
- Only visible during remote control: The display icon will appear on the screen of the
remote desktop only during the remote control session, giving the end user visible
confirmation when someone is viewing them. When the session is ended the icon will
disappear.
- Always visible: The listening ear display icon will appear on the background of the
remote desktop when the LANDESK Remote Control Service (ISSUSER.EXE) is running
on the managed device, and the device is NOT being remotely controlled. When the remote
control session is started, the listening ear icon is replaced with a remote control icon.
That icon will remain until the remote control session ends, at which point the icon will change
back to the listening ear icon.
System tray icon: Select whether to display an icon in the system tray on the managed device.
- Only visible during remote control: The display yellow highlighted remote control icon
will appear on the system tray of the remote desktop only during the remote control session,
giving the end user visible confirmation when someone is viewing them.
- Always visible: If selected, the remote control icon with a person appears in the system
tray when the LANDESK Remote Control Service (ISSUSER.EXE) is running on the
managed device, and the device is NOT being remotely controlled. When the remote control
session is started, the remote control icon with a person is replaced with a remote control the
icon surrounded in yellow. That icon will remain until the remote control session ends, at
which point the icon will change back to the remote control icon with a person.
o Permission settings: Select the following permission settings for the Remote Control setting:
o Local template (least secure): Select to grant ability to any person initiating a remote control
viewer to initiate a remote control session. Any of the settings granted on the General settings
page will be able to be utilized during the remote control session. This setting does not verify if the
user is a member of a specific group, has the remote control viewer from a specific Core Server,
or any other verification of security. Hence it is the least secure setting.
o Windows NT security / local template: Select to limit the person initiating a remote control
session to be a member of the Remote Control Operators group, which is installed on the
managed device when the remote control setting is placed on the managed device. Members of
the Remote control operator groups can view and interface using the keyboard and mouse
during the remote control session. Member of the View only group can only view the display
during the remote control session. Use the [Add] and [Remove] buttons to add members to the
two groups.
Smart Card Required: Selects whether to require a hardware SmartCard reader on the
device initiating remote control sessions. When a remote device’s agent requires SmartCard
for remote control, the session will not start unless a SmartCard is inserted and the
SmartCard PIN is provided. The SmartCard user must also be in the Remote Control
Operators or View Only group.
SmartCard security only works on Windows 7 or newer devices. SmartCard authentication
also requires the Windows remote control viewer application. HTML remote control does not
support SmartCard authentication.
1. Remote Control Viewer from the Console contacts the Core Server, and the SSL public key on the
Console device proves a match with the private SSL key on the Core Server, and that the User has
Remote Control Rights, and passes the IP Name (or IP Address) of the device to be Remotely
Controlled.
2. Core Server validates the IP Name and IP Address in the database.
a. If the IP Name passed resolves (via DNS) to the same IP Address listed in the database, the
Remote Control process continues.
b. If the IP Name passed does NOT resolve to the same IP Address listed in the database, a
message is sent to the Console User stating the Name and Address do not resolve the same,
and if the Remote Control process is to continue, to click and continue the process. (In this case,
IP Address in the database is the device contacted by the Core Server to continue the Remote
Control process.)
3. The Core Server proves a match with its private SSL key to the public SSL key on the Managed
Device and passes a token (16-byte code generated at random, with a 30-second life) to the Managed
Device.
4. The Core Server passes the same 16-byte token to the Remote Control Viewer.
5. The Console uses the Remote Control Viewer and generated token to Remote Control the Managed
Device.
The three-legged communication is required because the Core Server is the only device with the
Private SSL key. The Console only has the Public SSL key. If the Core Server happens to be down,
o Session settings: On this page, you can select the following remote control session settings:
o Lock the remote computer when session ends: Select to lock the managed device to a secure
mode once the remote control session ends.
o Terminate remote access if the user logs out or locks the machine: Select to automatically
end the remote control session if the end user logs out or locks the managed device.
o Allow the end user to terminate the session: Select to allow the end user on the managed
device to access end the Remote Control session. The end user can access the remote control
desktop icon or the remote control system tray icon to stop the active remote control session. If
this option is not selected, the end user of the managed device cannot stop and active session
through either icon.
o Close inactive session after: Sets the time period to automatically end the remote control
session of there is no keyboard or mouse activity. Set the time to 0 to disable this feature.
With the Remote Control tool installed, the Remote Control session can now be initiated. In the Add or Remove
Programs view you will then find the “LANDESK® Software Remote Control Console”.
4. If the browser is set to not allow execution or installation of add-ons, the browser will indicate the
“LANDESK® Software Remote Control Console” must be installed.
6. When the Security Warning window asks if you want to install the software, click [Install].
7. The installation occurs and Remote Control initiates. Now that the Management Suite Remote Control
Console is installed, it will be reflected in Add or Remove Programs.
Allow Autoscroll
When the Viewer connects with the remote device, the screen is automatically sized into the Viewer window. In
many cases, this is the desired effect. But, if the remote side screen has multiple monitors, and a setting that
has a much larger aspect ratio than that of the Viewer side, seeing the remote screen on the Viewer side is not
feasible. So in those cases, switch off the autosize feature, and use the Autoscroll feature.
This feature is a toggle, which can be enabled and disabled (By using “CTRL-Alt-K” or by checking the box).
When the remote control session ends control will automatically be granted back to the remote side end-user.
Note that special key combinations in Windows such as “CTRL-ALT-DEL” or the “Windows-Key+L” are not
locked out.
It is recommended that Viewer side user warn the remote side user that the screen is going to blank-out, so the
remote side user does not power off the remote device, or some such action that would be counter-productive.
Always ask to Clear Remote Computer’s Screen when Starting Remote Control
This feature works along with the Hide the remote computer screen. This feature will blank the remote side
screen display when the remote control session is established. If user permission is required prior to
establishing the remote control session, permission will be asked, and when the remote side user clicks [OK],
the screen will then go blank.
Keyboard Mapping
Keyboard mapping is a feature of Remote Control that enables multiple language support. For example, the
Spanish keyboard has the ñ key, which corresponds to the : (colon) key on the English keyboard. If the remote
end user, with a Spanish OS presses the ñ key, the ñ is entered on the device and appears on the screen. If
the Viewer side user, with an English OS presses the : key, the : is entered on the remote device and appears
on the remote screen. (Prior to keyboard mapping feature, the Viewer side user would press : and the ñ would
appear on the remote side device, which made searching the internet difficult . . . httpñ// does not search well
in a browser.)
The technology that enables this feature is built into the Remote Control Viewer and the Remote Control
Agent. The Remote Control Viewer translates the keystrokes to Unicode and transfers the Unicode characters.
The Remote Control Agent translates the Unicode characters back to keystrokes based on the remote device’s
keyboard mapping table (which is based on the local language setting of the operating system).
The benefit of keyboard mapping is that it automates Remote Control for mixed language environments and
requires no interaction from the end user.
Command-line options are launched from the C:\Program Files\LANDesk\ManagementSuite directory. The
command-line options use the following syntax:
To create a shortcut to use the Remote Control Viewer, initiating only Remote Control, on a device that you
choose by entering the hostname or IP Address uses the following syntax:
Example 1: To open a Remote Control window from a Core Server named “LDCore”. This will ask you to enter
the hostname or IP Address of an end-user device of your choice.
Example 2: To open a Remote Control window on an end-user device named “LDWin7”, from a Core Server
named “LDCore”.
Example 3: To open a Remote Control and chat session connecting to a device named “LDWin7” from a Core
Server named “LDCore”. If this fails, an attempt will be made to connect to the IP Address 10.20.30.40:
This means Agents deployed prior to enabling FIPS 140-2 will no longer be able to be managed until a new
Management Suite Agent is deployed. All scheduled tasks, remote control sessions, etc. will not be possible
until a new Management Suite Agent (with a new public FIPS 140-2 compliant SSL certificate) is deployed.
When you enable FIPS 140-2, the Core Server rebuilds all Management Suite Agent configurations so that
they include a new FIPS 140-2 compliant SSL public security certificate. These new Agent configurations can
be deployed. (You can copy the backed up LANDESK_<number>.key file back to the KEYS directory to have
communication between the devices use the old key for the Agent deployment task. Then you can remove the
old .KEY file when all Agents have been redeployed.)
The Best Known Method (BKM) if you are going to implement FIPS 140-2, recommends that you enable FIPS
140-2 at the beginning of the deployment process, and then send an agent just once to devices to be
managed.
If you disable FIPS 140-2 after enabling it, and later re-enable FIPS 140-2, the core will reuse the certificate
you created the first time you enabled FIPS 140-2. In this case you wouldn't have to redeploy agent
configurations a second time.
3. How do you implement Remote Control so that devices initiating a Remote Control session require a
SmartCard and PIN?
4. How would you limit Remote Control so a technician could only use it during business hours on weekdays?
6. What are the security settings available in Remote Control and how do they work?
7. How do I set Remote Control so that an end user must grant permission for anyone with the right to initiate
a Remote Session to do so?
8. What are some differences between HTML and legacy remote control?
9. Which security setting requires the Core Server to be powered on and connected to the network for remote
control to be used, and why?
At the heart of Management Suite is Inventory. The first action taken on a managed device, once the
Management Suite Agent is deployed, is to send an inventory scan of the device to the Core Server for
addition to the Management Suite database, which makes all the inventoried data present, viewable, and
searchable from a Console.
Once managed devices appear in the network view of the console, they are able to be managed and acted
upon from the Console.
Inventory listed in the Console has hardware and software components. The inventory of hardware helps track
ownership and placement of PCs, memory, peripheral hardware, etc. The inventory of software helps assure
software license compliance which is vital piece of cost containment.
Inventory, as it works in Management Suite is versatile and effective. Let’s explore its different facets and help
you be an effective resource for managing IT Assets.
The business use case this resolves is eliminating the need to open TCP port 5007 on the firewall of both the
managed device sending the inventory scan as well as the server receiving the scan. (Port 443 is usually open,
even in the most secure environments.)
To set the inventory scanner to use this new feature, click the Post To Web Service option in the Agent
Inventory Setting on the Scanner settings page.
Two new settings (configured in Advanced Settings, on the Inventory tab of Configure Services) set the
monitoring parameters.
Degradation Sample (minutes): (Default=15) Sets the number of minutes to store data before testing it
against and adding it to the averages in the database.
Degradation Threshold (percent): (Default=20) Percent of processing degradation before logging an
event into the Windows Applications event log.
System Crash Data: The scanner obtains system crash data by counting the number of minidump files in
the folder designated by the registry setting:
HKLM\System\CurrentControlSet\Control\CrashControl\Minidumpdir
If DeviceID Changes BrokerConfig is Automatically launched: If the scanner detects there is a new
DeviceID, the scanner with launch BrokerConfig automatically to get a new certificate for the Cloud
Services Appliance, so it can work whether connected via the Intranet or the Internet. (This requires
LCLXCLNT.DLL to be added to your stand-alone scanner list.)
Command Line to force Mode=All: The command line switch /SWSCANMODEALL will have the scanner
use Mode=All for the software portion of the scan.
Logon/Lock: The scanner obtains logon/lock event dates as a part of the scan. The attribute data is found
in the device’s inventory in OS.
LDAP User: The scanner captures Light-weight Directory Access Protocol (LDAP) information and stores it
in the device’s LDAP User > Primary Owner inventory. It also captures the Email information, if it exists. It
leverages the event log logon event, populating the user information from the logon.
The steps to check synchronization of the inventory with the delta scan file are as follows:
1. The Inventory Scanner (LDISCN32.exe) sends the managed device’s Device ID to the Inventory Server
service (LDINV32.exe).
2. The Inventory Server service examines an entry in the database known as a “Sync List” to see if the
Device ID is listed. If so, a “Sync” scan (including hardware, software, non-delta) will be run on the
managed device.
3. The LANDESK Inventory Server service compares the “Last Hardware Scan Date” in the database with
the “Last Sync Date” from the delta scan. (The “Last Sync Date” contains the previous scan date and
time.) If the two entries coincide, they are not out of sync. If they differ, they are out of sync.
4. If the two entries differ, the scan will not be processed. Instead, it will be sent the ErrorScan folder, and
the Device ID is written to the Sync List so that a Sync scan will be run next time.
Device ID
When the first Inventory Scan is run on a managed device, a Device ID is created. The Device ID is used as a
unique identifier in the Core Database. Each entry in the database has a unique identifier. (The reason the
Device Name, or MAC Address, or other identifier is not used, is there is a possibility of a legitimate change in
these identifiers over the life of the asset.) The Device ID is generated by a command to the operating system
to generate a Global Unique Identifier (GUID). This becomes the Device ID and it is written to the registry in
two places.
On a 32-bit Windows Operating System, the places where the Device ID is stored are:
HKEY_LOCAL_MACHINE\SOFTWARE\LANDesk\Common Api
HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\Common Api
Full scan: The initial scan that is run on a managed device is a full scan. This scan includes a
complete listing of hardware and software (on all local drives). A local copy of this scan is stored in the
INVDELTA.dat file in the C:\Program Files\LANDesk\LDClient\data folder.
Delta scan: After the initial full scan is run on the managed device, the scan runs and writes to memory
and compares the data with the INVDELTA.dat file. The changes (delta) between the two inventories
are written to the DELTASCAN.ldz file and sent to the Core Server. For more information, please refer
to the Delta Scan Features section.
Sync scan: The Sync scan is a full scan of hardware and software (on all local drives). This scan is
NOT sent using the delta scan method. Instead, the complete contents of this scan are sent to the
Core Server and the INVDELTA.dat file is overwritten (in order to have the latest content for
comparison with the next scan).
Mini scan: A device that has been discovered, but that has not yet been configured with the
Management Suite Agent provides a mini scan. The basic information obtained by the discovery
includes the GUID, MAC address, IP Address, and other minimal information. When a managed
device’s IP Address changes, a mini scan is sent ten (10) minutes later, so the Core Database has the
correct IP address of the managed node. Beginning with Service Pack 1, mini scans can be sent
through a device using a Cloud Services Appliance to connect with the Core Server. Also new in
Service Pack 1 is the change in suffix of a mini scan from .IMS to .MINISCN.
Switch Description
/Sync This option runs a scan of software and hardware, and sends the complete scan
to the Core Server.
/V View progress
/Hash The scanner will obtain the MD5 hash, SHA1 hash, and SHA256 hash for the
software files discovered during the scan. The hashes are included with the scan
information sent to the inventory database.
/S This option designates the server where the LANDESK Inventory Server service
(which receives the scan from the managed device) is running. If the service is
not loaded on this server, the scan terminates. (/S=ServerName)
/SwScanModeAll Force exhaustive file scan. (This option has been in the product for some time,
/hash but the switch was added in version 2016.)
/I=[path] This option designates the source for the LDAPPL3 files. (These files provide the
software library and additional settings the inventory scanner will use.) The
default setting is to use the Core Server as the source.
(/I=http://CoreServer/ldlogon/ldappl3.ldz)
/N This option specifies to not search in subdirectories for software (Used with /D).
/Z=# This option sets how many times the scanner tries to resend the scan if the scan
ends prematurely.
When the Agent is installed: The Management Suite Agent installs and the Full scan is launched
immediately, by default. (This is set in the Agent Configuration.)
From the Local Scheduler: This scan is initiated on the managed device. It was set into place when
the Agent was installed. The default is to run an inventory scan once every day. (This can be modified;
it is set in the Agent Configuration.) This is a silent scan; the end-user does not see this scan run.
Mini scan: This scan is launched from the managed device. It is set to trigger 10 minutes after the IP
Address on a managed device changes. (For example, leaving a docking station at a desk to go to
meeting where wireless is available.) This is a silent scan; the end-user does not see this scan run.
From the Manage Scripts tool: This scan is scheduled from the Console. In the Manage Scripts tool
you can see the inventoryscanner script which can be scheduled and started from a Console. (You
can modify or create other scripts to have different options, like /F or /Sync.) All scripts available in this
tool are .ini files in the LDMain\Scripts directory. This option is ideal for scheduling an inventory scan
on a group of PCs at once.
From a Right-Click > Inventory Scan in a Console: This scan is initiated from the Console. Select
the managed device you want to scan, right-click, click Inventory Scan, and choose the type of
inventory scan you would like: Hardware Scan Only, Hardware and Software Scan, or Full Sync Scan.
On the Start page of Agent Configuration: Is the checkbox option to include software in inventory
scan during installation. One of the final steps of the installation of the Management Suite Agent is an
inventory scan. Selecting this option will include software as a part of the initial scan, while not selecting
the option will result in a hardware only initial scan. The purpose of the initial scan is to add the device
to the Management Suite Console, making management of the device possible.
Inventory Settings:
Inventory settings configurations set actions that will take place when the Inventory scanner (LDINV32.exe)
runs. These settings are accessed by either clicking the [Configure] button on the Inventory settings page
of the Agent Configuration, or by creating a new Inventory settings configuration in the Agent settings tool.
The inventory settings configure the following actions:
Enable scheduled task history maintenance: Here you select the checkbox if you want to keep
a scheduled task history in the client database. If enabled, set the number of days to keep the
scheduled task history.
Run inventory scanner automatically after software package installation: Here you select the
checkbox if you want to update inventory data after software packages are installed, rather than
waiting for the next scan interval. You can configure a set number of minutes to delay the scan
(after the software has been installed) as well as add an additional random delay to stagger scans
from other devices.
Set as default: Here you select if this inventory setting will be the default to be placed when new
agents are deployed.
The default data collection interval is four hours. If the device is marked lost (on the device’s inspector
dialog, Hewlett-Packard page, the When lost collection interval activates, providing more frequent
updates.
Send All Executed Files: Select whether or not to include all executed files (kept track in the
registry of the managed device) as a part of the inventory scan. (The default is to enable this
setting.)
Send File Usage Data: Select whether or not to include file usage data (kept track in the registry
of the managed device) as a part of the inventory scan. (The default is to enable this setting.)
Force Exhaustive File Scan (NOT Recommended): Select whether or not to include in the
inventory scan ALL file extensions. This results in lengthy scans, very large inventory files, and a
very large Management Suite database. Therefore it is not recommended. (The default is to not
enable this setting.)
Auto-update LDAppl File: Select whether or not to have files run on managed devices added to
the Master Software List on the Core Server, if the files are not currently there. Items added
through enabling this feature can be seen in the Files > To be scanned section of the Manage
Software List tool. The use case of this feature is to find software which has been installed onto
managed devices but not yet executed, when just one device somewhere in the enterprise has
installed and run the software (and reports because of selecting the Send All Executed Files
feature mentioned above, the software will be able to found on each device it the enterprise. Even
if it has NOT be executed. (The default is to enable this setting.)
Do Not Send Logon/Lock Event Dates: Select whether or not to report as a part of the inventory
scan the Operating System logon/lock event data. Some have privacy concerns and do not want
this data stored. (The default is to not enable this setting.)
Change History Storage (days): When the inventory scanner runs it creates a file containing
changes since the last scan stored as:
The scanner sends this delta file as a scan to the Core Server. The inventory scanner also uses
the InvDelta.dat file to create a change log on each managed device. The changes log is saved in
XML format on each managed device in the LDClient\Data\changeslog.xml file. The Change
History Storage (days) sets how long history is stored in the changeslog.xml file on the managed
device. (The default setting is 90 days.)
Software Scan Fequency (days): Sets how often to send software as a part of the Inventory
Scan. (The default is one day.) So that each day one inventory scan includes hardware and
software, while each subsequent scan will be hardware only, unless software was installed and
the Run inventory scanner automatically after software package installation has been selected.
