Kbox Administrator Guide 3.3
This document was uploaded by user and they confirmed that they have the permission to share it. If you are author or own the copyright of this book, please report to us by using this DMCA report form. Report DMCA
Overview
Download & View Kbox Administrator Guide 3.3 as PDF for free.
More details
- Words: 74,758
- Pages: 241
A D M I N G U I D E
Administrator Guide for KBOX 1000 Series
Version 3.3
© 2004-2007 Kace Networks, Inc. All rights reserved. Welcome to KBOX 1000 ownership! Welcome to version 3.3 of the KBOX 1000 Series appliance. This Administrator Guide is designed to help you install, configure, use, and maintain your KBOX 1000 Series appliance. KACE is dedicated to customer success with our primary goal being your ability to quickly utilize your KBOX 1000 Series appliance to save time and eliminate the tedious task of manual inventory, software, and desktop management. If at any time you experience a problem, or have a question regarding your KBOX 1000 Series appliance, please contact one of our support representatives for assistance.
Support Contact: KACE Technical Support (888) 522-3638 for support select option 2 http://www.kace.com/support Company Contact: Kace Networks, Inc. 1616 North Shoreline Blvd. Mountain View, California 94043 (888) 522-3638 office for all inquiries (650) 649-1806 fax
Contents About this guide viii How this guide is organized . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x Additional resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x Contacting Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x The KBOX 1000 Series JumpStart Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi KACE Professional Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Ch. 1
Getting Started with KBOX 1000 Series
........1
Introduction to KBOX 1000 Series . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Solution Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Organizational Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Software Deployment Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Setting Up Your New KBOX server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Setting up your first KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Alternative Deployment Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Key Configuration Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Configuring General settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Configuring KBOX Network settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Ch. 2
Agent Provisioning
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Single Machine Provisioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Provisioning Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 Provisioning Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 KBOX Agent Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 KBOX Agent Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Ch. 3
Inventory
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Overview of the Inventory Feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 Using Advanced Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Creating Search Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Creating Computer Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Filtering Computers by Organizational Unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Understanding Computer Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Computer Identity Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Help Tickets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Operating System Info . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 User Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Manufacturer and BIOS Info . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Administrator Guide for KBOX 1000 Series, version 3.3
i
Processor and Computer Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Network Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Drive Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Motherboard and related Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Process List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Installed Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Installed Patches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Startup Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Harmful Items (Threat Level 5) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Printer List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Uploaded Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Custom Inventory Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Customer Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Asset Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Asset History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 KBOX Agent Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Portal Install Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Scripting Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 OVAL Vulnerability Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Failed Managed Installs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Labels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Failed Patches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 To Install List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Adding computers to inventory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Adding computers automatically . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Adding computers manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Software Inventory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 Adding Software to Inventory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Adding Software Automatically . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Adding Software Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Creating Software Asset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 Custom Data Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 Attaching a Digital Asset to a Software Title . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Monitoring out-of-reach Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 Labels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Creating Labels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Viewing Computer Details by Label . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Deleting labels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Software Metering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 Adding a Software Meter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 Editing Software Meter Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 Deleting a Software Meter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 Configuring the Software Metering Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 Startup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 Software Lookup Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 Enabling Software Lookup Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 Viewing Software Lookup Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Administrator Guide for KBOX 1000 Series, version 3.3
ii
Ch. 4
Asset Management
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Overview of Asset Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 Managing Asset Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 Asset Association . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Managing Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 Generating Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Importing Asset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Ch. 5
IP Scan
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
IP Scan Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 Viewing List of Scheduled Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 Creating an IP Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Ch. 6
Distribution
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Distribution Feature Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 Types of Distribution Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 Distributing Packages through KBOX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 Distributing Packages through an Alternate Location . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Managed Installations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 Creating a Managed Installation for Windows Platform . . . . . . . . . . . . . . . . . . . . . . . . . 75 Sharing Managed Software Installation Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Examples of Common Deployments on Windows . . . . . . . . . . . . . . . . . . . . . . . . 79 Standard MSI Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 Standard EXE Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82 Standard ZIP Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Examples of Common Deployments on Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 Standard RPM Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 Standard TAR.GZ Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Examples of Common Deployments on Solaris . . . . . . . . . . . . . . . . . . . . . . . . . . 87 Standard TAR.GZ Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Examples of Common Deployments on Macintosh(r) . . . . . . . . . . . . . . . . . . . . 91 File Synchronizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94 Creating a file synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 Creating a Replication Share. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 Viewing Replication Share Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Ch. 7
Wake-on-LAN
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Wake-on-LAN Feature Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99 Issuing a Wake-on-LAN Request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100 Troubleshooting Wake-on-LAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Administrator Guide for KBOX 1000 Series, version 3.3
iii
Ch. 8
Scripting
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Scripting Module Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 Using Scripts that are Installed with KBOX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104 Creating and Editing Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 Adding Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106 Editing Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108 Importing scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109 Duplicating scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Using the Run Now Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111 Run Scripts using the Run Now tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111 Run Now from the Script Detail page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111 Monitoring Run Now status. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112 Run Now Detail Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Searching Scripting Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114 Configuration Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115 Enforce Registry Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116 Remote Desktop Control Troubleshooter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116 Enforce Desktop Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117 Desktop Shortcuts Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117 Event Log Reporter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118 MSI Installer Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118 UltraVNC Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120 Un-Installer Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121 Windows Automatic Update Settings policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Ch. 9
Patching
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Overview of Patching feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124 Bulletin Management workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126 Downloading patch bulletins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126 Reviewing & approving bulletins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126 Deploying bulletins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128 Reporting patching results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130 Creating a Replication Share for patches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130 Create new Windows Update Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Updating Patch definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Ch. 10
Security
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Security Module Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133 About OVAL and CVE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
OVAL Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134 Running OVAL Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135 OVAL Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
OVAL Settings and Schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136 OVAL Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138 Creating Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139 Enforce Internet Explorer Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139 Enforce XP SP2 Firewall Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Administrator Guide for KBOX 1000 Series, version 3.3
iv
Enforce Disallowed Programs Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 Enforce McAfee AntiVirus Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142 McAfee SuperDAT Updater . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 Enforce Symantec AntiVirus Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 Quarantine Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144 Lift Quarantine Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Ch. 11
User Portal and Help Desk
. . . . . . . . . . . . . . . . . . . . . . . . . 146
Overview of the User Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147 End user view of the User Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147 Administrator view of the User Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Understanding the Software Library feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149 Creating a software library to deploy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Using the Knowledge Base . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151 Adding Knowledge Base articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151 Editing and deleting Knowledge Base articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Managing Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153 Adding users manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153 Adding users automatically . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154 LDAP Browser Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 Importing users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Overview of the Help Desk Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159 Configuring basic Help Desk settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160 Customizing Help Desk fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162 Creating and editing Help Desk Tickets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166 Submitting Help Desk tickets through email . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167 Editing Help Desk tickets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167 Searching Help Desk tickets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Managing Help Desk tickets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169 Understanding the escalation process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169 About the satisfaction survey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Running Help Desk Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Ch. 12
Server Maintenance
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
KBOX 1000 Series maintenance overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174 Backing up KBOX 1000 Series data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174 Backing up KBOX 1000 Series manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174 Downloading backup files to another location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Restoring KBOX 1000 Series Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176 Restoring from most recent backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176 Uploading files to restore settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Updating KBOX 1000 Series software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177 Verifying minimum server version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177 Updating the license key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177 Applying the server update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178 Verifying the update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178 Rebooting and shutting down KBOX 1000 Series appliance . . . . . . . . . . . . . . . . . . . . . 178
Administrator Guide for KBOX 1000 Series, version 3.3
v
Updating OVAL definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179 Troubleshooting the KBOX 1000 Series . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180 Accessing KBOX 1000 Series logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180 Downloading log files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180 Understanding disk log status data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Ch. 13
Reporting
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
KBOX 1000 Series Reports overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184 Types of Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185 Running Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190 Creating and editing reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Alert Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193 Creating alert messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Email Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194 Creating Email Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
KBOX 1000 Series Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195 Client Check-In Rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195 Distributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196 Software Threat Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197 License Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197 KBOX Network Load . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198 Managed Operating Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198 Computer statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 Software statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 Software Distribution Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 Alert Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 Patch Bulletin Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200 OVAL Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200 Network Scan Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
LDAP Browser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Appendix A
Adding steps to a Task
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Steps for Task sections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Appendix B
Database tables
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
KBOX 1000 Series database tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Appendix C
Manual Deployment of KBOX Agent
. . . . . . . . . . . . . . . . . . . 216
Manual Deployment of KBOX Agent on Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . 217 Installing and Configuring the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217 Upgrading the KBOX Agent. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217 Removing the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217 Verifying Deployment of the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Manual Deployment of KBOX Agent on Solaris . . . . . . . . . . . . . . . . . . . . . . . . . 219 Installing and Configuring the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219 Upgrading the KBOX Agent. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Administrator Guide for KBOX 1000 Series, version 3.3
vi
Removing the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219 Verifying Deployment of the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Manual Deployment of KBOX Agent on Macintosh . . . . . . . . . . . . . . . . . . . . . . 221 Installing and Configuring the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221 Upgrading the KBOX Agent. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221 Removing the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222 Verifying Deployment of the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Appendix D
Agent Customization
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Agent Customization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Appendix E
Warranty, Licensing, and Support
. . . . . . . . . . . . . . . . . . . . . . 227
Warranty and Support Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Administrator Guide for KBOX 1000 Series, version 3.3
vii
P R E F A C E About this guide This chapter provides an overview of this Administrator Guide and provides links to other resources you might find helpful in administering your KBOX 1000 Series appliance. “How this guide is organized,” on page ix “Additional resources,” on page x “Contacting Support,” on page x
How this guide is organized This Administrator Guide is designed to provide all of the information that you’ll need to install configure and deploy the KBOX 1000 Series appliance. This guide is organized into the following top-level section: Orientation and Setup Chapter 1,“Getting Started with KBOX 1000 Series,” starting on page 1 Chapter 2,“Agent Provisioning,” starting on page 14 Chapter 3,“Inventory,” starting on page 26 Chapter 4,“Asset Management,” starting on page 56 Chapter 5,“IP Scan,” starting on page 66 Chapter 6,“Distribution,” starting on page 71 Configuration Chapter 7,“Wake-on-LAN,” starting on page 98 Chapter 9,“Patching,” starting on page 123 Chapter 8,“Scripting,” starting on page 102 Chapter 10,“Security,” starting on page 132 Maintenance and Support Chapter 11,“User Portal and Help Desk,” starting on page 146 Chapter 12,“Server Maintenance,” starting on page 173 Reference Chapter 13,“Reporting,” starting on page 183 Appendix A,“Adding steps to a Task,” starting on page 203 Appendix B,“Database tables,” starting on page 209 Appendix C,“Manual Deployment of KBOX Agent,” starting on page 216 Appendix D,“Agent Customization,” starting on page 224 Appendix E,“Warranty, Licensing, and Support,” starting on page 227
In addition, the symbol to the left denotes an item of interest. These include common configuration questions, specific KBOX behavior, or items that deserve particular attention.
Administrator Guide for KBOX 1000 Series, version 3.3
ix
Conventions This guide uses the following formatting conventions. Format
Description
Bold
Represents buttons, tab labels, and menu selections.
| (pipe)
Separates multiple selections. For example, Inventory | Software.
Table 1-1: Formatting Conventions
Additional resources In addition to this Administrator Guide, KACE also provides the following resources to assist you in installing, configuring, and maintaining the KBOX 1000 Series. A user name and password may be required to access these resources.
Silent Mode Installation Tips and Tricks - http://www.kace.com/support/customer/doc/ SilentInstallationWhitepaper.pdf Installation and Scripting resources - http://www.kace.com/support/customer/ additional_resources.php Tutorial Videos - http://www.kace.com/support/customer/training.php
Contacting Support At KACE, customers are our highest priority, and we structure our support policies and procedures accordingly. Your purchase of the KBOX 1000 Series includes software updates, telephone support, and access to an on-line support portal, which includes: The most up-to-date software and documentation Knowledge base of frequently asked questions Details on the most common software package installation switches Other IT management information. The KACE support team is dedicated to helping you make the most efficient use of your KBOX 1000 Series appliance for your organization. KACE and KACE Certified Partners can help you get the most out of your KBOX 1000 Series appliance with the KBOX™ JumpStart Program and KACE Professional Services.
Administrator Guide for KBOX 1000 Series, version 3.3
x
The KBOX 1000 Series JumpStart Program The KBOX 1000 Series JumpStart Program guarantees that your KBOX 1000 Series appliance will be properly installed and configured for your environment. With the JumpStart Program, you and your team will get custom-tailored, hands-on training to immediately get the maximum value from your investment, with the least amount of time committed from your team. The KBOX 1000 Series JumpStart Program includes: Installation Assistance - Install and configure your KBOX™ 1000 Series appliance; Network scan; learn best practices for use of the KBOX 1000 Series appliance in your environment. Deployment Assistance - Your custom rollout plan includes deployment up to 150 KBOX Agent agents on your network. SW Distribution & Patch Management Assistance - Customized training and one managed installation created. Advanced topics - LDAP or Active Directory integration; ODBC integration with your standard reporting tools. Additional Module training - additional set-up and training is provided for each KBOX 1000 Series module you purchase. To learn more about support services, contact KACE customer support.
KACE Professional Services Delivered by a KACE Partner or KACE engineers, professional services can help you improve your organization's IT efficiency, compliance and security. Professional services are custom tailored to meet your needs. Some common KBOX 1000 Series services include but are not limited to: Custom script development Custom software packaging Application integration Advanced training Security audit analysis Advanced installation and KBOX Agent deployment Managed services. To learn more about professional services, contact your Kace account manager.
Administrator Guide for KBOX 1000 Series, version 3.3
xi
C H A P T E R 1
Getting Started with KBOX 1000 Series The KBOX 1000 Series appliances are easy-to-deploy Systems Management Appliances that deliver all of the powerful features you would expect from a distribution management system and more. This chapter provides guidance on installing and setting up the KBOX 1000 Series appliance to work in your environment. “Introduction to KBOX 1000 Series,” on page 2 “Setting Up Your New KBOX server,” on page 4 “Setting up your first KBOX Agent,” on page 6 “Alternative Deployment Options,” on page 9 “Key Configuration Settings,” on page 10
Introduction to KBOX 1000 Series In general, the administrative operation of the KBOX 1000 Series system management appliance is intuitive and user friendly; however, a review of the basic procedures will likely help new users avoid common pitfalls and internalize KBOX 1000 Series best practices for software management. This section provides an introduction to the components and concepts of your KBOX 1000 Series appliance, and provides an overview of the KBOX 1000 Series workflow for total software management.
Solution Components The KBOX 1000 Series solution is comprised of four primary points of human interface: The Box - The KBOX 1000 Series Systems Management Appliance itself is a high-performance server including (depending on configuration) dual on-board Xeon processors, dual NIC controllers, 1 GB of memory (or more), 3 X 150 GB hard drives (or more) with on-board RAID I support and on-board nightly back up. Administrator Console - The administrator console is a web-based interface that systems administrators use to access and direct the functionality and capabilities within the KBOX 1000 Series. The administrator console supports five primary tasks: Inventory Management, Software Distribution, User Portal, Reporting and, KBOX Settings. Depending on your KBOX 1000 Series configuration you may also have Asset, Scripting, Security, and Help Desk tabs. These are add-on modules. For more information contact the KACE sales team at [email protected] or via phone at 1-888-522-3638. User Portal - The User Portal provides an innovative method for administrators to make software titles available to users on a self-service basis. The end-user portal is not intended to replace traditional push software distribution (as is handled by the Administrator Console and the KBOX Agent). However, the User Portal provides an elegant repository for software titles that are not required by all users. If you have installed the optional Help Desk module, the User Portal also provides a way for users to submit and track help desk tickets. KBOX Agent - The KBOX Agent is the KBOX 1000 Series technology that sits on each desktop that the KBOX 1000 Series manages. The KBOX Agent includes an application component that manages downloads, installations, and desktop inventory. The KBOX Agent also includes the KBOX Agent Management Service that initiates scheduled tasks such as inventory or software update tasks.
Organizational Components KACE Networks recognizes that a large part of IT management is tied into data management. As such, KBOX 1000 Series supports a flexible data model for managing computers, software, users and license keys: LDAP Support - The KBOX 1000 Series includes the ability to auto-discover information via the KBOX Agent or to interface with Active Directory or LDAP organizational units. Filters - Filters enable administrators to manage computers and users based on specified filter criteria. Labels - The KBOX 1000 Series offers advanced labeling capability that puts ad-hoc organizational capabilities in the hands of the software administrator.
Administrator Guide for KBOX 1000 Series, version 3.3
2
Software Deployment Components The KBOX 1000 Series supports several types of distribution packages including: Managed Installations can be configured by the administrator to run silently or in the forefront of the user’s desktop view. Within a “Managed Installation Definition” the administrator can define install, uninstall, or command-line parameters. See “Managed Installations,” on page 74 for detailed information on Managed Installations. File Synchronization is a different way to distribute content to computers with the KBOX agent software. Unlike Managed Installations, File Synchronization is used to distribute files that needs to be placed on a users’ machine without running an installer. See “File Synchronizations,” on page 89 for detailed information on File Synchronization. User Portal Packages are earmarked by administrators for user self-service. Many KACE customers use the portal for handling occasional use applications, print drivers and so on. You also can use the User Portal to resolve Help Desk issues by allowing users to download and install fixes. See “Overview of the User Portal,” on page 147 for detailed information on User Portal Packages. KBOX Agent is a special tab in the interface for managing the KBOX Agent. See the Chapter 2,“Agent Provisioning,” starting on page 14 for details on how to configure and carry out these tasks. The sections that follow describe how to configure the KBOX 1000 Series to meet the needs of your organization.
Administrator Guide for KBOX 1000 Series, version 3.3
3
Setting Up Your New KBOX server While setting up your new KBOX server, perform the following steps. 1. Unpacking the Appliance Make sure that the box in which the appliance was shipped is unpacked and is undamaged in any way. The box should include one set of inner and outer rail assemblies and the mounting screws that you need to install the system into the rack. 2. Updating DNS The KBOX requires its own static IP address. By default, the KBOX will have a hostname of “kbox.” It is highly recommended that you create a record for kbox in your domain corresponding to its static IP before starting the server and client configuration. 3. Setup Location Determine the placement of the appliance in the rack before you install the rails. The appliance should be situated in a clean, dust-free, and well ventilated area. Avoid areas where heat, electrical noise, and electromagnetic fields are generated. Place the appliance near a grounded power outlet. Use a regulating uninterruptible power supply (UPS) to protect the server from power surges, voltage spikes and to keep your system operational in power failures. Leave approximately 30 inches of clearance in the back of the rack for sufficient airflow and ease in servicing. 4. Server Network Configuration Attach a power cord, keyboard, and monitor, but do not connect a network cable at this time. Turn on the KBOX. The first time boot may require 5 to 10 minutes. At the login prompt enter: Login: konfig Password: konfig Using UP and DOWN arrows, modify the static IP address, subnet mask, default gateway, and DNS settings to match your network. Field
Suggested Value
Notes
KBOX Server (DNS) Hostname
Defaults to kbox
It is recommended that you add a static IP entry for “kbox” to your DNS, and use the default Hostname and Web Server Name. The fully-qualified domain name of the KBOX on your network is the value of Hostname concatenated with Domain (for example, kbox.kace.com). Clients will connect to KBOX using the Web Server Name, which can be the hostname, fullyqualified domain name, or IP address (for example, kbox).
Web Server Name
Defaults to kbox
Static IP Address
The IP address of the KBOX server
lDomain
The domain that the KBOX is on
Defaults to corp.kace.com
Subnet mask
Your subnet mask
Defaults to 255.255.255.0
Default gateway
The network gateway for the KBOX server
Administrator Guide for KBOX 1000 Series, version 3.3
4
Primary DNS
The primary DNS server the KBOX should use to resolve hostnames
5. After entering all values, click Apply. Then reboot the KBOX. Log in to confirm web access to the KBOX While the KBOX reboots, plug the Ethernet cable into the port closest to the KBOX power supply, and connect it to a router or hub on your network. Verify the KBOX is now online by browsing to http:// kbox/admin on another computer. If this URL doesn’t open KBOX, try http://defaultip/admin, where default ip is the static IP address that you have assigned to the KBOX. After accepting the EULA (End User License Agreement), log in using the credentials admin/admin. If you can access the KBOX Management Center successfully, it indicates that the KBOX network settings are entered correctly.
Administrator Guide for KBOX 1000 Series, version 3.3
5
Setting up your first KBOX Agent In order for workstations of servers in your environment to connect to the KBOX, they must have the KBOX agent software installed. In this section, you’ll learn how to use the KBOX to install the agent software on a machine in your environment through the KBOX interface.
1. To enable Agent Provisioning functionality: a To go to the KBOX Management Center Web page, go to http://kbox/admin in your web browser. On the KBOX Management Center Web page, click Settings | Network. b The KBOX Settings: Network page appears. Fields are grayed out. Click Edit Mode to edit the field values. c Under Optional File Share Settings at the bottom of the Web page, select the File Share Enabled check box for Agent Provisioning to work from the KBOX. d Click Apply. On clicking Apply, the KBOX will be restarted and you will lose connection to the KBOX. 2. To set up a Provisioning Configuration for a Windows PC: a To go to the KBOX Management Center Web page, go to http://kbox/admin in your web browser. On the KBOX Management Center Web page, click Distribution | KBOX Agent. b Click Provisioning Setup. The Provisioning Setup page appears. c In the Choose action box, select Add New Item. d Under Windows Platform Provisioning Settings, select the Provision this platform check box. e Enter the suggested values in the corresponding fields, as shown in the following table. For more detailed information on all of the options available and detailed instructions, refer to the chapter Agent Provisioning. Suggested Value
Notes
Config Friendly Name
My First KBOX agent installation
This is the identifying name that you will see in lists of available configurations.
Provision IP Range
Enter the IP of a Windows PC that you have access to
Your own PC would be a great example, but you can choose any machine that is accessible on the network and for which you have administrative credentials.
Field
Under “Windows Network Administrative Credentials” Domain (or workgroup)
The domain or workgroup associated with the credentials you are using
User name
An administrative account with access to the target machine
The installation requires an account with administrative privileges to work. Generally, this will be a domain administrator but it could also be a local administrator account.
Administrator Guide for KBOX 1000 Series, version 3.3
6
Password
The password for the account entered above
f Click Save to save the new configuration. 3. To set up a Provisioning Configuration for a Linux, Macintosh, or Solaris PC: a To go to the KBOX Management Center Web page, go to http://kbox/admin in your web browser. On the KBOX Management Center Web page, click Distribution | KBOX Agent. b Click Provisioning Setup. The Provisioning Setup page appears. c In the Choose action box, select Add New Item. d Under Unix (Linux, MacOSX, Solaris) Platform Provisioning Settings, select the Provision this platform check box. e Enter the suggested values in the corresponding fields, as shown in the following table. For more detailed information on all of the options available and detailed instructions, refer to the chapter Agent Provisioning.
Suggested Value
Notes
Config Friendly Name
My First KBOX agent installation
This is the identifying name that you will see in lists of available configurations.
Provision IP Range
Enter the IP of a Linux, Macintosh, or Solaris PC that you have access to
Your own PC would be a great example, but you can choose any machine that is accessible on the network and for which you have administrative credentials.
Field
Under “Network Root Credentials” User name
An administrative account with access to the target machine
Password
The password for the account entered above
The installation requires an account with administrative privileges to work. Generally, this will be a domain administrator but it could also be a local administrator account.
f Click Save to save the new configuration. 4. To Provision your machine: a On the resulting page, you can see the name of the Provisioning Configuration you just created and saved. Select the check box next to your Provisioning Configuration, and then select Run Select Configurations Now in the Choose action box. b The resulting page displays the machine that you have selected to receive the agent. On clicking the Refresh button at the bottom of the page, you can see the column under DNS Lookup update from (unknown) to In progress… to the IP or hostname when it has completed installing. 5. To verify your agent has checked in to the KBOX: a After the installation is completed, the new KBOX agent checks into the KBOX within two minutes, at which time it will provide inventory information about the machine and its software to the KBOX.
Administrator Guide for KBOX 1000 Series, version 3.3
7
b Click Inventory at the top of KBOX Management Center Web page to see a list of machines that have checked in to the KBOX. The most recent machine that has checked in will be at the top of the list, so you should see the hostname of your installed agent. 6. After following the steps above, you should now have one KBOX agent installed and checking in to the KBOX successfully. You could deploy multiple machines simultaneously by creating a configuration that identifies an IP range rather than a single IP. For more detailed information on different options and other platforms, refer to the Chapter 2,“Agent Provisioning,” starting on page 14.
