LDAP group targeting for Windows-Agent Settings Tasks also select iOS MobileDevices

December 5, 2018, 6:21 am

≪ Previous: Configure Ivanti Endpoint Manager web console to use https.

Hello guys,

we have four possible configurations for the endpoint security agent which are set by policy and LDAP targeting.

In the LDAP groups, the users are maintained according to the authorization.

We want to ensure that the endpoint security agent settings are set as quickly as possible after logging on to a client.

Unfortunately, the MobileDevices also receive corresponding guidelines and cannot process them, of course.

Owing to this fact, the MobileDevices no longer process the guidelines actually intended for this purpose.

How can we exclude the MobileDevices from the addressing and still guarantee a fast and not inventory based compliance?

BR Jakob

↧

Copy Files

December 5, 2018, 1:53 am

≫ Next: Security Agent Setting (audit)

≪ Previous: LDAP group targeting for Windows-Agent Settings Tasks also select iOS MobileDevices

Hello,

I have to copy files from a server to a group of machines. Which is the best practice? I used to create Custom Manage Script, unfortunately I lost the old script moving to the new server, and the one I created doesn't work. I know it's a silly question...

↧

Security Agent Setting (audit)

December 5, 2018, 3:14 pm

≫ Next: EPM 2018.1 - LDAP Group membership issue

≪ Previous: Copy Files

We have had a report of a security setting for device control that was changed recently. The "saved by" is NT Authority\ISUR. Is this a false alarm (from what we are told, no one with access has touched this setting)? Is there a way to see (maybe on the db level) hwo changed that setting?

Ivanti 2017.3

↧

EPM 2018.1 - LDAP Group membership issue

September 24, 2018, 9:33 am

≫ Next: Using HTTP for all packages

≪ Previous: Security Agent Setting (audit)

Hi, we're on-prem customer and I've noticed some odd behaviour, it's either on the core/DB or agent, I can't quite work out which one.

The inventory on machines is not recording the LDAP group membership properly. For example, my laptop is in 4 different AD groups, EPM is only showing two, but appears to have mix and matched the records. This only appears to be affecting the machines LDAP group info, user group info is fine.

ldapwhomai reports the group membership properly, I ran an outputted inventory scan and found the below, which seems to suggest it's the agent mixing and matching the memberships:

LDAP Groups - Machine - (Display Name:P) - Name =CN=PG-SW-Pilot Group,OU=Software,OU=Standard Permission Groups,OU=Standard Groups,OU=Groups,OU=User and Group Assets,DC=insurance,DC=lan

LDAP Groups - Machine - (Display Name:P) - Description =Pilot Group for Software Deployments

LDAP Groups - Machine - (Display Name:P) - Name =CN=PG-SW-Google Chrome,OU=Software,OU=Standard Permission Groups,OU=Standard Groups,OU=Groups,OU=User and Group Assets,DC=insurance,DC=lan

LDAP Groups - Machine - (Display Name:P) - Description =Add machines for google chrome deployment

LDAP Groups - Machine - (Display Name:D) - Name =CN=Domain Computers,CN=Users,DC=insurance,DC=lan

LDAP Groups - Machine - (Display Name:D) - Description =All workstations and servers joined to the domain

LDAP Groups - Machine - (Display Name:P) - Name =OU=Portable,OU=Swansea,OU=Clients,OU=Hardware Assets,DC=insurance,DC=lan

If I read this right (and I could well be wrong) it's trying to list the groups using the same display names, i.e. all with the display name of "P" - one for "Name =CN=PG-SW-Pilot Group" and one for "Name =OU=Portable,OU=Swansea,OU" and finally "ame =CN=PG-SW-Google Chrome"

I've tried uninstalling the agent/deleting from the console and reinstalling to no avail.

Tried following this: How to set up and configure policies to use LDAP Groups or LDAP Containers but I don't seem to get any different results.

I've just changed the inventory history to 1 day (we've only just migrated so don't much history to keep) in case it's something in the history causing the issue. But I don't understand how when I get the above output on a manual scan on my computer. I would assume if it was the history or database I should only see that issue on the console, not output on the agent.

Can anyone recommend other settings/logs I can check for what might be causing this issue?

↧

Using HTTP for all packages

December 7, 2018, 9:49 am

≫ Next: Data Translation Services

≪ Previous: EPM 2018.1 - LDAP Group membership issue

I am currently migrating to EPM 2018.3 with a side-by-side migration. I chose to start fresh instead of using our existing database. One of the changes I'd like to make is using HTTP for all packages instead of a combination of HTTP/UNC. Since Mac packages require HTTP and the CSA does as well, it seems to make the most sense.

Are there any caveats to only using HTTP?

Currently, the default HTTP settings leave everything accessible to any user on our network. Although users can't install software, they could easily find information that they shouldn't, such as license keys. Is there a recommended way to make this more secure without causing problems during package and patch deployment?