Data File Extensions: Select whether to have other file extensions other than executable files
and those in the Inherited extensions field included as part of an inventory scan. Include the
period and the file extension to add other file types to the software scan. Separate each file
extension type with a space.
Inherited extensions: Shows the global file extensions set in the Manage Software List tool in
Settings > DataFileExtensions.
Use software monitor: Select whether or not to have the LANDESK(R) Software Monitoring
Service (Softmon.exe) run on the managed device to gather data on executable files run, and the
accompanying usage data, store it in the local registry, and include that information as a part of
the inventory scan.
Record software usage statistics to a network location: Select whether to have Softmon.exe
store executable and usage information to a network share rather than to the registry. This is to
capture usage information on non-persistent Virtual Desktop Infrastructure (VDI) devices, since
starting VDI devices wipes any previous registry data.
UNC path where software monitor data files will be stored: Set the UNC location
Domain and user name: Enter the Domain\User with write rights to the UNC location.
Password: Enter the password for the user in the Domain and user name field above.
Confirm Password: Enter the password again, to confirm, for the user in the Domain and
user name field above.
When user logs in: Select whether to have the inventory scan occur each time a user logs in to
the managed device. The Max random delay field sets the maximum time to wait before sending
the scan, for randomization purposes. (The default does not select this setting.)
When IP address changes: Select whether to have the Inventory Miniscan (Miniscan.exe) run
when the IP Address Filter is tripped. The miniscan will capture IP Address information to update
the Management Suite database. Miniscans are process into the database before other scans so
the database is corrected shortly after the IP Address Filter has been tripped. (The default selects
this setting.)
Use recurring schedule: Select whether to have the Inventory Scan regularly run on the
managed device. This is to periodically get a scan from every managed device in the enterprise, to
keep the Inventory Database accurate. (The default selects this setting of once each day, with up
to a 1 hour delay.)
1. Open a Command Prompt window. (Click Start > Run and type cmd and hit [Enter].)
2. Go to the C:\Program Files\LANDesk\LDClient directory.
a. Type CD\ and hit [Enter].
b. Type CD Program Files (x86)\LANDesk\LDClient and hit [Enter].
3. Type localsch.exe /tasks |more and hit [Enter].
Here is what the two inventory scheduled tasks look like on the managed device.
To view the real-time Inventory and Monitoring data on the managed device do
the following:
1. Open the Console.
2. Right-click the managed device in the Network View > All devices.
3. Click to select Real-time inventory and monitoring.
System Summary
System Summary gathers real-time information on the following:
Health: Indicator as classified by set conditions and parameters; normal, warning, critical.
Type: Type of device
Manufacturer: Equipment manufacturer of the device
Model: Device model
BIOS version: Version of BIOS on the device
Operating System: Device operating system
OS version: Version of operating system on the device
CPU: Processor model, manufacturer, type and speed
Vulnerability scanner: version of tool for scanning for vulnerabilities (vulScan.exe)
Remote control: version of remote control tool (issuser.exe)
Software distribution: version of tool for distributing software (SoftwareInstaller.exe)
Inventory scanner: version of tool for scanning the managed device and reporting inventory to the
core server (LDISCN32.EXE)
Last reboot: date and time of last reboot
CPU usage: Percentage of CPU in use at time of real-time check
Physical memory used: Amount of RAM on the device and percentage of ram in use
Virtual memory used: Size of swap file and percentage of file in use
Drive C: size of the drive and percentage of drive space used
Hardware
Hardware is the configuration of modules and the settings that contribute the health status of the device. The
following modules listed in hardware. They are:
CPU: Includes the volume, type, size, usage and availability (in GB and as a percentage), warning
threshold, critical threshold
o Processors: Includes the ID, description, vendor, load (as a percentage), current speed, and
maximum speed
o Cache: Includes the ID, type, size, write policy, and error correction
Storage: Includes a listing of logical drives, physical drives, and removable media
o Logical drives: Includes volume, type, size, usage and availability (in GB and as a percentage),
warning threshold, and critical threshold
o Physical drives: Includes drive, model, size in GB, and interface
o Removable media: Includes information on media by type
o CD drives: Includes drive, hardware, and media
o Floppy drives: Included drive, heads, cylinders, and sectors
o Storage adapters: Includes channel ID, SCSI ID, device, type, size, RAID, and status
Memory: Includes information of the memory type (e.g.):
o Memory usage: Includes both physical and virtual information on type, total size (in GB and as
a percentage), Used (in MB and as a percentage), Free (in GB and as a percentage), warning
threshold, and critical threshold
Logs
Logs allows access to various logs on the managed remote device in real-time. The logs that are able to be
accessed in this tool are:
Application log
Security log
System log
BIOS log
Alert log
Software
Software allows access to various items, shown in real-time, including:
Processes: Lists each process and information including the program name, process ID, CPU time,
memory usage (in KB), virtual size (in KB), handles, and threads
Services: Lists each service and information including the service name, status type and status
Packages: Lists software and information including package name, version, and vendor
Environment: Lists each of set environment variables including the name and value
Other
Other includes real-time information on the following:
Asset information: includes various pieces of the asset including:
o Contact information: with fields for name, position, phone, location, department, and asset tag
o System information: with information like the service tag, serial number, model, model
number, manufacturer, chassis, order number, manufacture date, system version, and battery
Network information: includes other network information including:
o Devices: including the vendor, description, type, speed, status, and active (yes or no)
o Statistics: including device description, speed, bytes received, bytes sent, packets received,
packets sent, receive errors, and send errors
o Configuration: including TCP/IP address, subnet mask, default gateway, DHCP server, DHCP
lease obtained date, DHCP lease expires date, DNS servers, and WINS servers
Remote session
Remote session allows a remote session (Remote Control – legacy or HTML-based)) to be initiated
Monitoring
Monitoring allows the ability to set up performance counters and can relay real-time data, or, if data is stored,
the ability to recall previously saved counters. This facilitates trending to provide insight to health of a device
over a period of time.
Rulesets
Rulesets displays the alerting ruleset(s) deployed on a device as well as additional information on each specific
attribute contributing to the alert ruleset. Information on the ruleset includes: Alert type, State, Action and if the
alert contributes to health (yes or no).
Power options
Power options allows the ability to reboot, power on, or power off the device.
The database pointers are configured using the General tab, the LANDESK Inventory Server service is
configured using the Inventory tab.
General Tab
The General tab is used to configure the settings for connecting to the database. The settings are reflected in
the registry under: HKLM\SOFTWARE\LANDesk\ManagementSuite\Core\Connections\Local
Advanced settings
Selecting this from the Inventory Tab of Configure Services displays the Advanced settings window. You can
change inventory-related advanced settings here. As you click each item, help text appears at the bottom of
the window explaining each option. The default values should be fine for most installations. To change a
setting, click it, change the Value, then click Set. Restart the inventory service when you’re done.
Settings include:
DB Error Recovery Tries: (Default= 500) This setting determines how many times the inventory
service should restart itself with a 24-hour period if it encounters scan file errors. Once this number is
reached, the inventory service will continue to receive scans, but will stop trying to insert scan files into
the database.
DB Threads: (Default=1) This setting tells the inventory service to start multiple threads that will each
insert scan files into the database. Threads require memory and processing power. Only increase the
number if your core server is underutilized. Valid numbers range from 1 to 8.
Degradation Sample (minutes): (Default=15) The number of minutes to store data before testing it
against and adding it to the averages in the database.
Degradation Threshold (percent): (Default=20) Percent of processing degradation before logging an
event into the Windows Applications event log.
Delete SW Before Process Full Scan: (Default=0) This setting will delete all the software for a given
device before processing its scan file. This setting will only apply to full scans, not delta scans.
Disable Encryption: (Default=0) This settings tells the client-side scanner whether or not it should
compress its scan file before sending it to the inventory service. (Default=1) This setting tells the client-
side scanner whether or not it should generate delta scans to send the inventory service. Valid entries
are 1 (true) and 0 (false).
Discovery Storage: (Default=0) This setting tells the inventory service to put a copy of every scan file it
receives in the ManagementSuite\LDScan\DiscoveryStorage directory. Valid entries are 1 (true) and 0
(false).
Do Core Server Software Scan: (Default=1) Used to set whether the LANDESK Inventory Server
service will scan for hardware and software, or hardware only.
Do DB: (Default=1) This setting determines whether or not the inventory service will insert scan files
into the database. Regardless of this setting, the inventory service will continue to receive scan files.
(Default=1) This setting tells the client-side scanner whether or not it should generate delta scans to
send the inventory service. Valid entries are 1 (true) and 0 (false).
Do Delta: (Default=1) This setting tells the client-side scanner whether or not it should generate delta
scans to send the inventory service. Valid entries are 1 (true) and 0 (false).
Duplicate MACs Threshold: (Default=5) When this number of devices have the same MAC Address,
that address will be added to the Ignored NICs list and the client will no longer send it as an identifying
address.
Unknown Items
This setting on the Inventory Tab of Configure Services limits the data entered into the database to what is
modeled. This blocks items that come in from inventory scans which are not configured into the schema of the
database, protecting the database from data which could create corruption. Any blocked items are listed, so
the schema can be configured to include them if so desired.
Options can be set to:
Allow: This will model the data into the schema, so at next scan the data will be added to the database.
Delete: This will delete the selected item(s) from the list. If another scan tries to add that attribute again, it
will be blocked but will re-appear in the list.
Ignore: This will set that data to NOT be included or ever listed again for inclusion into the database. Items
set to ignore should be kept to a minimum, as a long list would affect database performance.
Software
This setting on the Inventory Tab of Configure Services displays the Software Scan Settings window.
Inventory History
To configure which attributes are to be entered into the inventory history, go to Configure > Inventory
History.
Choices for Inventory History include:
Inventory: Logs each attribute change, set in the Inventory History, and can be viewed by clicking View >
Inventory History.
NT Log: Logs each attribute change to the Application Event log [as Informational (blue), Warning (yellow),
or Critical (red)], as designated in the Log/Alert severity field.
Alert: Logs each attribute change to the Alert log, and can be viewed by clicking Tools [or Toolbox] >
Reporting / Monitoring > Logs.
o Attributes: Allows the user to select attributes to be included in the scan.
LDAPPL3 files
Management Suite seeks to update the numerous managed nodes only as often as required, and always using
the least amount of bandwidth. Because of this, the LdAppl3.ini file (the operative file that has the software
library, and various settings for the inventory scanner) has an advanced update procedure. There are many
files in the LDLogon share which influence, change, and modify the LdAppl3.ini file.
When the Make Available to Clients button in the Manage Software List tool is clicked, the
LdAppl3.template file and LdAppl3.base file, and updates in the LdAppl3.pat file, and any other changes
needed, are merged to update the LdAppl3.ini file and a corresponding LdAppl3.ldz file is created.
Since new applications and versions of software are released continually, the Management Suite Administrator
needs the new applications added to the software library. However the LdAppl3.ini file is not edited directly.
Fortunately, when the SOFTMON.exe discovers new software, it adds it to the registry, and when the Make
Available to Clients button in the Manage Software List tool is clicked, it adds it to the Software list, and
associated LdAppl3 files.
If there is a need to modify behavior settings in the LdAppl3.ini file, this should be done by using the Manage
Software List tool, and then clicking the Make Available to Client button on the Manage Software List
toolbar. This commits the changes to the LdAppl3.ini file.
Through all of this technology managed devices only get updates when changes have occurred, and always
use the least amount of bandwidth to update. The compressed forms of files are sent to update the full
LdAppl3.ini on the managed devices.
To address this, SOFTMON.EXE can be set to write software usage data to a network share. When set to do
this (in the Agent configuration in Software Usage Monitoring) SOFTMON.EXE will load every 10 minutes,
To add WMI items to the inventory scan, select the WMI class, instance, and the namespace which contains
the class. (This is somewhat analogous database usage of an instance, tables, and attributes.) To discover
what these items are for a WMI class, use a tool like Microsoft CIM Studio (or Powershell in Windows 7) to
browse the WMI classes.
4. Type the Filename, to add an entry to find all sizes and versions of the file on managed devices.
OR
Click the [+] to expand to designate the file size and other optional fields to find the files of a specific name
and size on the managed devices.
You can enter a domain name with subdomains (up to 10 levels of subdomains, with no more than 60
characters per level) separated by dots. You cannot include specific paths. Also, the domain name cannot
include invalid characters (which will be met with an error message for correction).
Settings
The settings portion of the Manage Software List displays and allows adding additional settings. To add to
these settings, right-click the attribute and click [Properties], then use the [New], [Edit], and [Delete] buttons,
and click [OK]. Remember to click the Make Available to Clients after adding to these settings. Prior to
version 2016 these settings were a part of the LDAPPL3 files, but now these settings are in the database.
CfgFiles: Lists .cfg files to be saved from managed devices into the database. (This feature was added in
SP1.)
DataFileExtensions: Lists file extension types to be included in the inventory scans from managed
Windows devices (.PST files, for example). This information can be found under the Software.Data Files
database attribute and will include the file name, path, file date, and file size.
Exclude Folders: Lists folders whose software will be excluded from the inventory scan from Windows
devices. The following folders are already excluded by default:
- \recycled and \recycler
- %USERPROFILE%\LOCAL SETTINGS
\TEMP and \TEMPORARY INTERNET FILES
- %USERPROFILE%\Application Data\Thinstall
- %windir%
\$ntservicepackuninstall$, \installer, \lastgood*, \driver cache, \registeredpackages, \temp,
\system32\dllcache, \$NtUninstall*, ServicePackFiles\i386, and \i386
- \$LDCFG$
- \SYSTEM VOLUME INFORMATION
- \SP3
- \SP4
- \Library
- \DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS
\TEMP and \TEMPORARY INTERNET FILES
- %ProgramFiles%
\LANDesk\LDClient
o \bkupcfg, \cache, \data, and \sdmcache
\LANDESK\SHARED FILES, and \COMMON FILES\MICROSOFT SHARED
- \LDClient
Temp, and SDMCACHE
Ignored MACs: Lists MAC addresses (up to 40 can be listed) which the scanner should NOT consider
acceptable when choosing an address to be used for identification. (This is the address assigned to
Network – NIC Addess and is used on the Core Server to identify duplicate device ID’s.) The use case is
the exclude addresses issued for a Virtual Private Network (VPN) environment, where multiple devices
could have the same MAC address depending on when they last connected via the VPN (and ran an
inventory scan during that time).
MacMultimediaExtensions: Lists the file extension types that add to the Multimedia Files section of the
inventory scan, from Macintosh Apple OS X managed devices. Extensions are case-sensitive, so care
The Custom Data Forms tool enables you to create forms with the Form Creator. The created forms are then
copied onto the managed devices (into the C:\Program Files\LANDesk\LDClient directory). Once forms are
present on a managed device, the Form Viewer launches the form, and data is entered, the data is saved into
the LDCustom.dat file in the LDClient directory, and reported in all subsequent inventory scans from then on.
Manual update forms: A scheduled task must be created to deploy new or updated forms to managed
devices. (There will be no automatic update.)
Automatic update: Ensures that each time the managed device starts up, or runs an inventory scan
(whichever setting is chosen in Display forms to end user) if there is a new or updated form, the Form
Viewer will launch.
Display forms to end user: Works in conjunction with Automatic update.
o On startup: When the managed device starts up, it checks to see if there is a new or updated
form, and if so, the Form Viewer will launch.
o When inventory scanner runs: When the inventory scanner runs on the managed device, it
checks to see if there is a new or updated form, and if so, the Form Viewer will launch.
o When launched from the LANDESK program folder: Launches the Form Viewer on the
managed device. (This manual process can be launched any time.)
If a form is newly copied to a managed device, when the Form Viewer is launched the data fields are empty
(because there is no corresponding LDCUSTOM.dat file). If an updated form is launched, the fields that existed
in the previous forms will contain the previous data (populated from the LDCUSTOM.dat file) and the fields can
be overwritten, or left with the existing data. New fields will be empty. When the modifications are completed,
the LDCUSTOM.dat file will contain the new data. The date and time of last modification to the
LDCUSTOM.dat file are included in the data.
When the Custom Data Form data is placed into the database, it can be viewed in the managed device’s
inventory in LANDESK Management > Custom Data Forms > Form Name.
Queries
Queries can be helpful in managing IT assets. Searches for can be created to include any criteria held in the
database (whether it be hardware information, user information, or software information).
Queries can be organized into groups in the Network View. New queries and new query groups can be created
by clicking to expand Queries, right-clicking the My queries or Public queries group, and clicking New query
or New group.
My queries: Lists queries that have been created by the currently logged-in user, and queries that a
Management Suite administrator has added to the user’s group. A user can create, modify, and
delete query groups and queries under their My queries group. They can also copy queries to this
group from the Public queries group.
Public queries: Lists queries that a Management Suite administrator, or users who have been
granted the Public query management (PQM) Edit public right. Users with the Management Suite
administrator right and users with the PQM Edit public right can add, modify, or delete query groups or
Query Operators
The dialog box to create a new query has the following functions:
Figure: Create a Query
Name: Sets the name of the query as it will be listed in the query groups.
Machine Components: Lists inventory components and attributes the query can search.
Relational (Boolean) Operators: Lists the operators which determine values for which the query can
satisfy. They are as follows:
o =: Equals
o <>: Does Not Equal
o <=: Less Than OR Equal to
o >=: Greater Than OR Equal to
o <: Less Than
Symptom Solution
LDISCN32: Failed to resolve The scanner could not contact the Core Server by name. Make sure the
the Host Name command line has the correct Core Server name, resolve Name Resolution
problems on your network, or replace the Core Server name in the
command line with the IP address of the Core Server.
LDISCN32: The inventory Make sure the LANDESK Inventory Server service is running on the Core
server <Core Server name> Server. Make sure the port number (default 5007 decimal for TCPIP) is
did not respond correct on the command line and that the port is open on all routers
between the Management Suite managed device and Core Server. (Check
the values for TCP port and UDP port on the Core Server in Advance
settings on the Inventory tab of Configure > Services).
Complete scans are not Many times this occurs because one or more lines in the scan is wider than
processed into the database, a column of a table allows. Check the Application Event Log (which logs
but are rejected and placed in reasons for all rejected scans) which will list the table and column needing
the ErrorScan folder adjustment.
Inventory scans are building Make sure the DoDB database setting in the Advanced settings on the
up in the LDSCAN folder on Inventory tab of Configure > Services is set to 1. (Setting this value to 0
the Core Server and no scans
Unable to locate the master The scanner could not find the LDAPPL3.ldz file the path specified. Make
software list at sure the path is correct by the /i switch, and that the user has rights to
\\CoreServerName\LDLOGON\ access the file. (If this is the case the scanner will still run without
problems, because it used the local LDAPPL3.ldz. If there is a different
LDAPPL3.ldz. Your local copy LDAPPL3.ldz file in the path specified, it did not get copied locally as it
may not be current should have.
The files that are under the LDSCAN folder, and what goes into those directories are as follows:
Decomp: Files are temporarily placed here until decoded and sent to the LDSCAN directory when
Encrypted Data Transport is enabled on the Inventory tab of Configure > Services.
ErrorBigScan: Scans larger that are 10000000 bytes or larger are sent to this directory and not
processed into the database. To adjust the size change Max Scan File Size in Advanced Settings
accessed on the Inventory tab of Configure > Services.