Administrator Guide for KBOX 1000 Series, version 3.3
8
Alternative Deployment Options KBOX 1000 Series customers have successfully deployed the KBOX Agent using many different approaches. In addition to installing clients through KBOX Agent Provisioning as outlined above, other approaches are outlined below. For these options or to install manually on the local machine, you can find the installer files for all supported platforms on the KBOX (if you have enabled the file share) at \\kbox\client\agent_provisioning\. Email: An email notification may be sent to your users either containing the install file itself or pointing to the KBOX 1000 Series or other Web location to retrieve the required installation file. Users can click on the link and install the appropriate file. Log-in Script: Some companies use log-in scripts that provide a great mechanism for deploying the KBOX Agent at login time. If you use log-in scripts, simply post the appropriate file in an accessible directory and create the appropriate script for KBOX Agents to retrieve the file at log-in time. Below is a sample Windows login script which checks for the presence of Microsoft’s .NET framework on the client machine, and installs the appropriate components in order to deploy the KBOX Agent: ---------------------------------------------------------------------------------------------------@echo off if not exist "%windir%\microsoft.net" goto neednet echo .NET already installed. goto end :neednet start /wait \\location\ dotnetfx.exe /q:a /c:"install /l /q" :end if not exist "C:\Program Files\KACE\KBOX" goto needkbox echo KBOX Agent already installed. goto end :needkbox MsiExec.exe /qn /l* kbmsi.log /I \\location\KInstallerSetupSilent.msi ALLUSERS=2 :end -----------------------------------------------------------------------------------------------
Administrator Guide for KBOX 1000 Series, version 3.3
9
Key Configuration Settings Before you begin inventorying and actively managing the software on your network, it is important to properly configure the server. You may also want to look at the Agent Provisioning chapter for details on agent connection settings.
Configuring General settings This section covers the general server configuration settings you should modify before you begin using your KBOX 1000 Series appliance on your network. To configure General Server settings: 1. Select Settings | General. The KBOX Settings: General page appears. If fields are grayed out, you may need to click [Edit Mode] before you can edit the field values. 2. In the General Options area, specify the following settings: Company-Institution Name
Enter the name of your company.
This name appears in any pop-up windows or alerts displayed to your users.
Organization Name
Enter the name of your division or organization.
User Email Suffix
Enter the domain to which your users send email.
For example, kace.com.
Administrator Email
Enter the email address of the KBOX 1000 Series administrator.
This address will receive system-related alerts, including any critical messages.
Send crash report to KACE
Select this check box to send a report to KACE in the event of a KBOX 1000 Series crash.
This option is recommended, since it provides additional information to the Kace technical support team in case you need assistance.
Enable KACE Software Lookup Service (SLS)
Select this check box to be able to access online data about common software applications and how to deploy/ remove them and share anonymous information about the software on machines in your environment.
3. Click Set Options, to save your changes. 4. In the Clock Settings area, verify that the clock is set to the correct time, then click Set Date and Time. It is very important to keep the time of the KBOX 1000 Series accurate, as most time calculations are made on the server and is used in the Inventory tab to reflect when computers have checked into the KBOX 1000 Series. For more information, see Chapter 3,“Inventory,” starting on page 26. Note that changing the server time will require the Web server to re-initialize. This may disrupt KBOX 1000 Series operation for 10 to 15 seconds.
Administrator Guide for KBOX 1000 Series, version 3.3
10
5. Select the appropriate time zone from the drop-down list, then click Adjust Time Zone. When updating the time zone, the KBOX 1000 Series Web Server will be restarted in order for it to reflect the new zone information. Active connections may be dropped during the restart of the Web server. You may need to manually refresh this page in the browser in order to display the new zone settings. 6. In the Logo Overrides area, specify the images to display in the following areas, then click Upload Logos: User Portal
Appears at the top of the User Portal page.
Report
Appears at the top of reports generated by the KBOX 1000 Series.
KBOXClient
Appears in the KBOX Agent.
7. Machine Actions allow you to define one-click actions to carry out against KBOX Agent machines. To customize which action will be carried out, choose an action next to either Action #1 or Action #2, then click Set Actions to save the changes. You can run these Machine Actions by clicking either (Machine Action 1) or (Machine Action 2) next to the computer record on the Inventory | Computers tab. For more information, see “Overview of the Inventory Feature,” on page 27. 8. In the Network Scan Options, select the Show unreachable devices in scan inventory check box if desired, then click Set Scan Options. 9. In the Optional Ignore Client IP Setting, enter any IP addresses you would like ignored as the client IP and then click Save List. This might be appropriate in cases where multiple machines could report themselves with the same IP address, like a proxy address.
Configuring KBOX Network settings The key KBOX network settings were mostly configured when you first logged into the KBOX using the konfig/konfig credentials, but an administrator can verify or change the settings at any time on the KBOX 1000 Series. Any changes made to the Network settings on this page will force the KBOX to reboot after saving. Total reboot downtime should be 1 to 2 minutes provided that the changes result in a valid configuration.
Administrator Guide for KBOX 1000 Series, version 3.3
11
To configure KBOX network settings: 1. Select Settings | Network. The KBOX Settings: Network page appears. Fields are grayed out. Click [Edit Mode] to edit the field values. Field
Suggested Value
Notes
KBOX Server (DNS) Hostname
kbox
As noted above, we recommend adding a static IP entry for “kbox” to your DNS, and using the default Hostname and Web Server Name. The fully-qualified domain name of the KBOX on your network is the value of Hostname concatenated with Domain (for example, kbox.kace.com). Clients will connect to KBOX using the Web Server Name, which can be the hostname, fully-qualified domain name, or IP address (for example, kbox).
Static IP Address
The IP address of the KBOX server
Be extremely careful when changing this setting. If the IP is entered wrongly, the KBOX could become difficult to locate on the network.
Domain
The domain that the KBOX is on
Defaults to corp.kace.com
Subnet mask
Your subnet mask
Defaults to 255.255.255.0
Default gateway
Your default gateway
Primary DNS
The primary DNS server the KBOX should use to resolve hostnames
Secondary DNS
The secondary DNS server the KBOX should use to resolve hostnames
Network Speed
Your network speed
SMTP Server
To enable email notifications through an external SMTP server, set the server name here.
The server named here must allow anonymous (non-authenticated) outbound mail transport.
SSH enabled
Unchecked
It is more secure to leave this option turned off unless Kace technical support needs remote access to the KBOX.
KBOX Web Server Name
The secondary DNS server is optional.
2. Under the Optional Network Time settings, indicate whether the KBOX should consult a Network Time Server and what the server’s hostname is. 3. In the Optional Proxy Settings area, specify the following proxy settings, if necessary: Specify the proxy type, either HTTP or SOCKS5 in the Proxy Type list. Specify the name of the proxy server in the Proxy Server field. Specify the port for the proxy server, the default port is 8080 in the Proxy Port field. Select the Proxy (Basic) Auth check box to use the local credentials for accessing the proxy server.
Administrator Guide for KBOX 1000 Series, version 3.3
12
Specify the user name for accessing the proxy server in the Proxy Username field. Specify the password for accessing the proxy server in the Proxy Password field. 4. In the Optional SSL Settings area, specify the following SSL settings, if desired: a Select the SSL Enabled on port 443 check box to have clients check in to the KBOX server using https. A properly signed SSL Certificate is required to enable SSL. Certificates should be supported by a valid Certificate Authority. SSL settings should only be adjusted after you have properly deployed the KBOX 1000 Series on your LAN in non-SSL mode. If you are enabling SSL, you will need to identify the correct SSL Private Key File and SSL Certificate File. The files must be in Privacy Enhance Mail (PEM) format, similar to those used by Apache-based Web servers and not in the PCKS-12 format used by some Web servers. It is possible to convert a PCKS12 certificate into a PEM format using software like the OpenSSL toolkit. Please contact KACE Technical Support if you wish to enable SSL on you KBOX. b Clear the Enable port 80 access check box. When you activate SSL, port 80 will continue to be active, unless you uncheck this option. By default, the standard KBOX Agent installers will attempt to contact the KBOX via port 80, then switch to SSL over port 443, after getting the server configuration. If you disable port 80, you will need to contact KACE support to adjust the agent deployment scripts to handle SSL. For ease of agent deployment, leaving port 80 active is suggested. c In the Set SSL Private Key File field, browse for the SSL Private Key file. To enable SSL, you need to identify the correct SSL Private Key file. d In the Set SSL Certificate File field, browse for the signed SSL Certificate. To enable SSL, a signed SSL Certificate is required. 5. In the Optional File Sharing Settings area, turn on the server’s File Share by selecting the File Share Enabled check-box. The default password for this share is admin. Files in this share are available at \\kbox\client\. Typically, this is used to access agent provisioning files. If you are not provisioning clients, it is recommended that you leave this option disabled. 6. In the Optional Security Settings area, specify the following security settings: a Clear the Enable backup via ftp check box. Nightly the KBOX creates a backup of the database and the files stored on it. By default, the KBOX allows you to access these files via a read-only ftp server. This would allow you to create a process on another server that pulls this information off the physical KBOX. If you do not need this feature and would prefer to disable the FTP server, you can turn off this option. b Clear the Enable SNMP monitoring check box. SNMP is a network / appliance monitoring protocol that supported by many third party products. If you do not want to expose the KBOX SNMP data, turn off this option. c Clear the Enable database access check box. The KBOX database is accessible via port 3306, to allow you to run reports via an off board tool like Access or Excel. If you do not need to expose the database in this way, you can uncheck this option. 7. In the Network Utilities area, select the desired network utility option from the drop-down list, and then click Test. 8. Click Apply to save any settings on this page, at which time the KBOX will reboot.
Administrator Guide for KBOX 1000 Series, version 3.3
13
C H A P T E R 2
Agent Provisioning The Agent Provisioning feature enables you to install the KBOX agent on machines in your environment directly from the KBOX. You could deploy multiple machines simultaneously by creating a configuration that identifies an IP range rather than a single IP. The procedure for Agent Provisioning varies for Windows and non-Windows operating systems. This chapter contains the following sections: “Single Machine Provisioning,” on page 15 “Provisioning Setup,” on page 16 “Provisioning Results,” on page 21 “KBOX Agent Settings,” on page 22 “KBOX Agent Update,” on page 24
Single Machine Provisioning Single Machine Provisioning provides an easy way for first time deployment of KBOX Agent Technologies to target managed computers. It assumes some default values for settings such as TCP ports, Time outs, KBOX sever name, etc. To quickly deploy KBOX Agent Technologies on a single machine: 1. Select Distribution | KBOX Agent. The KBOX Agent Distribution & Management page appears. 2. Click Single Machine Provisioning. The Single Machine Provisioning page appears. 3. Enter the details as shown in the following table. Target IP
Enter the IP address of the target machine.
Action
Click Install Agent to install the Agent or click Remove Agent to remove the Agent.
Platform
Click the appropriate platform.
KBOX Agent Version
This field displays the KBOX Agent version number.
Domain (or Workgroup)
Enter the domain or workgroup name associated with the credentials you enter below. Note: This field is available only if the platform selected is Windows.
User Name (admin level)
Enter a username that will have the necessary privileges to install on the targeted machines.
Password
Enter the password for the account listed above.
4. Click Run Now to first save the current configuration with a default name as Simple configuration IP Address and immediately run the configuration against the targeted IP.
Administrator Guide for KBOX 1000 Series, version 3.3
15
Provisioning Setup KBOX Agent Provisioning provides a method for the first time deployment of KBOX Agent software to targeted computers. A provisioning configuration identifies one or more IP addresses for the first time deployment or removal of the KBOX Agent. The target IP address is tested for the existence of an agent and if none, will execute a remote install of the agent directly from the KBOX. The provisioning installers are located on the KBOX in the following network share: \\KBOX\client\agent_provisioning where "KBOX" is defined as the hostname of your KBOX (e.g. "kbox" by default); The provisioning files are located in their respective "platform" subdirectories (e.g. Windows files located in the "windows_platform" directory). IMPORTANT: To activate provisioning functionality you must enable the KBOX's file share via the Network Settings Page. Additionally, for the Windows target platform the following must be configured: On Windows XP, "Simple File Sharing" must be turned off. KBOX Provisioning requires standard file sharing with its associated security model. Having "Simple File Sharing" enabled could cause a "LOGON FAILURE" as simple file sharing does not support administrative file shares and associated access security. If Windows Firewall is turned ON, "File and Print Sharing" must be enabled in the Exceptions list of the Firewall Configuration. By default the KBOX will verify the availability of ports 139 and 445 on each target machine before attempting to execute any remote installation procedures. You can choose either Auto Provisioning or Manual Provisioning. Auto Provisioning allows you to provide target IP Range for Provisioning. Manual Provisioning allows you to enter IPs manually and also pick up machines from IP Scan and Inventory. To Add a New Item to Provisioning Setup using Auto Provisioning: 1. Select Distribution | KBOX Agent. The KBOX Agent Distribution & Management page appears. 2. Click Provisioning Setup. The Provisioning Setup page appears. 3. In the Choose action box, select Add New Item. The Provisioning Configuration page appears. 4. Under the General Settings area, select the Auto Provisioning option. 5. Enter the general settings details as shown in the following table. Config Friendly Name
Enter a name for your agent provisioning configuration. Make sure that your configuration names are very specific so that you can differentiate between different configurations.
Provisioning IP Range
Enter IP or IP range. Use hyphens to specify individual IP class ranges, for example, 192 168 2-5 1-200.
Configuration Enabled
Select this check box to enable the configuration.
KBOX Server Name
By default, this is the name of the KBOX you are provisioning agents from. Under normal circumstances, there would be no reason to change this value. If you have multiple KBOX servers, then you could enter another KBOX server name here.
DNS Lookup Enabled
Select this check box to enable DNS lookup.
Administrator Guide for KBOX 1000 Series, version 3.3
16
Name Server for Lookup
This field will default to the DNS server that the KBOX has entered as its primary DNS server under Network settings. Enter the name of another DNS server here, if needed.
Lookup Time Out
Enter the time period after which a DNS lookup will time out
6. If the targeted machine(s) are operating on the Windows platform, then enter details as shown in the following table. Provision this platform
Select this check box.
KBOX Agent Version
This field displays the KBOX Agent version number.
Agent Identification Port
The agent identification port is a port that installed agents would already have open and in use, indicating that we should not try to install the agent again. By default that port number is 52230. If you are using a different port number for this, you can change the port number listed here.
Required open TCP Ports
Enter the list of required open TCP ports. These are the ports the KBOX will use to access the target machine for installation of the KBOX Agent.
Port Scan Time Out
Enter a time period in seconds.
Bypass Port checks
Select this check box to avoid port checks. Selecting this indicates that the KBOX should simply try to install, without checking ports listed above.
Enable Debug Info
Select this check box to enable debug info. By enabling this check box more debug info will be displayed in the machine’s provisioning results.
Remove KBOX Agent
Selecting this check box reverses the logic of this provisioning config, indicating you will use it to remove the KBOX agent from machines rather than installing those agents.
Remove Config.xml file
Select this check box to remove the Config.xml file while removing the Agent.
Domain (or Workgroup)
Enter the domain or workgroup name associated with the credentials you enter below.
User Name (Admin level)
Enter a username that will have the necessary privileges to install on the targeted machines.
Password
Enter the password for the account listed above.
If the targeted machines are operating on the Linux, Macintosh, or Solaris platform, then enter details as shown in the following table. Provision this platform
Select this check box.
Required open TCP Ports
Enter the list of required open TCP ports. These are the ports the KBOX will use to access the target machine for installation of the KBOX Agent.
Port Scan Time Out
Enter a time period in seconds.
Administrator Guide for KBOX 1000 Series, version 3.3
17
Bypass Port Checks
Select this check box to avoid port checks. Selecting this indicates that the KBOX should simply try to install, without checking ports listed above.
Remove KBOX Agent
Selecting this check box reverses the logic of this provisioning config, indicating you will use it to remove the KBOX agent from machines rather than installing those agents.
User Name (admin level)
Enter a user name that will have the necessary privileges to install on the targeted machines.
Password
Enter the password for the account listed above.
7. Under Scheduling, select the appropriate check box and schedule to run the configuration. By choosing a regular schedule, the KBOX will periodically check machines in this IP range to make sure that they have the KBOX agent and install/reinstall as appropriate. 8. To save the Provisioning Configuration, click Save. On clicking Save, the Provisioning Results page appears. You can also click Run Now to save the current configuration and immediately run the configuration against the defined IP range. To cancel the configuration, click Cancel. Deleting a configuration will delete all associated target machines in the provisioning inventory list. Altering or updating a configuration will reset the data in the associated target machine list to the default settings until the subsequent provisioning run. You can also deploy the KBOX agent manually. For more information on the manual deployment of the KBOX agent on Linux, Solaris, and Macintosh, see Appendix C,“Manual Deployment of KBOX Agent,” starting on page 216. To Add a New Item to Provisioning Setup using Manual Provisioning: 1. Select Distribution | KBOX Agent. The KBOX Agent Distribution & Management page appears. 2. Click Provisioning Setup. The Provisioning Setup page appears. 3. In the Choose action box, select Add New Item. The Provisioning Configuration page appears. 4. Under the General Settings area, select the Manual Provisioning option. 5. Enter the general settings details as shown in the following table. Config Friendly Name
Enter a name for your agent provisioning configuration. Make sure that your configuration names are very specific so that you can differentiate between different configurations.
Target IPs
Enter the IP address of the target machine or click Help me pick machines.
Provisioning IP Range
Enter IP or IP range. Use hyphens to specify individual IP class ranges, for example, 192 168 2-5 1-200.Click Add All to add all machines in the specified range.
IP Scan Computers
From the IP Scan Computers drop-down list, select a machine to add to the Target IPs list. This drop-down list is populated from the Network Scan Results. You can filter the list by entering any filter options. Click Add All to add all machines displayed in the list.
Administrator Guide for KBOX 1000 Series, version 3.3
18
Inventory Computers
From the Inventory Computers drop-down list, select a machine to add to the Target IPs list. This drop-down list contains all the computers in the inventory. You can filter the list by entering any filter options. Click Add All to add all machines displayed in the list.
Configuration Enabled
Select this check box to enable the configuration.
KBOX Server Name
By default, this is the name of the KBOX you are provisioning agents from. Under normal circumstances, there would be no reason to change this value. If you have multiple KBOX servers, then you could enter another KBOX server name here.
DNS Lookup Enabled
Select this check box to enable DNS lookup.
Name Server for Lookup
This field will default to the DNS server that the KBOX has entered as its primary DNS server under Network settings. Enter the name of another DNS server here, if needed.
Lookup Time Out
Enter the time period after which a DNS lookup will time out.
6. If the targeted machine(s) are operating on the Windows platform, then enter details as shown in the following table. Provision this platform
Select this check box.
KBOX Agent Version
This field displays the KBOX Agent version number.
Agent Identification Port
The agent identification port is a port that installed agents would already have open and in use, indicating that we should not try to install the agent again. By default that port number is 52230. If you are using a different port number for this, you can change the port number listed here.
Required open TCP Ports
Enter the list of required open TCP ports. These are the ports the KBOX will use to access the target machine for installation of the KBOX Agent.
Port Scan Time Out
Enter a time period in seconds.
Bypass Port checks
Select this check box to avoid port checks. Selecting this indicates that the KBOX should simply try to install, without checking ports listed above.
Enable Debug Info
Select this check box to enable debug info. By enabling this check box more debug info will be displayed in the machine’s provisioning results.
Remove KBOX Agent
Selecting this check box reverses the logic of this provisioning config, indicating you will use it to remove the KBOX agent from machines rather than installing those agents.
Remove Config.xml file
Select this check box to remove the Config.xml file while removing the Agent.
Domain (or Workgroup)
Enter the domain or workgroup name associated with the credentials you enter below.
User Name (admin level)
Enter a username that will have the necessary privileges to install on the targeted machines.
Password
Enter the password for the account listed above.
Administrator Guide for KBOX 1000 Series, version 3.3
19
7. If the targeted machines are operating on the Linux, Macintosh, or Solaris platform, then enter details as shown in the following table. Provision this platform
Select this check box.
Required open TCP Ports
Enter the list of required open TCP ports. These are the ports the KBOX will use to access the target machine for installation of the KBOX Agent.
Port Scan Time Out
Enter a time period in seconds.
Bypass Port checks
Select this check box to avoid port checks. Selecting this indicates that the KBOX should simply try to install, without checking ports listed above.
Remove KBOX Agent
Selecting this check box reverses the logic of this provisioning config, indicating you will use it to remove the KBOX agent from machines rather than installing those agents.
User Name (admin level)
Enter a user name that will have the necessary privileges to install on the targeted machines.
Password
Enter the password for the account listed above.
8. Under Scheduling, select the appropriate check box and schedule to run the configuration. By choosing a regular schedule, the KBOX will periodically check machines in this IP range to make sure that they have the KBOX agent and install/reinstall as appropriate. 9. To save the provisioning configuration, click Save. On clicking Save, the Provisioning Results page appears. You can also click Run Now to save the current configuration and immediately run the configuration against the defined IP range. To cancel the configuration, click Cancel. Deleting a configuration will delete all associated target machines in the provisioning inventory list. Altering or updating a configuration will reset the data in the associated target machine list to the default settings until the subsequent provisioning run.
Administrator Guide for KBOX 1000 Series, version 3.3
20
Provisioning Results Provisioning Results shows you a list of computers which match Agent Provisioning Configurations that you currently have. This list could include machines that have had the Agent installed or which have been discovered by the Configuration. You can view target provisioning and configuration information. Target info results from the most recent provisioning configuration run or execution. Provisioning execution targets the various IP addresses and for each target (node) the execution evaluates the IP addresses availability, agent status, port configuration, etc. The results and logs of each provisioning step are displayed. To View Provisioning Results: 1. Select Distribution | KBOX Agent. The KBOX Agent Distribution & Management page appears. 2. Click Provisioning Results. The Provisioning Results page appears. 3. To view provisioning target information and provisioning configuration information, click the IP Address of the required machine. The KBOX Agent Provisioning page appears. You can take print outs of this page. Click Printer Friendly Version to see a print view of the page.
4. You can view computer inventory by clicking computer inventory under Provisioning Target Info. For more information on computer inventory, see “Adding computers to inventory,” on page 37. 5. To view the DNS lookup details, click the required DNS Lookup on the List Page. If selected, live addresses will be checked against the DNS server to see if they have agent provisioning configured.
Administrator Guide for KBOX 1000 Series, version 3.3
21
KBOX Agent Settings The KBOX Agent Settings options configure the KBOX to properly operate in your computing environment. These options specify how often the client runs on the user desktop and within that run how often a full desktop computer inventory is performed. The "KBOX Agent" options specify how often a KBOX Agent will check in to the KBOX and how often that agent will perform a full computer inventory. For example, a default Run Interval of 30 minutes means that those computers with KBOX Agents installed will check in to the KBOX 1000 Series appliance every 30 minutes. To Configure KBOX Agent: 1. Select Distribution | KBOX Agent. The KBOX Agent Distribution & Management page appears. 2. Click KBOX Agent Settings. The KBOX Agent Settings page appears showing your current agent setting details. These settings are what control the schedule and frequency of your KBOX agents checking in. 3. To edit agent settings, click [Edit Mode]. The KBOX Agent Settings page appears in edit mode. 4. Specify the following agent options Suggested Setting
Field
Notes
Communications Window
12:00 am to 12:00 am
The interval during which the KBOX Agent is allowed to communicate with the KBOX 1000 Series appliance. For example, to allow the KBOX Agent to connect between 1 AM and 6 AM only, select 1:00am from the first drop-down list, and 6:00am from the second.
Agent “Run interval”
1 hours
The interval that the KBOX Agent will check in to the KBOX 1000 Series. Each time a KBOX Agent connects, it will reset its connect interval based on this setting. The default setting is once per hour.
Agent “Inventory Interval”
0
The interval (in hours) that the client KBOX 1000 Series appliance will inventory the computers on your network. If set to zero, the KBOX 1000 Series will inventory clients at every Run Interval.
Agent “Download Throttle”
100
The maximum number of desktop clients that can be downloading packages at one point in time. Packages will not be deployed on machines after the Package Download Throttle has been reached. For example, if the throttle is set to 100 and 100 clients are connected and receiving a deployment, the 101st client will be deferred until another connection point.