Thanks.

↧

Data Translation Services

December 7, 2018, 9:16 am

≫ Next: How to disable IPv6 on the Core and PE

≪ Previous: Using HTTP for all packages

I have no idea how this feature works or what it's for. I read https://help.ivanti.com/ld/help/en_US/LDDA/10.0/Content/DA/ldda-t-data-translation-services.htm

"Data Translation Services (DTS) is a Data Analytics tool for Ivanti® Management Suite that scans your organization's devices for the inventory data you most care about, such as software licensing, warranties, and so on. Once the data is scanned into the inventory database, you can customize, aggregate, and organize it in reports to make informed and practical decisions about hardware and software purchases and needs."

Ok, sounds great. So how to I use it?

When I go to the data translation services to find details about how these are being generated, it's all empty folder structures. I did "green light" the thing.

Does this affect client user/local device CPU processing? Meaning, will the user see a performance hit from enabling it?

My whole goal here is to populate things like the "owner email" fields in the database. These have never been populated for us and we have always been deriving the data from logon user names.

↧

How to disable IPv6 on the Core and PE

December 10, 2018, 9:10 am

≫ Next: Preset DB values bare metal

≪ Previous: Data Translation Services

We are running Ivanti EPM 2018

WE have been having intermittent bandwidth or connectivity issues with clients.

I would like to rule out IPv6 as a cause and was wondering if their was a way to turn it off completely. We do not utilize it here at the University and looking to disable it on all clients anyway.

Any thoughts or help is much appreciated.

↧

Preset DB values bare metal

December 10, 2018, 11:40 pm

≫ Next: Software Audit

≪ Previous: How to disable IPv6 on the Core and PE

We are currently getting new hardware into our IVANTI EPM environment.

We want to prefill some database values before any Inventory Scan has been run. Why? We have some OSD condition based on Computer Model (Found in Computer > System > Model.

But the system value is not present when adding bare metal devices through their MAC address.

Any idea how to prestage the device with that value filled?

↧

Software Audit

October 22, 2018, 9:21 am

≫ Next: Landesk re-installation

≪ Previous: Preset DB values bare metal

Hope I am in the right place, I have been tasked with coming up with a Software Audit process where I can quickly determine if any of our machines have unapproved software installed. My first thought was iVanti should be able to help me complete this task. We have a lot of "In-House" applications so I am thinking that a Query in iVanti might just be the ticket but can't seem to get there. I was thinking of querying the Computer|Software|Add or Remove Programs|Programs and compare that to a list of "approved" software and return any machine that has something installed that wasn't on the list. The problem with this approach is first the Computer|Software|Add or Remove Programs|Programs in inventory includes every update and I don't need that information. Second I cannot seem to find a spot to have a built in list of approved software. Since we have a lot of "In-House" applications I don't think Software monitoring would help with my task.

Has anyone out there come up with a solution similar to what I am trying to accomplish?

Thanks

Will

Security and Compliance Analyst

↧

Landesk re-installation

November 19, 2009, 12:56 am

≫ Next: Has anyone ever created a query to check to see if the Windows server OS was activated???

≪ Previous: Software Audit

Hello,

I just would like to know if there is any procedure or technical documentation on How to reinstall LANDESK ?

I am meeting here a crash of the OS and am not able to restore it so I decided to reinstall the OS and re-install Landesk.

My database is on another computer.

Could you help me?

Thanks a lot for your help.

Eric

↧

Has anyone ever created a query to check to see if the Windows server OS was activated???

August 14, 2018, 5:34 am

≫ Next: Cancel a software distribution?

≪ Previous: Landesk re-installation

Has anyone ever created a query to check to see if the Windows server OS was activated??? I have been asked to make sure all our copies of Windows Server are activated...

↧

Cancel a software distribution?

November 14, 2018, 12:32 pm

≫ Next: Ivanti EPM 2018.1 current experiences

≪ Previous: Has anyone ever created a query to check to see if the Windows server OS was activated???

We are having some issues with a campus-wide push of Cisco AnyConnect where the installer un-installs the existing version but then fails to install the new version. To the end user, it appears the software has disappeared. We've had enough instances of this happening that we are considering canceling the push. We've set the install to occur at login to try and minimize the impact of anyone using the software. We have a large number of machines that are "Pending" with a status of "Delayed - Task will be performed at next login"

My question is if we cancel the push, with these machine already having the package downloaded and queued, will they cancel the install or will it continue on those machines?

Thanks

↧

Ivanti EPM 2018.1 current experiences

October 5, 2018, 9:25 am

≫ Next: Scope to select a Device Group and Bare Metal machines

≪ Previous: Cancel a software distribution?