ErrorScan: Scan files that are rejected are not processed and are sent to this directory. The reason the
scan file is rejected is written to the Application Log in the Event Viewer. (Duplicate ID was found,
attribute column not set high enough to receive the attribute in the scan, delta scan out of sync, etc.)
ErrorTrans: Scan files which fail the Cyclical Redundancy Check (CRC) are placed in this directory.
2. What port does the managed device use to send inventory when posting to the Web Service?
3. Where do you configure the Core Server settings for Inventory Service degradation monitoring
(Degradation Sample, and Degradation Threshold)?
4. Where do you set the inventory on managed devices to “Do Not Send Logon/Lock Event Dates” and how
does this impact the inventory scan on the managed device?
5. What is the default Max Scan File Size in Management Suite 2016, and what does the setting do?
6. What new features are in Inventory in Management Suite 2016 concerning Application Crash Data, and
System Crash Data?
8. What are differences between looking at inventory scans and looking at real-time inventory, and why?
10. What are custom data forms and how are they used?
11. How are queries created and what are different ways they are invoked?
The Inspector shows each of these items and more, in a self-contained window. It can provide a look at that
time, or be set to continually update in 60-second, 5-minute, or 10-minute intervals. When Inspector windows
present graphs, they are actionable.
Utilizing Inspector
The inspector is available for different devices and feature tool sets including:
Managed Devices
Core Server
Queries
Scheduled Tasks
Vulnerabilities
When the Inspector is launched it can dynamically be updating or it can be unlinked. In an unlinked state the
data is shown as it was when the Inspector was launch. It can then be set to update every 60 seconds, every 5
minutes, every 10 minutes, or with auto-refresh off.
When the Inspector is opened to reveal information regarding a managed node it populates with pre-set items
based on .XML files.
The Actions expander allows starting a Remote Control session or a Ping command to the managed node
with one-click.
The General expander brings information about the managed node. In this particular setting the file
C:\Program Files\LANDesk\ManagementSuite\
inspectorWeb\Inspectors\ComputerQuery.xml defines the controls shown.
The Processes tab shows processes running on the managed devices. These processes can be stopped
remotely by right-clicking a processes and clicking Kill process.
The LANDESK processes expander includes the running processes which are the Management Suite
processes as defined by the ldprocs.txt file located in the
The processes expander shows all processes shown in task manager on the managed device. Both
expanders show the Program name, Process ID, CPU time, Memory usage, Virtual size, handles, and threads.
The Services expander shows all services shown in task manager on the managed device. Both expanders
show the Services name, Name (file name), Startup type (Automatic - Auto, Manual – Demand, or Disabled –
Disabled) and Status (Started or Stopped).
The LANDESK services expander includes the running services which are the Management Suite processes
as defined by the ldprocs.txt file located in the
The columns shown in the expander include: File Name (source location), Source (Source, Preferred, or Peer),
File size, Date, and Peer address.
The Devices not scanned in over n days expander shows managed devices which have not sent an
Inventory scan in 7 days, 30 days, 60 days, or 90+ days in a graph.
The Device types added in the last 6 months expander presents in a pie chart the breakdown of device
types including PC, Mobile, MAC, and Server.
The License Information expander, which displays the Number of licenses, the last compliance calculation,
the last usage calculation, unused licenses, and unlicensed products.
The Targeted packages expander, which displays the number of packages modified in the last 24 hours, and
within the last week.
The Tasks expander displays the distribution tasks scheduled to start within the next 24 hours and within the
week.
The LDMS administrators expander shows users who are members of the local LDMS administrators group
on the core server.
The Licensing expander shows the number of nodes requiring a Management Suite license.
The Current licenses expander shows the number of licenses purchased from Ivanti (including the version,
quantity, and expiration date of those licenses).
The Anti-virus expander shows the percentage of managed devices without Antivirus installed.
The Affected devices expander a graph showing all managed devices which have no anti-virus installed,
those with anti-virus installed, and those which have anti-virus installed but do NOT have auto-protection
enabled.
The Performance parameters expander, which shows the Management Suite service pack level, the last time
the core server was rebooted, scan files to be processed, scan files in the Error scan directory, the amount of
memory used by the LANDesk Inventory Server service, and the amount of memory used by the LANDesk
CoreSync service.
The LDMS installed patches expander shows the Management Suite patches installed on the core server,
including the patch name and file version.
The IIS application pools expander shows the Application pools and the Status (started or stopped).
The Job status expander shows a graph with the devices which have failed the task, the number pending,
those which are active and those already successful.
The Vulnerability expander has a graph of the devices detected for the vulnerability, the devices which have
repaired the vulnerability, and the devices where the vulnerability failed to repair.
The Excluded expander shows the number of devices which have not been scanned for vulnerabilities.
The General expander includes the name of the query, its criteria, who last modified the query, when the query
was last modified, and any and all tasks which use the query.
The Generated SQL expander displays the SQL command of the query.
If the LDAP connection is already configured in Management Suite, the import will use the existing connection.
If a new LDAP connection is required it can be added in the console by:
1. Click Tools > Distribution > Directory Manager (The Directory manager tool opens.)
Note
If you use LdPhotoImport you can schedule a task to periodically keep the photos up to date.
Note: Support will assist with questions related to the examples of what is in the document. Support is NOT
scoped to design or troubleshoot any customizations or extensions of the Inspector beyond the customization
document. For custom solution please work with Ivanti Sales and Services.
Assets can be tracked from order placement, to receiving, to provisioning, to placement into the organization
and eventually to their disposal. Hardware warranties and software licenses can be tracked. Management
Suite automates many aspects of reporting. By scheduling reports, information can be delivered to a web
server, file share, or directly to a decision maker’s inbox. Reports can be produced in a variety of formats.
The reporting tool can be used to generate a wide variety of specialized reports that provide critical information
about the devices on your network. The reporting tool takes advantage of the Management Suite inventory
scanning utility, which collects and organizes hardware and software data. This enables the creation of useful,
informative, and up-to-date reports. You can schedule reports so they run at an interval you specify, and these
can be stored in a share or e-mailed directly to users.
Dashboards provide essential “at-a-glance” reporting that is so valued. Viewing a dashboard to almost instantly
gain insight on projects, status, and progress is almost priceless. Management Suite enhances the
administrator’s ability to create and configure dashboards.
Dashboards
Dashboards give management and IT personnel ability to see both trends over time as well as a way to easily
identify items which may require immediate attention. Before dashboards, exhaustive searching of voluminous
logs and chatty notification alerts were the standard mode of operation. Dashboards give the ability to
configure what graphs the dashboards contain, as well as making it easy for IT personnel to quickly see what
requires immediate attention.
Design your own dashboard to report on various aspects under your prevue of management. You can build
dashboards for different categories such as: Windows upgrade, Software Distribution, Security, Remote
Control, Power Management, Rollout Projects, Patching, Software, Operating Systems, etc.
Configure dashboards in the Console by selecting Tools or Toolbox > Reporting / Monitoring > Dashboard
editor. This opens the Dashboard Editor tool. Create new dashboards available to groups by membership as
with other tools in the Console. When you select to create a new dashboard the following tools help you to
accomplish the task:
Charts
A number of tools accessible in the Management Suite Console provide charts to give quick overview of status
and activity. Graphs can be added to the chart views and colors can be modified just like for dashboards.
Workspaces
The addition of workspaces gives users access to information which takes into account the rights that are
granted to each specific user. For each user, pertinent information, based on their role, is presented in the
workspace.
The Task Summary workspace view populates with the following graphs:
My Tasks – Last 24 hours: Status of tasks created by the login user in the last 24 hours
All Other Tasks – Last 24 hours: Status of tasks created by all other users in the last 24 hours
My Task List – Last 24 hours: Names of tasks created by the login user in the last 24 hours
All Other Task List – Last 24 hours: Names of tasks created by all other users in the last 24 hours
The graphs populate real-time and can be clicked to drill-down to see the items populating the data.
The graphs populate real-time and can be clicked to drill-down to see the items populating the data.
The Hardware workspace view populates with a graph showing Devices ready to be refreshed, based upon the
warranty data listed for the items listed.
The listed items can be clicked to drill-down to see more in-depth data.
The Software Licenses workspace view populates with a graph showing devices monitored in Software
License Monitoring.
The listed items can be clicked to drill-down to see more in-depth data.
The Security Dashboard workspace view populates with the following graphs:
The graphs populate real-time and can be clicked to drill-down to see the items populating the data.
The Software Catalog workspace view shows software scheduled and is complete with a search feature.
The Launchpad workspace view shows items scheduled to the Launchpad and is complete with a search
feature.
The Document workspace view shows documents scheduled and is complete with a search feature.
The Manage Users workspace view shows users on the managed device, has an add user feature, a delete
user feature, and is complete with a search feature.
The Dashboard Designer workspace view shows Analyst Workspace, Asset Manager Workspace, Security
Manager Workspace, Self Service Workspace, and has ability to add items each Workspace view.
The Connectors workspace view shows items with which the connector can link. It lists the Applications,
Status, Last Sync Date, and Vendor.
The Theming workspace view allow you to choose choose the theme for all Workspaces. (Choices include the
ability to select the Default, Dark Blue, Dark Orange, or create a Custom theme. It also includes the ability to
select the Corporate Graphic logo to use in the Workspace, the Main Application Background Image, and the
Login Screen Background Image.
Saved reports can be made available through a web share, a UNC share, or e-mailed directly to a user.
To launch the reporting tool from the Core Server Console or the Remote Console:
When you use the Web Console, the reports created in the Direct and Remote Consoles are available to you,
but you cannot edit or create a custom report in the Web console, nor can you move reports between folders.
What you can do is execute, view, and export reports.
One-click Reports
One-click reports are available for most items in the Console. Any group or container (such as query, or
devices) has an option for simple report creations. The report displays the data in the current view, organized
using the data columns displayed in the Console. You can also run a report for many of the tools, showing the
items in a particular view (such as a list of alert rulesets in the alerting tool, or devices in the scheduled tasks
tool). There are three (3) types of one-click reports:
Agent watcher: Presents reports of devices where Management Suite required services are not running,
or where monitored files are not found.
Report groups
The Reports tool is where the main body of reports is accessed.
Reports are organized with a tree structure, grouped in the following folders:
My reports: Contains reports that the current user has created or copied from another folder. These are
typically reports that you run on a regular basis and have organized for your own use. You can organize
reports in folders that you create. Management Suite administrators have access to each user’s reports
groups and can add and remove reports as desired.
Standard reports: Contains predefined reports that are installed with Management Suite. The reports are
preformatted, have query properties, and chart types assigned, and are ready to be used.
Public reports: Contains custom reports that are made available to all users who are granted access to
the Management Suite console and have been granted the Reports – View right.
All reports: Contains all reports that can be used by the current user. This view includes a Find box that
filters the list of reports when you type a search string and select a column. (For example, type “license”
and select the “Description” column to view reports related to software licenses.)
Dashboard Sub-Reports
Dashboard sub-reports are detailed reports available from graphic charts of a dashboard widget. Under
Security, Antivirus provides access to the Antivirus dashboard. If you select Antivirus dashboard there are
dashboard charts of Real-time scanner status, Virus definition status, and Recently scanned. If you
double-click any of these three charts, the detailed sub-report of supporting data will appear.
Report Properties
When you create or edit a report, you first specify the report properties.
If you have copied a standard report, you might simply change items in the Properties dialog box and save the
new report, or conversely you may want to open the report designer and make more substantial changes.
The report viewer includes a toolbar and a sidebar. The toolbar consists of the following buttons:
The Reports tool accesses the database with the user credentials that were specified during product setup.
These credentials can be managed in the Configure LANDESK Software Services dialog box. If you prefer
to set up different credentials for the users who have reports rights, you can create a second set of credentials
for reporting database access. (For example, if you want report users to have read-only access to the
database, you can create a user in the database using the Database’s Management Tool, and enter the user
information in the User name and Password fields in the Reporting database user section on the General
tab of the Configure LANDESK Software Services dialog box.)
The steps to specify a database user credentials for reporting are as follows:
1. Create a user account for the Core Server’s database, assigning it the rights you want that user to
have. (This is done with the Database Management Tool used for the Management System chosen.)
2. In the Management Suite Console, click Configure > Services.
3. Click to select the General tab.
4. Under Reporting database user, enter the User name and Password for that account.
In the Report Designer you integrate page layout elements linked to data objects to display selected data. The
Report Designer provides customization of the report appearance, the underlying SQL query statement, and
the parameters available to users.
Toolbox: Drag a tool onto the page layout to place the object.
Data sources: Specify the data sources you want to use when running the report. Define the source of the
data and then add data sets (queries) and parameters that you will use in the report.
Report - Parameters: Define parameters that determine report results.
DataSet: To view properties of a DataSet.
o General: Modify general properties
o Query: Set records query and options
o Options: Set query command data options
o Fields: Modify dataset field aliases and modifiers
o Parameters: Modify query parameters
o Filters: Modify dataset record filter conditions
A data source and defined data sets from which the report is populated
A page layout to visually display the data
Data regions and other report items that format the data
Parameters pass information between data sets. In the report viewer, parameters can be displayed to let the
user narrow down the selection of data displayed.
On the Query page, for example, you can edit the SQL query.
Report items
Items in the toolbox are used to format the page layout and place data on the page.
These elements are fully customizable and can be combined in many ways to group and display data.
For ideas on how you can define your own reports, view the properties for any standard report and click
Report designer to see how the report has been defined.
To quickly open the Ivanti User Community reporting portal, you can also click Tools > Reporting/Monitoring
> Community reports.
Information is also available on the Data Dynamics Reports Web site at http://www.datadynamics.com.
2. How do you create your own dashboard and add charts of your own selection in Management Suite 2016?
4. What types of information do workspaces make available, and how is this helpful in a business
environment?
Additionally, with Software as a Service (Saas), some software which was purchased is not stored locally or on
the network, but rather is accessed via the internet. The CIO wants a report detailing which users and devices
access the internet site where software is available as a service.
IT Administrators often find it challenging to track product licenses installed on numerous managed devices
throughout the network. They run the risk of not only over deploying product licenses (having more copies
installed than licenses purchased), but also of purchasing too many licenses for product that is not installed
and therefore not necessary. Either is a money-risk to a company. Compound that by the fact that some users
use software for a time, then they don’t need that software anymore. Reclaiming software from a user who no
longer needs it, and giving it to a user who does, saves software costs.
Walking the fine line of having enough but not too many licenses is always a concern. With the need to
forecast and be accountable for a budget, licensing costs, as well as upgrade costs must be taken into
account. Having this knowledge of software can greatly affect budget management and save money over all.
Passive, low-bandwidth monitoring: The Software Monitoring agent passively monitors product usage on
managed devices, using minimal network bandwidth. The agent continues to monitor usage for mobile devices
that are disconnected from the network.
Automatic discovery of applications present in the environment: Users are not required to manually
define software products or import pre-defined content. Automatically discovered products are a reflection of
what is found in the environment – no inapplicable content to deal with. The date a product was discovered is
tracked, as well as when it was last used. Updates or patches to a software product are automatically handled.
Software accessed via the Internet: With some software being stored on a website outside of a company
(Software as a Service, or SaaS), Software License Monitoring can track devices and users that access such
pay-for services.
Reporting: The power of compliance monitoring rests in its data-gathering capabilities. Use the gathered data
to track and report on overall license compliance, to monitor product usage, and report access to software.
Reclamation: Software License Monitoring has the ability to uninstall software from devices no longer using
that software, in order to free up licenses for audit compliance, and lower cost true-up.
Allocations: Software License Monitoring includes the ability to provide a way to track license and support
costs to groups across an organization.
This software usage data is stored on the managed device and is not delivered to the Core Server until a
software inventory scan completes. Application usage is tracked even if the device is not communicating with
the Core Server or even connected to the network. So in a passive way, the managed node tracks software
activity locally, and reports it to the Core Server, in a low bandwidth consuming way with each software
inventory scan.
The agent component central to Software License Monitoring is the softmon.exe file. The softmon.exe file
registers and installs as the LANDESK® Software Monitoring Service on the managed device and monitors
all processes that are launched. It writes the usage information to the registry, in
HKLM\Software\WOW6432Node\LANDesk
\ManagementSuite\WinClient\SoftwareMonitoring\MonitorLog. GatherProducts.exe then runs on the
managed device, to gather software usage. It stores the resulting file in
C:\Program Files (x86)\LANDesk\LDClient\Data\GatherProducts.txt. The scans looks at the Windows
registry uninstall keys, .MSI files, shortcuts, and GUIDs to identify software. It can be configured to also gather
usage via Web Sites offering SaaS. Any new application is recorded and any repeating application is updated
with its usage information.
As an extension of inventory, Software License Monitoring relies on the LdAppl3.ini file to deliver software
information on the managed device. The settings instruct the managed device to send data on specific
applications. It is not telling the managed device which applications to monitor. The agent monitors all
executed software. The agent sends only the data on the software requested by the Core Server.
To provide maximum flexibility, Software License Monitoring includes a container object to monitor
applications. This is referred to as a Monitored Product (often referred to as Product). The Product refers to
an application that has been setup to be monitored for licensing and usage information.
Vendor names often vary, even within a single company. Many times in the Software License Monitoring tool,
the same manufacturer is listed with different variations. Microsoft Corporation, for example, is listed more than
a dozen multiple ways. In addition, as companies are acquired by a larger company, software of the acquired
company can be reported with the parent company (e.g. FRx Software Corporation, and Great Plains Software
Inc., who were both acquired by Microsoft). Creating a normalized group which includes all variations of a
vendor name provides the ability to track associated products by software vendor. The benefit of this feature is
to have a larger pool of products under one manufacturer to reduce the size of the overall manufacturers list.
View: Allows the user to see and access the software license monitoring tool from the Console
Edit: Allows the user to create or change software license monitoring settings and configurations
The Software Licensing Tool has four principal areas represented by their respective tabs:
Dashboard: Grants access to three groups of reports with graphs which can be printed or exported to CSV
o Audits: Top total installations
o Compliance:
Top out of compliance by installation
Top out of compliance by true-up costs
Top out of compliance by manufacturer
o License Optimization:
Estimated savings from never used installations
Top 5 software harvest opportunities.
Products: Lists four different software product groups:
o Monitored: Lists all monitored products which can be searched by Manufacturer, Product, or
Computer Group (query or device group)
o Discovered: Lists all discovered products in the database minus those ignored
o Ignored: Lists all products deemed to not be important to you, removing them from discovered
o All installed products: Lists all products in all three previous groups.
o Licenses: Lists all the licenses input or imported. These can be searched by Product, Computer
Group, or Vendor, to compare licenses with usage.
o Reclamation: Lists all products set up for reclamation.
o Allocations: Show all products allocated to groups, by group.
Delivery method: Specifies the delivery method which will be used to uninstall the software which
is reclaimed. Click Browse to view the available delivery methods.
Distribution and patch setting: Specifies the distribution and patch settings which will be used to
uninstall the software which is reclaimed. Click Browse to view the available settings. Specific
configurations used as set with the selected settings include:
- Network settings to determine the Preferred server / Peer download options to access the
application to be used for the uninstallation.
- Policy sync schedule to determine when to uninstall the application.
- Notification to determine whether the uninstallation is silent or verbose.
- Distribution-only settings to determine feedback and deferral options.
- Offline to determine whether to uninstall when offline.
- Logged off user options to determine whether to uninstall when logged off.
Reboot settings: Specifies the reboot settings which will be used to uninstall the software which is
reclaimed. Click Browse to view the available reboot methods.