Agent “Splash Page Text”
KBOX is verifying your PC Configuration and managing software updates. Please Wait...
The message that appears to users when communicating with the KBOX 1000 Series.
Administrator Guide for KBOX 1000 Series, version 3.3
22
Scripting Update Interval
15 minutes
How often the KBOX Agent should download new script definitions. The default interval is 15 minutes.
Scripting Ping Interval
600 seconds
How often the KBOX Agent should test the connection to the KBOX 1000 Series appliance. The default interval is 600 seconds.
Agent Log Retention
Agent Log Retention disallows the server to store the scripting result information that comes up from the agents. The default is to store all the results. This can have a performance impact on the KBOX. Turning this off, gives you less information about what each client is doing, but will allow the agent checkins to process faster.
5. Click Save to save the KBOX agent settings configuration. On clicking Save, the KBOX Agent Settings page appears in read only mode. These changes will be reflected by agents as of the next time they check into the KBOX.
Administrator Guide for KBOX 1000 Series, version 3.3
23
KBOX Agent Update The KBOX Agent Update feature allows you to automatically update the KBOX Agent software for some or all machines that are checking in your KBOX. KBOX Agent deployments are automatically updated as new agent updates are posted to this area. The KBOX Agent package that you post to the server from this page should be an official KBOX Agent Release received from KACE directly. Before updating KBOX Agent, make sure that you have downloaded and saved locally the following files: update_3.1.XXXX.bin for WINDOWS, where XXXX is the build number. update_mac_3.1.XXXX.bin for Macintosh, where XXXX is the build number. update_linux_3.1.XXXX.bin for Linux, where XXXX is the build number. update_solaris_3.1.XXXX.bin for Solaris, where XXXX is the build number. To Update KBOX Agent Automatically: 1. Select Distribution | KBOX Agent. The KBOX Agent Distribution & Management page appears. 2. Click KBOX Agent Update. The KBOX Agent Automatic Update page appears. 3. Specify the agent updates as shown in the following table. Notes & Version Info
Enter any release notices or version information about the agent.
Enabled
Select this check box to upgrade the Agent the next time the machines check in to KBOX.
Update broken clients
Select this check box to update those machines that are running checking in with the KBOX for new agent versions, but are unable to successfully report inventory information to KBOX. This setting overrides the Limit Update to: settings. From a broken client like this, you could force it to check for a new version of the Agent software by running kupdater.exe manually.
Limit Updates to
Specify a label for automatic upgrades. The upgrades will only be distributed to machines assigned to those labels, except if they are identified as a “broken client” above.
Microsoft Windows/ Apple Mac/Linux/ Solaris
Click Browse to upload the KBOX Client Patch. This file name should be something like update_3.3.8872.bin, although the exact name will depend on which operating system you are updating. Anything other than an official update bin file will fail to properly deploy. The Update Version ID appears on uploading the file.
4. To save the new agent updates, click Save. You can update agents on all platforms at once using a client bundle. To update agents using a client bundle: 1. Download the kbox_patch_agents_xxx.bin file and save it locally. 2. Select Settings | Server Maintenance. 3. Scroll down and click the [Edit Mode] link. 4. Under Update KBOX, click Browse, and locate the update file you just downloaded. 5. Click Update KBOX.
Administrator Guide for KBOX 1000 Series, version 3.3
24
Do not install the client bundle in the KBOX Agent Update link of the KBOX Agent tab. The client bundle must be installed in the Settings | Server Maintenance | Update KBOX section of the Administrator console.
Administrator Guide for KBOX 1000 Series, version 3.3
25
C H A P T E R 3
Inventory The KBOX 1000 Series Inventory feature lets you identify machines and software on your network and organize computers by using labels and filters. “Overview of the Inventory Feature,” on page 27 “Using Advanced Search,” on page 29 “Understanding Computer Details,” on page 34 “Adding computers to inventory,” on page 37 “Software Inventory,” on page 38 “Monitoring out-of-reach Computers,” on page 42 “Labels,” on page 43 “Software Metering,” on page 45 “Processes,” on page 48,” “Startup,” on page 50,” “Service,” on page 51” “Software Lookup Services,” on page 52
Overview of the Inventory Feature Inventory is collected by the KBOX Agent and reported when computers check in with the KBOX 1000 Series. The data is then listed on one of the Inventory tabs: Computers, Software, or MIA. The inventory data is collected automatically according to the schedule specified under the Distribution |KBOX Agent | Provisioning Results. Although it is presented under the Inventory tab, the IP Scan feature is discussed in its own chapter. For information about this feature, see Chapter 5,“IP Scan,” starting on page 66.
Click to run Machine Action
Click to create notification filter
Click to create search filter
The computer’s machine name and labels to which the computer
The last time the machine checked in
Use drop-down to filter view by label
Figure 3-1: Inventory - Computers tab The Computer Search & Filter page displays the computer’s IP address and the user connected to it. Clicking the blue icon beside the IP address invokes a remote desktop connection if the computer is online and if remote desktop is configured. From the Computers tab you can: Search by keyword or invoke an Advanced Search Create a Filter to apply labels to computers automatically Create Notifications based on computer attributes Add/delete new computers manually Filter the Computer Listing by label
Administrator Guide for KBOX 1000 Series, version 3.3
27
Apply or remove labels Show or hide labels To view details about a computer click the machine name.
Administrator Guide for KBOX 1000 Series, version 3.3
28
Using Advanced Search Although you can search computer inventory using keywords like Windows XP, or Acrobat, those types of searches might not give you the level of specificity you need. Advanced search, on the other hand, allows you to specify values for each field present in the inventory record and search the entire inventory listing for that value. This is useful, for example, if you needed to know which computers had a particular version of BIOS installed in order to upgrade only those affected machines. To specify advanced search criteria: 1. Click the Advanced Search tab. 2. Select a field from the drop-down list. 3. Specify the search parameters, then enter the value to search for. 4. Click Search.
Creating Search Filters Filtering provides a way to dynamically apply a label based on search criteria. It is often helpful to define filters by inventory attribute. For example, you could create a label called “San Francisco Office” and create a filter based on the IP range or subnet for machines in San Francisco. Whenever machines check in that meet that attribute, they would receive the San Francisco label. This is particularly useful if your network includes laptops that often travel to remote locations.
This feature assumes that you have already created labels to associate with a filter. For information about creating labels, see “Labels,” on page 43.
The table below lists some examples of useful filters that could be applied to a machine based on its inventory attributes: Filter Examples Sample Label Name
Sample Condition
XP_Low_Disk
Windows XP Machine with less than 1 GB of free hard disk at last connection
XP_No_HF182374
Windows XP Machine without Hotfix 18237 installed at last connection
Building 3
Machine connecting to the KBOX 1000 Series is detected in a specified IP range known to originate in building 3.
CN_sales
Computers connecting where computer name contains the letters “sales”.
Table 3-2: Filter Examples
Administrator Guide for KBOX 1000 Series, version 3.3
29
To create a filter: 1. Select Inventory | Computers, then click the Create Filter tab. The Filter criteria fields appear. 2. Specify the search criteria. 3. Choose the label to associate with the filter. 4. To see whether the filter produces the desired results, click Test Filter. 5. Click Create Filter to create the filter. Now, whenever machines that meet the specified filter criteria check into the KBOX 1000 Series, they will automatically be assigned to the associated label. You can modify or delete a filter after it has been created on the Reporting | Filters tab.
Administrator Guide for KBOX 1000 Series, version 3.3
30
Creating Computer Notifications You can also use the Notification feature to search the inventory for computers that meet certain criteria, such as disk capacity or OS version, and then send an E-mail automatically to an administrator. For example, if you wanted to know when computers had a critically low amount of disk space left, you could specify the search criteria to look for a value of 5MB or smaller in the Disk Free field, and then notify an administrator who can take appropriate action. To create a notification: 1. Select Inventory | Computers, and then click the Create Notification tab. 2. Specify the search criteria. 3. Specify a title for the search. 4. Enter the mail address of the recipient of the notification. 5. To see whether the filter produces the desired results, click Test Notification. 6. Click Create Notification to create the notification. Now, whenever machines that meet the specified notification criteria check into the KBOX 1000 Series, an mail will automatically be sent to the specified recipient. You can modify or delete a notification after it has been created on the Reporting | Email Alerts tab.
Filtering Computers by Organizational Unit If you want to filter computers based on an Organizational Unit found in LDAP or AD, you can create LDAP Filters to do this from the Reporting | LDAP Filters tab. LDAP Filters allow the automatic labeling of machine records based on LDAP or Active Directory interaction. The search filter will be applied to the external server and should any entries be returned then automatic labeling results. If the external server requires credentials for administrative login (aka non-anonymous login), supply those credentials. If no LDAP user name is given, then an anonymous bind will be attempted. Each LDAP filter may connect to a different LDAP/AD server. Figure 3-3: LDAP Filters tab You may bind to an LDAP query based on the following KBOX 1000 Series variables: Computer Name Computer Description Computer MAC IP Address User Name User Domain Domain User.
Administrator Guide for KBOX 1000 Series, version 3.3
31
To create an LDAP Filter: 1. Select Reporting |LDAP Filters. 2. Select Add New Item from the Choose action drop-down list. The LDAP Filter: Edit Detail page appears. 3. Enter the following information: Enabled
Select this check box to enable.
Filter Type
Select the filter type.
Associated Label Name
Select the label to associate with this filter.
Associated Label Notes
If any notes were entered in the label definition, those would appear here under Associated Label Notes.
Server Host Name
Specify the IP or the Host Name of the LDAP Server. Note: For LDAPS, use the IP or the Host Name, as ldaps:// HOSTNAME
LDAP Port Number
Specify the LDAP Port number which could be either 389 / 636 (LDAPS).
Search Base DN
Specify the Search Base DN. For example: CN=Users,DC=kace,DC=com
Search Filter
Specify the Search Filter. For example: (&(sAMAccountName=admin)(memberOf=CN=financial,DC=ka ce,DC=com))
LDAP Login
Specify the LDAP login. For example: LDAP Login: CN=Administrator, CN=Users,DC=kace=com
LDAP Password
Specify the password for the LDAP login.
If you are unable to fill in the information for Search Base DN and Search Filter, you can use the LDAP Browser Wizard. For more information on how to use the LDAP Browser Wizard, refer to “LDAP Browser Wizard,” on page 155. 4. Click Save. Each time a machine checks into the KBOX 1000 Series, this query will run against the LDAP server. The admin value in the 'Search Filter' will be replaced with the name of the user that is logged onto this machine. If a result is returned, then the machine gets the label specified in the Associated Label field. NOTE: To test your Filter, click the Test button and review the results.
Administrator Guide for KBOX 1000 Series, version 3.3
32
You can also create an LDAP Filter using the LDAP Browser. To create an LDAP Filter using the LDAP Browser: 1. Select Reporting |LDAP Filters. 2. Select Add New Item Using LDAP Browser from the Choose action drop-down list. The LDAP Filter: Edit Detail page appears. 3. Enter the following information: Enabled
Select this check box to enable.
Filter Type
Select the filter type.
Associated Label Name
Select the label to associate with this filter. This field is mandatory.
4. Click Next to configure the LDAP settings. The LDAP Browser Wizard is displayed. For more information on how to use the LDAP Browser Wizard, refer to “LDAP Browser Wizard,” on page 155.
Administrator Guide for KBOX 1000 Series, version 3.3
33
Understanding Computer Details From the Computers tab, you can select a computer in inventory and view its details. The Computer Detail page provides details about a computer’s hardware, software, install, patch, help desk, and OVAL vulnerability history, among other attributes. The following sections describe each of the detail areas on this page. To expand or collapse the sections, click the + sign next to the section headers.
Computer Identity Information This section provides information to help identify the computer on your network, including its name, description, IP address and KACE ID, among other attributes. You also can see the last time this computer checked in to the KBOX 1000 Series, and the last time the computer record was changed.
Help Tickets This section provides a list of the Help Desk Tickets associated with this machine. These can either be Tickets assigned to the machine owner or Tickets submitted by the machine owner. To view a Help Desk Ticket’s details, click the Ticket ID (for example, TICK:0032).
Operating System Info This section provides details about the computer’s operating system including installed OS and service packs, OS version number and build, and the date and time of OS installation. The Current Uptime and Last System Reboot fields tell you at a glance, whether the machine has been rebooted recently, which could indicate whether or not OS updates have been applied.
User Information Because many computers can be used by more than one individual, the User Information section provides details about the most recent user of this computer, including his or her user name and domain.
Manufacturer and BIOS Info This section displays the computer’s make and model, as well as its BIOS details, such as name, version, and serial number. If the computer is manufactured by Dell, there also is a hot button link directly to the Dell Web site where you can view the support record for this computer, including the days left on the support agreement, and also compare the original and current system configurations.
Processor and Computer Memory This section displays the processor type and speed, total and used RAM, and current and maximum registry size.
Network Interfaces This section displays the type and version of NIC card installed in the computer, as well as the computer’s MAC and IP addresses, and indicates whether or not DHCP is enabled.
Administrator Guide for KBOX 1000 Series, version 3.3
34
Drive Information This section specifies the configuration of drives installed on the computer (e.g., CD/DVD-ROM drive), and displays the total and used disk space amounts for each hard disk installed.
Motherboard and related Hardware This section displays information about the computer’s motherboard, as well as other hardware details like sound card and video controller(s).
Process List This section lists all of the processes that are currently running on this computer. This list is the same as would be displayed on the computer’s Task Manager | Processes tab.
Installed Programs This section displays the titles and versions of software programs installed on this computer. The programs listed here are the same as would be listed on the computer’s Add/Remove Programs List.
Installed Patches This section lists all of the Microsoft patches that have been installed on this computer.
Startup Programs This section displays all of the programs that are configured to launch when this computer starts up. These are the same programs listed in the computer’s Start | All Programs | Startup menu.
Services This section displays all of the services that are running on this machine. On clicking any of the services the service: edit service detail page is displayed. The fields on this page represent the service detail information that is automatically discovered and communicated from the KBOX Agent.
Harmful Items (Threat Level 5) This section displays the items that have threat level 5. Whenever you set threat level 5 – harmful to any software, process, startup item and service associated with this machine, it is displayed in this list.
Printer List This section displays all of the printers that this computer is configured to use. This is the same information that is located in the computer’s Start | Printers and Faxes window.
Uploaded Files This section displays a list of the files that have been uploaded to the KBOX 1000 Series from this machine using the “upload a file” script action.
Custom Inventory Fields This section lists any Custom Inventory fields that were created for this machine, along with the field name and value.
Administrator Guide for KBOX 1000 Series, version 3.3
35
Customer Information This section contains notes entered during the creation of the computer’s inventory record, and is the only editable section on this page. You can append or delete any notes in this field. Click Save after editing this field.
Asset Information This section displays the details of the Asset that is associated with that machine. Details such as the date and time when the Asset record was created, the date and time when it was last modified, type of the asset and name of the asset are displayed.
Asset History This section displays the changes done to the Asset of that machine. It lists all the changes along with the date and time when each change was done.
KBOX Agent Logs This section displays the logs for the KBOX Agent application, updates to scripts run on this machine, and the current status, if available, of any activity currently in progress. A question mark (?) in the status column indicates that the KBOX Agent hasn’t checked in yet, therefore its status is unknown.
Portal Install Logs This section provides details about User Portal packages installed on this machine.
Scripting Logs This section lists the Configuration Policy scripts that have been run on this computer, along with the status, if available, of any scripts in progress.
OVAL Vulnerability Results This section displays the results of OVAL Vulnerability tests run on this machine. Only tests which failed on this computer are listed by the OVAL ID and marked as Vulnerable. Tests which passed are grouped together and marked as Safe.
Failed Managed Installs This section displays a list of Managed Installations that failed to install on this machine. To access details about the Managed Installation, click the link to view the Managed Software Installation detail page.
Labels This section displays the label assigned to that machine. Labels are used to organize and categorize machines
Failed Patches This section displays a list of any patch bulletins that failed to install on this machine. To access more details about the patches click the link to view the bulletin detail page.
To Install List This section lists the Managed Installations that will be sent to the machine the next time it connects.
Administrator Guide for KBOX 1000 Series, version 3.3
36
Adding computers to inventory The KBOX 1000 Series provides the convenience of adding computers to inventory automatically, which is especially useful when you maintain a large number of computers on your network. However, the KBOX 1000 Series also provides the flexibility to add computers to inventory manually should you need to. For example, you can track computers that do not currently have KBOX Agent support or computers that are not available on your LAN.
Adding computers automatically To add computers automatically, you can perform a IP scan, which will gather data about all of the computers on your network, including software installed on them, and create inventory records for them. In addition, installing the KBOX Agent on the computers on your network will cause them to check in to the KBOX 1000 Series and upload all of the available inventory data. For more information about IP Scans, see Chapter 5,“IP Scan,” starting on page 66.
Adding computers manually If you have machines on your network that are not connected to your LAN, but you still want to be able to maintain inventory data in one central place, you can add those computers to the KBOX 1000 Series manually from the Inventory | Computer tab. To add a computer to inventory manually: 1. Select Inventory | Computers tab. 2. Select Add New Item from the Choose action drop-down list. The Computer: Edit Computer Detail page appears. 3. Specify the requested computer details. For an example of the requested information, view the computer record of a machine that is already listed in inventory. 4. If you prefer, you can import the machine.xml file for this computer. The KBOXClient.exe can take an optional command line parameter -inventory. To configure this, type: KBOX Agent/exe-inventory The KBOX Agent collects the inventory data and generates a file called machine.xml, which you can upload here. If you choose this option, the KBOX 1000 Series ignores all other field values on this screen.
Administrator Guide for KBOX 1000 Series, version 3.3
37
Software Inventory In addition to the computers on your network, the KBOX 1000 Series Inventory feature also keeps an inventory of the software titles installed on each of the computers in inventory. From the Inventory | Software tab you can see at a glance all of the software installed across your network. By default, the Software List shows only the first 100 (in alphabetical order) software titles detected. To view all software installed, click the Show All link. From the Software List page you can: Add or delete software Add or remove labels Sort the view by label. To view the details of a software title, click the linked name.
Administrator Guide for KBOX 1000 Series, version 3.3
38
Adding Software to Inventory As with computers, you can add software to inventory either automatically or manually. The KBOX 1000 Series provides the convenience of adding software titles to inventory automatically, which is especially useful when you maintain determine all of the titles installed on all of the machines in your network. However, the KBOX 1000 Series also provides the flexibility to add software titles to inventory manually should you need to. For example, you can add a title that is not yet installed on your network so that you can create a managed installation from it and deploy it to the computers on your network at one time.
Adding Software Automatically To add software automatically, you can perform a IP scan that gathers data about all of the software titles on your network and creates inventory records for them. In addition, installing the KBOX Agent on the computers on your network will cause them to check in to the KBOX 1000 Series appliance and upload all of the available software inventory data. For more information about IP Scans, see Chapter 5,“IP Scan,” starting on page 66.
Adding Software Manually Although the KBOX creates inventory records for the software titles found on your network, there might be applications you want to add to inventory manually. To add software to inventory manually: 1. Select Inventory | Software. 2. Select Add New Item in the Choose Action drop-down list. The Software : Edit Software Details page appears. 3. Enter the general software details. Be sure to create the Display Version, Vendor, and Software Title information consistently across software inventory in order to assure proper downstream reporting. 4. Upload or specify links to available information files associated with the software. 5. In the Assign To Label field, select the labels to assign. 6. Enter any other details in the Notes field. Specify the Custom Inventory ID (rule), for example, C:\RegistryValueGreaterThan(SOFTWARE\Network Associates\TVD\Shared Components\VirusScan Engine\4.0.xx,szDatVersion,4.0.44). Before sending any software to a remote client, KBOX verifies whether or not that file is present on the target machine. If it is detected, then it is not sent to the machine a second time. In some instances, installed programs do not register in add/remove programs or in standard areas of the registry. In such cases, KBOX may not be able to detect the presence of the application without additional information from the administrator and, therefore, KBOX may repeat the install each time the client connects. The Custom Inventory ID rule must have three values separated by commas, not include neither single nor double quotes, contain a key that exists under LocalMachine. Failure to follow these specifications will result in a FALSE test result, and the install would proceed. For more information, see “Custom Data Fields,” on page 38.
Administrator Guide for KBOX 1000 Series, version 3.3
39
7. Select the supported operating systems in the Supported Operating Systems field. 8. In the Custom Inventory ID (rule) field, enter the Custom Inventory ID. 9. Beside the Upload & Associate File, click Browse, and then click Open. 10. Under Metadata, specify the following information: Category
Select the desired category.
Threat Level
Select the threat level.
Hide from Software Lookup Service
Select this check box if you want to hide this information from the Software Lookup Services.
11. Click Save The software detail page displays license information for the software. You can also view the license asset detail by clicking on the license link.
Creating Software Asset You can create a software asset using the Inventory | Software tab. To create a software asset: 1. Select Inventory | Software. 2. Select the appropriate software and then select Create Asset from the Choose Action drop-down list. The Assets page appears.
Custom Data Fields You can create custom data fields in order to read information from a target machine and report it in the Computer Inventory manifest. This is useful for reading and reporting on information in the registry and elsewhere on the target machine. For example, DAT file version number from the registry, file created date, file publisher, or other data. To create a custom data field: 1. Select Inventory | Software. 2. Select Add New Item from the Choose action drop-down list. 3. Specify a Display Name for the field. 4. In the Custom Inventory (ID) rule area, enter the appropriate syntax according to the information you want to return: To return a Registry Value, enter RegistryValueReturn(string absPathToKey, string valueName, string valueType), replacing valueType with either “TEXT”, “NUMBER”, or “DATE”. Note that NUMBER is specifically an integer value. Example: RegistryValueReturn(HKEY_LOCAL_MACHINE\SOFTWARE\McAfee.com\Virusscan Online,SourceDisk, TEXT) To return File Information, enter FileInfoReturn(string fullPath, string attributeToRetrieve, string valueType) Example: FileInfoReturn(C:\Program Files\Internet Explorer\iexplore.exe, Comments,TEXT)
Administrator Guide for KBOX 1000 Series, version 3.3
40
You can retrieve the following attributes from the FileInfoReport() function: Comments CompanyName FileBuildPart FileDescription FileMajorPart FileMinorPart FileName FilePrivatePart FileVersion InternalName IsDebug IsPatclhed IsPreRelease IsPrivateBuild IsSpecialBuild
Language LegalCopyright LegalTrademarks OriginalFilename PrivateBuild ProductBuildPart ProductMajorPart ProductMinorPart ProductName ProductPrivatePart ProductVersion SpecialBuild CreatedDate ModifiedDate AccessedDate.
5. Click Save.
Attaching a Digital Asset to a Software Title Whether you add the software to inventory automatically or manually, after a particular software title is in inventory, you will need to associate the files required to install the software before distributing a package to users for installation. To associate multiple files, create a .zip file and associate the resulting archive file. To attach digital asset to a software title: 1. Select Inventory | Software. 2. Click the linked name of the software title. The Software: Edit Software Detail page appears. 3. Beside Upload & Associate File, click Browse. 4. Locate the file to upload, then click Open. 5. Modify other details as necessary, then click Save. The Software-To-Computer Deployment Detail table at the bottom of the Software | Edit Software Detail page shows which computers have the software title installed.
Administrator Guide for KBOX 1000 Series, version 3.3
41
Monitoring out-of-reach Computers The KBOX 1000 Series MIA tab, gives you a way to view the machines that haven’t checked in to KBOX 1000 Series in some time. You can filter the MIA view by machines that have missed the last 1, 5, or 10 syncs, or which have not communicated with KBOX 1000 Series in the last 1-90 days. The MIA tab also displays the IP and MAC Addresses of the computers. From the MIA tab you can remove the computers from the KBOX 1000 Series inventory, as well as assign them to labels to group them for management action.
Administrator Guide for KBOX 1000 Series, version 3.3
42
Labels In many areas of the KBOX 1000 Series you will see a labels select list, which allows you to constrain the action to a specific label or group of labels. There are several ways to group machines with the KBOX 1000 Series. Once grouped by a label, software, scripts, reports, or software deployments can all be managed on a per label basis. The label functionality can be manually applied from the Inventory | Labels tab, or automatically, via LDAP or Active Directory, (Reporting | LDAP Filters tab), or even applied by machine attribute, as we saw earlier from the Computers | Create Filter functionality. On the Label Management page you can add or delete labels, search labels, as well as see how many computers belong to a particular label.