Good Afternoon,

I wanted to start a friendly discussion on everyone's experiences with Ivanti 2018.1 so far. I am wondering if the problems we are having are an issue with an unknown bug (which i highly doubt) or something else on our end.

Currently our problem is random, but templates fail to deploy usually on the Deployment of packages stage of the template. But a template that takes normally say 2 hours to run, now takes 5 or more hours to run and most of the time fails. It seems to be completely random (location based). Our network team states that they see nothing wrong. We do have an active case open and working with support, but wanted feedback from anyone using 2018.1.

Our other experiences so far are with Network Map: Even though we are not discovering over WAP but the agent discovered all nodes from our laptop devices from our wireless subnets. It also discovered users home networks and added them to our network MAP and not sure how we can remove that. i haven't contacted support about this as our other issue is more important. For the time being we disabled Network mapping.

Another possible issue is with PXE Booting. I had PXE booting working in 2017.3 and since upgrading to 2018.1 I seem to not be able to detect a PXE rep on the subnet. Again becuase of the other issue, I have not looked into this at this time.

Outside of that, everything else seems to be going great.

So that being said, what have your experiences been?

↧

Scope to select a Device Group and Bare Metal machines

October 23, 2018, 6:36 pm

≫ Next: Compare Variable Assistance

≪ Previous: Ivanti EPM 2018.1 current experiences

I am currently trying to figure out how to set up a scope so that a limited user can provision a machine in a specific Device Group, but also has the ability to Provision BareMetal Machines.

Any ideas or thoughts behind this?

We are currently on 2018.1 of Ivanti Endpoint Manager so far.

↧

Compare Variable Assistance

October 30, 2018, 11:24 am

≫ Next: Password Director - Off Network Users

≪ Previous: Scope to select a Device Group and Bare Metal machines

I am trying to run a compare variable action using if conditions to apply an action on machines that are deployed running Bitlocker.

I want to look up the database field :

"Computer"."Mass Storage"."Drive Encryption"."Protection Status"

This field has two states:

"1 - on" and "0 - off"

What i want is when "1 - on" is found, it runs a script and if it is not found, it continues.

What I have done:

1. Created public variable with Database value with the above information

2. I created a provision template and put an if condition statement under the System Migration and use the Compare Variable. See attached Graphic

For now, i just want the Wait window to pop up to verify functionality. It seems this does not work and I am not sure why.

I have tries the value to be = and 1 - on as well and it fails.

Thoughts, Tips, Comments?

Any help is appreciative.

↧

Password Director - Off Network Users

December 11, 2018, 11:53 am

≫ Next: How is Device Type determined?

≪ Previous: Compare Variable Assistance

I was wondering if anyone could answer a simple question.

If someone forget's their Active Directory passwords and is out of the office or not on the AD network, Does Password Director give the option to get someone in without being connected?

↧

How is Device Type determined?

October 18, 2018, 5:44 pm

≫ Next: Cross Domain Group users not enumerating

≪ Previous: Password Director - Off Network Users

I have desktop PCs that show up with Type= Workstation, and others are Type= Machine. How does the system determine this, and why would similar computers show up differently?

↧

Cross Domain Group users not enumerating

December 12, 2018, 1:45 pm

≫ Next: RC WS blank screen via csa

≪ Previous: How is Device Type determined?

Scenario:

Two domains DomA and DomB

Users members of groups in either domain or both.

We can deploy to group members only where the User and group are members of the same domain.

So users in DomA who are members of a Group in DomA seems to work fine and the same holds true to DomB.

But if we have a Local or Universal Security group with Users from the Foreign Domain we cannot deploy using the Group.

even though there is a full trust between domains or so I have been told.

Here is a Table to help explain it

User	Member Of Group	Result
DomA\Jack	DomA\Finance	Works
DomB\John	DomB\Sales	Works
DomA\Jack	DomB\Sales	Fails to resolve
DomB\John	DomA\Finance	Fails To resolve

Picture for what shows when we browse to the Group

Does anyone have suggestions on how to deal with this? We will be migrating to one domain but until then...

↧

RC WS blank screen via csa

December 14, 2018, 1:02 am

≫ Next: Portal Manager - Remove applications already installed

≪ Previous: Cross Domain Group users not enumerating

Hi, we have some problem with remote control ws and csa (external) agents: after connect it shows blank screen. Core version 2018.3 fresh install, for internal agents html and ws remote control work properly, for external (via csa) agent html rc is ok, but ws doesn't work. Need ideas to resole issue

↧

Portal Manager - Remove applications already installed

December 14, 2018, 2:27 am

≫ Next: Ivanti 2018.3 Locking out my AD account

≪ Previous: RC WS blank screen via csa

Hello,

we use the portal manager for installing applications to users.

Is it possible, in case the application was already present on the user's client, display the remove button instead of install?

Many thanks

Stefano

↧