1. Normalize the Vendor – Combine into a normalized group any vendors which were left out of the
normalized group, but need to be added to the combined group.
2. Set Products to Monitor – Set Discovered products into Monitored to compare with licenses.
3. Add Licenses – Add licenses for Monitored products.
4. Set up Allocation (optional) – Track licensing usage by device group or query.
5. Set up Reclamation (optional) – Set options to reclaim software licenses not in use or no longer needed,
by removing software from managed devices.
6. Run Reports – To see Audits, Compliance, and License Optimization reports.
The vendor list will grow as additional software is found by inventory, so it is a good idea to periodically check
the vendors not in a normalized name.
The goal of the Administrator then, is to be sure to monitor all software which is in the domain and requires
purchase of a license. A good place to start is with Accounts Payable. Any software purchased should be
monitored. Additionally, software in use, which requires but does not have a license, should be monitored.
Ivanti facilitates searching these out, with the excellent discovery mechanism built into the Inventory tool.
Normalized Product
When setting products to monitor, you can create a normalized product. The two key components used when
searching for this product are the product name, and the version. Either field or both fields can use wildcards.
An additional way to search is to add contained products. This allows a search using either of two criteria,
namely: product name contains, or product name does not contain. The search brings all products into a
list which satisfy the criterion used, and the desired products and associated versions can be selected from the
list. The list has an additional checkbox, show only monitored products. If the box is unchecked, all
discovered software products that match the criteria are listed, but if checked, only the monitored software
products that match the criteria are listed. This allows a thorough way to normalize a product
Custom Product
When creating a custom product, there are four items to complete:
Definition: Here you set designations for the custom product you are adding. Fields in the Product name,
the Version, the Manufacturer, and the Status (Monitored, Discovered, or Ignored).
Installation detection: Here you define the way software license monitoring determines if the product is
installed. There are three ways to define whether the product is installed.
o Searchable by Query: Create a Management Suite query to match software criteria
o File detection match any: Determines the product is installed if ANY of the defined files are present
on a managed device.
Add Licenses
When you add licenses, they can be measured against all managed devices, or against a computer group
(query or device group). This facilitates tracking licenses by geography, business group, business hierarchy, or
as an entire company.
Reclamation Defaults
The first step to setting up reclamation is to set the Reclamation Defaults in the Software License Monitoring
tool, under Adminstration > Reclamation Defaults.
Create, or point to an existing uninstall Distribution Package in Software Distribution. This is referred to in
the Reclamation Defaults.
Computer Groups
Set up Devices or Queries to be included or excluded from reclamation.
The Computer Groups are set up in the Software License Monitoring tool, under Adminstration >
Computer Groups.
Product
Product is configured in the Software License Monitoring tool under Products > Monitored (it is likely you
would be monitoring the product).
Reports
The reports available to software license monitoring are classified into three groups:
Audits: Reports for the following:
o Audit flags for:
Licenses
Products
o Licenses without:
Manufacturer invoice
Purchase date
Purchase order number
Unit price
o Monitored products without licenses
o New products discovered
Compliance: Reports for the following:
o Compliance details: Details of software compliance for all licenses and associated products
o Compliance overview: License consumption for all monitored products
o Compliance total costs: Estimated cost of compliance for all monitored products with unlicensed
installations
License optimization: Reports for the following:
o Computer group software cost: Cost of software licenses for specific computer groups
o License report: Details of all licenses
o Licenses with expiration data renewal cost: Cost of renewing licenses expiring before a specified
date
o Licenses without expiration date: All licenses that do not have an expiration date
o Never used installations: Products that have been installed, but never used
o Products not used in n days: Monitored products that have been installed but not used in a
specified number of days
o Products used less than n times: Devices with specified monitored products that have been used
less than n times
o Software product usage: Usage of monitored products for specific devices
o Unused software licenses: Estimate of potential savings from unused licenses
o Unused software licenses by computer group: Estimate of potential savings from unused
software licenses listed by computer group
Add to that the complexity of downgrading licenses. Some manufacturers support downgrading, while others
do not. If I have a License for version 10 of an application, but I have version 9 installed. Can I cover version 9
software applications with version 10 licenses until I upgrade? That all depends on whether the manufacturer
supports downgrading!
As you can see, how you apply a license to software purchased is more complex that just having a license.
The process begins with the Management Suite Inventory Agent which gathers software from the Add or
Remove programs section of the registry, the MSI database also from the registry, and the information from the
software headers. The Data Analytics engine then can standardize and normalize the software data for
manufacturer names and software titles.
The process continues when the raw software data is analyzed against the End-User License Agreements
(EULA) of top software manufacturers. A new Licensed Software attribute is then created for each device to
list the effective software licenses needed for each computer.
Exception Handling
Ivanti Data Analytics provides a way to connect to Microsoft Volume Licensing for the purpose of downloading
a list of licenses purchased. In this download, each license ID is placed line-by-line for comparing licenses
against software usage. New to this feature is the ability to Run Now with Exception Handling which
provides an interactive processing mode for all exceptions to properly deal with each line the rule does not
understand. Sometimes a license may be a 50 count, or there is line item for the DVD medium for install, which
is not a license. The Run Now with Exception Handling enables the administrator to properly apply each
exception line interactively.
Software License Import provides a way to import and populate license data, in bulk, into Software License
Monitoring, for usage reporting. There are a couple of key factors to understand that will help us understand
the rules which add the licenses.
As you can see in this Acrobat 3D (v.8) license, Ivanti Data Analytics applies as required to Acrobat
Professional version 8, then 7, then 6, then to Acrobat Standard, 8, then 7, then 6, then Acrobat version 5, then
4. This takes into account the downgrading ability, and the Product family licensing, and all iterations which
need to be considered. While the license has 0 copies, the structure is configured so as licenses are added,
they will be applied correctly.
Those unfortunate users without Ivanti Data Analytics need to research to find the correct order and hierarchy,
then create each Software Product and version, one-by-one, and finally, build the license, placing all products
by version and family in the proper order. (Let’s hope they found that process fun.) They get to do this for every
product. Another downfall for those without Ivanti Data Analytics, each vendor may have different rules, and
some of those rules can change from time to time.
Import Key
The Import Key is a unique column (or more than one unique column) that Ivanti Data Analytics uses, along
with the product key, to uniquely identify a record. That way, if an import is run multiple times, it will NOT create
a duplicate record. It is important that the Import Key be unique so the multiple records in the import file do not
get merged into one. For this reason, each imported rule must include the Import Key to import into software
license fields, assuring that an entry exists, but only once, in the database.
Description Key
The Description Key is used only during exception handling. With the new feature to Run Now with Exception
Handling, if lines that are imported don’t match a product in the database, a dialog is presented which will allow
you to map the SKU (product key) to a Licensed Software product, if it is not already defined (or place a
number of 0 or skip if the exception line is informational or some other non-license data). The Description Key
field is where the line is placed for you to view the line to make the designation.
2. The Software License Monitoring tool and reports show no software usage at all, but inventory scans are
occurring regularly and are correctly populating the database. What needs to be done to capture software
usage and populate it in the Software License Monitoring tool?
3. What step should always be done immediately before running Software License Monitoring reports to
assure current and correct data?
5. What are the steps to implement Software Reclamation in Software License Monitoring?
Software Distribution provides the vital ability to centrally deliver software to managed devices across the
enterprise. The software can be stored centrally, and distributed from there, or delivered from shares local to
remote sites. Software Distribution includes options to install the software from a server initiated process
(push-based) or pulling the software from a managed device initiated process (policy-based). Software
Distribution supports multiple package types, and always minimizes the bandwidth required to deliver the
software. Installation of software can be automatic, or can be controlled by the end user.
Now that we can see the business solution provided by the software distribution tool, let’s discover how it
works, and how to set up and utilize it.
The third piece is the Agent Settings set on each managed device. These include:
Distribution and Patch: Options set in the Distribution and Patch agent settings are:
o Network setting: Select preferred server/peer download options and download speed settings.
o Policy sync schedule: Select when and how often PolicySync.exe runs.
o Feedback: Select whether to show full package interface, and whether to show successful or failed
status to the end user.
o User defer: Select whether installations are deferred until the next logon, and if software installs can
be deferred, how long snooze times will be.
o LDAP group targeting: Select whether LDAP group targeting is enabled or not.
o Offline: Select whether to install a package when the Core Server is unreachable.
o Logged off: Select whether to install software when users are logged off.
o MSI Information: Set where to find source .MSI files, if required for installation.
Reboot settings: Options set in the Reboot settings are:
o General: Select whether the reboot is Always needed, Detect if it is needed, or act as if it is Never
needed.
o Prompt: Select whether to prompt the user before rebooting, allow the user to defer (snooze) the
reboot, and show an icon in the system tray when a reboot is needed.
o Automatic: Select whether to reboot if:
Logged out
Locked
No response to reboot prompt
Reboot deadline
Limit automatic reboot to a time window
Scheduled Task
The scheduled task, set in the Management Suite console, matches the Distribution Package to be installed
with the managed devices which are to install them.
The person scheduling the task Schedules a Distribution Package and begins the task. The package installs
with Local System rights regardless of user rights. The person scheduling the task does not need access to
shares containing packages, since the authentication access is set in the Preferred Server entry in the Content
Replication tool.
Software Source
The original software source is where the package is first placed to be able to be distributed. Management
Suite makes possible various staging locations on what is called a Preferred Server. These distribution
sources minimize the amount of bandwidth it takes to deploy software to various devices in geographically
diverse locations. The source and preferred servers locations store the packages on either a Uniform Naming
Convention (UNC) share or a Web share.
Core Server: The Core Server uses four main executables to manage Software Distribution (and Patch).
o SchedSvc.exe: The LANDESK Scheduler Service (often referred to as the Scheduler) launches
tasks using task handlers. It was re-written in version 9.6. It has new settings for self-monitoring and
Accelerated push enables speeding up the distribution of tasks. Prior to this, push distributions built up
a target list of up to 64 devices. These would be processed, and after each was completed, the task
would then move to the next 64 devices in the target list. Accelerated push makes this process
asynchronous. As the core discovers and communicates with target devices, it tells them what to do
and then moves on to the next targeted device without waiting for the job to complete. This discovery
and communication process uses multiple processor cores and threads. Each device, after receiving
the task from the core, processes the job and sends its status to the core when complete.
This accelerated push option of not having core wait until devices complete the tasks before sending
the task to additional devices makes the accelerated push setting to process up to 64 computers per
task simultaneously sufficient for most enterprise environments. In testing at Ivanti headquarters, a
distribution task to 20,000 devices completed in less than 10 minutes using the accelerated push
technology. Prior to using the accelerated push, the same task took more than 8 hours.
All delivery methods contain a configurable way to manage download to devices, so that minimal bandwidth is
consumed. Delivery follows a specific order to find, download, and install, the software distribution package.
NOTE: If the device has a Distribution and Patch Agent Setting with Use multicast enabled, it will wait for
a short, configurable, wait time and then receive the distribution package as a broadcast from a local
device, which broadcasts to all devices on the same subnet. Each device on the subnet will receive the
package, at the same time, from the broadcast. (For more information please see the Self-Organizing
Multicast section.)
Third, if a peer does not have the package, the agent seeks to see if it exists on the closest Preferred
Server.
Fourth, if none of the above sources have the package, the agent reads the Software Distribution Package
to determine the path to the package and downloads from there.
If you want to change or omit any of these download options, you can set the option in the Distribution and
Patch Agent setting. Simply deselect any Preferred server / Peer download options you wish to omit.
1. The LANDESK Scheduler Service (SchedSvc.exe), on the Core Server, reads the scheduled tasks
that are stored in the database. When the task is created the .xml file (CP.#.RunNow.xml) is created on
the core server (# is the task number) in the Program
Files\LANDesk\ManagmentSuite\landesk\files\ClientPolicies directory.
The task is launched and the scheduler finds a task is due and launches the Task Handler Proxy.
2. The Task Handler Proxy (TaskHandlerProxy.exe), on the Core Server, gathers information about the
specific task from the database and sends the information to the Policy Task Handler.
3. The Policy Task Handler (PolicyTaskHandler.exe), on the Core Server, sorts target devices in each
task by IP Address. It matches DeviceID and MAC Address of target devices, and discovers DNS
information (if configured to do so), and sends the command to launch PolicySync on each target
device using the TaskID as a parameter.
4. On the targeted devices, the Software Distribution Client (SDClient.exe) receives the .XML file and
starts the action to download and install the software.
Preferred Servers are shares where software applications are stored for delivery to managed devices from a
local source. As was pointed out previously, in the Software Distribution Download Hierarchy, the Preferred
Server is sought out, prior to going to the central source for obtaining software for installation.
Preferred Servers can receive updated Distribution Packages from multiple mediums, but Management Suite
customers have asked Ivanti to leverage the bandwidth throttling ability built into Management Suite to update
the Preferred Server. Ivanti has answered with Content Replication.
Content Replication
To use Content Replication Management Suite implements the following three roles. Namely:
Preferred servers (targets) – local shares in various geographies that offer to managed devices its
resources (Distribution Packages, Patches, OS Images)
Sources – shares containing original resources (Distribution Packages, Patches, OS Images)
Self-Organizing Multicast™
Deploying software packages, some of which are very large, can easily overwhelm the network. To effectively
address this issue Management Suite offers its patented Self-Organizing Multicast™ solution to address LAN
and WAN bandwidth consumption, and speed of deployment. To see an animation describing the process, go
to: https://community.ivanti.com/support/docs/DOC-34266.
Self-Organizing Multicast technology enables faster software distribution without expensive and time
consuming router reconfigurations. Multicast does NOT need to be enabled on the routers. Its revolutionary
self-organizing feature relieves the administrative burden from network setup and centralized overhead.
Self-Organizing Multicast greatly speeds up imaging over LANs, WANs, and especially over slow WAN links,
by transferring the software files only ONCE to each subnet across a LAN or WAN and allowing a self-aware
process to assign a device on each subnet to broadcast the files to other recipient devices.
After each file is sent, a response to resend requests is executed. This gives to managed devices missing data
(if the missed data is less than 10% of the file or image). If a managed device misses more that 10% of the file,
it receives the missing data using peer recovery. In peer recovery an address to a local machine with the
needed data is provided. Using this information the device requesting the data can contact the local peer and
receive the missing data.
Beginning with Management Suite version 2016 additional security has been added. All clients who participate
in self-election provide their public keys to all devices which will receive its broadcasts. Each device assures
the public key matches its public key before receiving the broadcast packets.
(If the Use multicast to deploy files option is chosen the Preferred server / Peer download options do not
apply, and therefore become unavailable for selection.)
Maximum number of multicast domain representatives working simultaneously: Sets how many
Multicast Domain Representatives can download simultaneously. For larger software packages you want a
smaller number, whereas for smaller software packages you want a higher number.
Maximum number of device that failed multicast to process simultaneously: Sets how many target
devices can fail the multicast task before the Multicast Domain Representative will stop broadcasting and
report failure.
Number of days files stay in the device’s cache: Sets how long the non-Multicast Domain
Representative target devices will keep the software packages in their sdmcache directory before deleting
them. (Availability in this directory is to provide peer-to-peer download in the future.)
Number of days files stay in cache on multicast domain representatives: Sets how long the Multicast
Domain Representatives will keep the software packages in their sdmcache directory before deleting them.
(Availability in this directory is to provide peer-to-peer download in the future.)
You can also customize Targeted Multicast options in the Multicast tab of Configure > Services > Multicast.
There is an optional command line switch, /replace, to overwrite any existing Software Distribution packages
with the same name.
Both of these utilities will export only the PUBLIC Distribution Packages and Delivery Methods from the
Console.
UNC Shares
For UNC distributions to work correctly, configure a Preferred Server.
You can download “How to Configure a Preferred Package Server” at:
http://community.ivanti.com/support/docs/DOC-1385.
You can download “How to debug why my preferred server config isn’t being used (Preferred server doesn’t
work)” at:
http://community.ivanti.com/support/docs/DOC-27151.
The Preferred Server configuration includes entering credentials of a service account, which provides read
rights to the software repository. When sdclient.exe downloads the software Distribution Package, it uses the
rights configured in the Preferred Server, without the end-user knowing the account or password granting
access rights. The installation of the software uses settings configured in the Distribution Package on the
Accounts page. The LocalSystem account setting uses a locally running service for administration rights.
The Current user’s account setting uses the currently logged on user’s rights and location for the installation.
To create a software distribution package, the files that it references must be copied to the distribution server.
For tips, tricks, and settings, visit http://itninja.com for application specific help.
Package bundles add the ability to deploy any number of software distribution packages, as a group, in
succession. Simply create the bundle and schedule it to deploy.
It is possible to create bundles within bundles, but you can only adjust the installation order for items at the
selected bundle's root level. Each bundle and sub-bundle has its own installation order.
In the bundle properties you can specify that the bundle cannot be scheduled. This is useful for bundle
organization and helps prevent accidental deployments of those organizational bundles. For example, you
could have a "Microsoft" bundle that contains all of the Microsoft applications you support.
Inter-package actions add control options to each distribution package within a bundle.
o Continue on install failure: If this action is included, the distribution packages following this package
within the bundle will continue to be deployed if the distribution package fails to successfully install. If this
action is NOT included, the distribution packages following this package within the bundle will NOT be
deployed if this distribution package fails to successfully install.
o Reboot: Add this action to reboot the managed devices installing the distribution package. There will be a
30 second delay on the managed device before the reboot occurs. When the reboot is complete, the next
distribution package in the bundle will install.
Note
.BAT files often launch the next package without completing. It is advised that you
do not include .bat files in a package bundle unless it is the last package. Using
provisioning templates to install software has no such limitation with .bat files.
To create a bundle
1. Click Tools or Toolbox > Distribution > Distribution packages.
2. In the Distribution packages tree, right-click a category or a bundle in a category, and click New
package bundle.
3. Edit the bundle name and click enter.
4. Drag packages and other bundles onto the bundle you created to add them.
Linux (.rpm):
Linux packages are in Linux Red Hat Package Manager (RPM) format. Linux packages must be accessed
from a web share. (Assure that directory browsing is enabled on the Web share.) To distribute software to
a Linux device, you must have Administrator rights. Linux packages can detect dependencies and warn the
user about missing libraries.
Macintosh:
Macintosh supports numerous software package formats such as, .dmg, .pkg, .mpkg, .sit, .sitx, .zip, .tar,
.gz, .sea, .app, .sh, .hqx or Automator/workflow packages. These install packages will need to
decompress before installation. The Management Suite Agent will initiate the decompression and install the
package. (All OS X versions include a decompression utility as a part of the OS.)
Mobile:
Mobile applications are available for both Android and iOS (version 7.0 and later). These applications can
be made available via the App store or via a Manifest URL. The packages must be a free version only.
o Android: Packages for Android managed devices.
o iOS: Packages for iPhone managed devices.
Transform files are answer files that customize how MSI packages are installed. They also
facilitate a silent install where otherwise the installation would not be silent as it would require
user input to complete. The syntax on the command line to utilize an .mst file is:
TRANSFORMS=[FILENAME].MST (all in UPPER CASE).
The command line also uses option parameters (called switches) and property reference parameters.
All switches, property references, and transforms, can be entered in the Command Line field of an MSI
Distribution Package’s Install/Uninstall option. To see a list of MSIExec switches go to a command
prompt and use the msiexec.exe /? option, or get additional information from the document
o PowerShell:
Microsoft describes PowerShell as “a task-based command-line shell and scripting language designed
especially for system administration. Built on the .NET Framework, Windows PowerShell helps IT
professionals and power users control and automate the administration of the Windows operating
system and applications that run on Windows.” (http://technet.microsoft.com/en-
us/library/bb978526.aspx.)