Creating Labels Labels can be used to organize and categorize software, people, and machines. Labels are intended to be used in a flexible manner and how you use labels is completely customizable. For example, Labels can reflect corporate structures, organizations, processes, or geographical locations like "Engineering", "Staging", "Building A", etc. Labels can be used to identify deployment groups and target machines for distribution packages. All items that support "labeling" can have none, one, or multiple labels. Deleting labels will remove any existing association of that label with any machine, login, or software.
To create a label: 1. Select Inventory | Labels. 2. Select Add New Item from the Choose action drop-down list. The Labels : Edit Detail page appears. 3. Enter a name for the label in the Label Name field. 4. Enter any relevant notes about the label in the Notes field. 5. If necessary, enter a value for KACE_ALT_LOCATION. This allows you to define what should replace the string in the KACE_ALT_LOCATION in the Alternate Download Location value in Managed Installs and File Synchronizations. You should not have a machine in two labels that both specify an alternate location value. 6. Specify the Username and Password for the KACE_ALT_LOCATION. 7. Click Save.
Viewing Computer Details by Label After you’ve created a label, you can view details about the computers on your network that belong to that label. From the Label Detail view you can see: The IP addresses and machine names of the computers in the label The number of Managed Installations and File Synchronizations deployed to the label The number of network scans and scripts run on the machines in the label The number of alerts, portal packages, and users associated with the label.
Administrator Guide for KBOX 1000 Series, version 3.3
43
To view label details: 1. Select Inventory | Labels. 2. Click the linked name of the label. The Labels: Edit Detail page appears. 3. Click the + sign beside the section headers to expand or collapse the view.
Deleting labels Deleting labels will remove any existing association of that label with any machine, login, or software. You can delete labels two ways: from the Label List view, or from the Label: Edit Detail page. To delete a label: 1. To delete labels, do one of the following: From the Labels List view, select the check box beside the label, then select Delete Selected Item(s) from the Choose action drop-down list. From the Labels: Edit detail page, click Delete. 2. Click OK to confirm deleting the selected label.
Administrator Guide for KBOX 1000 Series, version 3.3
44
Software Metering The KBOX 1000 Series Metering feature allows you to keep track of software use across your enterprise. The Metering feature records and reports the details on software use that can help you manage license compliance and better negotiate license renewals and upgrades.You can record and view software usage for the last 1, 2, 3, 6, or 12 months. Detail pages provide information on individual software processes, including the name of the computer that is using the software, the number of times the software was launched, the total minutes the software was used, and when the software was last used.
Adding a Software Meter You can add a software meter to monitor the specified process name on the agent machine. To add a Software Meter: 1. Select Inventory | Metering. The Software Metering page appears. 2. Select Add New Item in the Choose action drop-down list. The Software Metering: Edit Detail page appears. 3. Enter Software Meter details as follows: Enabled
Select this check box to enable software metering for this software.
Process Name
The specified process name will be monitored on the KBOX Agent machine.
Associated Software
To track usage only on machines with a specific software version deployed, choose the related software inventory item.
Notes
Enter any notes that further describe or explain this software meter.
Licenses
Displays license information for the software. To view the license asset details, click on the license link.
4. Click Save to save your changes or click Cancel to return to the Software Metering Listing page. Your Software Meter now appears in the Software Metering Listing page.
The results of the software metering can be seen at two places: On the Software Metering page On the Software Metering: Edit Detail page To view Software Metering results: 1. Select Inventory | Metering. The Software Metering page appears. The software metering page displays useful information such as the Process Name, Enabled, Installed, Licensed, In Use, etc. 2. Click the process name. The Software Metering: Edit Detail page appears. The Month-to-date usage Detail table displays information such as Computer Name, Times Launched, Minutes Used and Last Used.
Administrator Guide for KBOX 1000 Series, version 3.3
45
Editing Software Meter Details You can edit a software meter to monitor the specified process name on the agent machine. To edit Software Meter details: 1. Select Inventory | Metering. The Software Metering page appears. 2. Click the process name. The Software Metering: Edit Detail page appears. 3. Edit Software Meter details as shown in the following table: Enabled
Select this check box to enable software metering for a software process.
Process Name
The specified process name will be monitored on the KBOX Agent machine.
Associated Software
To track usage only on machines with a specific software version deployed, choose the related software inventory item.
Notes
Enter any notes that further describe or explain this software meter.
4. Click Save to save your changes or click Cancel to return to the Software Metering page.
Deleting a Software Meter You can delete a software meter. To delete a Software Meter: 1. Select Inventory | Metering. The Software Metering page is appears. 2. Select the processes of which software meter or meters you want to delete. 3. Select Delete Selected Item(s) from the Choose action drop-down list. 4. Click Yes to confirm deleting the software meter(s). Else, click Cancel to cancel deleting the software meter(s).
Configuring the Software Metering Settings You can configure the software metering settings. To configure Software Metering settings: 1. Select Inventory | Metering. The Software Metering page appears. 2. Select the process name. 3. Select Configure Settings in the Choose action drop-down list. The Software Metering Settings page appears. 4. Edit configuration settings as shown in the following table: Enabled
Select this check box for metering to run on the target machines.
Allow Run While Disconnected
Select this check box for metering to run even if the machine cannot contact the KBOX to report results. The results will be stored on the machine and will be uploaded once contact with the KBOX is established.
Allow Run While Logged Off
Select this check box for metering to run even if a user is not logged in. If you clear this check box, the script will run only when a user is logged into the machine.
Administrator Guide for KBOX 1000 Series, version 3.3
46
5. Edit deployment settings as shown in the following table: Deploy to All Machines
Select this check box if you want to deploy to all the Machines. Click OK in the confirmation dialog box.
Limit Deploy To
You can limit deployment to one or more labels. Press CTRL and click to select more than one label.
Supported Operating Systems
Select the operating system to which you want to limit deployment. Press CTRL and click to select more than one operating system. Note: Leave blank to deploy to all operating systems.
6. Click Save to save your changes or click Cancel to return to the Software Metering page.
Administrator Guide for KBOX 1000 Series, version 3.3
47
Processes The KBOX 1000 Series Processes feature allows you to keep track of processes that are running on all agent machines across your enterprise. The Processes feature records and reports the processes details information.You can record and view software usage for the last 1, 2, 3, 6, or 12 months. Detail pages provide information on individual processes, including the name of the computer running those processes, system description, and the last user. Using Processes feature, you can: View Process details Delete selected processes Disallow selected processes Meter selected processes Apply labels Remove labels The processes are categorized in: Audio / Video, Business, Desktop, Development, Driver, Games, Internet, Malware, Security, and System Tool. To View Process Details 1. Select Inventory | Processes. The Processes page appears. 2. Click on the process name to view details. The Process Details page appears. 3. Select labels to assign to process in the Assign To Label box. 4. Enter any notes that further describe this process in the Special Notes box. 5. Select the category of the process in the Category drop-down list. 6. Select the threat level of the process in the Threat Level drop-down list. 7. Click Save to save the processes details. You can read comments on the process submitted by other users by clicking [Read Comments] on the Process Details page. You can also ask for help from Kace about the processes by clicking [Ask For Help.] You need kace username and password to log in to the Kace database. You can also see computers with running the selected process. You can view a printer friendly version of this page and take print outs of the report. To delete process: 1. Select Inventory | Processes. The Processes page appears. 2. Select the processes to delete. 3. Select Delete Selected Item(s) in the Choose Action drop-down list. A confirmation message appears. 4. Click OK to confirm deleting the selected processes. Else, click Cancel to cancel the deletion operation.
Administrator Guide for KBOX 1000 Series, version 3.3
48
To disallow processes: 1. Select Inventory | Processes. The Processes page appears. 2. Select the processes to disallow. 3. Select Disallow Selected Item(s) in the Choose Action drop-down list. The Script : Edit Detail page appears. 4. Enter the script configuration details, and then click Run Now to run Disallowed Programs Policy. For more detailed information on scripting and Disallowed Programs Policy, refer to Chapter 8,“Scripting,” starting on page 102
Administrator Guide for KBOX 1000 Series, version 3.3
49
Startup The KBOX 1000 Series Startup feature allows you to keep track of startup programs on all agent machines across your enterprise. The Startup feature records and reports the startup program detail information. Detail pages provide information on startup programs, including the name of the computer running those startup programs, system description, and the last user. Using Startup feature, you can: View startup program details Delete selected startup programs Apply or remove labels The startup programs are categorized in: Audio / Video, Business, Desktop, Development, Driver, Games, Internet, Malware, Security, and System Tool. To View Startup detail information: 1. Select Inventory | Startup. The Startup Programs page appears. 2. Click on the startup program name to view details. The Startup Programs : Edit Startup Programs Detail page appears. 3. Select labels to assign to startup program in the Assign To Label box. 4. Enter any notes that further describe this startup program in the Notes box. 5. Select the category of the startup program in the Category drop-down list. 6. Select the threat level of the startup program in the Threat Level drop-down list. 7. Click Save to save the startup program details. You can read comments on the startup program submitted by other users by clicking [Read Comments]. You can also ask for help from Kace about the startup programs by clicking [Ask For Help.] You need kace username and password to log in to the Kace database. You can also see computers with running the selected startup program. You can view a printer friendly version of this page and take print outs of the report. To delete startup program details: 1. Select Inventory | Startup. The Startup Programs page appears. 2. Select the startup program to delete. 3. Select Delete Selected Item(s) in the Choose Action drop-down list. A confirmation message appears. 4. Click OK to confirm deleting the selected startup programs. Else, click Cancel to cancel the deletion operation.
Administrator Guide for KBOX 1000 Series, version 3.3
50
Service The KBOX 1000 Series Service feature allows you to keep track of services running on all agent machines across your enterprise. The Service feature records and reports the services detail information. Detail pages provide information on services, including the name of the computer running those services, system description, and the last user. Using Services feature, you can: View services details Delete selected services Apply or delete labels The services are categorized in: Audio / Video, Business, Desktop, Development, Driver, Games, Internet, Malware, Security, and System Tool. To view service detail information: 1. Select Inventory | Service. The Services page appears. 2. Click the service name to view details. The Service : Edit Service Detail page appears. 3. Select labels to assign to service in the Assign To Label box. 4. Enter any notes that further describe this service in the Notes box. 5. Select the category of the service in the Category drop-down list. 6. Select the threat level of the service in the Threat Level drop-down list. 7. Click Save to save the service details. You can read comments on the service submitted by other users by clicking [Read Comments]. You can also ask for help from Kace about the service by clicking [Ask For Help.] You need kace username and password to log in to the Kace database. You can also see computers with running the selected startup program. You can view a printer friendly version of this page and take print outs of the report. To delete services detail information: 1. Select Inventory | Service. The Services page appears. 2. Select the services to delete. 3. Select Delete Selected Item(s) in the Choose Action drop-down list. A confirmation message appears. 4. Click OK to confirm deleting the selected services. Else, click Cancel to cancel the deletion operation.
Administrator Guide for KBOX 1000 Series, version 3.3
51
Software Lookup Services The KBOX Software Lookup Services (SLS) automatically discovers and publishes information on software programs and processes. KBOX SLS provides information on software and process as they appear on KBOX management appliances systems across the globe. KBOX SLS is available for all major platforms including Windows, Mac, Red Hat Linux, and Solaris. KBOX SLS also includes software command line arguments, uninstall commands, and installation advice. To add/view any information on the SLS website, you need to establish a unique account for the SLS site. You would need to use these credentials to add any new comments.
Enabling Software Lookup Service You need to select the 'Enable KACE Software Lookup Service' check box in the General Settings tab to be able to access the data available with Kace about common software applications and how to deploy/ remove them and share anonymous information about the software on machines in your environment. You can integrate KACE and user submitted information directly from the Software Lookup Service. If the 'Enable KACE Software Lookup Service' check box in the General Settings tab is selected, you can share the information of the software in your KBOX with the SLS website. For more information on how to enable Software Lookup Service in your KBOX appliance, see “Configuring General settings,” on page 10. To Enable Software Lookup Service: 1. Select Settings | General. The KBOX Settings: General page appears. 2. Under General Options, click the Edit Mode link next to Set Options tab. 3. Select the Enable KACE Software Lookup Service check box to enable the Software Lookup Service. A confirmation message appears. 4. Click OK. 5. Click Set Options to set the options. The KBOX information will now be shared with the Kace SLS site.
Viewing Software Lookup Services You can view Software Lookup Services contents of your KBOX. From the Inventory tab, you can view SLS information on software, processes, startup programs, and services. Software Lookup Services can also be viewed from the Distribution | Managed Installations and Distribution | File Synchronization. To View Software Lookup Services information: 1. Select Inventory | Software. The Software page appears, which lists the software installed on client machines. 2. Select the software title in order to see the associated information from the Software Lookup Service. The Software:Edit Software Detail page appears.
Administrator Guide for KBOX 1000 Series, version 3.3
52
You can see more information of the application on the Kace SLS site.
Click Read Comments to view the comments and to add comments on the Kace SLS site.
Figure 3-4: Software: Edit Software Detail page
If you have not enabled Software Lookup Services at the Settings | General page, you will not be able to view SLS information and a note will appear asking you to enable the Software Lookup Services. Refer to “To Enable Software Lookup Service:,” on page 52.
3. To Update the software information on Kace SLS site, perform the following steps: a Under Metadata, select the software category in the Category list. b In the Threat Level list, select the threat level.
Administrator Guide for KBOX 1000 Series, version 3.3
53
c If you would prefer not to share information about this particular item, select the Hide from Software Lookup Service check box. In order to provide the best information to your fellow SLS users, we recommend not hiding items from the Software Lookup Service.The information shared doesn't include any personally identifiable information about your company or users. d Click Save to save the edited information. 4. You can view following SLS information on the Software:Edit Software Detail page. Field
Description
Average Threat Level
This value is an average of the threat levels assigned by SLS users who have assigned a threat level. This is intended as a guide for software you may not be familiar with. A threat level of 1 would be interpreted as safest.
User Submitted Comments
The information displayed on this page and the information presented on the Kace website is related to the particular software title you have selected from the KBOX. Click Read Comments to view the comments on the SLS site. You need to login on the Kace SLS site using login credentials to add comments.
Categories
Displays the software categories that have been assigned to this software title by SLS users and the percentage of those users who have assigned each.
Quiet Installation Switches
Displays known Quiet Installation Switches for the item you have selected.
Description
It displays information on product description, product URL, links to support and help, and lockdown information.
Install Command Line Help
It displays information on Standard MSI Commands, Standard Install Commands, and Uninstall Help.
Administrator Guide for KBOX 1000 Series, version 3.3
54
Administrator Guide for KBOX 1000 Series, version 3.3
55
C H A P T E R 4
Asset Management The KBOX 1000 Series allows you to manage and track assets in your environment in a flexible and customizable way. “Overview of Asset Management,” on page 57 “Managing Asset Types,” on page 58 “Managing Assets,” on page 61 “Licensing,” on page 63 “Importing Asset,” on page 65
Overview of Asset Management The KBOX 1000 Series allows you to manage and track assets in your environment in a flexible and customizable way. By establishing asset types and relationships to other asset types and other objects in the KBOX, you will be able to report on existing assets as well as track licensing and cost information in a way that works for you in your environment. In looking at asset management in the KBOX, it is important to understand that there are two types of assets, organizational assets (like Department, Location or Cost Center) and physical assets (like Computers, Users, Phones or Projectors). Commonly, the organizational assets are used as a way to collect similar sets of physical assets. Before you begin to use assets, you should establish the asset types that will make sense for you, both in terms of the organization elements you want to use as well as what physical asset types you are hoping to track. You can view the list of available assets from the Asset | Assets tab. With the Assets tab you can: Add or delete assets Configure Asset types Add or delete software licenses Import data
Administrator Guide for KBOX 1000 Series, version 3.3
57
Managing Asset Types There are two types of asset types: Organizational information (Cost Center, Department, Location) the organizational assets are used as a way to collect similar sets of physical assets. Actual physical assets (computers, users, phones, projectors) where the organizational ones are pointed to by the physical ones mainly There are several built-in Asset Types — Computer, Cost Center, Department, Location, Owner, Vendor. Built-in assets can not be deleted. If you delete an asset type, then all the assets using that asset type will get deleted. You can add an unlimited number of asset types and these types have a default attribute 'Name'. You can not create an asset type with the same name as the built-in asset type name. Asset types can be organized into logical groups or hierarchies to allow for roll up reporting. Asset types can have any number of attributes. Assets can point to other Assets and to Inventory records like Machine, User, and Software. Relationships can be either one - to - one or one - to - many. Asset fields have a default value that should be used when filling in a new asset. Changing the default value in the asset type does not change any existing records, but only affects newly created records.
Asset Association You can create an assets field and associate it to another asset using the field type. Associations are defined in asset types and are used in assets. Assets associations are of following types: User Parent Asset Computer Asset Cost Center Asset Department Asset License Asset Location
Computer Asset When a machine checks into the KBOX, an asset of type computer is automatically created. The Computer Asset is mapped to a machine automatically using following two fields: 1. Mapped Inventory field 2. Mapped Asset field The mapped inventory field enables you select a field that is checked against the inventory to verify if the machine just checked in is already an asset. For example: if the machine inventory field = IP address
Administrator Guide for KBOX 1000 Series, version 3.3
58
Matching asset field = Name and a machine with an IP address shows up, the IP is checked against IP of machines that are already assets. If no such asset, then a new asset with Name = IP address is created. If the mapped inventory field is by IP and the matching asset field is different, perhaps an asset field called IP, then an asset is created with the Name as system name, and the IP as IP. The matching asset field has to be of type text. To add new asset type: 1. Select Asset | Asset Types. The Asset Types page appears. 2. Select Add New Item from the Choose action drop-down list. The Asset Type Detail page appears. 3. Enter a name for the asset type in the Name field. You can not create a new asset type with the same name as a built-in asset type name.
4. You can add associations by adding an asset field. To add asset fields, click the Fields table.
button in the Asset
5. Enter following details depending on the asset type selected. Field
Value
Name
Type a relevant name for the custom asset field, such as Asset Code, Purchase Date, or Building Address Line 1. This name appears on the data entry page for the asset.
Select Values
This field is enabled when you select Single Select or Multiple Select from the Field Type list. Type the values that should appear in the custom asset field. You must type at least one value in this field. If you want to type multiple values, you must separate each value with a comma.
Default
Type the default value for this field. If you select Single Select or Multiple Select from the Field Type list, you must type one of the values given in the Select Values field.
Required
Select this check box to make this custom asset field a mandatory field. If you select this check box, you need to enter a value for this custom asset field before saving the Asset detail page.
Administrator Guide for KBOX 1000 Series, version 3.3
59
Field Type
Select the appropriate field type. Single select (single value length 255, list length 65k). Multiple select (single value length 255, list length 65k) Text field (length 255) Attachment (This field allows you to attach a file to the asset.) Note: You can create multiple fields of attachment type per asset type. Notes (length 65K) Date ('1000-01-01' to '9999-12-31') Number (-9223372036854775808 to 9223372036854775807) Parent. This field type allows this asset to point to the same type of asset in a parent-child relationship. For example, you might allow Location types to have a Parent connection, allowing 'New York' to point to a 'North America' Location. This can then be used in the reporting system to show all Assets in North America. This report will contain all the assets in New York and in North America. User. This field type allows you to associate an asset record with one of the User records from the Inventory system. Asset ASSET_TYPE. This field type is similar to the single select field type and the multiple select field type. However, you cannot specify the values for this custom field type. The values are retrieved from the current list of Assets in the system.
Allow Multiple
This check box is enabled when you select Asset ASSET_TYPE from the Field Type list. Select this check box to allow this custom field to point to multiple records. For example, the License Asset type can point to many computers that are approved for a particular License. A single relationship might have a printer pointing to a single Department record, indicating that this printer is used by only one department.
When you rename a custom asset field, the values for that custom field are retained. However, when you remove the custom asset field, values for that custom field are removed from all assets. When you change the Field Type of a custom asset field, the system tries to retain the previous values, but you may also lose some data. For instance, if you had a custom asset field named Model Number that is of type Text. Model Number has a value of 'A123'. If you were to change the Field Type from Text to Number, the system might not be able to convert that 'A123' to a valid number. In this case, the value for Model Number is set to zero. If you click Delete, the Asset Type definition and the assets of this type are removed from the system. If there are assets that point to the Asset Type definition that you deleted, the asset association is removed. 6. Click Save to save the entries in the Asset Fields table. 7. Click Save to save the added asset type.
Administrator Guide for KBOX 1000 Series, version 3.3
60
Managing Assets You can add a new asset, delete an existing asset, or view assets by using the Asset | Assets tab. You can not delete parent asset if that parent asset has child assets. Assets can be viewed by asset type or by the associations. You can view the related assets that are not part of any particular asset and can clone any existing asset. Changes done to the asset are recorded as part History. Asset History is displayed on the Asset Detail page. To add an asset: 1. Select Asset | Assets. The Assets page appears. 2. Select the asset type you want to add from the Choose action drop-down list. The Asset Detail page appears. 3. Enter the name of the selected asset type in the Name field, and then click Save. All the asset types have a standard field as Name. If you are adding asset of computer type, then you need to enter following information: a Select the machine from the Machine list, and then enter the filter criteria in the Filter box. Machine is a default field that comes with the asset type. b Enter the date of asset creation in the Date Created box. c Enter additional information on the asset in the notes box. d Enter the asset id in the id box. Date created, notes, and id are the asset fields created for asset of computer type.
4. If you want to add another asset, then click Save and New. Otherwise, click Save to save the asset. To view assets: 1. Select Asset | Assets. The Assets page appears. 2. To view assets by asset types or association, select the asset type or association from the View by asset type drop-down list. A list of filtered assets appears. The Assets page also shows the associated assets.
3. Select the asset title to see detailed information of that asset. The Asset Detail page appears. 4. If you want to clone the asset details, click Clone, and then click Save. 5. After editing the asset information, click Save.
Administrator Guide for KBOX 1000 Series, version 3.3
61
6. In the Related Assets table, you can view the related assets that are not parent of this asset. Click the asset name to view asset details of this related asset. For example, if computer A's Location is associated to computer X, then computer A will be listed as a related asset on computer X's page, but on computer A's page, you can not see computer X. Child assets are shown on the related assets list. If the asset you are viewing is associated to a software or machine, then on clicking that asset name will take you to the Inventory page.
7. In the History table, you can view changes done to the asset.
Administrator Guide for KBOX 1000 Series, version 3.3
62
Licensing With KBOX, you can create, edit, and delete license assets. You can assign licenses to software and computers, specify or view the number of licenses available, and keep track of the expiry date for each license. When you assign a license to a software, the license is linked with the software. You can view this license information in the software detail page, the metering page, and the software library admin and user pages. You can also navigate to the license asset detail page by clicking on the license link in the software detail page, the metering page, and the software library admin and user pages. To add new license: 1. Select Asset | Assets. The Assets page appears. 2. Select License from the Choose action drop-down list. The Asset Detail page appears. 3. Enter the following information: Name
Enter the name for this license.
Seats Licensed
Enter the number of licenses available.
Applies to Software
Select the software to which you want to assign this license.
Approved for Computer
Select the computer to which you want to assign this license.
License Mode
Select the appropriate license mode.
Product Key
Enter the license key for the product.
Unit Cost
Enter the cost of each license.
Expiration Date
Enter the expiration date for this license.
Vendor
Select the vendor name for this license.
Filter
Enter the filter criteria for the Vendor list.
Purchase Order #
Enter the purchase order number for this license.
Purchase Date
Enter the date when you purchased this license.
Notes
Enter notes about this license.
License Text
Enter license text, such as the end-user license agreement.
4. Click Save. To save and add another license asset, click Save and New.
Administrator Guide for KBOX 1000 Series, version 3.3
63
Generating Reports You can run various reports to display information about the licenses assigned to software and computers. Description of these reports is provided below. Category
Report
Description
Compliance
Software Compliance Simple
Lists the licenses and counts like the License list page with details such as vendor, PO#, and Notes.
Compliance
Software License Compliance Complete
Lists software and computers that are impacted by each license record.
Compliance
Unapproved Software Installation
Lists software found on computers that do not have approved licenses.
Table 4-1: License Reports
Administrator Guide for KBOX 1000 Series, version 3.3
64
Importing Asset The Asset Import feature allows you to import assets data from CSV file into the desired asset type. To import assets data: 1. Select Asset | Asset Import. The Kace Asset Import Wizard - Uploadfile page appears. 2. In the Select File box, specify CSV file path or click Browse to select CSV file. 3. Select Is header name in the file check box if the CSV file contains header. 4. Click Next. It will take you to Asset Type Selection page. 5. Select the asset type from the Asset Type list, to which data need to be imported from CSV file. 6. Click Next. It will take you to mapping page, which displays mapping of CSV fields against fields of selected Asset Type. 7. Under Standard Fields, perform the following steps: a Select the CSV field from the drop-down list box to match the corresponding standard field. b Select the PK check box to choose this field as the primary key. Mapping of Standard fields is Mandatory.
8. Under Asset Fields, perform the following steps: a Select the CSV field from the drop-down list box to match the corresponding Asset field. b Select the PK check box to choose this field as the primary key. You can select one or more fields as composite primary key.
If none of records for Asset Type match with value of CSV field chosen as primary key then record will be inserted. If only one records for Asset Type match with value of CSV field chosen as primary key then record will be updated. If more than one records for Asset Type match with value of CSV field chosen as primary key then record will be flagged as duplicate. 9. Click Preview. It will take you to the confirmation page. 10. Click Import Data. The Kace Asset Import Wizard - Result page appears. 11. To import more assets data, click More Import. Otherwise, click Done.
Administrator Guide for KBOX 1000 Series, version 3.3
65
C H A P T E R 5
IP Scan IP scan is an appliance-side KBOX 1000 Series technology that allows you to scan a range of IP addresses to detect the existence and attributes of various devices on a network. “IP Scan Overview,” on page 67 “Viewing List of Scheduled Scans,” on page 68 “Creating an IP Scan,” on page 69
IP Scan Overview The KBOX 1000 Series can scan a range of IP addresses for SNMP enabled machines, allowing you to retrieve information about machines connected to your network. Although IP Scans have their own serverside scheduling, you can invoke a scan on-demand, or schedule a IP scan to run at a specific time. IP scan reports a variety of inventory data that lets you monitor the availability and service level of a target machine. And because IP scan scans ports in addition to IP addresses, you can collect data even without knowing the IP addresses of the target machines. IP scan will scan any type of device (as long as it has an IP address on the network) including computers, printers, network devices, servers, wireless access points, routers and switches. You can create and view IP scans from the Inventory | IP Scan tab. From the Network Scan Results page you can: View scan schedules Schedule new scan Delete selected items Apply a label/delete a label Create a remote connection to the machine, if configured under Machine Action.
Administrator Guide for KBOX 1000 Series, version 3.3
67
Viewing List of Scheduled Scans By default, the IP Scan tab displays the results of configured Network Scans that have been run. You can modify this view to show the scans that are schedule to occur in the future. To view scheduled scans: 1. Select Inventory | IP Scan. 2. Select View Scan Schedules in the Choose action drop-down list.
Administrator Guide for KBOX 1000 Series, version 3.3
68
Creating an IP Scan You can create a network scan that will look for DNS, Socket, and SNMP across a subnet or subnets. You also define a network scan to look for devices listening on a particular port (for example, Port 80). This allows you to see devices that are connected to your network even when the KBOX Agent isn’t installed on those devices. When defining a network scan, it’s important to balance scope of the scan (number of IP addresses you’re scanning) with the depth of the probe (number of attributes you’re scanning for) so that you do not overwhelm your network or KBOX 1000 Series appliance itself. For example, if you needed to scan a large number of IP addresses frequently, you would want to keep the number of ports, TCPIP connections, etc., relatively small. As a general rule, KACE recommends scanning a particular subnet no more than once every few hours. The KBOX Agent listens to port 52230. To determine which machines on your network are running KBOX Agent, you could define a network scan to report which machines were listening on that port. To create an IP scan: 1. Select Inventory | IP Scan. The Network Scan Result page appears. 2. Select Schedule New Scan in the Choose action drop-down list. The Network Scan Setting page appears. 3. Enter a name for the scan in the Network Friendly Scan Name field. 4. Enter the IP range to scan in the Network Scan IP Range field. 5. Specify the DNS lookup test details: DNS Lookup Enabled
If selected, live addresses will be checked against the DNS server to see if they have a name associated with them. This can help you identify known nodes on your network.
Name Server for lookup
Specify hostname or IP address.
Lookup time out
Specify the time out interval (in seconds).
6. Select the Ping Test Enabled check box. The Ping test must be enabled in order to run other tests. The Ping or Socket tests determine if the address is alive. If it is, then a SNMP or a Port Scan can be run against it. If the Ping and Socket tests are disabled, then the other tests will not be run. 7. Specify the Connection test details: Connection Test Enabled
Select to allow Network scan do perform connection testing.
Connection Test Protocol
Specify the protocol to use.
Connection Test Port
Specify the port to use for testing the connection.
Connection Time Out
Specify the time out interval (in seconds).
Administrator Guide for KBOX 1000 Series, version 3.3
69
8. Specify SNMP test details: SNMP Enabled
Select to enable SNMP scanning.
SNMP Public String
Enter Public string.
9. Specify Port scan test details: Device Port Scan Enabled
Select to enable port scanning of device ports.
TCP Port List
A comma-separated list of TCP ports to scan.
UDP Port List
A comma-separated list of UDP ports to scan.
Port Scan Time Out
Specify the time out interval (in seconds).
10. Specify scan schedule: Don’t Run on a Schedule
Tests will run in combination with an event rather than on a specific date or at a specific time. Use this option in combination with one or more of the “Also” choices below. For example, use this option in conjunction with “Also Run at User Login” to run whenever the user logs in.
Run Every n minutes/hours
Runs at the specified time.
Run Every day/specific day at HH:MM AM/PM
Runs on specified day at the specified time.
Run on the nst of every month/ specific month at HH:MM AM/PM
Runs on the specified time on the 1st, or 2nd, etc. of every month or only the selected month.
11. Click Save or Scan Now to run scan immediately. Deleting a Scan Configuration will also delete all associated scan inventory items. If you wish to maintain the scan inventory but not "rescan" just set the schedule of the scan configuration to not run.
Administrator Guide for KBOX 1000 Series, version 3.3
70
C H A P T E R 6
Distribution The KBOX 1000 Series Distribution feature provides various methods for deploying software, updates, and files to computers on your network. “Distribution Feature Overview,” on page 72 “Types of Distribution Packages,” on page 73 “Managed Installations,” on page 75 “Examples of Common Deployments on Windows,” on page 79 “Examples of Common Deployments on Linux,” on page 83 “Examples of Common Deployments on Solaris,” on page 87 “Examples of Common Deployments on Macintosh(r),” on page 91 “File Synchronizations,” on page 94 “Replication,” on page 96
Distribution Feature Overview KACE recommends that customers follow a predefined set of procedures before deploying any software on their network. The following flow diagram represents a high-level example of common distribution procedures. You can modify this process to meet the needs of your organization. However, to avoid distribution problems, it is important to test various deployment scenarios prior to deployment. p y Inventory & Assess
Test
Target
Deploy
Report
Figure 6-1: Basic Deployment Procedure Perhaps the most important concept in the deployment procedure is to test each deployment before rolling it out to a large number of users. The KBOX 1000 Series verifies that a package is designated for a particular system, machine, or operating system; however, it cannot assess the likelihood that a particular package will behave well with existing applications on the target machine. Therefore, we strongly suggest that you establish procedures for testing each piece of software before deploying it on your network. One way to do this is to develop a test group of target machines. You can then deploy – via the KBOX 1000 Series – to the test group and verify compatibility with the operating system and other applications within your test group. You can do this by creating a test label and perform a test distribution before you go live in your environment. You can create a test label from the Inventory | Labels tab. For more information about creating labels, see “Labels,” on page 43. This chapter will focus primarily on the Test, Target, Deploy portions of this flow diagram. For more details on creating an inventory of computers and software packages in use on your network, see Chapter 3,“Inventory,” starting on page 26.
Administrator Guide for KBOX 1000 Series, version 3.3
72
Types of Distribution Packages There are three primary types of distribution packages you can deploy to the computers on your network: managed installations, file synchronizations, and KBOX Agent. Distribution packages (whether for managed installation, file synchronization, or user portal packages) CANNOT be created until a digital file is associated with an Inventory Item. This rule applies even if you are: Sending a command, rather than an installation or a digital file, to target machines. Redirecting the KBOX Agent to retrieve the digital asset (for example,.exe,.msi) from an alternate download location. To create a distribution: 1. Install the package manually on a machine. 2. Take an inventory of that machine. For more information on how to take an inventory, see “Software Inventory,” on page 38. 3. Use the item listed in the Software Inventory list for the Managed Installation. If you need to create packages with different settings, such as parameters, labels, or deployment definitions, you can create multiple distribution packages for a single Inventory item. However, the MI cannot be verified against more than one inventory item because the MI checks for the existence of one and only one inventory item. Although the KBOX Agent tab is listed under the Distribution tab, “Deploying KBOX Agent” is discussed as part of the installation and setup process in Chapter 1,“Getting Started with KBOX 1000 Series,” starting on page 1. For information about updating an existing version of KBOX Agent, please see Chapter 12,“Server Maintenance,” starting on page 173.
Distributing Packages through KBOX Packages distributed through KBOX are only deployed to target desktops if the Inventory Item is designated to run on the target operating system. For example, if the Inventory Item is defined for Windows XP Professional only, the Inventory Item will not deploy on Windows 2000. Similarly, the package will not deploy if it is designated for a target label for which the target machine is not a member. For example, if the Deployment Package is set to deploy to a Label called Office A, it will not deploy to machines that are not in Office A. When KBOX creates a software inventory item, it will only record the operating systems on which the item was installed, in the Inventory detail record.
Distributing Packages through an Alternate Location KBOX supports software distribution from remote file stores. The KBOX Agent can retrieve digital installation files from remote file stores, as opposed to KBOX, including a UNC address, a DFS source, or an HTTP location. The CIFS and SMB protocols are supported. KBOX also supports SAMBA servers and fileserver appliances. In order to activate this capability, you must enter an Alternate Checksum (MD5) that matches the MD5 checksum on the remote file share (for security purposes). You may use any tool to establish your checksum. For creating your MD5 hash, you can use the KBOX Admin Utilities tool, which is available on the KBOX Agent CD. There are other utilities that will work equally well.
Administrator Guide for KBOX 1000 Series, version 3.3
73
If no checksum is entered, then the digital asset on the file share must exactly match the digital asset associated with the Deployment Package on the KBOX 1000 appliance. Also, the target path must include the complete filename (for example, \\fileserver_one\software\adobe.exe). When KBOX is fetching files, the priority for fetching files is as follows: 1. Alternate download location 2. Replication point 3. KBOX If there is no replication point, the KBOX agent fails over to KBOX.
Administrator Guide for KBOX 1000 Series, version 3.3
74
Managed Installations Managed Installations enable you to deploy software to the computers on your network that require an installation file to run. You can create a Managed Installation package from the Distribution | Managed Installation page. From the Managed Installations tab you can: Create or delete Managed Installations Execute or disable Managed Installations Specify a Managed Action Apply or remove a label Search Managed Installations by keyword
Creating a Managed Installation for Windows Platform When creating a Managed Installation, you can specify whether you want to interact with users by showing a message before or after installation, indicate whether the package should be when the user is logged in or not, and limit deployment to a specific label. The following section provides general steps for creating a managed installation. For specific details on creating a managed installation for an .MSI, .EXE, or .ZIP file, please refer to the subsequent sections. To create a managed installation for Windows platform: 4. Click Distribution | Managed Installations. 5. Select Add New Item in the Choose action drop-down list. The Managed Software Installation: Edit Detail Page appears. 6. Select the software from the drop-down list. You can filter the list by entering any filter options. 7. Enter the following information: Run Parameters
Specify the installation behavior. The maximum field length is 256 characters. If your path exceeds this limit, on the command line, point to a BAT file that contains the path and the command. If your Parameters file path includes spaces (for example, \\kace_share\demo files\share these files\setup.bat), place quotes around the path (for example, “\\kace_share\demo files\share these files\setup.bat”.
Full Command Line
If desired, specify full command-line parameters. Please refer to the MSI Command Line documentation for available runtime options.
Un-Install using Full Command Line
Select this check box to uninstall software.
Run Command Only
Select this check box to run the command line only.
Administrator Guide for KBOX 1000 Series, version 3.3
75
Managed Actions
Managed Action allows you to select the most appropriate time for this package to be deployed. Available options are: Disabled Execute anytime (next available) Execute before logon (before machine boot) Execute after logon (before desktop loads) Execute while user logged on Execute while user is logged off
8. Specify the deployment details: Deploy to All Machines
Select this check box if you want to deploy to all machines.
Limit Deployment To Selected Labels
Select a label to limit deployment only to machines grouped by that label. Press CTRL and click labels to select more than one label.
Limit Deployment To Listed Machines
You can limit deployment to one or more machines. From the drop-down list, select a machine to add to the list. You can add more than one machine. You can filter the list by entering filter options.
Deploy Order
The order in which software should be installed. Lower deploy order will deploy first.
Max Attempts
Specify the maximum number of attempts, between 0 and 99, to indicate the number of times the KBOX 1000 Series appliance will try to install the package. If you specify 0, KBOX will enforce the installation forever.
Deployment Window(24H clock)
Specify the time (using a 24 hr. clock) to deploy the package. Deployment Window times will affect any of the Managed Action options. Also, the run intervals defined under the Server Settings>Options page will override and/or interact with the deployment window of a specific package.
9. Set user interaction details: Allow Snooze
Select this check box to allow snooze. When you select this check box, the following additional fields appear: Snooze Message: Enter a snooze message. Snooze Timeout: Specify a timeout, in minutes, for which the message will be displayed. Snooze Timeout Action: Select a timeout action that will take place at the end of the timeout period. For example, you might select Install now because you are installing at a time when you know that the users are away from their desktops. You might select Install later because the installer needs some user interaction and it would not work if the users were not at their desktops.
Administrator Guide for KBOX 1000 Series, version 3.3
76
Custom Pre-Install Message
Select this check box to display a message to users prior to installation. When you select this check box, additional fields appear: Pre-Install User Message: Enter a pre-install message. Pre-Install Message Timeout: Specify a timeout, in minutes, for which the message will be displayed. Pre-Install Timeout Action: Select a timeout action that will take place at the end of the timeout period from the drop-down list. Options include Install later or Install now. For example, you might select Install now because you may be installing at a time when you know that the user is away from his or her desktop, making it a good time to install. Or, you might select Install later if the installer needs some user interaction and it would not work if the user was not at his or her desktop.
Custom Post-Install Message
Select this check box to display a message to users after the installation completes. When you select this check box, message field and timeout options appear. Enter a message and a timeout value in minutes.
Delete Downloaded Files
Select this check box to delete the package files after installation.
Use Alternate Download
Select this check box to specify details for alternate download. When you select this check box, the following fields appear: Alternate Download Location: Specify the location where the KBOX Agent can retrieve digital installation files. Alternate Checksum: Specify an Alternate Checksum (MD5) that matches the MD5 checksum on the remote file share (for security purposes). Alternate Download User: Specify a user name that will have the necessary privileges to access the alternate download location. Alternate Download Password: Specify the password for the user name. Note: If the target machine is part of a replication label, then the KBOX will not fetch software from the alternate download location.
10. Click Save.
Sharing Managed Software Installation Information The Distribution | Managed Installation tab enables to share the managed software installation information on the Kace SLS site. To Share Managed Software Installation Information on Kace SLS: 1. Select Distribution | Managed Installation. The Managed Installations page appears. 2. Select the managed installation you want to share with Software Lookup Services. The Managed Software Installation : Edit Detail page appears.
Administrator Guide for KBOX 1000 Series, version 3.3
77
3. After editing managed installation information, click Share with Software Lookup Service to share managed installation information with SLS. 4. Click Save. You can view the SLS information on this page. For more information on Software Lookup Services, see “Software Lookup Services,” on page 52.
Administrator Guide for KBOX 1000 Series, version 3.3
78
Examples of Common Deployments on Windows Three of the most common package deployments contain .msi, .exe, and .zip files. This section provides examples for each type of deployment. For each of these examples, you must have already uploaded the file to KBOX prior to creating the Managed Installation package. We recommend installing the software on a QA machine, waiting a sufficient amount of time for the KBOX Agent to connect to the KBOX 1000 series appliance and create an inventory item for the software, and then creating the Managed Installation package. You also can run the file KBScriptRunner tool located in Program Files\KACE\KBOX to force the KBOX Agent to check in with the KBOX 1000 appliance.
Standard MSI Example Using .MSI files is an easy, self-contained way to deploy software on Windows-based machines. If you have a .MSI that requires no special transformation or customization, the deployment is simple. If you are not sure about the installation parameters for your MSI installation, you can open the command prompt, and then type msiexec to view available options.
To create a managed installation for a .MSI file: 1. Select Distribution | Managed Installations. The Managed Installations page appears. 2. Select Add New Item in the Choose action drop-down list. The Managed Installation: Edit Detail Page appears. 3. Select the software from the drop-down list. You can filter the list by entering any filter options. 4. Set the following installation details: Run Parameters
Specify the installation behavior. The maximum field length is 256 characters. If your path exceeds this limit, please point to a BAT file on the command line that contains the path and the command. If your Parameters file path includes spaces (for example, \\kace_share\demo files\share these files\setup.bat), place quotes around the path. For example, “\\kace_share\demo files\share these files\setup.bat”.
Full Command Line
If desired, specify full command-line parameters. Please refer to the MSI Command Line documentation for available runtime options.
Un-Install using Full Command Line
Select this check box to uninstall software.
Run Command Only
Select this check box to run the command line only.
Administrator Guide for KBOX 1000 Series, version 3.3
79
Managed Actions
Managed Actions allow you to select the most appropriate time for this package to be deployed. Available options are: Disabled Execute anytime (next available) Execute before logon (before machine boot) Execute after logon (before desktop loads) Execute while user logged on Execute while user logged off
5. Specify the deployment details: Deploy to All Machines
Select this check box if you want to deploy to all the Machines.
Limit Deployment To Selected Labels
Select a label to limit deployment only to machines grouped by that label. Press CTRL and click labels to select more than one label.
Limit Deployment To Listed Machines
You can limit deployment to one or more machines. From the dropdown list, select a machine to add to the list. You can add more than one machine. You can filter the list by entering filter options.
Deploy Order
The order in which software should be installed. Lower deploy order will deploy first.
Max Attempts
Specify the maximum number of attempts, between 0 and 99, to indicate the number of times the KBOX 1000 Series appliance will try to install the package. If you specify 0, KBOX will enforce the installation forever.
Deployment Window(24H clock)
Specify the time (using a 24 hr. clock) to deploy the package. Deployment Window times will affect any of the Managed Action options. Also, the run intervals defined under the Server Settings->Options page will override and/or interact with the deployment window of a specific package.
6. Set user interaction details: Allow Snooze
Select this check box to allow snooze. When you select this check box, the following additional fields appear: Snooze Message: Enter a snooze message. Snooze Timeout: Specify a timeout, in minutes, for which the message will be displayed. Snooze Timeout Action: Select a timeout action that will take place at the end of the timeout period. For example, you might select Install now because you are installing at a time when you know that the users are away from their desktops. You might select Install later because the installer needs some user interaction and it would not work if the users were not at their desktops.
Administrator Guide for KBOX 1000 Series, version 3.3
80
Custom Pre-Install Message
Select this check box to display a message to users prior to installation. When you select this check box, additional fields appear: Pre-Install User Message - Enter a pre-install message. Pre-Install Message Timeout - Specify a timeout in minutes for which the message will be displayed. Pre-Install Timeout Action - Select a timeout action that will take place at the end of the timeout period from the drop-down list. Options include Install later or Install now. For example, you might select Install now because you may be installing at a time when you know that the user is away from his or her desktop, making it a good time to install. Or, you might select Install later if the installer needs some user interaction and it would not work if the user was not at his or her desktop.
Custom Post-Install Message
Select this check box to display a message to users after the installation completes. When you select this check box, message field and timeout options appear. Enter a message and a timeout value in minutes.
Delete Downloaded Files
Select this check box to delete the package files after installation.
User Alternate Download
Select this check box to specify details for alternate download. When you select this check box, the following fields appear: Alternate Download Location - Specify the location from where the KBOX Agent can retrieve digital installation files. Alternate Checksum - Specify an Alternate Checksum (MD5) that matches the MD5 checksum on the remote file share (for security purposes). Alternate Download User - Specify a username that will have the necessary privileges to access the Alternate Download Location. Alternate Download Password - Specify the password for the username specified above. Note: If the target machine is part of a replication label, then the KBOX will not fetch software from the alternate download location.
7. Click Save.
Administrator Guide for KBOX 1000 Series, version 3.3
81
Standard EXE Example The standard EXE example is identical to the MSI example above with one exception: /I is not required in the “run parameters” line when using a .exe. When using an EXE it is often helpful to identify switch parameters for a quiet or silent installation. To do this, specify /? in the run parameters field.
Standard ZIP Example Deploying software using a .zip file, is a convenient way to package software when more than one file is required to deploy a particular software title (for example, setup.exe plus required configuration and data files). For example, if you have a CD-ROM containing a group of files required to install a particular application, you can package them together in a .zip file, and upload them to KBOX for deployment. The KBOX Agent will automatically run deployment packages with .MSI and .EXE extensions. However, KBOX 1000 Series also provides a capability for administrators to Zip many files together and direct the KBOX 1000 Series to unpack the Zip and run a specific file within. If you intend to deploy a .ZIP file, you must place the name of the file within the .zip that you would like to run in the Command (Executable) field within the Deployment Package (for example, runthis.exe). To create a managed installation for a .zip file: 1. Browse to the location that contains the necessary installation files. 2. Select all files, and create a .zip file using WinZip or other utility. 3. Create an inventory item for the target deployment. You can do this manually from the Inventory | Software tab, or by installing the package on a KBOX Agent machine that regularly connects to the KBOX 1000 Series appliance. 4. Associate the .zip file with the inventory item and upload it to the KBOX 1000 Series. 5. Select Distribution | Managed Installation. The Managed Installations page appears. 6. Select Add New Item in the Choose action drop-down list. The Managed Software Installation : Edit Detail page appears. 7. Select the software title with which the .zip file is associated from the software drop-down list. 8. In the Full Command Line field, please specify the complete command with arguments. Example: setup.exe /qn 9. Enter other package details as described in the Creating a Managed Installation procedures. 10. Click Save.
Administrator Guide for KBOX 1000 Series, version 3.3
82
Examples of Common Deployments on Linux The supported package deployments are .rpm, .zip, .bin, .tgz and tar.gz files. This section provides examples for each type of deployment. For each of these examples, you must have already uploaded the file to KBOX prior to creating the Managed Installation package. We recommend installing the software on a QA machine, waiting a sufficient amount of time for the KBOX Agent to connect to the KBOX 1000 series appliance and create an inventory item for the software, and then creating the Managed Installation package. You can also run the file runallkbots located in \KACE\KBOX to force the KBOX Agent to check in with the KBOX 1000 appliance.
Standard RPM Example You can deploy software on Linux-based machines using .rpm files. To create a managed installation for a .rpm file: 1. Select Distribution | Managed Installations. The Managed Installations page appears. 2. Select Add New Item in the Choose action drop-down list. The Managed Installation: Edit Detail Page appears. 3. Select the software from the drop-down list. You can filter the list by entering any filter options. 4. By default the kbox agent will attempt to install the .rpm file via the following command. In general, this should be sufficient to install a new package or update an existing one to a new version: rpm -U packagename.rpm 5. If you have selected a zip/tgz/tar.gz file, then the content will be unpacked and the root directory searched for all .rpm files. The installation command will be run against each of them. KBOX will find all rpm files at the top level of an archive automatically, so you can install more than one package at a time. You can also create an archive containing a shell script and then specify that script name as the full command. KBOX will run that command if it is found and log an error if is not. If you want to change the default parameters, you have to specify the Full Command Line. You may specify wildcards in the filenames you use. Enclose the filename in single or double quotation marks if it contains spaces. The files will the unarchived into a directory in "/tmp" and that will become the current working directory of the command. On Red Hat Linux, you do not need to include any other files in your archive other than your script if that's all you wish to execute.