One of the features PowerShell adds is ability to use built-in commands called cmdlets. These let you
utilize the command line to manage enterprise computers. PowerShell providers add ability to access
data stores, like registry and certificate stores for easy file system access. It also has a parser as well
as a full scripting language.
o Script Host:
Microsoft offers an alternative to batch files. Windows Script Host (WSH) Packages often automate
tasks traditionally done in batch files (i.e. copying files, mapping drives, or modifying registry keys).
WSH files are most commonly used with Jscript (.JS) and VBScript (.VBS). One major advantage of
the WSH packages over a .bat package is they allow the user to combine multiple languages into a
single file by using the language independent file extension (WSF). These packages are often created
in notepad, HTML editor, Microsoft Visual C++ or Visual InterDev.
o Store Application:
Store Application packages start package installation on the device. Packages can be downloaded
from either a web path or a file share path.
o SWD:
Software Distribution (SWD) packages are those which were built with the legacy Management Suite
Enhanced Package Builder. Although the Enhanced Package Builder is no longer shipped with
Management Suite, Ivanti continues to support the distribution of files created with it. Files that have
been created with the legacy builder will have a .exe extension, but will be uniquely identified as SWD
packages.
The Distribution and Patch Agent setting sets the default path to install the virtualized application.
o Item: Type the name of the category you wish to assign to distribution packages.
o List of items: List of categories added for selection for distribution packages.
Tags: Options in Metadata > Tags are used for filter options in the LANDESK Portal Manager. In order to
select a tag, it must first be created. To create a tag, go to the Distribution packages toolbar, click
Configure settings (The Default package settings windows appears, then click to select the Tags page.)
Tags created in the default package settings are available for selection when creating distribution
packages.
Install/Uninstall options: Offers the ability to install MSI packages, SWD packages, Linux packages, and
Virtualized Application packages. For MSI packages there are additional MSI options.
The Enter command line option give ability to add command line options applicable to the installation of the
distribution package.
Architecture options: The selected architecture field lets you select from
o Not applicable: Packages will run in 32-bit mode, regardless of the OS architecture.
o 32-bit: Only run the package on 32-bit operating systems.
o 64-bit: Only run the package on 64-bit operating systems.
o System architecture: Automatically detect and execute the package based on the OS architecture
(e.g. executes the package in 64-bit mode on 64-bit operating systems.)
If you select System architecture, 32-bit applications will direct to the appropriate locations listed above.
However, 64-bit applications will:
o Access registry in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node.
o Run programs found in C:\Windows\SysWOW64. This includes cmd.exe, cscript.exe, wscript.exe and
others.
For more information from Microsoft about running 32-bit applications in a 64-bit environment, see this
MSDN page:
http://msdn.microsoft.com/en-us/library/aa384249(VS.85).aspx
Client queue options: By default, client queuing is enabled. If another install process is running, the
software distribution task will wait until the install completes, and then run the software distribution task.
To disable client queuing select the Disable client queuing for this package checkbox. In that case if
another install process is running, the task will fail and report status that another installation is occurring.
Additional files: Add all additional files required for installation. If there is an .MST or .MSP file to
accompany an MSI install, these files should be included here. All files which a .BAT file might call or
include should be added here.
For .MSI packages an [Auto detect] button is made available. This button will parse the .MSI file and
include files referenced by the .MSI file. (If the person who packaged the .MSI file has not correctly
referenced the additional files, the auto detect will fail to add additional files.)
Dependent packages: Dependent packages are packages that must already be installed on the device in
order for the package you are configuring to be installed. If the dependent package is not on the device,
dependent packages are first installed prior to installing the scheduled package.
MSI and SWD package types are detected automatically through appropriate registry keys on the device.
For other package types, the package detection method must be defined.
Prerequisites: Offers ability to specify a prerequisite query or file/program return code to allow a software
distribution package to be deployed.
The query option offers the ability to create and apply a query, so targeted devices which do NOT satisfy
the query will NOT receive the package. The failed scheduled task will reflect the prerequisites were not
met. (Two popular uses are to query for a specific Operating System or a specified amount of available
hard disk space.)
The additional file or program return code option is to run a file or program on a device and return an error-
level code. A non-zero code prevents the package from installing. The details will be in the distribution
task’s log file.
Detection: The detection option is available to have you define what files and/or registry entries to locate to
determine if this software distribution package has been installed. This option is to be used in conjunction
with dependent packages.
This option is only available for Executable packages, Batch File packages, Virtualized Application
packages, Windows Script Host packages, and PowerShell packages. (The other package types do not
require this option for they are already able to be detected as installed.)
There are multiple options for defining how to detect files and/or registry entries.
Accounts: This option places one of three accounts to use to distribute the software package.
o LocalSystem account: Will install as the LocalSystem device account, effectively granting installation
with Administrative rights.
o Current user’s account: Will install as the User logged in at the time the distribution occurs. If a User
is not logged in, the distribution will fail.
o Run as specified user: Will install as the user specified. Selecting this option requires the input of the
domain\user name and password.
Timeout Settings: Selecting this option places a time limit (in hours) for allowing how long a package has
to install. If the package has not completed installation within the set time, SDCLIENT.EXE will exit, and the
package will be reported as failed. By default, this option is NOT selected.
Uninstall Association: This option is ONLY available with a Policy distribution. Selecting this will
automatically uninstall the selected software package from the device when the machine or user is
removed from the target list or query in the scheduled task. To select an uninstall package, click the
desired uninstall package in the available distribution packages field, and click [Set].
This gives the ability to add a return code and corresponding message and designate a success or failed
status. If a distribution package succeeds, but the task reports as failed, adding a return code gives the
ability to report as successful.
SWD package options: This option is available for SWD packages ONLY. It gives control to how install a
package if the package has already been installed. It also offers a package feature that allows a
background screen to be displayed during package installation.
o Heal (repair) the package: This option will have the package check file checksums on the target
device, and overwrite only those files whose checksum is different than the files in the SWD package.
o Perform a full reinstall of the package: This option will fully install the package over what already
exists on the target device.
o When feedback is enabled, override the above setting and allow the user to decide: This option
places the decision to fully install, or repair the package, on the end-user IF the delivery method
selected makes provision for this option.
o When feedback is enabled, display the background screen: This option enables the feature to
show a background screen during the installation, giving the end-user feedback that the installation is
in process.
The icons available in the toolbar in the Distribution packages tool include:
Agent Settings
Agent settings put into place how managed devices perform tasks. The Distribution and Patch agent settings
set how Software Distribution and Patch Management tasks are performed. These agent settings can be
initially deployed, or updated and assigned via a scheduled task. The portions of the Distribution and Patch
agent setting which affects Software Distribution are:
If you select Notify user before installing/removing the following window appears:
Offline: Set how to manage the install/removal if the managed device cannot contact the core server.
These options address the business issue of choosing how to proceed if laptops are remote and not
connected at the normal place of business. Options include:
o Wait until the device can contact the managed core server
o Install package(s) offline
Logged off user options: Select one of three options as to how to proceed with the distribution package
when the user is logged off. Options include:
o Continue installation
o Fail installation
Download options: Select one of two options as to download the distribution package. Options include:
o Run from source (execute on share): This is bandwidth intensive as the package will run from the
share and will not download using a bandwidth effective method. This option should only be chosen if
the software requires this setting.
o Download and execute: This is bandwidth effective as the package will obtain the software from the
closest source, copy to its local sdmcache directory, and then execute the install/removal.
Overview: Shows the package Name, Owner, Scope by user, Distribution package, Delivery method,
Currently selected targets, and Scheduled time.
Distribution Package: Shows the order in which packages in the scheduled task will be deployed.
Targets: Grants access to view, add, and delete, items to the scheduled task.
Agent settings: Provides ability to set the task to use a specific Agent Setting for both Distribution and patch
and Reboot settings for the task. You can Keep agent’s current settings, choose an agent setting from a
dropdown list, edit and select an agent setting, or use configure to create a new agent setting and select that
setting.
Legacy (pre-9.60) settings: These settings are for Mac, Linux, Unix, and pre- Management Suite 9.60
Windows managed devices.
o Delivery types: Select from the options: policy-supported push, policy, push, or multicast (cache
only).
o Delivery method: Select from one of the configurations of the corresponding delivery type.
The third setting for Software Distribution in Agent Configuration is to select the agent setting for Portal
manager. Here you can configure, edit, and select the agent setting for Portal manager. Portal manager
becomes of use to the end user for software packages scheduled as Recommended (display in portal), or
Optional (display in portal).
Portal Manager Settings: Here you select the portal manager setting you want to be installed on the
The LANDESK portal manager has options to view the Launchpad and Task History.
The Launchpad is a tool that provides centralized application control for distribution packages, executables,
and URL links. With this tool, the administrator can easily control the presentation, installation, and run options
for end-user applications. The Launchpad tool offers end-users a single point to locate applications or short
cuts.
When using the Launchpad to link distribution packages, Just In Time (JIT) technology can be used. JIT
means the software application will not be installed, and consequently will not cost a license, UNTIL the end-
user clicks the icon the first time. The first icon launch will initiate installation of the software application and
then run it. Subsequent launches then launch the installed software application.
The Launchpad gives end-user the ability to filter what items they see. For items to appear, they must be
scheduled to the end-user OR
scheduled to the device used by the end-user
Since either the device or the logged in user are under consideration the LANDESK portal manager shows the
logged in user in the upper-right corner.
The delivery method employed by the Launchpad is a Launchpad Policy Delivery which is a Policy. It
appears in the Public delivery methods when the first Launchpad link is scheduled.
Launchpad Toolbar
Launch: When the end-user selects an item on the Launchpad, the [Launch] button becomes active, and
if clicked, will run the selected item.
Task History
Task history lists the software tasks that have run on the managed device. It includes a search tool.
Launchpad Architecture
The Launchpad has files that run from the Core Server as well as files required on the managed device.
In the benefit analysis section of standard reports is the Software distribution benefit report. It can
generate reports by device or all distribution packages sent between dates configured by the person running
the report.
In the distribution status section of standard reports there are three (5) reports including: Delegated tasks,
Software distribution delivery status by device, Software distribution delivery status by device (multicast
enable), Software distribution delivery status by task, and Software distribution delivery status by task
(multicast enable). Each of these reports include options to select by Delivery Type, Location (LDAP), and
Device.
In the Dashboard editor tool, there are 16 charts available, in the Software Distribution section, to be added to
dashboards. These charts can assist in “at-a-glance” reporting.
While this can be helpful (especially in very large and diverse enterprises) some businesses do not find such a
use-case necessary. They can deploy software first on a small scale, testing and assuring the software being
distributed does not break something else. Then when they are ready to pull the trigger, and deploy the
software enterprise-wide, they use the self-elected multicast method of deployment, as it completely assures a
bare-minimum impact to both local and wide-area network traffic.
To perform a staged rollout for new software, you can set up a rollout project to deliver the software to a small
group first, and then after it has been installed on 80% or more of those devices, wait for a week to make sure
things are working as designed. If the software fails to install on a significant percentage of devices within 2
Step One
o Action: A scheduled task that distributes the software package to a small group.
o Exit criteria: An 80% success rate, meaning that the package cannot move to step two until the
success rate has been matched or exceeded.
o Email: You get an email if the package is still in Step One after 2 weeks.
Step Two
o Action: A scheduled task that distributes the software package to a larger group.
Implementation
Configuring Rollout Projects includes creating steps to carry out the process. Rather than using if . . . then
logic, each step performs actions on all content in that step. Steps have three possible outcomes, including:
Continue on to the next step
Stop because the exit criteria have not been met
Approval is required for content to continue to the next step
Actions
Schedule distribution task template: Set which delivery template to use to distribute the software packages
(such as Accelerated Push, Optional Policy, Policy Supported Push, Required Policy, etc.)
To add a template to be selected, open the scheduled tasks tool, right-click task template and click New. An
option will be presented to select software distribution template, or patch template.
Exit criteria
Specifies the exit criteria that must be met before content in this step can advance to the next step of the
workflow (or exit the workflow). The exit criteria page offers the two following options:
Keep content together: Select whether the keep all content together before advancing to the next step.
Expected step duration (for charting purposes only): Designates the timeframe length the Gantt chart
will use when displaying the action history.
Email
The Email section is dependent on the Email defaults settings of step duration exceeded, exit criteria met,
approval, and recipients all configured on the Rollout project properties page.
Email – Approval
The Approval page lets you select whether to send email when approval is required, and lets you set to use
project defaults (don’t send email), don’t send email, or send email. It also allows you to only send on email
during a configurable timeframe to avoid an email blast.
1. In Rollout projects tool, right-click a project or step and select Process now.
NOTE: If you try to process an item and the Process now option isn't available, make sure that the step and
the project are both set to Play and are not paused.
2. A prompt asks if you want to Re-apply actions even if they are already applied. When you re-apply
actions, the project processor runs just for that step and applies the actions to all content currently in the
step, even if they have already met the success criteria for the step. Whether or not you choose re-apply
actions, click OK to run the project processor.
If actions are re-applied, the Applied actions timestamp is changed, the minimum duration and post
duration timers are reset, and if there are scheduled tasks in the project or step, they are created again.
If actions are not re-applied, content is evaluated to see if exit criteria have been met or if emails need to
be sent. Only content that is new to a step has actions applied.
Note
Emails associated with a project step are not considered an action and may be sent regardless
of whether or not actions are re-applied.
Tip/Comment
You must pause a rollout project or step before you can edit it.
When a project is paused: The project processor excludes the project. No actions for the project are
applied, no notifications are sent, and no content moves from step to step.
Application Builder
Ivanti has partnered with Acresso to bring our customers AdminStudio Lite. AdminStudio™ is an MSI
packaging tool that Ivanti is providing at no additional cost.
For more information about AdminStudio please see this press release from Acresso:
http://www.flexerasoftware.com/company/newscenter/pressreleases/press-releases_10117.htm
For a feature matrix on AdminStudio LANDESK Limited Edition and AdminStudio Enterprise Edition go to:
http://community.ivanti.com/support/docs/DOC-6685
For a Quick Start Guide for Creating an MSI using AdminStudio LANDESK Edition go to:
http://community.ivanti.com/support/docs/DOC-7562
Here are some helpful tips that will assist you in your packaging (mostly taken from the Dao of the Windows
Installer). The following would be the most relevant Best Practices to users of AdminStudio LANDESK edition:
Error: Failed, Result 0:3010 when deploying a .MSI file, when the installation actually succeeded.
Cause: The return code 0:3010 is not understood by the delivery method.
Resolution: Assign a return code 3010 in the Assign Return Code section of the Delivery Method.
Error: Client has initiated asynchronous policy execution the task stays in an active state.
Cause: There are multiple possible points of failure.
Resolution: Troubleshoot as outlined in the steps of DOC-33467 available at:
https://community.ivanti.com/support/docs/DOC-33467.
1. In the Console, locate a managed device from which you want to locate and download the log files. (This
can be in either the Network View or in the Scheduled tasks tool.)
2. Right-click on the device, and click Diagnostics. (The Diagnostics – Client Name window appears.)
3. Click to select Logs on the toolbar.
4. Click to select either Client or Core, depending on which log file source you want.
5. Choose the specific log file you want. It will download the file and bring it up for you.
3. What actions can be inserted between packages installed in a bundle, and how is this helpful?
5. When a windows actions distribution package contains a custom action, what windows application carries
out the action configured?
6. What is the bulk package credentials update tool, what solution does it solve, and how do you use it?
A company goal has been made to update the Operating System on each computer and desktop in the
enterprise from an older version of Windows to a newer version of Windows. It is important for all software a
user utilizes to be brought onto the updated system. (In some cases the software needs to be updated to a
new version.) Management Suite Operating System Provisioning makes this possible.
An employee calls the helpdesk reporting that there is a message on the computer screen saying there is a
hard drive failure. A technician goes to the desk with a new hard drive and installs it. Without Operating System
Provisioning it would take hours to get that computer up and running. With OS provisioning, the workstation
can be up and running in just minutes.
OS Provisioning works equally well on managed devices and new, bare-metal devices. OS Provisioning can be
launched from a managed boot, PXE (Pre-eXecution Environment), and external media boot (CD, DVD, USB
drive).
Feature Benefit
WinPE
In order to capture an image, or deploy an image, the Operating System cannot be in use (similar to trying to
copy a file which is in use, or overwrite a file which is in use). To have a Windows based computer in an
alternate Operating System, OS Provisioning uses Microsoft’s WinPE 4.0 (the Windows 8 version). WinPE is
available for free from the Microsoft Windows Automated Installation Kit (WAIK) and coincidently; ImageX is
available from the same source. Because of OS Provisioning’s use of WinPE, the first time a Management
Suite Administrator opens the OS Provisioning tool, a Microsoft Software License Agreement for WAIK is
presented. This is for an agreement between the administrator’s company and Microsoft. (Only after
acceptance of the Microsoft agreement will OS Provisioning allow creation of scripts which implement using
WinPE.)
Sysprep
When deploying an image to a device, if the device were to receive the source’s name, and secure identifier
(SID), error would be introduced to the network. In essence the network would be dealing with multiple
machines (and a network does not deal well with multiple personality disorder very well). To keep this from
happening, Microsoft introduces Sysprep.exe. Sysprep allows removing the name, SID, and domain
information, making the machine blank, or generic. When a device has run Sysprep, on its next boot up it will
run Windows mini-setup which creates a SID, names the device, and joins it to a domain. Alternatively, if
preferred, a SYSPREP.INF can provide all such data, and more, automatically to the managed device. OS
Provisioning facilitates creating a SYSPREP.INF or UNATTEND.XML file and stores in:
Program Files\LANDesk\ManagementSuite\landesk\files directory.
For more information regarding Sysprep, see the article Sysprep Technical Reference at:
http://technet.microsoft.com/en-us/library/dd744263%28WS.10%29.aspx
PXE Representatives
In order to PXE boot, each subnet, on which PXE Booting needs to occur, must have a PXE Representative.
Self-electing subnet services facilitates electing a PXE Representative for each subnet. Individual service
settings can be placed on each subnet.
In version 2016.3 Self-electing subnet services elects the device to fill the PXE Representative role for each
subnet with PXE Services enabled. This ensures that each enabled subnet has one, and only one, PXE
Representative. If the PXE Representative goes off line, or disconnects from the network for any reason,
another PXE Representative will automatically take its place within an hour, ensuring PXE Services remain
enabled for the subnet.
If the PXE Representative was deployed using a distribution package from a previous Management Suite
version, the installation of the updated agent will take care of the PXE services. The device will only become
the PXE Representative in the 2016.3 version if it is elected to perform the role.
HKLM\SOFTWARE\Wow6432Node\landesk\managementsuite\CSEP
Create a DWORD key called PXE_SVC_SCORE and assign the decimal value of 35.
The assignment of 35 or higher is a number greater than other scores that would naturally occur in the election
process. With this assignment the device will be the PXE Representative if it is on and connected to the
network. If the ‘designated device’ goes off or disconnects from the network, self-electing subnet services will
assign another device to be the PXE Representative. When the device with the assigned higher score rejoins
the subnet, it will become the PXE Representative at the next election cycle.
Polling frequency: Sets how often the elected PXE representative will check for updated settings and
imaging files. (The default is 15 minutes.) If you change a setting or update a .WIM file the change will not
take effect on a subnet until the next polling interval check.
TFTP block size: The default is 16384 for ia32 and for x64. This greatly speeds the PXE boot transfer.
Smaller sizes may be required in certain environments, though a smaller setting slows down transfers
(often substantially). VMWare in particular requires a block size of 1456.
Allowed and Denied: Allowed MAC addresses are the only devices on the subnet allowed to PXE boot.
Denied means all devices listed will NOT PXE boot, while all others will. Use either allowed or denied, but
not both.
WIM downloader settings: Allows selecting how to allow WIM files to download. Options include:
o Attempt Peer: Selected is on, unselected is off.
o Attempt Preferred Server: Selected is on, unselected is off.
Timeout: Set the number of seconds the PXE boot will allow a user to press F8 to view the PXE options.
Message: Set the message that will appear during the wait time of the PXE boot.
Always PXE Boot UEFI Devices: Select whether to Always PXE boot UEFI devices.
Allow anonymous login for public templates: Select whether to Allow anonymous login for public
templates and ability to designate the user to assign the created scheduled task.
The device elected to be the PXE Representative uses two services to perform its role. The services are:
LANDESK PXE Service: Startup Type set to Automatic
LANDESK PXE MTFTP Service: Startup Type set to Manual (but spawned by the LANDESK PXE
Service).
1. Assure the device has an approved certificate. We can elect devices without the device’s certificate being
approved, but the services will be blocked from running. (Starting with Service Update 2 you will be able to
see a status indicating the elected device does not have an approved certificate.)
2. Assure the device does not have dual NICs (both Wifi and Ethernet). (Wifi does NOT mix well with PXE so
we avoid it.)
Logs
PXE Representative log files can be found in the C:\ProgramData\LANDesk\Log directory.
Preferred Servers
The size of images ranges all the way from 6 GB up to 20 GB and more. OS Provisioning provides a central
resource for deploying images, but with slow WAN links crossing geographic regions, it is built to leverage local
copies of images stored on Preferred Servers.
Preferred Servers are shares where images are stored for delivery to managed devices from a local source. If
the deployment script is configured so, the Preferred Server is sought out, prior to going to the central source
(classical download) for obtaining the image.
Preferred Servers can receive updated images from multiple mediums, but Management Suite customers have
asked Ivanti to leverage the bandwidth throttling ability built into Management Suite to update the Preferred
Server. Ivanti has answered with Content Replication.
Content Replication
To use Content Replication MANAGEMENT SUITE implements the following three roles. Namely:
Preferred servers (targets) – local shares in various geographies that offer to managed devices its
resources (Distribution Packages, Patches, OS Images)
Sources – shares containing original resources (Distribution Packages, Patches, OS Images)
Replicators – Windows Devices with the Management Suite Agent, including Software Distribution, which
downloads resources from sources to the local sdmcache directory, and then copies those resources to
targets.
(Note: Multiple Sources can serve as resource to one or multiple Replicators. Also, Replicators can deliver
resources to one or multiple targets. Both Sources and Replicators can be set as a one-to-one or a one-to-
many resource.)
The steps are as follows:
1. Configure a Source (UNC share or Web share) to be replicated to Preferred Server (targets).
2. Configure a Preferred Server (target) for each subnet where a local source is desired.
For the most complete information on Management Suite content replication, please the article, How to use
LANDESK Content Replication, at: http://community.ivanti.com/support/docs/DOC-20779. This page
explains the entire content replication process, as well as providing links to other documents such as:
LANDESK Content Replication – Console Options and Tools
LANDESK Content Replication – Preferred Server (Target) Configuration
How to Configure a Preferred Package Server
How to set up a HTTP share for a Preferred Package Share
Using Preferred Server in Patch Manager
LANDESK Content Replication – Replicator Configuration
LANDESK Content Replication Process
LANDESK Content Replication Scenarios
Mac Provisioning
Operating System Provision includes ability to provision Macintosh devices. (For more information please refer
to the Mac Provisioning section.)
At the center of the Provisioning process is the agent, ldProvision.exe. It is located in the ldlogon
/provisioning folder. The agent calls plugins to launch each needed action. The agent is placed on the device
through a scheduled task, a PXE server, or a physical boot medium (e.g., a USB drive, or .ISO file on a CD or
The agent requests a template’s configuration settings from a web service on the Core Server
The agent checks the preboot type tag to ensure it is running in the correct preboot environment
The agent performs the actions in the order designated in the configuration template
The agent reboots the device (if necessary)
The agent injects a version of itself into the target OS so it can continue working when the base OS loads
after the reboot
The agent sends feedback to the web service on the Core Server.
The plug-in libraries called by ldProvision help accomplish the steps of the template. To perform each action of
the template, ldProvision strips the root element off the XML file. For each action, it launches the required plug-
in and sends it to the XML snippet for that action. The combination of ldProvision remaining resident while
making calls to plug-ins provides flexibility and efficiency needed to handle all operations of the template while
enabling ldProvision to span reboots.
The plug-in libraries are found on the Core Server in the Program Files
LANDesk\ManagementSuite\ldlogon\provisioning\windows directory.
The steps to create an identifier in the database for a single device are:
1. From the Network View on the Console, click to expand the Configuration group.
2. Right-click Bare Metal Server and click Add devices.(The Add a bare metal server window appears.)
3. Click an Identifier type from the drop-down menu, (choices include MAC address, Serial number, and
Intel vPro GUID, and click [Add]. (The Bare Metal Server window appears.)
4. Enter a name in the Name field. Select the Identifier type, enter the corresponding information in the
Identifier field, and click [Add].
5. Click [OK]. (The Bare Metal Server window closes.)
6. Click [OK]. (The Add a bare metal server window closes. The added item is listed in the Bare Metal
Server pane.
Once the bare metal server is in the database it can be targeted for a scheduled task. Connect the device to
the network and boot it from an ldProvision boot CD, or a USB drive, or PXE boot the device. (At this point the
ldProvision agent contacts the Core Server and runs the appropriate provisioning template.)
The steps to create an identifier in the database for multiple devices from a .CSV file are:
1. Create a bare metal device (server or other device) by adding a device in Network View >
Configuration > Bare Metal Server > Add devices.
(The Add a bare metal server window appears.)
2. Click [Browse] to the right of the Import File field, and browse to the .CSV file, or type the path and
filename of the .CSV file.
3. Click [OK].
Provisioning Workflow
There are two scenarios to start provisioning templates on devices.
Virtual boot (Vboot): For devices that boot, load the OS, and load the Management Suite agent. The
agent receives the provisioning command and executes the defined actions.
Preboot eXecution Environment (PXE boot): For ‘bare metal’ devices that do not boot from the hard
disk. The device boots using DHCP, receives the PXE boot task, which invokes the provisioning template.
Vboot Workflow
The Vboot workflow is as follows:
1. Core Server
a. The Core Server has an OS Provisioning template.
b. The template is scheduled to a device, and the task is started.
c. The Core Server sends a command (prod) to the device to be provisioned.
2. Managed Device
a. The managed device receives the prod from the Core Server.
b. The client launches LDProvision.exe which sends a GetTaskXML call, asking the core for an .XML file
which contains the provisioning instructions.
3. Core Server: The Core Server sends the requested XML file, containing the provisioning instructions for
the device.
4. Managed Device
PXE Workflow
The PXE workflow is as follows:
1. Managed Device
a. DHCP boots, and during the process boots into WinPE and receives the provisioning command.
Tip/Comment
The DHCP boot and loading of WinPE can be from a network boot (from a PXE
Representative) or from an .iso file (via CD/DVD or portable USB thumbdrive).
b. The device connects to the Core Server and the available provisioning templates are made available in
a list.
c. The person at the device selects the desired template. This causes the device to launch
LDProvision.exe which sends a GetTaskXML call, asking the core for an .XML file which contains the
provisioning instructions.
2. Core Server: The Core Server sends the requested XML file, containing the provisioning instructions for
the device.
3. Managed Device
a. LDProvision.exe launches all subtask files in order to execute each of the actions in the provisioning
.XML file. In the case of Vboot, it will download, from a Preferred Server, the files it will need to reboot
into WinPE. The Vboot files are put in a local location, and the device does a one-time Vboot into
WinPE from there.
b. SetActionStatus is sent from the device to the Core Server, informing the Core Server of results of
running provisioning actions, as well as final status (success or failure) for the entire provisioning .XML
file, as well as result codes for the entire process; from WinPE boot, through deploying the OS and
loading drivers, to rebooting into the new OS and installing patches and software packages.
c. Logs of the process are made and kept on the client device throughout the process.
Provisioning in Detail
To start provisioning a device using Pre-execution Environment (PXE), two queues are provided, namely PXE
Provisioning (Windows PE) and PXE Provisioning (Linux PE). These queues can be seen in the
Configuration section under Network View. Devices can enter the queues in two ways; a bare metal device
can be placed via drag and drop from Bare Metal Server to a queue, or a provisioning template can be
scheduled, and a device can be placed via drag and drop to the task in Scheduled tasks. If a device is
targeted, it shows up in the PXE Provisioning folder/queue once the scheduled provisioning task runs. A PXE
Representative on the network finds the device in the queue and directs the device to boot into the
appropriate PE environment.
When a device has been in the PXE Provisioning folder/queue it is removed whether the provisioning task
completed successfully or failed. To re-enter the PXE Provisioning folder the device would need to be targeted
by a provisioning task or manually placed in the folder.
When a device is booted either by PXE, a boot CD/DVD, or USB, the LDProvision agent contacts the Core
Server. If the device has been pre-targeted by a provisioning task, it attempts to run the task. If the device has
not been targeted, the LDProvision agent presents the user with the Provision boot menu containing any
public provisioning templates.
Windows 10 Boot.wim
Enhancements to the Boot.wim files (boot.wim and boot_x64.wim) used for PXE booting include:
Windows 10: They are Windows 10 based (so they need Windows 10 based drivers)
PowerShell: They include PowerShell so PowerShell commands can be passed to PXE booted devices
.NET: They include .NET so the client graphical user interface can display .NET applications
Scheduled Task
The scheduling step matches an OS Provisioning task with one or more devices. (The devices can be added
singly, by device group, by query, or by LDAP container or query.) When a provisioning task begins, the job is
associated with the device’s record in the database, so the history remains associated with the device.
The Scheduled tasks window displays the scheduled task status while the task is running and when
completed. The scheduler service has two ways of communicating with devices: Through the standard
management agent (must already be installed on devices) and through a domain-level system account. The
chosen account must have the login as a service privilege and the specified credentials in the Configure
Services utility. Tasks fall under the following folders:
My tasks: Tasks that the user has scheduled. Only the originating user and administrative users can see
these tasks.
Public task templates: Tasks marked as publically available by users with appropriate rights. Anyone who
edits or schedules a task from this group will become the owner of that task. The task remains in the Public
task templates group and will also be visible to the User tasks group for that user.
All tasks: Shows tasks created by the user and tasks marked as public.
The Use case for this scenario is the first template was to use to test. If that template completes all actions as
planned, schedule the read-only locked template to run those actions on any other devices. The locked, read-
only, template is proven. Scheduling templates which have a locked copy already (whether scheduling the
original or locked copy) will NOT create another locked template.
The View right grants the ability to see and launch the OS Provisioning tool.
The Edit right grants the ability to create a template in the My templates section of Provisioning templates.
The Deploy right grants the ability to schedule templates the user has been granted the rights to see.
o If the user is granted the View right, in addition to the deploy right, he or she can schedule Public
templates for deployment.
o If the user is granted the View and Edit rights, in addition to the deploy right, he or she can schedule
Public templates and My templates for deployment.
Creating Templates
To create an OS Provisioning Template, click the New Template icon on the Operating system provisioning
toolbar.
Template Sections
OS Provisioning allows for building separate templates of scripted actions, testing and finalizing them, and
then linking these finalized templates with other finalized templates.
Templates are grouped in five sections. The sections serve to help contain actions to a logical order. The five
pre-defined sections are:
System migration: This section contains all tasks to perform PRIOR to booting the device into WinPE.
Examples might include: capturing a profile, or loading a specific driver. The last command of this section
will likely be to reboot the device and load WinPE.
Pre-OS installation: These next three sections contain commands which should be done while WinPE is
loaded. In this section you might partitioning a drive.
OS installation: While still in a WinPE pre-installation environment, you might deploy a desired Operating
System.
Post-OS installation: While in this section you might perform final commands while in WinPE, and then
reboot to the deployed Operating System.
System configuration: This section contains all tasks to perform AFTER rebooting from WinPE into the
base Operating System, such as Installing software, patches, etc.
The Action list page gives access to set Provisioning actions to perform on the target device.
Select user migration command XML file in UNC or HTTP format: To enter the location of the XML file
(usually in the ldlogon\uma\commandxml folder) on the Core Server. The .XML file contains parameters
This action can only be completed as part of a template that includes either the Scripted install or Deploy
image actions, or if the device has already been configured with an agent. The options available for this action
include:
Use self-contained client installation package: If selected, options are presented to type or browse to an
Agent Executable Path. Options are also presented as to whether to Attempt Peer, Attempt Preferred
Server, and Allow Source to copy and run the file.
Configuration name: Select which Agent Configuration to deploy in the action.
Reboot if required: Will set a reboot to occur after the agent is installed.
Access to the share where the agent files are stored is provided by preferred servers. This is set in the
Content Replication / Preferred Servers tool. The Core Server has to be set as a Preferred Server. The User
name and Password fields in the Core Server’s Preferred server properties are used to access the shares.
The Timeout (seconds) field sets how long the window will be open for the person invoking the template to
select which mapped software packages will be installed. Set the Customize Mapped Software action early in
the template so the person invoking the template can choose which software will be installed and can then
move on to other tasks without waiting. The software will be installed in the order selected when the template
invokes the Install Mapped Software action (which should be after the Install of the Management Suite Agent).
The Customize Mapped Software action must be called before the Install Mapped Software action, or ALL
software that is found in inventory, and assigned a distribution package in the Product to Package mappings
tool will be installed.
This option can use Machine mapping. If a machine is defined in machine mapping a profile captured from one
device can deploy to another device assigned in machine mapping. (For more information, see the Machine
Mapping section.)
If instead, you want to allow someone to input the name, inject the Device Name Prompter action as the first
step in the Pre-OS installation section. This will allow the user to start the OS Provisioning template, get the
prompt right-away in the process, then leave to do something else. The name will be in memory, and will be
used rather than what is in the variable “ldHostname” inserted into the “ComputerName” of the unattend script.
Timeout (seconds): This sets the amount of time to allow the user at the device to input a name for the
device. If the name and typed and the “Enter” key is pressed, the timeout continues without further waiting.
If the name is not input before the time elapses, the action defers to either:
o LDHostname Variable in the “ComputerName” field of the unattend script (or the name typed in the
Device Name Prompter action if it is used).
o Mapped HostName as set in the “Source” machine column in the Machine Mapping tool.
o Name Template set in Edit Naming Template, accessible from Device Naming, accessible from the
Tools icon in the Operating system provisioning toolbar. This allows a Template to be created and
used when naming devices. (See more in the Edit Naming Template section.)
Available distribution packages: This option presents all created packages in a drop-down menu.
o Type filter: This presents options to choose from All packages or limit those presented by Package
Type.
o Search: This presents options to search for packages by name. You can search in My packages or
Public packages. It includes a [Next] button if you type a package name.
This is only available in the Post-OS installation section for templates based on the Windows preboot
environment. After the OS is installed, but before the device reboots, the HII tool detects the device model and
retrieves the drivers for that model. The drivers are installed onto the device and their information is included in
the registry. After a reboot, when the OS starts, it configures the drivers.
Using UNC to download driver files: Select this checkbox to specify that only UNC is used to access the
HII repository.
Injecting a script copies the file to the target device and replaces any variables within the file. This action is
useful when to want to replace variables in any text file, such as a Windows answer files (like sysprep.inf or
unattend.xml).
If the Inject script action is used, it can only be done after the Operating System install action and before the
first reboot that follows the Operating System install. The options available for this action include:
Script name: Select the script to install. (A script can be created by clicking the Install scripts icon, on the
Operating system provisioning toolbar.)
Target file name: The location of the script you want to inject.
In the Product to Package Mappings tool, you can assign SLM Products to Distribution Packages. This
assignment sets which software will be installed on the newly provisioned device. The ability to make these
SLM Products: Populates with all software applications in the Monitored section in the Software License
Monitoring tool.
SWD Packages: Shows all Distribution packages that are created and available to be installed.
Remove Assignment: Allows removing the assignment so the software will NOT be deployed as part of
the Install Mapped Software action.
Critical: Selecting this checkmark is analogous to selecting the Stop processing the template if this
action fails checkbox for a template action. When selected, if the particular software fails to install, the
action fails and will NOT continue to install other software associated as a part of the Install Mapped
Software action. When unchecked, even if the particular software package fails to install, the task will
continue to install other SWD Packages assigned to SLM Products. (All software which is attempted to be
installed by the action is logged in the OS Provisioning Template History.)
Customizable: Selecting this checkmark makes the SWD Package able to be selected in the Customize
Mapped Software action.
Disable: Selecting this checkbox means that although a product may be assigned, it will NOT be installed
as a part of the Install Mapped Software action. The use case scenario for selecting this is for testing
purposes. While testing, do not install the software which has the Disable box selected, while you test other
software as a part of this action, then, after all testing is complete, you can deselect the Disable box, and
have the action install all assigned software.
This option can use Machine mapping. If a machine is defined in machine mapping, software that was installed
on one device, can be installed to another device assigned in machine mapping. (For more information, see
the Machine Mapping section.)
Display name: The name you want to display to represent the service.
Service name: The name of the service.
Service Description: A description of the service.
Target path and file name: The location and file name of the service you want to install.
Command-line parameters: Enter any command-line parameters that will customize the way the service
is installed.
Service startup type: Specifies the startup setting. This can be Manual, Automatic, or Disabled.
Tip/Comment
If you have a new device for a user, associate the old device with the new device
in the Machine Mapping tool. Then launch a template to deploy the new Operating
System, the Mapped Software, and patches. Then, using the Launch Template
action, launch another template to capture the profile. After that, use the Launch
Template action to deploy the captured profile onto the new device.
In the above example, the template is conditioned upon a variable set by the attribute
Computer.System.ChasisType = Laptop. If the statement is true, it will deploy the “Laptop Image”, while if not
true, it will deploy the “Desktop Image”. You can compare a variable to a value, based on inventory.
Conditional branching is only able to be used on one level. Branch nesting (a condition within a condition) is
not allowed.
Machine Mapping
This tool allows for mapping one device to another. This is used with three actions: Deploy Profile, Install
mapped software, and Launch template.
To launch the Machine Mappings tool, click Tools > Distribution > Machine Mapping.
To manage drivers in the Windows PE Image user for network boot, download the Windows 8 driver (to match
the WinPE 4.0 version OS Provisioning uses) and add it to the Windows PE image.
To add the new driver to the WinPE image, click Manage Drivers in WinPE Image from the Preboot option in
the Operating system provisioning toolbar.
Management Suite helps facility an easy download of Dell drivers in the Download updates tool. In the tool, is
a checkbox to select Dell drivers for winpe. Selections can be made to download drivers for many Dell makes
and models of Latitude, Optiplex, Precision, and Tablet devices. Once downloaded, the drivers can be added
to the WinPE image.
To access the article, About Windows PE Versions used in LANDESK Management Suite, please go to:
http://community.ivanti.com/support/docs/DOC-27542.