If the PATH environment variable of your root account does not include the current working directory and you wish to execute a shell script or other executable that you've included inside an archive, specify the relative path to the executable in the Full Command Line field. The command will be executed inside a directory alongside the files which have been unarchived. For example, if you want to run a file called "installThis.sh", you would package it up alongside a .rpm file and then put the
Administrator Guide for KBOX 1000 Series, version 3.3
83
command "./installThis.sh" in the Full Command Line field. If you archived it inside another directory, like "foo", the Full Command Line field should be "./foo/installThis.sh". Both these examples, as well as some other KBOX functions, assume that "sh" is in root's PATH. If you're using another scripting language, you may need to specify the full path to the command processor you wish to run in the Full Command Line, like "/bin/sh ./installThis.sh". Include appropriate arguments for an unattended, batch script. If you select the uninstall check box in the MI detail, the KBOX agent will run the command //usr/sbin/rpm -e packagename.rpm on either your standalone rpm file or each rpm file it finds in the archive, removing the package(s) automatically. Uninstallation in this way will be performed only if the archive or package is downloaded to the client. If you select the check box for "Run Command Only", you should specify a Full Command Line to ensure the correct removal command is run on the correct package. Since no package is downloaded in this case, you should specify the path in the installation database where the package receipt is stored. 6. If your package requires additional options, you can enter the following installation details: Run Parameters
You don’t need to specify any parameters if you have a .rpm file. If no Run Parameters are filled in, -U will be used by default.Setting a value here will override the default “-U” option. For instance, if you set Run Parameters to: “–ivh --replacepkgs”, then the command that would run on the computer would be: rpm -ivh –replacepkgs package.rpm
Full Command Line
You don’t need to specify a full command line if you have a .rpm file. The server executes the installation command by itself. The Linux client will try to install this via: rpm [-U | Run Parameters] "packagename.tgz” If you don’t want to use the default command at all, you can replace it completely by specifying the complete command line here. Remember that if you have specified an archive file, this command will run against all of the .rpm files it can find.
Un-Install using Full Command Line
Select this check box to uninstall software. If the Full Command Line above is filled in, it will be run. Otherwise, by default the agent will attempt the command, which is generally expected to remove the package.
Run Command Only
Select this check box to run the command line only. This will not download the actual digital asset.
Managed Action
Managed Action allows you to select the most appropriate time for this package to be deployed. Execute anytime (next available) and Disabled are the only options available for Linux platform.
7. Specify the deployment details: Deploy to All Machines
Select this check box if you want to deploy to all the machines.
Limit Deployment To Selected Labels
Select a label to limit deployment only to machines grouped by that label. Press CTRL and click labels to select more than one label.
Limit Deployment To Listed Machines
You can limit deployment to one or more machines. From the drop-down list, select a machine to add to the list. You can add more than one machine. You can filter the list by entering filter options.
Administrator Guide for KBOX 1000 Series, version 3.3
84
Deploy Order
The order in which software should be installed. Lower deploy order will deploy first.
Max Attempts
Specify the maximum number of attempts, between 0 and 99, to indicate the number of times the KBOX 1000 Series appliance will try to install the package. If you specify 0, KBOX will enforce the installation forever.
Deployment Window(24H clock)
Specify the time (using a 24 hr. clock) to deploy the package. Deployment Window times will affect any of the Managed Action options. Also, the run intervals defined under the Server Settings->Options page will override and/or interact with the deployment window of a specific package.
8. Set user interaction details: Allow Snooze
This option is not available for Linux platform.
Custom Pre-Install Message
This option is not available for Linux platform.
Custom Post-Install Message
This option is not available for Linux platform.
Delete Downloaded Files
Select this check box to delete the package files after installation.
Use Alternate Download
Select this check box to specify details for alternate download. When you select this check box, the following fields appear: Alternate Download Location - Specify the location from where the KBOX Agent can retrieve digital installation files. Alternate Checksum - Specify an Alternate Checksum (MD5) that matches the MD5 checksum on the remote file share (for security purposes). Alternate Download User - Specify a username that will have the necessary privileges to access the Alternate Download Location. Alternate Download Password - Specify the password for the username specified above. Note: If the target machine is part of a replication label, then the KBOX will not fetch software from the alternate download location.
9. Click Save.
Administrator Guide for KBOX 1000 Series, version 3.3
85
Standard TAR.GZ Example Deploying software using a tar.gz file is a convenient way to package software when more than one file is required to deploy a particular software title (for example, packagename.rpm plus required configuration and data files). For example, if you have a CD-ROM containing a group of files required to install a particular application, you can package them together in a tar.gz file, and upload them to KBOX for deployment. To create a managed installation for a tar.gz file: 1. Use the following two commands to create tar.gz file: tar –cvf filename.tar packagename.rpm gzip filename.tar This will create filename.tar.gz 2. Create an inventory item for the target deployment. You can do this manually from the Inventory | Software tab, or by installing the package on a KBOX Agent machine that regularly connects to the KBOX 1000 Series appliance. 3. Associate the tar.gz file with the inventory item and upload it to the KBOX 1000 Series. 4. Select Distribution | Managed Installation. The Managed Installations page appears. 5. Select Add New Item in the Choose action drop-down list. The Managed Software Installation: Edit Detail page appears. 6. Select the software title with which the tar.gz file is associated from the software drop-down list. 7. This file will be uncompressed and searched for all .rpm files. The installation command will be run against each of them. 8. If no Run Parameters are filled in, -U will be used by default. 9. You don’t need to specify a full command line. The server executes the installation command by itself. The Linux client will try to install this via: rpm [-U | Run Parameters] "packagename.tgz” 10. Enter other package details as described in the Creating a Managed Installation procedures for .rpm file above. 11. Click Save.
The KBOX Agent will automatically run deployment packages with .rpm extensions. However, KBOX 1000 Series also provides a capability for administrators to Zip many files together and direct the KBOX 1000 Series to unpack the Zip and run a specific file within.
Administrator Guide for KBOX 1000 Series, version 3.3
86
Examples of Common Deployments on Solaris The supported package deployments are .pkg, pkg.gz, .zip, .bin and tar.gz. This section provides examples for each type of deployment. For each of these examples, you must have already uploaded the file to KBOX prior to creating the Managed Installation package. We recommend installing the software on a QA machine, waiting a sufficient amount of time for the KBOX Agent to connect to the KBOX 1000 series appliance and create an inventory item for the software, and then creating the Managed Installation package. You can also run the file runallkbots located in \KACE\KBOX to force the KBOX Agent to check in with the KBOX 1000 appliance.
To create a managed installation for a .pkg file: 1. Select Distribution | Managed Installations. The Managed Installations page appears. 2. Select Add New Item in the Choose action drop-down list. The Managed Installation: Edit Detail Page appears. 3. Select the software from the drop-down list. You can filter the list by entering any filter options. 4. By default the kbox agent will attempt to install the .pkg file via the following command. In general, this should be sufficient to install a new package or update an existing one to a new version: pkgadd -n -d "packagename.pkg" [Run Parameters] 5. If you have selected a zip/pkg.gz/tar.gz file, then the contents will be unpacked and the root directory searched for all .pkg files. The installation command will be run against each of them. KBOX will find all pkg files at the top level of an archive automatically, so you can install more than one package at a time. You can also create an archive containing a shell script and then specify that script name as the full command. KBOX will run that command if it is found and log an error if is not. If you want to change the default parameters, you have to specify the Full Command Line. You may specify wildcards in the filenames you use. Enclose the filename in single or double quotation marks if it contains spaces. The files will the unarchived into a directory in "/tmp" and that will become the current working directory of the command. You can put a zero-byte .pkg file in your archive if all you want to do is execute a shell command or some other executable.
If the PATH environment variable of your root account does not include the current working directory and you wish to execute a shell script or other executable that you've included inside an archive, specify the relative path to the executable in the Full Command Line field. The command will be executed inside a directory alongside the files which have been unarchived. For example, if you want to run a file called "installThis.sh", you would package it up alongside a .pkg file and then put the command "./installThis.sh" in the Full Command Line field. If you archived it inside another directory, like "foo", the Full Command Line field should be "./foo/installThis.sh". Both these examples, as well as some other KBOX functions, assume that "sh" is in root's PATH. If you're using another scripting language, you may need to specify the full path to the command
Administrator Guide for KBOX 1000 Series, version 3.3
87
processor you wish to run in the Full Command Line, like "/bin/sh ./installThis.sh". Include appropriate arguments for an unattended, batch script. If you select the uninstall check box in the MI detail, the KBOX agent will run the command: /usr/sbin/pkgrm -n packagename.pkg on either your standalone rpm file or each rpm file it finds in the archive, removing the package(s) automatically. Uninstallation in this way will be performed only if the archive or package is downloaded to the Agent. If you select the check box for "Run Command Only", you should specify a full command line to ensure the correct removal command is run on the correct package. Since no package is downloaded in this case, you should specify the path in the installation database where the package receipt is stored. 6. If your package requires additional options, you can enter the following installation details: Run Parameters
You don’t need to specify any parameters if you have a .pkg file. If no Run Parameters are filled in, all will be used by default to install all packages in the .pkg file. Setting a value here will override the default option.
Full Command Line
You don’t need to specify a full command line if you have a .pkg file. The server executes the installation command by itself. The Solaris client will try to install this via: pkgadd -n -d "packagename.pkg" [Run Parameters] If you don’t want to use the default command at all, you can replace it completely by specifying the complete command line here. Remember that if you have specified an archive file, this command will run against all of the .pkg files it can find.
Un-Install using Full Command Line
Select this check box to uninstall software. If the Full Command Line above is filled in, it will be run. Otherwise, by default the agent will attempt the command, which is generally expected to remove the package.
Run Command Only
Select this check box to run the command line only. This will not download the actual digital asset.
Managed Action
Managed Action allows you to select the most appropriate time for this package to be deployed. Execute anytime (next available) and Disabled are the only options available for Solaris platform.
7. Specify the deployment details: Deploy to All Machines
Select this check box if you want to deploy to all the machines.
Limit Deployment To Selected Labels
Select a label to limit deployment only to machines grouped by that label. Press CTRL and click labels to select more than one label.
Limit Deployment To Listed Machines
You can limit deployment to one or more machines. From the drop-down list, select a machine to add to the list. You can add more than one machine. You can filter the list by entering filter options.
Deploy Order
The order in which software should be installed. Lower deploy order will deploy first.
Max Attempts
Specify the maximum number of attempts, between 0 and 99, to indicate the number of times the KBOX 1000 Series appliance will try to install the package. If you specify 0, KBOX will enforce the installation forever..
Administrator Guide for KBOX 1000 Series, version 3.3
88
Deployment Window(24H clock)
Specify the time (using a 24 hr. clock) to deploy the package. Deployment Window times will affect any of the Managed Action options. Also, the run intervals defined under the Server Settings > Options page will override and/or interact with the deployment window of a specific package.
8. Set user interaction details: Allow Snooze
This option is not available for Solaris platform.
Custom Pre-Install Message
This option is not available for Solaris platform.
Custom Post-Install Message
This option is not available for Solaris platform.
Delete Downloaded Files
Select this check box to delete the package files after installation.
Use Alternate Download
Select this check box to specify details for alternate download. When you select this check box, the following fields appear: Alternate Download Location - Specify the location from where the KBOX Agent can retrieve digital installation files. Alternate Checksum - Specify an Alternate Checksum (MD5) that matches the MD5 checksum on the remote file share (for security purposes). Alternate Download User - Specify a username that will have the necessary privileges to access the Alternate Download Location. Alternate Download Password - Specify the password for the username specified above. Note: If the target machine is part of a replication label, then the KBOX will not fetch software from the alternate download location.
9. Click Save.
Standard TAR.GZ Example Deploying software using a tar.gz file is a convenient way to package software when more than one file is required to deploy a particular software title (for example, packagename.pkg plus required configuration and data files). For example, if you have a CD-ROM containing a group of files required to install a particular application, you can package them together in a tar.gz file, and upload them to KBOX for deployment. To create a managed installation for a tar.gz file: 1. Use the following two commands to create tar.gz file: tar –cvf filename.tar packagename.pkg gzip filename.tar This will create filename.tar.gz. 2. Create an inventory item for the target deployment. You can do this manually from the Inventory | Software tab, or by installing the package on a KBOX Agent machine that regularly connects to the KBOX 1000 Series appliance. 3. Associate the tar.gz file with the inventory item and upload it to the KBOX 1000 Series. 4. Select Distribution | Managed Installation. The Managed Installations page appears.
Administrator Guide for KBOX 1000 Series, version 3.3
89
5. Select Add New Item in the Choose action drop-down list. The Managed Software Installation: Edit Detail page appears. 6. Select the software title with which the tar.gz file is associated from the software drop-down list. 7. This file will be uncompressed and searched for .pkg files. The installation command will be run against each of them. 8. If no Run Parameters are filled in, all will be used by default to install all packages in the .pkg file. 9. You don’t need to specify a full command line. The server executes the installation command by itself. The Solaris client will try to install this via: pkgadd -n -d "packagename.pkg" [Run Parameters] If extension is tar.gz:
tar xzpf “packagename” If extension is .zip:
unzip “packagename.zip” If extension is .gz:
gunzip “packagename.gz” 10. Enter other package details as described in the Creating a Managed Installation procedures for .pkg file above. 11. Click Save.
The KBOX Agent will automatically run deployment packages with .pkg extensions. However, KBOX 1000 Series also provides a capability for administrators to Zip many files together and direct the KBOX 1000 Series to unpack the Zip and run a specific file within.
Administrator Guide for KBOX 1000 Series, version 3.3
90
Examples of Common Deployments on Macintosh(r) On the Apple MacOS X platform, there is a universal installer with the usual file extension of .pkg. (This format is different from the Solaris .pkg files.) You cannot upload a .pkg file directly, because .pkg files are actually directories at a low level and web browsers can't handle uploading entire directories. You do not need to use an installer for KBOX to install plain packages. These are the ".app" packages you might normally drag to your Applications folder. These must be archived as well, since they are also directories at a very low level, just like installer packages. You can even archive installers alongside plain applications. KBOX will run the installers first and then copy the applications into the Applications folder. The supported package deployments are .pkg, .app, .dmg, .zip, .tgz and tar.gz. If you package the file as a disk image, KBOX will mount and unmount it quietly. This section provides examples for each type of deployment. For each of these examples, you must have already uploaded the file to KBOX prior to creating the Managed Installation package. We recommend installing the software on a test machine, waiting a sufficient amount of time for the KBOX Agent to connect to the KBOX 1000 series appliance and create an inventory item for the software, and then creating the Managed Installation package. You can also run the file runallkbots located in /Library/KBOXAgent/Home/bin to force the KBOX Agent to check in with the KBOX 1000 appliance.
To create a managed installation: 1. Select Distribution | Managed Installations. The Managed Installations page appears. 2. Select Add New Item in the Choose action drop-down list. The Managed Installation: Edit Detail Page appears. 3. Select the software from the drop-down list. You can filter the list by entering any filter options. 4. By default the kbox agent will attempt to install the .pkg file via the following command. In general, this should be sufficient to install a new package or update an existing one to a new version: installer -pkg packagename.pkg -target / [Run Parameters] 5. If you have selected a zip/tgz/tar.gz file, then the contents will be unpacked and the root directory searched for all .pkg files. The installation command will be run against each of them. KBOX will search for all the .pkg files on the top level of an archive and execute that same installer command on all of them in alphabetical order. After that, KBOX will search for all plain applications (.app) on the top level of the archive and copy them to /Applications with this command: ditto -rscs Application.app /Applications/Application.app If you wish to execute a script or change any of these command lines more fully, you may specify the appropriate script invocation as the Full Command Line. You may specify wildcard in the filenames you use. Enclose the filename in single or double quotation marks if it contains spaces. The files will the
Administrator Guide for KBOX 1000 Series, version 3.3
91
unarchived into a directory in "/tmp" and that will become the current working directory of the command. On MacOS, you do not need to include any other files in your archive other than your script if that's all you wish to execute.
If the PATH environment variable of your root account does not include the current working directory and you wish to execute a shell script or other executable that you've included inside an archive, be sure to specify the relative path to the executable in the Full Command Line field. Remember, you'll be executing your command inside a directory alongside the files which have been unarchived. For example, if you want to run a file called "installThis.sh", you would package it up alongside a .pkg file and then put the command "./installThis.sh" in the Full Command Line field. If you archived it inside another directory, like "foo", the Full Command Line field should be "./foo/installThis.sh". Both these examples, as well as some other KBOX functions, assume that "sh" is in root's PATH. If you're using another scripting language, you may need to specify the full path to the command processor you wish to run in the Full Command Line, like "/bin/sh ./installThis.sh". Be sure to include appropriate arguments for an unattended, batch script. If you select the uninstall check box in the MI detail, KBOX will remove each .app it finds in the top level of your archive from the Applications folder. Thus, if you include two files in your archive named "MyApp.app" and "MyOtherApp.app", those two applications will disappear from your Applications folder if they exist there. Uninstallation in this way will be performed only if the archive or package is downloaded to the client. If you select the check box for "Run Command Only", you should specify a full command line to ensure the correct removal command is run on the correct package. Since no package is downloaded in this case, you should specify the path in the installation database where the package receipt is stored or run the correct file removal command to delete the files from the Applications folder. In that case, you can download a script inside an archive and run the script on the Full Command Line. 6. If your package requires additional options, you can enter the following installation details: Run Parameters
You cannot apply "Run Parameters" to the above mentioned commands.
Full Command Line
You don’t need to specify a full command line. The server executes the installation command by itself. The Macintosh(r) client will try to install this via: installer -pkg packagename.pkg -target / [Run Parameters] or ditto -rsrc packagename.app /Applications/theapp If you don’t want to use the default command at all, you can replace it completely by specifying the complete command line here. Remember that if you have specified an archive file, this command will run against all of the .pkg files or .app files it can find.
Un-Install using Full Command Line
Select this check box to uninstall software. If the Full Command Line above is filled in, it will be run. Otherwise, by default the agent will attempt the command, which is generally expected to remove the package.
Run Command Only
Select this check box to run the command line only.This will not download the actual digital asset.
Administrator Guide for KBOX 1000 Series, version 3.3
92
Managed Action
Managed Action allows you to select the most appropriate time for this package to be deployed. Execute anytime (next available) and Disabled are the only options available for Macintosh(r) platform.
7. Specify the deployment details: Deploy to All Machines
Select this check box if you want to deploy to all the machines.
Limit Deployment To Selected Labels
Select a label to limit deployment only to machines grouped by that label. Press CTRL and click labels to select more than one label.
Limit Deployment To Listed Machines
You can limit deployment to one or more machines. From the dropdown list, select a machine to add to the list. You can add more than one machine. You can filter the list by entering filter options.
Deploy Order
The order in which software should be installed.Lower deploy order will deploy first.
Max Attempts
Specify the maximum number of attempts, between 0 and 99, to indicate the number of times the KBOX 1000 Series appliance will try to install the package. If you specify 0, KBOX will enforce the installation forever.
Deployment Window(24H clock)
Specify the time (using a 24 hr. clock) to deploy the package. Deployment Window times will affect any of the Managed Action options. Also, the run intervals defined under the Server Settings->Options page will override and/or interact with the deployment window of a specific package.
8. Set user interaction details: Allow Snooze
This option is not available for Macintosh(r) platform.
Custom Pre-Install Message
This option is not available for Macintosh(r) platform.
Custom Post-Install Message
This option is not available for Macintosh(r) platform.
Delete Downloaded Files
Select this check box to delete the package files after installation.
Use Alternate Download
Select this check box to specify details for alternate download. When you select this check box, the following fields appear: Alternate Download Location - Specify the location from where the KBOX Agent can retrieve digital installation files. Alternate Checksum - Specify an Alternate Checksum (MD5) that matches the MD5 checksum on the remote file share (for security purposes). Alternate Download User - Specify a username that will have the necessary privileges to access the Alternate Download Location. Alternate Download Password - Specify the password for the username specified above. Note: If the target machine is part of a replication label, then the KBOX will not fetch software from the alternate download location.
9. Click Save.
Administrator Guide for KBOX 1000 Series, version 3.3
93
File Synchronizations File synchronizations enable you to distribute software files to the computers on your network. These can be any type of file, such as PDF, ZIP files, or EXE files, which are simply downloaded to the user’s machine, but not installed.
Creating a file synchronization Using file synchronizations, you can push out any type of file to the computers on your network. You can choose to install the files from the KBOX 1000 Series, or you can specify an alternate location where users will download the file. The string KACE_ALT_Download in the Alternate Download Location field will be replaced with the value assigned by the corresponding LABEL. You should not have a machine in more than one LABEL with an Alternate Download Location specified. To create a file synchronization: 1. Select Distribution | File Synchronization. The File Synchronizations page appears. 2. Select Add New Item in the Choose action drop-down list. The File Synchronization: Edit Detail page appears. 3. Select the software title to install in the Software Title to Install drop-down list. 4. Set or modify the following installation details: Notes
Enter any information related to the software title selected.
Location (full directory path)
Specify the location on the users machine where you want to upload this file.
Location User
If the Location specified above is a shared location, specify the User login name.
Location Password
If the Location specified above is a shared location, specify the login password.
Enabled
Select this check box to download the file the next time the KBOX Agent checks in to the KBOX 1000 Series appliance.
Create Location (if doesn’t exists)
Creates the installation location if not already there.
Replace existing files
Select this check box to overwrite existing files of the same name on the target machines.
Do Not Uncompress Distribution
Select this check box if you are distributing a compressed file and do not want the file uncompressed.
Persistent
Select this check box if you want the KBOX 1000 Series to confirm every time that this package does not already exist on the target machine before attempting to deploy it.
Create shortcut (to location)
Select this check box if you want to create a desktop shortcut to the file location.
Shortcut name
Type a display name for the shortcut.
Delete Temp Files
Select this check box to delete temporary installation files.
Administrator Guide for KBOX 1000 Series, version 3.3
94
5. Specify the deployment details: Limit Deployment to
Specify a label for the package. The file will be distributed to the users assigned to the label, such as operating system affected by the synchronization.
6. Set user interaction details: Pre-Install User Message
Select this check box to display a message to users prior to installation. When you select this check box, additional fields appear: Pre-Install User Message - Enter a pre-install message. Pre-Install Message Timeout - Specify a timeout in minutes for which the message will be displayed. Pre-Install Timeout Action - Select a timeout action that will take place at the end of the timeout period from the drop-down list. Options include Install later or Install now. For example, you might select Install now because you may be installing at a time when you know that the user is away from his or her desktop, making it a good time to install. Or, you might select Install later if the installer needs some user interaction and it would not work if the user was not at his or her desktop.
Post-Install User Message Select this check box to display a message to users after the installation completes. When you select this check box, message field and timeout options appear. Enter a message and a timeout value in minutes. Deployment Window
Specify the time (using a 24 hr. clock) to deploy the package. Deployment Window times will affect any of the Managed Action options. Also, the run intervals defined under the Server Settings | Options page will override and/or interact with the deployment window of a specific package.
Use Alternate Download
Select this check box to specify details for alternate download. When you select this check box, the following fields appear: Alternate Download Location - Specify the location from where the KBOX Agent can retrieve digital installation files. Alternate Checksum - Specify an Alternate Checksum (MD5) that matches the MD5 checksum on the remote file share (for security purposes). Alternate Download User - Specify a username that will have the necessary privileges to access the Alternate Download Location. Alternate Download Password - Specify the password for the username specified above. Note: If the target machine is part of a replication label, then the KBOX will not fetch software from the alternate download location.
7. Click Save. To distribute files previously deployed after the deployment window has closed, click the Resend Files button.
Administrator Guide for KBOX 1000 Series, version 3.3
95
Replication A Replication Share allows a KBOX Agent to replicate software installers to a share for use by other KBOX Agents. This allows users to download software from the share instead of directly from the KBOX 1000 Series. This is useful if you have machines in a remote office where downloading the software once for each machine would impact the network. From the Replication tab, users can: Add or delete replication shares Enable or disable replication shares
Creating a Replication Share Replication shares can only be created on one of the machines listed in the KBOX Inventory | Computers tab. If you want to create a share on a machine not listed there, you will need to create an inventory record for the machine before continuing. For more information, see Chapter 3,“Inventory,” starting on page 26. The Replication Machine will need write permissions to the Destination Path to write the software files. To create a replication share: 1. Select Distribution | Replication. The Replication Shares page appears. 2. Select Add New Item in the Choose Action drop-down list. The Replication Share: Edit Detail page appears. 3. Select the machine on which the share will reside in the Replication Machine drop-down list. 4. Specify the Replication Share destination details: Destination Path
Specify the destination path where the replication machine should copy all the software from the KBOX 1000 Series. All software items with digital assets are copied, including patches. The Replication Machine will need write permissions to the Destination Path to write the software files.
Destination Path User
Specify the login name for the share.
Destination Path Password
Specify the password for the share.
5. Select a label for the Replication Share. Make sure that the label does not have ALT_KACE_LOCATION specified on it. 6. Specify the replication share download details: Download Path
Specify the download path from where machines in the replication label will copy these assets instead of downloading them directly from KBOX. The Clients will need read permission to this share.
Download Path User
Specify the login name the users in the replication share label will enter to access the assets on the replication share.
Download Path Password
Specify the password for the share. The password the users in the replication share label will enter to access the assets on the replication share.
7. Enter comments in the Notes field as necessary.
Administrator Guide for KBOX 1000 Series, version 3.3
96
8. Click Save. 9. After creating a replication share, select the Enabled check box to allow users to begin using the share to download digital assets.
Viewing Replication Share Details After clicking Save, the Replication Shares list will be displayed showing the new replication share. You can view the list of digital assets that will be copied to this share by clicking the linked name of the Replication Share and scrolling down to the table at the bottom. You can also click the Details link beside the Replication Machine field to view the computer inventory record for the Replication Share. Click the Details link beside the Labels field to view the computers and users assigned to that label.
Administrator Guide for KBOX 1000 Series, version 3.3
97
C H A P T E R 7
Wake-on-LAN The KBOX 1000 Series Wake-on-LAN feature provides the ability to “wake up” computers equipped with network cards that are Wake-on-LAN compliant. “Wake-on-LAN Feature Overview,” on page 99 “Issuing a Wake-on-LAN Request,” on page 100 “Troubleshooting Wake-on-LAN,” on page 101
Wake-on-LAN Feature Overview The KBOX 1000 Series Wake-on-LAN feature enables you to remotely power-on device on your network, even if those machines don’t have the KBOX Agent installed. Wake-on-LAN can target a label, or specific MAC-addressed machine. Wake-on-LAN is often used to power on machines prior to some IT activity, such a distributing a package from the KBOX 1000 Series to a subnet, to ensure that the distribution or update reaches as many of the target machines as possible. Because many of the updates are performed during off-hours to minimize the impact on your network, some of the machines targeted for updating might be turned off at the time you are performing the updates. In such cases, you could issue a Wake-on-LAN call to turn computers on prior to performing updates, running scripts, or distributing packages. This feature only supports machines that are equipped with a Wake-On-LAN-enabled network interface card (NIC) and BIOS.
Using the Wake-on-LAN feature on the KBOX 1000 Series will cause broadcast UDP traffic on your network on port 7. This traffic should be ignored by most computers on the network. The KBOX 1000 Series sends 16 packets per Wake-on-LAN request because it must guess the broadcast address that is required to get the "Magic Packet" to the target computer. This amount of traffic should not have a noticeable impact on the network.
Administrator Guide for KBOX 1000 Series, version 3.3
99
Issuing a Wake-on-LAN Request You can wake multiple devices at once by specifying a label to which those devices belong, or you can wake computers or network devices individually. If you need to wake devices on a regular basis, for example to perform monthly maintenance, you could schedule a Wake-on-LAN to go out a specific time. If the device you want to wake is not inventoried by the KBOX 1000 Series but you still know the MAC (Hardware) address and its last-known IP address, you can manually enter the information to wake the device. To issue a Wake-on-LAN request: 1. Click Distribution | Wake-on-LAN. The Wake-on-LAN page appears. 2. To wake multiple devices, select a label from the Labels drop-down list. 3. To wake computers individually, select them from the Wake a Computer list. Press CTRL, and then click to select multiple computers. 4. To wake a network device, specify the device’s IP address in the Devices field. 5. Enter the filter criteria in the Filter field. 6. Specify the MAC address of the device in the MAC Address field. 7. Specify the IP address of the device in the IP Address field. 8. Click Send Wake-on-LAN. After sending the Wake-on-LAN request, you will see the results at the top of the page indicating the number of machines that received the request and to which label, if any, those machines belong. To schedule a Wake-On-LAN request: 1. Click Distribution | Wake-on-LAN. 2. Click the Schedule a routine Wake-on-LAN event link. The Wake-on-LAN page appears. 3. Select Add New Item in the Choose action drop-down list. The Wake-on-LAN Settings page appears. 4. In the Labels to Wake-on-LAN box, select the labels to include in the request. Press CTRL, then click to select multiple labels. 5. In the Limit by Operating Systems box, select the operating systems to include in the request. 6. Specify the Wake-on-LAN schedule in the Scheduling area: Don’t Run on a Schedule
Tests will run in combination with an event rather than on a specific date or at a specific time.
Run Every day/specific day at HH:MM AM/PM
Runs every day or only the selected day at the specified time.
Run on the nst of every month/specific month at HH:MM AM/PM
Runs on the 1st, or 2nd, etc. of every month or only the selected month at the specified time.
7. Click Save. On clicking Save, you will see the Wake-on-LAN tab with the scheduled request listed. From this view you can edit or delete any scheduled requests.
Administrator Guide for KBOX 1000 Series, version 3.3
100
Troubleshooting Wake-on-LAN If a Wake-on-LAN request fails to wake devices, your network devices could be configured in a way that is causing Wake-on-LAN to fail: The device does not have a WOL-capable network card or is not configured properly. The KBOX 1000 Series has incorrect information about the subnet to which the device is attached. UDP traffic is not routed between subnets or is being filtered by a network device. Broadcast traffic is not routed between subnets or is being filtered by a network device. Traffic on Port 7 is being filtered by a network device. For more assistance with troubleshooting Wake-on-LAN, see http://support.intel.com/support/network/sb/ cs-008459.htm
Administrator Guide for KBOX 1000 Series, version 3.3
101
C H A P T E R 8
Scripting The optional Policy and Scripting Module provides a pointand-click interface for performing many tasks that would typically require a manual process or advanced programming. This feature is available only for computers that run on the Windows operating system. “Scripting Module Overview,” on page 103 “Creating and Editing Scripts,” on page 105 “Using the Run Now Function,” on page 111 “Searching Scripting Log Files,” on page 114 “Configuration Policies,” on page 115
Scripting Module Overview If you purchased the optional KBOX 1000 Series Policy and Scripting Module, you now have a way to easily and automatically perform a variety of tasks across your network through customized scripts that run when and where you want them to. You can automate tasks like installing software, checking antivirus status, changing registry settings, or configuring browser settings by creating a custom script and then scheduling deployment to the endpoints on your network. Each script consists of metadata, dependencies (where necessary), rules, tasks, and deployment and schedule settings. Dependencies are supporting files that are needed for the script to run, such as executable, .zip files, etc. When creating your script, you will be prompted to upload any required dependencies. Rules are tasks performed in a specified order on the target machine. Each task determines whether processing should continue or end at the end of each task. Tasks are the individual steps being carried out by the script. In each script, you can have any number of tasks. Whether or not a task is executed is dependent upon the success or failure of the previous task and any rules for performing subsequent tasks. There are two types of scripts you can create: policies and jobs. Policies are generally used to perform tasks that will be repeated, such as checking to see whether McAfee Antivirus is installed and working. Jobs are used to perform one-time tasks, such as uninstalling software or moving files.
Administrator Guide for KBOX 1000 Series, version 3.3
103
Using Scripts that are Installed with KBOX KBOX installs the following scripts by default: Script Name
Description
Force Checkin
Runs KBScriptRunner on client to force checkin. WARNING: do not run this with more than 50 clients selected as this can overload the server with requests.
Defragment the C: drive
Example script to defragment the c:
DOS-DIR
DOS-DIR
Inventory Startup Programs Fix
On some machines, a missing registry entry causes all of the contents of the system32 directory to be reported as the Startup Programs. This script fixes the registry entry if it is missing.
KBOX Remote Control Disabler
Disables KBOX Remote Control functionality on Windows XP Professional by configuring Terminal Services properly.
KBOX Remote Control Enabler
Enables KBOX Remote Control functionality on Windows XP Professional by configuring Terminal Services properly.
KBOXClient debug logs Disable
If the client is checking in and a problem occurs with the inventory and deployment, this script will disable the debug switch.
KBOXClient debug logs Enable
If the client is checking in and a problem occurs with the inventory and deployment, this script will enable the client debug and send the debug back to the server. This only turns on debug for the inventory and deployment part of the client. It does not enable debugging of the scheduling service.
Make Removable Drives Read-Only
Removable drives may only be mounted read-only. This prevents people from absconding with corporate data, though they may transport data to their PC.
Make Removable Drives Read-Write
Removable drives may be mounted read-write.
Message Window Script Example
This is an example script to illustrate use of message window. Your script must have properly paired create/destroy message window commands in order to work properly. Message Windows remain displayed until user dismisses, until the script finishes executing, or until the timeout is reached, whichever comes first.
Reset KUID
Deletes the registry keys that identify a machine. You should also delete the specific machine record from the inventory tab.
Shutdown a Windows system
It specifies timeout in seconds while the message in quotes will be displayed to the user. Omit for silent immediate shutdown.
USB Drives Disable
USB Drives may not be used at all.
USB Drives Enable
USB Drives may be used.
Table 8-1: Default scripts in KBOX
Administrator Guide for KBOX 1000 Series, version 3.3
104
Creating and Editing Scripts There are three ways you can create scripts: by importing an existing script (in XML format), by making a copy of an existing script, or by creating a new script from scratch. You can perform these actions from the Scripting | Scripts tab. The process of creating scripts is an iterative one. After creating a script, it’s a good idea to deploy the script to a limited number of machines (you can create a test label to do this) so that you can verify it is doing what you intend before deploying it to all of the machines on your network. It’s good practice to leave a script disabled until after you have done all of your editing and testing and you are ready to run the script.
Administrator Guide for KBOX 1000 Series, version 3.3
105
Adding Scripts Scripts are made up of one or more Tasks. Within each Task there are Verify and Remediation sections where you can further define the script behavior. If a section is left blank, it defaults to success. For example, if you leave the Verify section blank, it will end in On Success. To add a script: 1. Select Scripting | Scripts. 2. Select Add New Item from the Choose action drop-down list. The Script: Edit Detail page appears. 3. In the Configuration area, enter the requested details: Name
Provide a meaningful name for the script to make it easier to distinguish from others listed on the Scripts tab.
Description
Describe briefly the actions the script will perform. Although this field is optional like the Name field, it will help you to distinguish one script from another on the Scripts tab.
Type
Classify the script as either a Job or a Policy. This distinction has no affect on how the script will run, however, it can help to differentiate those scripts that will run regularly (policies) from those that will run only once (jobs).
Status
Use this field to indicate whether the script is in development (Draft) or has been rolled out to your network (Production). Use Template if you are building a script that will be used as the basis for future scripts.
Enabled
Select this check box to run the script on the target machines. Do not enable until you are finished and want to run it. Enable on a test label before you enable on all machines.
Allow Run While Dis- Select this option if you want to allow the script to run even if the target connected machine cannot contact the KBOX 1000 Series to report results. In such a case, results will be stored on the machine and uploaded to the KBOX 1000 Series until the next contact. Allow Run While Logged Off
Select this option if you want to allow the script to run even if a user is not logged in. To run the script only when the user is logged into the machine, clear this option.
4. Specify the deployment options: Deploy to All Machines
Select this check box if you want to deploy to all the Machines.
Limit Deployment To Selected Labels
Select a label to limit deployment only to machines grouped by that label. Press CTRL and click labels to select more than one label.
Limit Deployment To Listed Machines
You can limit deployment to one or more machines. From the drop-down list, select a machine to add to the list. You can add more than one machine. You can filter the list by entering filter options.
Supported Operating Systems
Select an operating system on which the script will run. If you selected a label as well, the script will only run on machines with that label if they are also running the selected operating system.
Administrator Guide for KBOX 1000 Series, version 3.3
106
Scheduling
In the Scheduling area, specify when and how often the script will run. Don’t Run on a Schedule
Tests will run in combination with an event rather than on a specific date or at a specific time. Use this option in combination with one or more of the “Also” choices below. For example, use this option in conjunction with “Also Run at User Login” to run whenever the user logs in.
Run Every n minutes/hours
Test will run on every hour and minutes as specified.
Run Every day/specific day at HH:MM AM/PM
Test will run on the specified time on the specified day.
Run on the nst of every month/specific month at HH:MM AM/PM
Test will run on the specified time on the 1st, or 2nd, etc. of every month or only the selected month.
Custom Schedule
This option allows you to set an arbitrary schedule using standard cron format. For example, 1,2,3,5,20-25,30-35,59 23 31 12 * * means: On the last day of year, at 23:01, 23:02, 23:03, 23:05, 23:20, 23:21, 23:22, 23:23, 23:24, 23:25, 23:30, 23:31, 23:32, 23:33, 23:34, 23:35, 23:59. The KBOX 1000 Series doesn’t support the extended cron format.
Also Run Once at next Client Checkin
This option runs the script once when new scripts are downloaded from the KBOX 1000 Series. The time interval for downloaded scripts is set in KBOX Settings | Client Options | Scripting Update Interval.
Also Run at Machine Boot Up
This option runs the script at machine boot time. Be aware that this will cause the machine to boot up slower than it might normally.
Also Run at User Login
This option runs the script after the user has entered their Windows login credentials.
5. Click Run Now to immediately push the script to all machines. Use this option with caution. For more information about the Run Now button, see “Using the Run Now Function,” on page 111.
6. To browse for and upload files required by the script, click Add new dependency, click Browse, and then click Open to add the new dependency file. Repeat this step to add additional new dependencies as necessary. 7. Click Add Task Section to add a new task. The process flow of a task in a script is shown below. IF Verify THEN Success ELSE IF Remediation THEN Remediation Success ELSE Remediation Failure Figure 8-2: Example of Task process flow
Administrator Guide for KBOX 1000 Series, version 3.3
107
8. Under Job or Policy Rules, set the following options for Task 1: Attempts
The number of times the script will attempt to run. If the script fails but remediation is successful, you may want to run the task again to confirm the remediation step. To do this, set the number of Attempts to 2 or more. If the Verify section fails, it will be run Attempts number of times.
On Failure
Select Break if you want the script to stop running upon failure. Select Continue if you want the script to perform remediation steps upon failure.
9. In the Verify section, click Add to add a step, and then select one or more steps to perform. See Appendix A,“Steps for Task sections,” starting on page 204. 10. In the On Success and Remediation sections, select one or more steps to perform. See Appendix A,“Adding steps to a Task,” starting on page 203. 11. In the On Remediation Success and On Remediation Failure sections, select one or more steps to perform. See Appendix A,“Adding steps to a Task,” starting on page 203. To remove a dependency, task, or step, click the trash can icon This icon appears when your mouse hovers over an item.
beside the item.
Editing Scripts You can edit scripts on the Script: Edit Detail page, or in an XML editor. To use the XML editor, click the View raw XML editor link at the top of the Script: Edit Detail page. Scripts created using one of the wizards can be re-edited using the wizard in addition to these methods. To edit a script: 1. Select Scripting | Scripts. 2. Click the name of the script you want to edit. The Script: Edit Detail page appears. 3. Modify the script as desired. 4. Click Save. To delete a script: 1. Select Scripting | Scripts. 2. Select the check box beside the script you want to delete. 3. Choose Delete Selected Item(s) from the Choose action drop-down list. 4. Click OK to confirm deletion.
Administrator Guide for KBOX 1000 Series, version 3.3
108
Importing scripts If you prefer to create your script in an external XML editor, you can upload your finished script to the KBOX 1000 Series. Be sure that the imported script conforms to the following structure: The root element One or more elements. Exactly one element within each element. Exactly one <execute> element within each element. One or more elements within each element. <execute disconnected=”false” logged_off=”false”> Figure 8-3: Example of XML structure for KBOX 1000 Series script In the above example, we see an example of a simple XML script. The element corresponds to the Configuration section on the Script: Edit Detail page and is where you will specify the name of the policy or job (optional), and the script type (policy or job). Within this element you also will indicate whether the script will run when the target machine is disconnected or logged off from the KBOX 1000 Series. Within the element you will specify whether the script is enabled and describe the specific tasks the script is to perform. Tip: If you are creating a script that will perform some of the same tasks as an existing script, you may want to consider creating a copy of that existing script, then opening the copied script in XML editor view to better understand what is possible in the element. For more information, see “Duplicating scripts,” on page 110.
Administrator Guide for KBOX 1000 Series, version 3.3
109
To import an existing script: 1. Click the Scripting button, then choose the Scripts tab. 2. From the Choose action drop-down list, select Import from XML. The Script: Edit Detail page appears. 3. Paste the existing script into the space provided, then click Save.
Duplicating scripts If you have already created a script that performs many of the tasks required of your new script, the simplest way to begin is to make a copy of the current script, then modify the steps as required, and then upload any new dependency files. To duplicate an existing script: 1. Select Scripting | Scripts. 2. Click the linked name of the script you want to copy to open it for editing. The Script: Edit Detail page appears. 3. Click the Duplicate button. The Scripts list page appears, which includes a new script named “Copy of xxx”, where “xxx” is the name of the copied script. 4. Click the linked name of the copied script to open it for editing. Continue as you would in “Adding Scripts,” on page 106.
Administrator Guide for KBOX 1000 Series, version 3.3
110
Using the Run Now Function The Run Now function provides a way for you to run scripts on selected machines immediately without setting a schedule. You may want to use this function if you have machines on your network that you suspect are infected with a virus or other vulnerability which could compromise your entire network if not resolved right away. Run Now is also useful for testing and debugging scripts on a specific machine or set of machines during development. The Run Now function is available in three places: Run Now tab - Running Scripts from the Scripting | Run Now tab allows you to run one script at a time on the target machines. Script: Edit Detail Page - Running Scripts from the Script : Edit Detail page allows you to run one script at a time on the target machines. Scripts List Page - Running scripts from the Scripts List Page using the Run Now option from the Choose action drop-down list allows you to run more than one script at the same time on the target machines. CAUTION: Because a script is deployed immediately when you click Run Now, use this feature cautiously, and do not deploy unless you are certain that you want to run the script on the target machines. Be sure to specify a label on which to run the script, otherwise it will deploy to all machines by default. See “Creating Labels,” on page 43 for more information.
Run Scripts using the Run Now tab You can run scrips using the Scripting | Run Now tab. To run Scripts using the Run Now tab: 1. Select Scripting | Run Now. The Run Now page appears. 2. Select the Script you want to run in the Scripts list. You can use the Filters to filter the Scripts list. 3. Select the machines on which Script needs to run from the Inventory Machines list. Selected machine name appears in the Machine Names field. You can use the Filters to filter the machine names list. You can add all the machines by clicking Add All. Atleast one machine name should be present in the list to run the script. 4. Click Run Now to run the selected Script.
Run Now from the Script Detail page To use the Run Now function from the Script Detail page: 1. To minimize the risk of deploying to unintended target machines, KACE recommends that you create a label that represents the machine or machines on which you want to use the Run Now function. See “Creating Labels,” on page 43 for more information. 2. Select the Scripting tab.
Administrator Guide for KBOX 1000 Series, version 3.3
111
3. Select the script you want to run. The Script: Edit Detail page appears. 4. Select the label or labels that represent the machine(s) on which you want to run the script. Press CTRL and click to select multiple labels. 5. Scroll to the bottom of the Scheduling section, then click Run Now. To use the Run Now function from the Scripts Lists Page: 1. To minimize the risk of deploying to unintended target machines, KACE recommends that you create a label that represents the machine or machines on which you want to use the Run Now function. See “Creating Labels,” on page 43 for more information. 2. Select the Scripting tab. 3. Select the script or scripts you want to run. 4. Select Run Now from the Choose action drop-down list.
Monitoring Run Now status When you click Run Now or select Run Now from the Choose action drop-down list, the Run Now Status tab appears where you will see a new line item for the script. The Pushed column indicates the number of machines on which the script is attempting to run. The Completed column indicates the number of machines that have finished running the script. The numbers in these columns increment accordingly as the script runs on all of the selected machines. The icons above the right-hand column provide further details of the script status. Icon
Description The script completed successfully. The script is still being run, therefore its success or failure is unknown. An error occurred while running the script.
Table 8-4: Run Now Status tab icons If there were errors in pushing the scripts to the selected machines, you can search the scripting logs to determine the cause of the error. For more information about searching logs, see “Searching Scripting Log Files,” on page 114. The Run Now function communicates over port 52230. One reason a script might fail to deploy is if firewall settings are blocking the KBOX Agent from listening on that port.
Administrator Guide for KBOX 1000 Series, version 3.3
112
Run Now Detail Page For more information on a Run Now item, click the linked start time on the Run Now Status page to display the item’s Run Now Detail page. The Run Now Detail page displays the results of a script that was run manually using the Run Now Function, instead of running it on a schedule. The Push Failures section lists those machines that the server could not contact, and therefore did not receive the policy. Once pushed, it may take some time for the machine to complete a policy. Machines that have received the policy, but have not reported their results yet are listed in the Scripts Running section. After the policy is run, it will report either success or failure. The results will be sorted under the appropriate section. Each individual computer page also has the results of the Run Now events run on that machine.
Administrator Guide for KBOX 1000 Series, version 3.3
113
Searching Scripting Log Files The Search Logs page allows you to search the logs uploaded to the KBOX 1000 Series appliance by the machines on your network. To search scripting logs: 1. Select Scripting |Search Logs. 2. Enter the keywords to search for in the Search for field. You can use the following operators to change how the logs are searched: Operator
Function
+
A leading plus sign indicates the word must be present in the log.
-
A leading minus sign indicates the word must not be present in the log.
*
A trailing asterisk can be used to find logs that contain words that begin with the supplied characters.
“
A phrase enclosed in double quotes matches only if the log contains the phrase exactly as typed.
Table 8-5: Available search operators 3. To search only in logs uploaded by a particular script, choose the script name. 4. Select the log type to search in from the drop-down list. Options include: Output, Activity, Status, and Debug. 5. In the Historical field, select whether to search in only the most recent logs or in all logs from the drop-down list. 6. To search only in logs uploaded by KBOX Agents in a particular label group, select the label from the drop-down list. 7. Click Search.
Administrator Guide for KBOX 1000 Series, version 3.3
114
Configuration Policies The Configuration Policy page displays a list of wizards you can use to create policies that manage various aspects of the computers on your network. To access the list of available Configuration Policy wizards, click the Scripting button, then select the Configuration Policy tab. This section includes descriptions of the settings for each of the policies you can create. Available wizards include: Enforce Registry Settings Remote Desktop Control Troubleshooter Enforce Desktop Settings Desktop Shortcuts Wizard Event Log Reporter MSI Installer Wizard UltraVNC Wizard Un-Installer Wizard Windows Automatic Updates Settings.
Administrator Guide for KBOX 1000 Series, version 3.3
115
Enforce Registry Settings This wizard allows you to quickly create scripts that enforce particular registry settings. To enforce registry settings: 1. Use regedit.exe to locate and export the values from the registry that you are interested in. 2. Open the .reg file that contains the registry values you want with notepad.exe and copy the text. 3. Select Scripting |Configuration Policy. 4. Click Enforce Registry Settings. The Configuration Policy : Enforce Registry Settings page appears. 5. Enter a policy name in the Policy Name field. 6. Paste the copied registry values into the Registry File field. 7. Click Save. After clicking Save you will be taken to the Script: Edit Detail page, where you will need to enable and set a schedule for this policy to take effect. A new script will be created that will check that the values in registry file match the values found on the target machines. Any values that are missing or incorrect will be replaced. See “Adding Scripts,” on page 106 for more information.
Remote Desktop Control Troubleshooter This editor creates a troubleshooting script for the KBOX 1000 Series Remote Control functionality. The script that this page generates will test the following things: Terminal Services: To access a Windows XP Professional machine using Remote Desktop, Terminal Services must be running. This script will verify that this is the case; Firewall Configuration: If the Windows XP SP2 Firewall is running on the machine, several different configurations may be affecting whether the Remote Desktop requests are being blocked by the firewall. To troubleshoot remote behavior: 1. Select Scripting |Configuration Policy. 2. Click Remote Desktop Control Troubleshooter. The Configuration Policy : Remote Control Troubleshooter page appears. Under Firewall Configuration, specify the desired settings. 3. Click Save. After clicking Save you will be taken to the Script: Edit Detail page, where you will need to enable and set a schedule for this policy to take effect. See “Adding Scripts,” on page 106 for more information.