To access the Default Provisioning Branding open the Operating system provisioning tool, select Tools on the
toolbar, and select Branding.
Place the customize mapped software action early in the provisioning process, before booting into WinPE.
When the customize mapped software action runs, someone can select which of the mapped software
packages will be installed by the install mapped software action, which is typically placed as a final step in the
provisioning template.
Core Server: Provides the source WinPE.iso file for use during the boot from the CD, DVD, or USB drive.
Bootable ISO: Select this option to create the WinPE.iso file to the location specified in the Destination
Path field.
o Destination Path: Type the path and filename to create the WinPE.iso file for the Boot process.
Bootable USB Drive: If a USB Drive is mounted, this option becomes available. Select the desired USB
Drive location from the dropdown.
NOTE: The use case for a Bootable USB thumb drive, is to use OS Provisioning Template on devices which
are not connected to a network that can see the Core Server, or that have slow WAN links and no local
Preferred Server.
If you create boot media on a USB thumb drive, all data will first be deleted from the drive, and the drive is
made bootable. The necessary files, such as WinPE, drivers, and the OS image you want to deploy, are then
copied onto the drive. You can copy the OS Provsioning Template onto the drive using the Create
disconnected template option. (To see more about refer to the Create disconnected template options
section.)
The key to effectively using HII is to have a repository of drivers for each piece of hardware supported, and
each operating system supported. OS Provisioning provides an easy way to add drivers to the library, and
uses a database (drivers.db3) to match drivers with the corresponding hardware and OS.
The HII Driver Management tool has auto assignment functions. With Auto Detection you can see device-by-
device, and driver-by-driver, what is detected. You can elect to keep and use what was detected, or you can
remove what was detected and assign another driver. This method and view of drivers and assignments grants
insight to see in an overall way, and in a granular way, drivers installed after OS deployment.
You can either disable drivers which are incorrectly chosen and installed (hoping that AutoDetect will assign
the correct driver with its next selection) OR you can bypass AutoDetect and assign drivers to a make, model,
OS, and architecture. The tool includes an Auto Detection feature. When you get a new make and model
computer, install the Management Suite agent. Then, HandwareInfoUtility.exe runs 15 minutes after the agent
is installed, plus a randomized time, and reports up the new computer’s installed devices and their associated
drivers. At this point, they could be assigned taking away the risks associated with AutoDetect.
Management Suite helps facilitate an easy download of Dell drivers in the Download updates tool. Selections
for download include drivers for many Dell makes and models of Latitude, Optiplex, Precision, and Tablet
devices. The Download updates copies the drivers to the Program
Files\LANDesk\ManagementSuite\landesk\files\drivers directory. After the download of additional drivers,
the Build Library must be updated, so the database includes the newly added drivers.
1. Click Tools > Distribution > HII Driver Management. (The HII Driver Management tool opens in the
bottom window of the Management Suite Console.)
2. Click the Build Library icon on the HII Driver Management toolbar.
3. Click [Save]. (This updates the repository (drivers.db3) with the drivers.
Assigning drivers
When Plug-n-Play chooses a driver that does not work for a device, a different driver which works for the
device can be assigned. To assign a driver, perform the following steps:
1. Launch the HII Driver Management tool by clicking Tools > Distribution > HII Driver Management.
2. Click the Assign icon on the HII Driver Management toolbar. (The Assign window appears.)
a. Select the Make.
b. Select the Model.
Disabling drivers
When a driver being implemented does not work for a device, it can be disabled. To disable a driver, use the
following steps:
1. Launch the HII Driver Management tool by clicking Tools > Distribution > HII Driver Management.
2. Click the Disable Drivers icon on the HII Management toolbar. (The Disable Drivers windows appears.)
3. Click [Search] to populate the Search Driver Library field with the path to the drivers. (The Driver Library
pane populates with the drivers.)
4. In the Driver Library pane, browse to and click on the driver to be disabled. (The Devices pane populates
with the various devices the driver and load to.)
5. Select the checkbox corresponding to the device on which you want to driver to be disabled.
6. Click the [Update and close] button.
Provisioning Settings
When provisioning templates are run on devices, a history is kept. If you want to delete the older history, select
Tools from the Operating system provisioning toolbar, and then select Provisioning Settings.
Once in Provisioning Settings, enable automatic history cleanup by selecting the automatically cleanup
provisioning history checkbox. You can set the number of days you want to keep the history.
Branding
When provisioning templates run, a window showing the provisioning activity displays for the end-user.
Provisioning includes the ability to custom brand the provisioning display page. Company specific branding
removes doubts and concerns regarding actions taking place from the stand-point of the end-users. To
create a custom brand page, select Tools from the Operating system provisioning toolbar, then select
Branding.
When you click Branding the Default Provisioning Branding window appears. Here you can select and set
the following:
Self-Organizing Multicast™
Deploying very large image files can easily overwhelm the network. To effectively address this issue
Management Suite used Self-Organizing Multicast solution to address LAN and WAN bandwidth consumption,
and speed of deployment.
Targeted Multicast technology enables faster image distribution without expensive and time consuming router
reconfigurations. Multicast does NOT need to be enabled on the routers.
Targeted Multicast greatly speeds up imaging over LANs and WANs, even over slow WAN links, by
transferring the image file only ONCE to each subnet across a LAN or WAN and allowing a self-aware process
assign a device on each subnet to broadcast the files to other recipient devices.
5. The OS Provisioning Template is configured to use the Deploy image action with the Use Multicast
checkbox selected.
6. The OS Provisioning Template is scheduled to run on multiple devices and the task is started, OR, the
devices on subnets are PXE booted and set to receive the image via the OS Provisioning Template.
7. Each device that is to receive the image files sends a broadcast packet, asking if any other node on that
subnet has started downloading the image file.
a. The first device which is to receive the image, and is also running the LANDESK Targeted Multicast
service (tmcsvc.exe), (which is installed on each device by default as part of the Management Suite
Agent), is designated as the Multicast Domain Representative (MDR). It starts downloading the Image
file which it and other devices are to receive.
b. The other devices broadcast asking if there is an MDR, and get a response that there is. They go into
a waiting a listening mode, ready for the MDR to start broadcasting.
8. After the time designated in the Use Multicast option passes (60 seconds by default), the MDR, which has
been downloading the file begins to broadcast the file to all recipients on port 0, the Multicast port. (Hence
the name Self-Organizing Multicast.)
9. The MDR continues to download and broadcast until the entire file has been downloaded and broadcast.
After the image file is sent, a response to resend requests is executed. This gives to managed devices missing
data (if the missed data is less than 10% of the file or image). If a managed device misses more that 10% of
the file or image, it receives the missing data using peer recovery. In peer recovery an address to a local
To access the article, How to Migrate to Windows 7 Using OS Provisioning – Quick Start Guide, please
go to: http://community.ivanti.com/support/docs/DOC-7443. It includes a .PDF document showing steps to
Migrate to Windows 7.
OS Provisioning Variables
To watch a video which explains use of Variables in OS Provisioning, please go to:
https://community.ivanti.com/support/docs/DOC-33777.
OS Provisioning variables allow various levels of customization. The major rule with variables is that they are
Case Sensitive. Users report that the vast majority of troubleshooting is finally narrowed down to the fact that
the variable they typed in a action did not match the case of the variable. (Please make note and save yourself
time and frustration.)
Public variables use “%” to bracket the variable name (e.g. %coreIP%). Local variables use “%%” to bracket
the variable name (e.g. %%WINDIR%%).
There are four types of variables. They are (in order of how they are applied):
Device: Variables assigned to a specific device.
Public: Variables which are available to all templates.
Template: Variables that apply only to the assigned template.
Action: Variables that apply only to a specific action.
Device Variables
To create a device variable, do the following:
1. In the All devices list, right-click a device and select Manage variables.
Public Variables
To create a Public variable do the following:
1. On the Operating system provisioning toolbar, click Tools, then click to select Public Variables.
2. Click [Add].
3. In the Search value field, type the [Value] you desire.
4. In the Type field, select the type.
a. String: Enter a string value
b. Database value: Enter a database ID string, such as:
Computer.Network.TCPIP.”Bound Adapter”.”Physical Address”
NOTE: Whenever there is a space, you must bracket the value with quotes.
c. Sensitive data: Enter the value to be encrypted in the database.
5. In the Replacement value field, type the [Value] you desire.
6. Click [OK].
Template Variables
To create a template variable, go to the template variables page within an OS Provisioning Template.
1. Click [Add]. (The User-defined variable window appears.)
2. In the Search value field, type the [Value] you desire.
Action Variables
To add a specific action variable, place it directly in the Action list of the OS Provisioning Template.
1. Click Tools > Distribution > OS Provisioning. (The Operating system provisioning tool opens in the
bottom pane of the Management Suite Console.)
2. Right-click a template and click [Edit].
3. Click Action list (left pane) and select a section and select an Action in which you want to place a
variable, and click [Add]. (The Add action window appears.)
4. Click [Add]. (The User-defined variable window appears.)
a. In the Search value field, type the [Value] you desire.
b. In the Type field, select the type.
i. String: Enter a string value
ii. Database value: Enter a database ID string
iii. Sensitive data: Enter the value to be encrypted in the database.
Device Naming
To name a device during the provisioning process there are various options available:
ldHostname variable: Include the “ldHostname” variable in the “ComputerName” field of the
SYSPREP.INF or UNATTEND.XML file called by the Inject unattend file action.
Device Name Prompter: Use the Device Name Prompter action in the provisioning template. The
template calls the action, and the technician types the desired name which writes to a buffer, and that is
injected into the “ComputerName” field of the script, instead of the “ldHostname” variable.
Timeout: The timeout setting brings up a prompt for the amount of time specified in the field. In this
prompt, a technician can type the name to be assigned to the device. If a name is entered, the name is
stored in a buffer that will be used (overriding the %ldHostname% variable referenced in the
Unattend.xml file invoked in the inject unattend file action of the deploy template). If no name is
entered the selected item, from the list of three in the default section, will determine the name that will
be assigned.
Unattend.xml
The unattend file which comes with the product is the script LD_Default_Unattend.xml and
references the file of the same name, found in the directory:
C:\Program Files\LANDesk\ManagementSuite\landesk\files\.
You can use the default, or create your own unattend.xml file and reference it in a template after you
use the install scripts function to enable it to be referenced in a template.
LDHostName Variable: When you select the LDHostName Variable option, the program will use
either:
Once in the tool you can set the name by typing characters, using a variable (including truncating to
use only beginning or only ending numbers), and adding numbers which increase incrementally.
The includes page within a Provisioning template shows templates chained to the existing template. The
actions included from the chained template are greyed to show they cannot be edited from the existing
template. To edit the action one must change the source template being included.
Included by
The included by page within a Provisioning template shows templates that include the existing template. If
template “A” includes template “B”, template A shows template B in includes, while template B shows
template A in Included by.
The properties page within a Provisioning template shows the Template name, Description, Owner Name,
Boot environment, and Target OS.
History
The history page within a Provisioning template shows the history, by managed devices, which have launched
that template. The columns displayed include: Task name, Device name, Start date, Last action date, State,
Attempt number, and Template name. When a system is provisioned, all actions (and status of each action)
are recorded in the provisioning history.
The XML page within a Provisioning template shows the actual xml code of the template. (In essence,
Provisioning is a graphical interface to code in xml format.) You can manually edit the file here.
The XML selection also provides the ability to export a template, whether for later import, for implementation
on another Core Server, or for sharing with others. The exported file is saved as a XTP (XML template page)
file.
The Options page within a Provisioning template lets you set template behavior while performing provisioning
actions. This page includes the following settings:
Client UI Options: Settings to show on the target device while the Provisioning template runs.
o Show client UI: Select this checkbox to show the Provisioning progress window while the template
performs its actions.
Automatically close client UI: Select this checkbox to set how long to leave the Provisioning
progress window open after the template completes its actions. (If unselected, the window will
remain open until the window is closed by someone on the target device.)
Timeout (seconds): Type the number of seconds to leave the Provisioning progress window
open after the template completes its actions.
Remove client provisioning folder: Select this checkbox to delete the files in the folder the Provisioning
template used to perform all of its actions once the template completes. (Examples include: files the
template copies, Software Distribution packages the template copies and installs, etc.)
Branding: Select the branding to be shown on the devices being provisioned. Company specific branding
removes doubts and concerns regarding actions taking place from the stand-point of the end-users.
o Default title: Shows the name of the brand which is set as default.
o Default banner: Displays what the brand looks like.
o Background Color: Shows the background color
Delete
The first icon on the Operating system provision toolbar is the Delete icon. Select an OS Provisioning
template, and click the delete icon to remove the template from the list.
Refresh
The second icon on the Operating system provisioning toolbar is the Refresh icon. Click on the icon to refresh
the view of the Operating system provisioning tool.
The sixth icon on the Operating system provision toolbar is the Create a template group icon. Click the
Create a template group to create a group in any folder under the Provisioning templates level. This can be
done in the My templates area, or in the Public area, if the user has rights. Creating groups for storing
templates provides ability to organize or group templates as desired.
Schedule Template
The seventh icon on the Operating system provisioning toolbar is the Schedule template icon. Use this icon to
schedule an OS Template. (For more on this, go to the Scheduled Task section.)
The eighth icon on the Operating system provisioning toolbar is the Import templates icon. Click the Import
templates icon to import saved XTP file templates. The tool allows browsing to find templates to import. Once
located you click [import] and the .XML file results, containing the actions of the imported file.
Help
The final icon on the Operating system provisioning toolbar is the Help icon. Clicking this icon bring up the
Management Suite documentation from the help website. The help is centralized so when you click on it, the
latest version is available to you.
Edit
The Edit option lets you modify the OS Provisioning Template. Since it is the option that is in bold text, it is the
default option. So if you double-click an OS Provisioning Template, the edit option will launch.
Clone
The Clone option creates a copy of the OS Provisioning Template. The cloned copy will have the same name
as its source, with the date and time appended to the end of the name. (Cloned copies of Locked templates
will NOT be locked as read-only.)
Condense
The Condense option creates a cloned copy of the provisioning template, but in a completely self-contained
format. If a source template includes one or more other templates, the actions introduced by included
templates are not able to be edited in the source template. But, when the template is condensed, the new,
cloned, template has all actions from included template(s), self-contained, and all actions can be edited. There
are no longer dependencies.
The use case is to have a proven template that has no other dependencies, even though the test template
included other templates. Condensing a template does not make it read-only, just self-contained.
The use case is to first make the USB thumb drive bootable into WinPE using the Create Provisiong Boot
Media tool. (See the Create Provisioning Boot Media section for more information.) After that, copy the desired
template(s) to the USB thumb drive using the Create disconnected template option.
Make public
The Make public option (available if the OS Provisioning Template is in the My templates section of the
Operating system provisioning tool) copies the OS Provisioning Template to the Public section and then
deletes it from the My templates section.
Import
The Import option allows you to import .XTP (eXported TemPlate) files.
Columns
The Columns option allows you to change which columns appear, and their order of appearance, in the
Operating system provisioning right-pane. Options to include as columns are: Name, Locked, Target OS, Boot
environment, and Description.
When LDProvision is deployed to a device, it sends back various alerts from the device to the Core Server.
The Core Server matches the alerting event with those found in this ruleset and triggers the appropriate action
for each event.
Access the alerting window by clicking Tools > Configuration > Alerting.
Mac Provisioning
To access the article, Best Known Methods for Mac Provisioning in 9.6 SP2, go to:
https://community.ivanti.com/support/docs/DOC-33695.
Here you enter the path to NetBoot image (.nbi) files. You can also select which NetBoot image you want to be
the default.
The settings can be configured, edited, and set, for all agent settings within this action.
The capture profile action uses preferred servers to authenticate to the shares. This is set in the Content
Replication / Preferred Servers tool. The Core Server has to be set as a Preferred Server. The User name
Available distribution packages: This option presents all created packages in a drop-down menu.
o Type filter: This presents options to choose from All packages or limit those presented by Package
Type.
o Search: This presents options to search for packages by name. You can search in My packages or
Public packages. It includes a [Next] button if you type a package name.
Note: Windows has a Distribute software action which is NOT available as a Mac action. The Execute file
action can be used to run a shell script to install applications.
WinPE log files are found in the X:\ldprovision folder. Since the X: drive is a RAMDisk, it self-cleans when the
reboot occurs.
Windows log files are found is the C:\ldprovisioning and System Temp (C:\Windows\Temp) directories. There
is a setting in the provisioning template “Remove client provisioning folder” which will delete
C:\ldprovisioning after the template runs.
From here, you can expand tasks and find what succeeded and what failed. Information can be seen in the
Results, Action properties, and Parameters tabs.
6. In the Console, locate a managed device from which you want to locate and download the log files. (This
can be in either the Network View or in the Scheduled tasks tool.)
7. Right-click on the device, and click Diagnostics. (The Diagnostics – Client Name window appears.)
8. Click to select Logs on the toolbar.
9. Click to select either Client or Core, depending on which log file source you want.
10. Choose the specific log file you want. It will download the file and bring it up for you.
2. How does the additional feature of PXE Services being managed in Self-Electing Subnet Services help in
the Management Suite environment, and do you configure the feature?
3. In hardware independent imaging what new feature is introduced in Management Suite 2016, how does
this feature help, and how do you configure the feature?
4. What is conditional branching in a provisioning template, and how is this feature helpful?
5. What client-side branding changes are introduced in Management Suite 2016, and how is this helpful?
6. How is customization feature in the product mapping action of a provisioning template helpful, and how do
you use it?
7. How is the device naming feature used in provisioning, and what is hierarchy defined in the algorithm?
8. How is the change agent setting action in provisioning helpful, and how do you use it?
For a document on How to start using Patch Manager in LANDESK® Management Suite 9.5 please go to:
http://community.ivanti.com/support/docs/DOC-7516.
Custom Definition: Provides ability to search for custom definitions you define yourself. The definitions
can be defined by:
Affected Platforms
Affected Products
Query
File existence of non-existence
Registry key, value, or data (limited to HKLM)
Custom Script
The patch scanner, vulscan.exe, runs on the managed devices and reports devices vulnerable, as defined.
These can be acted upon by a script, or command while being scanned, or via scheduled task or scheduled
policy.
Driver: Provides ability to search for driver update definitions. If managed devices are found to be lacking
driver updates, they can be downloaded and run on the devices, updating them. Updates can be applied via
patch scan, scheduled task, or scheduled policy.
LANDESK Update: Provides ability to search for updates of files used by Management Suite. If managed
devices need LANDESK updates, the updates can be downloaded and run on devices via scan, scheduled
task, or scheduled policy.
There is ability to download Ivanti Data Analytics Updates, and LANDESK File Reputation Updates (used by
Application Control.
Security Threat: Provides ability to search for defined security threats on managed devices. Generally,
these usually do not require downloads for remediation, but instead require configuration changes to be made.
Software Update: Provides ability to update software on Macintosh and Windows. Windows software
updates includes searching for devices utilizing ThinkVantage™ Technologies (TVTs) defined by Lenovo. The
specific updates sought for include: Access Connections, Client Security Solutions, and Rescue and Recovery.
Vulnerability: Includes seeking for vulnerabilities as defined, and downloading repaired versions of
applications on managed devices. These remediations can be run during scan, scheduled task, or scheduled
policy.
Architecture
The patch scanner, VULSCAN.EXE, runs on the managed device. The Distribution and Patch Agent
settings, which the scanner uses, are configured in the Management Suite Console and assigned to managed
devices. Throughout the scanning process, there is communication between the scanner and Core Server.
This communication gives the scanner instructions, on the managed device side, and updates the detected
vulnerabilities on the Core Server side.
Under the Tools > Security and Compliance menu is the Patch and Compliance tool. The first selection in
the menu is [Download Updates].
The Download updates tool provides ability to choose numerous download settings, including: what types of
definitions to download, when and where to download the remediation patches, and how to group patch
definitions.
Updates tab
The Updates tab grants access to set the following options:
Select update source site: Allows selecting one of three source sites Ivanti provides world-wide. There are
two servers which feed the three world-wide servers. One updates and the top and bottom of each hour, which
the other updates at quarter past and quarter to each hour.
Definition types: Choose from various items for Linux, Macintosh, and Windows.
Content tab
Provides ability to select a checkbox to Verify definition signatures/hashes before downloading. When
selected, any definitions that do not have valid SHA256 hash will not be downloaded. Also, any lists of
definitions that do not have a valid signature will not be processed. The download process form will show any
download failures due to invalid or missing signatures or hashes.
Import/export tab
Allows ability to do the following:
Import settings from file: Lets you select and import a file to apply settings for Download updates.
Export setting to file: Lets you create and save a file with Download updates settings, for someone else
to import.
Copy settings to another core: Lets you copy custom content from a core server to a selected destination
core server. Content can include configurations, scheduled tasks, software packages, and patch content.
To accomplish this step we can implement the disable replaced rules feature. On the Patch and Compliance
toolbar is the Disable replaced rules icon.
When run, the rules that have been completely replaced by a new rule (superceded) will be disabled. Only
rules that are replaced by an enabled definition will be disabled.
For more information, please see the Ivanti community article, “How To: Use the Disable Replaced Rules
Tool in Security and Compliance Manager - Video” which can be found at:
https://community.ivanti.com/support/docs/DOC-32513.
When this is utilized, the rules that have been replaced are disabled. One of the columns in the details of the
Patch and Compliance tool is Rules disabled. This column indicates those rules which have been disabled.
Designations in this field include:
All: Each of the rules in the vulnerability has been disabled.
Part: Some, but not all, of the rules in the vulnerability have been disabled.
None: None of the rules in the vulnerability have been disabled.
When a rule has been disabled, the icon on the rule changes to have a red x.
To have newly downloaded definitions placed in the Scan group, simply leave the selection Put new
definitions in “Unassigned” group unchecked.
To configure a subset of newly downloaded definitions to be placed in the scan group, click the [Definition
group settings] box and create a configuration. Again, there is a [help] button which brings detailed
explanations to make the desired settings.
To manually drag and drop the definitions in the scan group, open the Patch and Compliance tool, assure the
appropriate Type selection is chosen, and drag definitions into the Scan group.
To build an Agent setting in the Agent settings tool, you also go to the Distribution and Patch tab.
To build an Agent setting in Agent settings > Create a task > Change settings, select the Change settings tab,
and select [Configure].
In the General settings tab the Name of the setting is designated. There is also an option to make the setting
the default.
Schedule tab
Schedule when a Patch Scan will routinely run (set for each Distribution and Patch setting.
Continuation tab
Set whether to automatically continue install or remove actions after prerequisites are met. Possible
prerequisites include: completing a required reboot, installing prerequisite patches, or entering the next
maintenance window.
Branding
Specify whether to use a customized window caption when Patch scanning occurs, if the scanning is not run
silently.
Setting the Patch Scan in the Distribution and Patch Agent setting
To set a periodic and automatic patch scan in the Distribution and Patch Agent setting, Access the Distribution
and Patch Agent setting, and go to the Policy sync schedule tab. From here the configuration opens and you
can set how often to launch the policy sync schedule which will launch the patch scan.
4. Click Security scan. (The Patch and Compliance – scan task window appears.)
5. Name the task in the Name field
6. Click to select Agent settings.
7. Click the Settings cell to the right of Distribution and patch, then select the Distribution and Patch setting
you want to be run on the managed device(s).
(Note: You can edit the configuration setting, or create a new setting by selecting the [Edit] or [Configure]
box.)
8. Click [Save]. The task or policy will appear in the Scheduled tasks tool.
9. Drag and Drop the devices, and/or device group, and/or query, and/or LDAP object, to scan, and start the
task.
When each device which is vulnerable is remediated, this specific vulnerability no will no longer appear in the
Detected section. If the specific vulnerability is removed from the Scan group, it is automatically removed from
the Detected section as well.
Self-Organizing Multicast
Deploying patches, some of which are very large, can easily overwhelm the network. To effectively address
this issue Management Suite used its patented Self-Organizing Multicast solution to address LAN and WAN
bandwidth consumption, and speed of deployment.
Targeted Multicast technology enables faster image distribution without expensive and time consuming router
reconfigurations. Multicast does NOT need to be enabled on the routers.
Targeted Multicast greatly speeds up imaging over LANs and WANs, even over slow WAN links, by
transferring the image file only ONCE to each subnet across a LAN or WAN and allowing a self-aware process
assign a device on each subnet to broadcast the files to other recipient devices.
After the image file is sent, a response to resend requests is executed. This gives to managed devices missing
data (if the missed data is less than 10% of the file or image). If a managed device misses more that 10% of
the file or image, it receives the missing data using peer recovery. In peer recovery an address to a local
machine with the needed data is provided. Using this information the device requesting the data can contact
the local peer and receive the missing data.
(NOTE: The Distribution and Patch Agent settings has options to download the patch(es) from local peers,
and/or Preferred Servers, to reduce bandwidth on WAN links.)
To use AUTOFIX to repair, there are three settings that need to be in place.
1. The Global settings in the Standard LANDESK agent tab of the Agent Configuration.
2. The Scan options in the Distribution and Patch Agent setting.
3. The Autofix option setting on the vulnerability.
Each of the three items must be in place. If any of these is not set, Autofix will not occur.
This allows a setting (such as for Servers) where devices with a setting Never Autofix checked can avoid any
automatic repairs, while at the same time, managed devices without the setting can automatically repair when
scanning.
Some patches do not have an uninstall, and some have only a Manual install and uninstall.
For those which can be uninstalled or rolled back, the steps to uninstall are:
If a patch installation failed, you must first clear the install status information before attempting to install the
patch again. You can clear the install (repair) status for the selected device by clicking Clear on the Security
and Patch Information dialog box. You can also clear the patch install status by vulnerability.
To remove patch files permanently, you must delete them from the patch repository, which is set on the Patch
location tab of the Download updates tool.
Select a scope
The select a scope option allows you to see a scopes autofix as well as its scan counts.
This can be useful when trying to see and decide which vulnerabilities to be scanned.
The filter is created, and the Patch and Compliance tool window reflects the view based upon the selected
filter.
Download updates
The download updates option launches the download updates tool.
Create a task
The create a task option brings ability to create various tasks related to Patch Management.
Change settings – Create a task to change the Distribution and Patch (or any other Agent setting) on
managed devices.
Reboot – Create a scheduled task to reboot managed devices.
Repair – Create a scheduled task to remediate vulnerabilities on managed devices. This was described
earlier in the Deploy Remediations section.
Gather historical information – Create a scheduled task to periodically gather historical information for
graphs and reporting in Patch and Compliance.
Configure settings
The configure settings option provides the access to create a setting for Patch and Compliance to utilize.
Strategically, this allows ability to have Patch Scans scan for different types, as well as have different settings
for different groups of managed devices.
The options for Configure settings are the abilities to create configuration setting for:
Agent settings – Create or edit agent settings to be used by managed devices while scanning. This was
explained in the Distribution and Patch Agent settings above.
Definition group settings – Create or edit settings to set scan status, group membership, and autofix
state for newly downloaded definitions by type, severity and comparison. Settings in this option are applied
the first time a definition is downloaded.
Alert Settings – Configure which new definitions, or antivirus actions will automatically be added to the
Alert group when they are downloaded. The Alerting tool configures an alert to be sent when definitions are
added to the Alert group.
Core settings – Set the following settings here:
o Scan results: Set whether to keep scans in the ldlogon\vulscanresults folder after processing. Also,
set whether to decompress files if necessary.
o Autofix retry count: Set whether to attempt autofix a set amount of times (1 is the default setting)
before giving up, or whether to attempt autofix indefinitely.
o Rollup core: Set whether to send scan results to a rollup core immediately, and if selected the name
of the rollup core and the URL to use to send results.
Permissions: Set the effective permissions regarding Patch and compliance to users in the User
Management tool.
Manage tags: Allows setting tags on definitions for counting and deployment purposes.
Import definitions
The import definitions option provides the ability to import vulnerability or custom definitions.
This allows importing vulnerability or custom definitions from other Core Servers to implement on this Core
Server.
This option gives ability to save a vulnerability or custom definition to a share. It is then available to be
imported to other Core Servers.
Scan information
The scan information option provides access to quickly view a variety of reports regarding scan information.
Refresh
This option refreshes the view of the windows active in the Patch and Compliance tool.
This crucially advantageous and versatile feature provides ability to search for custom definitions you define
yourself. The definitions can be defined by:
Operating System: Mac, Linux, Unix, or Windows.
Software Product: Including those from various vendors.
Query: As defined by a Management Suite query.
File: If a file exists or does not exist.
HKLM Registry: If a registry key exists, its value, or its data.
Custom Script: As defined by an imported or input VBScript.
The patch scanner, vulscan.exe, runs on the managed devices and reports devices vulnerable, as defined in
the definition. Actionable remediation can be acted upon by:
Script: A VBScript.
Patch: A downloaded patch.
Commands: A variety of commands including:
o Click a button
o Connect to UNC share
o Copy a file
o Execute a program
o Reboot a computer
o Replace text in a file
o Run script
o Start a Windows service
o Stop a Windows service
o Unzip a file
o Write a value to the registry
The steps to accomplish this are as follows:
Additionally any vulnerability, security threat, or other Patch and Compliance type can be examined using the
Custom Definition feature. To do this, perform the following:
You can cancel out of these windows once you have discovered all you want about the vulnerability if you do
not want to create a clone.
For more information from the Ivanti Community website on How to Create Custom Definitions in
LANDESK® Management Suite 9.0 please go to: http://community.ivanti.com/support/docs/DOC-7549
See the More Information at field at the bottom of the Description tab. There is usually a link to a
manufacturer provided definition of the vulnerability.
Properties
This option provides the ability to view properties of vulnerabilities, custom definitions, and all content types in
the Patch and Compliance tool.
Selecting Properties brings up multiple tabs and grants ability to look at all aspects of each item in the Patch
and Compliance tool.
This option gives more versatility that the previous option by giving ability to purge by OS platform, language,
and/or type.
Help
Provides access to the help in the Patch and Compliance tool.
The help is context sensitive and updated with latest product versions to include how to use a tool, and defines
each selection possible in configuring and utilizing the tool.
The compelling reason to set up patching in a rollout method, is to detect those few patches (which come from
time-to-time) that break something in the enterprise, early in the process. By applying patches in a rollout
manner, (deploying to a small group of devices, then to a larger group of devices, then to all devices in the
enterprise) you should detect patches that break something early in the process, and make corrections, before
the patch is deployed throughout the enterprise. The only need for hands-on is if and when such a patch
comes down. If no such patch comes, the entire process of downloading definitions, detecting the devices that
need the patches applied, downloading the remediation files, and deploying the fixes in a rollout manner
throughout the enterprise, (with a bare-minimum impact to local and wide-area network traffic) can all be
automated.
To create a rollout project to automate deploying LANDESK patches, set up the definition download settings to
always add LANDESK patches to the rollout project. Apply the patches to your test group, send an email that
the patches have been downloaded and applied, then wait until an administrator confirms that the patches are
working successfully. Deploy the patches to a pilot group, and then when the patches are installed on 85% of
the devices, set the patches to Autofix and tag them with an Autofix tag to make them easy to identify.
In this example, you change the definition download settings to add content automatically to a rollout project.
When you use this feature, the downloaded content is added to the project and automatically begins to move
Step One
o Action: A scheduled task that applies the patch to your test group.
o Exit criteria: An 85% success rate, meaning that the patch must be installed on 85% of devices.
o Exit criteria: Administrator approval.
o Email: After the success rate has been met, you get an email saying that the content is waiting for
approval.
Step Two
o Action: A policy-supported push task that applies the patch to your pilot group.
o Exit criteria: An 85% success rate, meaning that the patch must be installed on 85% of devices.
Step Three
o Action: Set the patch to Autofix.
o Action: Tag the patch as Autofix.
Implementation
Configuring Rollout Projects includes creating steps to carry out the process. Rather than using if . . . then
logic, each step performs actions on all content in that step. Steps have three possible outcomes, including:
Continue on to the next step
Stop because the exit criteria have not been met
Approval is required for content to continue to the next step
Actions – Tags
The tags page lets you specify tags to add and/or remove from definitions. Definitions can be assigned tags to
designate them for actions.
Actions -Targets
The targets page lets you select the devices to scan patch definitions and apply remediations to. You can
select by targeted devices, targeted LDAP objects, targeted queries, targeted LDAP queries, targeted device
groups, and targeted scopes. It will even utilize targeted time zones.
Exit criteria
Specifies the exit criteria that must be met before content in this step can advance to the next step of the
workflow (or exit the workflow). The exit criteria page offers the two following options:
Keep content together: Let’s you select whether the keep all content together before advancing to the
next step.
Expected step duration (for charting purposes only): Designates the timeframe length the Gantt chart
will use to display the action history.
Email
The Email section is dependent on the email defaults settings of step duration exceeded, exit criteria met,
approval, and recipients all configured on the Rollout project properties page.
Email – Approval
The approval page lets you select whether to send email when approval is required, and lets you set to use
project defaults (don’t send email), don’t send email, or send email. It also allows you to only send on email
during a configurable timeframe to avoid an email blast.
Action history
An action history shows detail of successes, failures, and warnings. A Gantt chart of items in a project can be
accessed by double-clicking an item in a step of rollout projects.
General
On the General page you select the following:
Project Type: Select either patch management, or software distribution. You must select the project type and
save the project before you can add steps to it.
Email defaults
On the email defaults page you set project default options for sending email notifications.
Select whether to send email when duration is exceeded: Select either don’t send email, or send email.
Duration exceeded threshold: Set the duration timeframe.
Don’t send more than one email per: Set the timeframe to only send one email to avoid an email blast.
Select whether to send email when approval is required: Select either don’t send email, or send email.
Don’t send more than one email per: Set the timeframe to only send one email to avoid an email blast.
Action history
The action history page allows you to view what actions have been performed by the rollout project, and what
content was involved. Each time content enters a step, has actions applied, or is evaluated against exit criteria,
that information is tracked in the action history.
New project or project step: Click to create a new project, or add steps to an existing project.
Properties: Click to access the Rollout project properties window.
Delete selected object: Click to delete a rollout project step, rollout project, or rollout group.
Pause (exclude from processing): Click to pause a rollout project. If the project is set to pause, the
project processor ignores the project and content stays in the step it is assigned to.
Play (include in processing): Click to play a rollout project. When the project is set to play, the project
processor evaluates the content in each step and determines which content needs to move to the next
step.
Display dashboard in a separate window: Click to have the dashboard pop-out in a separate window.
Create a task: Click to create a task to schedule project processing. This will create scheduled tasks to
carry out the project rollout.
Configure settings: Click to configure email send options. This presents the following options:
Sender’s address: Sets the address that appears in the from field in the email. Email recipients can
know to whom they should turn, should they have questions about the email.
SMTP server: Sets the address of the SMTP server which will send the email(s).
Port: Sets the port the SMTP server will use to send the email(s).
User name: A username to access the SMTP server.
Password: A password to access the SMTP server.
Addresses: Sets a global email recipients list that will combine with the list configured on the email
defaults – recipients page of each rollout project.
Help: Click to access the Management Suite Help.
1. What types of contents can be downloaded from subscription servers and implemented in Patch
Management?
Imagine managing a device connected to the internet, anywhere in the world, from your Management Suite
Console! Such is not only a theoretical possibility, but it actually occurs, on a daily basis, throughout the world,
with the Cloud Services Appliance. Any task that Management Suite can do to managed device, which is
initiated by the device, can be done through the Cloud Services Appliance. Examples of managing a Client
through a Cloud Services Appliance may include:
In network communications within a corporate firewall, managed devices with the Management Suite Agent,
communicate via routers, switches and hubs, through the corporate network, to communicate with the
Management Suite Core Server.
In network communications outside the corporate firewall, through the Internet, intricate and expensive
implementations including routers, switches, hubs, virtual private networks (VPNs), and firewalls, are
assembled, connected, configured, and used.
A virtual version is also available for download and implementation on any local machine in your demilitarized
zone (DMZ).
Whether you use a physical or virtual version, the Cloud Services Appliance acts as a gateway between
managed devices throughout the world, and the Core Server.
The Cloud Services Appliance, by default, is set to handle 4000 simultaneous connections, each device
requiring two (2) separate connections. One connection is required to the Cloud Services Appliance from the
Client, and one connection to the Core Server from the Cloud Services Appliance, for a total of 2,000
simultaneous Client connections. If there is a need for more connections, multiple Cloud Services Appliances
can be implemented.
The Cloud Services Appliance operating system is a custom 64-bit Linux architecture running on
CentOS6.
All communication between the Client and Core Server utilizes SSL communication on port 443
(usually open by default on the most secure networks).
The usual Web interface for Linux (Apache) has been removed and replaced by a proprietary, secure,
Ivanti Web interface.
Certificate services are installed and utilized on each Cloud Services Appliance.
SUMO (checksum scanner) protects all operating system and vital files by running scans on key files
every few minutes, to assure the files have not been changed or compromised - by cyber-attack or
virus infection - in any way. In the event a key file was compromised, an e-mail would immediately be
sent to an administrator for immediate action to be taken.
Built-in firewall protection and port limitation is utilized on each Cloud Services Appliance.
Robust logging can be implemented further protecting the Cloud Services Appliance by providing
valuable information in the event of a successful cyber-attack or virus infection.
“Root”, the key Linux account, has been removed further protecting the Cloud Services Appliance from
cyber-attacks.
Passwords for all accounts on the Cloud Services Appliance require strong passwords
o 8 characters at a minimum
Seeing that the Cloud Services Appliance is in a more vulnerable place for cyber-attack, the Cloud Services
Appliance Security precautions are in place.
To support connectivity from a web browser the Cloud Services Appliance is configured with two IP Addresses.
One comes from the Intranet side, while the other comes from the Internet side. Either can be used to connect
with rights to configure the Cloud Services Appliance.
To connect to the Cloud Services Appliance via SSH, see the Ivanti Community Article at
http://community.ivanti.com/support/docs/DOC-26157.
1. Install the Cloud Services Appliance hardware in the server room in the server rack. It will need to be
able to access the two (2) Ethernet cables which will provide connectivity to:
a. The Intranet – where it can contact the physical segment where the Core Server resides.
There is a complete set of documentation concerning the Cloud Services Appliance on the Cloud Services
Appliance landing page on the Ivanti Community website at: http://community.landesk.com/support/docs/DOC-
10162.
1. What port does the Cloud Services Appliance use to communicate with the Core Server and Managed
Devices?
3. How can you connect with the Cloud Services Appliance from an outside device to configure or change
configuration on the Cloud Services Applance?
4. What is FIPS 140-2 and how do you enable it on the Cloud Services Appliance?
5. What are strengths and weaknesses of having a physical vs a virtual Cloud Services Appliance?