Administrator Guide for KBOX 1000 Series, version 3.3
116
Enforce Desktop Settings This wizard allows you to build policies that affect the user's desktop wallpaper. The Wallpaper bitmap file is distributed to each machine affected by the policy. This file must be in the Bitmap (.bmp) format. To create a policy to enforce Desktop Settings: 1. Select Scripting |Configuration Policy. 2. Click Enforce Desktop Settings. 3. Select the Use wallpaper check box to enforce this setting. 4. Click Browse to select and upload the .bmp file to use for the wallpaper. 5. Select a position for the wallpaper image from the Position drop-down list. Select Stretch to stretch the image so that it covers the entire screen. Select Center to display the image in the center of the screen. Select Tile to repeat the image over the entire screen. 6. Click Save. After clicking Save you will be taken to the Script: Edit Detail page, where you will need to enable and set a schedule for this policy to take effect. See “Adding Scripts,” on page 106 for more information.
Desktop Shortcuts Wizard This wizard allows you to quickly create scripts that add shortcuts to users' Desktop, Start Menu, or Quick Launch bar. You can create an Internet shortcut and can put a URL to the target with no parameters and working shortcut. To create scripts to add shortcuts: 1. Select Scripting |Configuration Policy. 2. Click Desktop Shortcuts Wizard. The Configuration Policy : Enforce Shortcuts page appears. 3. Enter a name for the desktop shortcut policy in the Policy Name field. 4. Click Add Shortcut. 5. Specify the shortcut details. Name
The text label that will appear below or beside the shortcut.
Target
The application or file that is launched when the shortcut is clicked, e.g., Program.exe.
Parameters
Any command line parameters. For example: /S /IP=123.4
WorkingDir
Changes current working directory. For example: C:\Windows\Temp
Location
Select the location where the shortcut will appear from the drop-down list. Options include Desktop, Quick Launch, and Start Menu.
6. Click Save Changes to save the new shortcut. 7. Click Add Shortcut to add more shortcuts. To edit or delete a shortcut, hover over a shortcut and click the Trash can icon that appears. 8. Click Save. After clicking Save you will be taken to the Script: Edit Detail page, where you will need to enable and set a schedule for this policy to take effect. See “Adding Scripts,” on page 106 for more information.
Administrator Guide for KBOX 1000 Series, version 3.3
117
Event Log Reporter This wizard creates a script that queries the Windows Event Log and uploads the results to the KBOX 1000 Series. To create an Event Log query: 1. Select Scripting |Configuration Policy. 2. Click Event Log Reporter. The Configuration Policy : Event Log Reporter page appears. 3. Specify query details: Output filename
The name of the log file created by the script.
Log file
The type of log you want to query. Options include Application, System, and Security.
Event Type
The type of event you want to query. Options include Information, Warning, and Error.
Source Name
Use this optional field to restrict the query to events from a specific source.
4. Click Save. After clicking Save you will be taken to the Script: Edit Detail page, where you will need to enable and set a schedule for this policy to take effect. See “Adding Scripts,” on page 106 for more information.
MSI Installer Wizard This wizard helps you set the basic command line arguments for running MSI based installers. See the MSI Command Line documentation for full details. To create the MSI Installer policy: 1. Select Scripting |Configuration Policy. 2. Click MSI Installer Wizard. The Configuration Policy : MSI Wizard page appears. 3. Enter the following information: Action
Select a task. Options include Install, Uninstall, Repair missing files, and Reinstall all files.
Software
Select the application you want to install, uninstall, or modify.
MSI filename
Enter a MSI filename.
User Interaction
Select an option to specify how the installation should appear to end users. Options include: Default, Silent, Basic UI, Reduced UI, and Full UI. See MSI documentation for a complete description of the available options.
Installation Directory
Specify the installation directory.
Additional Switches
Include any additional installer switches. Additional Switches will be inserted between the msiexe.exe and the /i foo.msi arguments.
Administrator Guide for KBOX 1000 Series, version 3.3
118
Additional Properties
Include any additional properties. Additional Properties will be inserted at the end of the command line. For example: msiexec.exe /s1 /switch2 /i patch123.msi TARGETDIR=C:\patcher PROP=A PROP2=B
Feature List
Enter the features to install. Separate features with commas.
Store Config per machine
Select this box to do per-machine installations only.
After install
Select the behavior after installation. Options include: Delete installer file and unzipped files Delete installer file, leave unzipped files Leave installer file, delete unzipped files Leave installer file and unzipped files.
Restart Options
Select the restart behavior. Options include: No restart after installation Prompts user for restart Always restart after installation Default
Logging
Select the type(s) of installer messages to log. Press CTRL and click to select multiple message types. Options include: None All Messages Status Messages Non-fatal warnings All error messages Start up actions Action-specific records User requests Initial UI parameters Out-of-memory or fatal exit information Out-of-disk-space messages Terminal properties Append to existing file Flush each line to the log See MSI documentation for a complete description of the available logging options.
Log File Name
Specify the name of the log file.
4. Click Save. After clicking Save you will be taken to the Script: Edit Detail page, where you will need to enable and set a schedule for this policy to take effect. See “Adding Scripts,” on page 106 for more information.
Administrator Guide for KBOX 1000 Series, version 3.3
119
UltraVNC Wizard The UltraVNC Wizard creates a script to distribute UltraVNC to Windows computers on your network. UltraVNC is a free software solution that allows you to display the screen of a computer (via Internet or network) on another computer. You can use your mouse and keyboard to control the other computer remotely. It means that you can work on a remote computer, as if you were sitting in front of it, right from your current location.This wizard creates a script to deploy UltraVNC to your computers. See UltraVNC documentation for complete details. Go to http://www.uvnc.com/ for UltraVNC downloads and documentation.
To distribute UltraVNC to the computers on your network: 1. Select Scripting | Configuration Policy. 2. Click UltraVNC Wizard. The Configuration Policy : Ultra VNC Wizard page appears. 3. Specify UltraVNC installation and authentication options: Install Options
Install Mirror Driver
Check the Mirror Driver box to if you want to install the optional UltraVNC Mirror Video Driver. The Mirror Video Driver is a driver that UltraVNC can use to be quickly and efficiently notified with screen changes. Using it on an UltraVNC server results in an excellent accuracy. The video driver also makes a direct link between the video driver framebuffer memory and UltraWinVNC server. Using the framebuffer directly eliminates the use of the CPU for intensive screen blitting, resulting in a big speed boost and very low CPU load. See UltraVNC documentation for complete details.
Authentication
Install Viewer
Check the Mirror Driver box to if you want to install the optional UltraVNC Mirror Video Driver.
VNC Password
Provide a VNC password for authentication.
Require MS Logon
If you want to use MS Logon authentication, use MSLogonACL.exe /e acl.txt to export the ACL from your VNC installation. Copy and paste the contents of the text file into the ACL field. It is advisable to look at the script that is generated by this wizard to make sure it is doing something you expect. You can view the raw script by clicking View raw XML Editor on the Script Detail page.
Administrator Guide for KBOX 1000 Series, version 3.3
120
4. Specify UltraVNC miscellaneous options: Disable Tray Icon
Check this box if you do not want to display the UltraVNC tray icon on the target computers.
Disable client options in tray icon menu
If you did not check Disable Tray Icon, check this box if you do not want to display client options in the tray icon menu on the target computers.
Disable properties panel
Check this box to disable the UltraVNC properties panel on the target computers.
Forbid the user to close down WinVNC
Check this box if you do not want to allow computer users to shut down WinVNC.
5. Click Save. After clicking Save you will be taken to the Script: Edit Detail page, where you will need to enable and set a schedule for this policy to take effect. See “Adding Scripts,” on page 106 for more information.
Un-Installer Wizard This wizard allows you to quickly build a script to uninstall a software package. The resulting script can perform three actions: Execute an uninstall command;Kill a process; and Delete a directory. To create an uninstaller script: 1. Select Scripting | Configuration Policy. 2. Click Un-Installer Wizard. The Configuration Policy : Uninstaller page appears. 3. Enter the following information: Job Name
Enter a name for the uninstaller script.
Software Item
Select the software item to uninstall. The wizard will attempt to fill in the correct uninstall command. Verify that the values are correct.
Uninstall Command Directory Uninstall Command File
When you select the software item, the wizard will attempt to fill in the uninstall command directory, file, and parameters.
Uninstall Command Parameters
Review the entries to make sure the values are correct.
Kill Process
To have a process killed before executing the uninstall command, enter the full name of the process in the Kill Process field. (For example: notepad.exe)
Delete Directory.
To have a directory deleted after executing the uninstall command, enter the full name of the directory in the Delete Directory field here. (For example: C:\Program Files\An Example App\).
4. Click Save. After clicking Save you will be taken to the Script: Edit Detail page, where you will need to enable and set a schedule for this policy to take effect. See “Adding Scripts,” on page 106 for more information.
Administrator Guide for KBOX 1000 Series, version 3.3
121
Windows Automatic Update Settings policy This policy allows you to configure a script to control Windows Automatic Updating system. Detailed information can be found at Microsoft's Knowledge Base Article 328010 (http://support.microsoft.com/kb/ 328010). To modify Windows Automatic Update settings: 1. Select Scripting | Configuration Policy. 2. Click Windows Automatic Update Settings. The Windows Automatic Update Policy page appears. The Windows Automatic Update Policy page appears. 3. Enter the following information: Automatic (recommended)
Select this option to enable automatic downloading of Windows Updates.
Download updates for me, but let me choose when to install them.
Select this option to ensure that you always receive the latest downloads, but retain the flexibility to decide when to install them.
Notify me but don’t automati- Select this option provides for the most flexibility. Be aware, howcally download or install them. ever, that this may make your network more vulnerable to attack if you neglect to retrieve and install the updates on a regular basis. Turn off Automatic Updates
Select this option if you are using the KBOX 1000 Series Patching feature to manage Microsoft patch updates.
Remove Admin Policy. User allowed to configure.
Select this option to provide users with control over the update process. Be aware, however, that this may make end-users, and therefore your network, more vulnerable to attack.
4. Select the interval (in minutes) to wait to reschedule an update if the update fails from the Reschedule Wait Time drop-down list. 5. Specify whether or not to reboot while a user is logged in. 6. Enter the details for the SUS Server and SUS Server Statistics. 7. Click Save. After clicking Save you will be taken to the Script: Edit Detail page, where you will need to enable and set a schedule for this policy to take effect. See “Adding Scripts,” on page 106 for more information.
Administrator Guide for KBOX 1000 Series, version 3.3
122
C H A P T E R 9
Patching The KBOX 1000 Series Patching feature enables you to quickly and easily deploy Microsoft patches to your network. This feature is available only for computers that run on the Windows operating system. “Overview of Patching feature,” on page 124 “Bulletin Management workflow,” on page 126 “Updating Patch definitions,” on page 131
Overview of Patching feature The KBOX 1000 Series patching feature provides access to the latest Microsoft Security bulletin updates for Windows platforms including Microsoft Office programs. Microsoft updates its list of Security bulletins nightly, and new patches are available for download from the KBOX 1000 Series daily beginning at 3 AM. The KBOX 1000 Series automatically downloads patch software and creates managed installations based on the configured patch settings. You can view the list of available bulletins, see which bulletins require attention, and access other patching functions from the Distribution | Patches tab. The Bulletin Management view of the Patches tab provides a central interface where you can easily review, approve, or decline patches, as well as access all other patch functions. From the Distribution | Patches tab you can: Filter and search patch bulletins Approve or decline bulletins Configure and troubleshoot patch deployment Create a new Replication Share Create a new Windows update policy See a list of computers currently patching Run patch reports View patch status. To sort the bulletin list view by status, importance, or bulletin year, click one of the links at the top of the page under Bulletin Lists. The Patch Listing page appears. The Patch Listing page provides a list of all available bulletins, which you can further sort based on status, bulletin year, importance, bulletin year, or affected operating system. You can also view only those bulletins that encountered errors during deployment. To view details about a specific patch, click the linked name of the bulletin. The Patch Listing page uses the following icons to convey the status of a bulletin: Icon No icon
Description Bulletin needs review. The bulletin is approved for distribution. The bulletin is under review. The bulletin is declined and will not be distributed.
Table 9-1: Patch List icons
The Patch Listing page also contains the following information: Importance - The severity rating of the patch: Unrated, Low, Moderate, Important, or Critical Expected - The number of computers to which the patch will be deployed
Administrator Guide for KBOX 1000 Series, version 3.3
124
ToDo - The number of computers still to be patched Error - The number of errors encountered during the patch process. To return to the Bulletin Management page from the Patch Listing page, click the Patches tab again.
Administrator Guide for KBOX 1000 Series, version 3.3
125
Bulletin Management workflow The process for deploying patches on your network follows these basic steps: Downloading, Reviewing/ Approving, Deploying, and Reporting. The sections that follow describe each of these steps in detail along with associated tasks and settings. The Bulletin Management page provides a dashboard from which you can access all the necessary patch deployment tasks. The Bulletin Lists offer a filtered view of the bulletins so you can scale the list to specific bulletins by year, importance (critical), or status (approved or declined).
Downloading patch bulletins As mentioned previously, the KBOX 1000 Series automatically downloads all new patches available from Microsoft every day. However, you can modify the patch configuration settings to only download bulletins from a certain year, invoke an immediate patch download, or delete all software associated with previously downloaded patches. To configure patch download settings: 1. Select Distribution |Patches. 2. Under Associated Activities, click the Change Patch Settings link. The Patch Settings page appears. 3. Scroll down and click the [Edit Mode] link. 4. Under Download Patches from, select the bulletin year. 5. To update patch definitions immediately, click Update Patches Now. 6. To delete all software associated with previously download patches, click Delete Patches ( ). The number of Managed Installations that will be deleted is in parenthesis.
Reviewing & approving bulletins When new bulletins appear in the KBOX 1000 Series, they appear under the Need Review Bulletins section of the Bulletin Management page so that you can easily see which bulletins need your attention. You should review items listed here and move them to the appropriate category (Approved, Reviewing, or Declined) as soon as possible. You can review and approve bulletins in several ways: from the Needs Review Bulletin list, from the Patch List page, or from the individual bulletin detail page. Both the Needs Review Bulletin and Patch List offer the option of modifying multiple bulletins at once. Additionally, you can sort the bulletin view by the most Critical bulletins to ensure that you approve and deploy the most sensitive bulletins as quickly as possible. To review bulletins from the Needs Review Bulletin list: 1. Select Distribution | Patches. 2. Under the Needs Review Bulletins, select the check box beside the bulletin(s) you want to modify. 3. Select the check box beside the bulletin(s) you want to modify. 4. Select the check box next to the check mark in the header to select all bulletins.
Administrator Guide for KBOX 1000 Series, version 3.3
126
5. Select one of the following options from the Choose action drop-down list: Needs review
The default option on this page. Bulletin will remain on the Needs Review list. Bulletin will not be distributed.
Reviewing
The bulletin is moved out of the Needs Review list, but still requires an Approved status before it will be deployed.
Approved
The bulletin will be deployed according to the patch settings you specify.
Declined
The bulletin will be removed from the Needs Review list.
6. Click Save. To review patches from the Patch listing: 1. Select Distribution | Patches. 2. Under To Do Lists, click the Need Review Bulletins link. The Patch Listing page appears. 3. Select the check box beside the bulletin(s) you want to modify. 4. From the Choose action drop-down list, select the desired status. You can change the status of bulletins in batches or individually. There are several ways to change the status of a bulletin: From the Bulletin Management page From the Patch List page From the Bulletin Detail page. To change the status of all open bulletins at once: 1. From the Bulletin Management Page, under Need Review Bulletins, click the + Bulletins link to expand the list. 2. Scroll down and select the Check All Bulletins check box. 3. Select the desired status: Reviewing Approved Declined. 4. Click Save. To change bulletin status individually: 1. From the Bulletin Management Page, under Need Review Bulletins, click the + Bulletins link to expand the list. 2. Click the linked bulletin number. The Bulletin: Detail page appears in a new browser window. 3. Select the desired status: Needs review Reviewing Approved Declined.
Administrator Guide for KBOX 1000 Series, version 3.3
127
4. Click Save. If you see the word WARNING on this page, it means that the settings for the various Managed Installations listed are different from each other. Clicking Save under these circumstances will overwrite those different settings with the values you specify on this page. To see a list of software titles affected by this bulletin, scroll down to the bottom of the page.
Deploying bulletins When you approve a bulletin, you will see the Bulletin: Detail page where you will see the bulletin details, such as the computers to which you want to deploy bulletins be deployed to, operating systems affected, and links to access the Managed Installation details for the bulletin. By default, approved bulletins are set to execute the next time a machine checks in to the KBOX 1000 Series. You can configure this and other settings, such as installation behavior, user interaction, and deployment window from the Patch Settings page. To configure bulletin deployment settings: 1. Select Distribution |Patches. 2. Under Associated Activities, click the Change Patch Settings link. The Patch Settings page appears. 3. Click the [Edit Mode] link to modify settings. 4. Enter Patch Download Maintenance information as follows: Download Patches From
Select a year from the drop-down list.
Update Patches Now
Click Update Patches Now to update your list of patches.
Delete all Patch Software
Click Delete Patches to delete all downloaded patches.
5. Specify the following Default Patch Settings: Managed Action
Select a Managed Action from the drop-down list. This dictates deployment behavior. Options include: Execute anytime (next available) Execute before logon (at machine bootup) Execute after logon (before desktop loads) Execute while user logged on Execute while user logged off.
Quiet Install
Select this check box to install the patch without notifying the user.
Suppress Reboot
Select this check box to install the patch without requiring the users machine to reboot.
Deployment Window
By default, the KBOX 1000 Series will attempt to deploy this patch for 24 hrs. Select a time on a 24-hour clock to open the deployment window and a time to close the deployment window.
Administrator Guide for KBOX 1000 Series, version 3.3
128
Limit Deployment To
Specify the label(s) to which you want to deploy the patch. KACE recommends deploying patches to a test label with a small number of machines before deploying more widely on your network. Press CTRL and click to select multiple labels.
Max Attempts
Specify the maximum number of times (between 1 and 99) the KBOX 1000 Series will attempt to install the patch before giving up.
Allow Snooze
Select this check box to allow users to delay patch installation until a later time.
Pre-Install Message
Select this check box to display a message to users before installing the patch. Additional Pre-Install Message fields appear.
Pre-Install User Message
Enter the message text that will displayed to users before installing the patch.
Pre-Install Message Timeout
Enter a timeout duration for the message in minutes.
Pre-Install Message Timeout Action
Select one of the following options from the drop-down list. This action will be taken if the time duration is reached. Options include: Install Now Install Later
Post-Install Message
Select this check box to display a message to users after installing the patch. Type message in space provided.
Post-Install User Message
Enter the message text that will displayed to users after the patch is installed.
Post-Install Message Timeout
Enter a timeout duration for the message in minutes.
Delete Downloaded Files
Select to download all the files after the patch is installed.
6. To apply these changes across all patches, select the Apply changes to existing patches check box. 7. Click Save.
Administrator Guide for KBOX 1000 Series, version 3.3
129
Reporting patching results There are several ways you can access patching results. To see which patches were unsuccessful, for example, you could select Bulletins with deployment errors from the To Do Lists section of the Bulletin Management page, or sort the Patch Listing page by Bulletins with Errors. For more details about patching status and results, you can refer to the Computer Information, Patch Reports, and Patch System Status sections of the Bulletin Management page. Computer Information includes the Machine name, IP Address, Last Sync, Last User Logged In, and the Number of Patches for each machine to which patches were deployed. The Patch Reports section provides quick links for viewing reports on: Critical Bulletin List For each Machine, what patches are installed For each Patch, what machines have it installed How many computers have each Patch installed Installation Status of each enabled Patch Needs Review Bulletin List Patches waiting to be deployed. The Patch System Status gives an overview of the number of bulletins that have been downloaded from Microsoft, the status of the last update, and the date and time of the last attempted and successful downloads.
Creating a Replication Share for patches A Replication Share allows a KBOX Agent to replicate software installers to a share for use by other KBOX Agents. This allows KBOX Agent machines to download patch software from the share instead of directly from the KBOX 1000 Series. This is useful if you have machines in a remote office where downloading the software once for each machine would impact the network. For more information about creating Replication Shares, see Chapter 6,“Replication,” starting on page 91.
Create new Windows Update Policy The KBOX 1000 Series provides a way for you to control the behavior of the Windows Update feature. This feature allows you to specify how and when Windows updates are downloaded so that you can control the update process for the computers on your network. Although this functionality is accessible from the Bulletin Management page, the configuration settings reside under the Scripting | Configuration Policy tab. For more information about this policy, see “Windows Automatic Update Settings policy,” on page 111.
Administrator Guide for KBOX 1000 Series, version 3.3
130
Updating Patch definitions Although the definitions for Microsoft patches are updated automatically on a scheduled basis, you can retrieve the latest files manually from the Server Maintenance page. To update the Patch definitions:
1. Select Distribution | Patches. 2. To update Microsoft patches, click Change Patch Setting.
Administrator Guide for KBOX 1000 Series, version 3.3
131
C H A P T E R 10
Security The optional KBOX 1000 Series Security Enforcement and Audit Module allows you to run vulnerability tests on your network using Open Vulnerability and Assessment Language (OVAL). This feature is available only for computers that run on the Windows operating system. “Security Module Overview,” on page 133 “OVAL Tests,” on page 134 “OVAL Reports,” on page 138 “Creating Security Policies,” on page 139
Security Module Overview If you purchased the optional KBOX 1000 Series Security Enforcement and Audit Module, you can ensure the health of your network by running vulnerability tests on the computers in your network, then, based on testing results, you can determine how to bring the computers back into compliance. You can customize security policies to enforce certain rules, schedule tests to run automatically, and run reports based on testing results. The KBOX 1000 Series Security Enforcement and Audit Module uses Open Vulnerability and Assessment Language (OVAL), an internationally recognized standard for detecting security vulnerabilities and configuration issues on computer systems. OVAL is compatible with the Common Vulnerabilities and Exposures (CVE) list, which provides common names used to describe known vulnerabilities and exposures. The ability to describe vulnerabilities and exposures in a common language makes it easier to share security data with other CVE-compatible databases and tools. Note that the OVAL tests available with your KBOX 1000 Series when it is first installed might be out of date. After installation, the KBOX 1000 Series will automatically check for updates nightly. You can see the current OVAL version on the KBOX Summary Info page (Reporting | Summary).
About OVAL and CVE OVAL relies on definitions submitted by members of the security community on the Community Forum, by MITRE Corporation, or by the OVAL Board, to detect vulnerabilities on your network. OVAL uses the vulnerabilities on the CVE List as the basis for most of its definitions. CVE content is determined by the CVE Editorial Board, which is composed of experts from the international information security community. Any new information about a vulnerability that is uncovered as a result of discussions on the Community Forum are sent to the CVE Initiative for possible addition to the list. For more information about CVE visit http://cve.mitre.org. OVAL definitions pass through a series of phases before being released. Depending on where a definition is in this process, it will likely be assigned a status of DRAFT, INTERIM, or ACCEPTED. Other possible values for status are Initial Submission and Deprecated. For more information about the stages of OVAL definitions, visit http://oval.mitre.org/about/stages.html. Status
Description
Draft
Definitions with this status have been assigned an OVAL ID number and are under discussion on the Community Forum and by the OVAL Board.
Interim
Definitions with this status are under review by the OVAL Board and available for discussion on the Community Forum. Definitions are generally assigned this status for two weeks, unless further changes or discussion are required.
Accepted
Definitions with this status have passed the Interim stage and are posted on the OVAL Definition pages. All history of discussions surrounding Accepted definitions are linked from the OVAL definition.
Table 10-1: OVAL status definition descriptions
Administrator Guide for KBOX 1000 Series, version 3.3
133
OVAL Tests The KBOX 1000 Series checks nightly for updates to the list of available OVAL definitions. Definitions are displayed on the OVAL Tests tab, along with their associated OVAL ID and CVE Number. Search for a specific OVAL test by operating system, vulnerability, or by OVAL ID or CVE Number. To view the list of OVAL definitions, click the Security button, then select the OVAL Tests tab. To view the details of a test, click the linked definition to view the OVAL Test Detail page. When OVAL tests are enabled, all of the available OVAL tests are run on the target machines. Click the OVAL-ID or CVE-ID for more details about a vulnerability
Definition status
The steps used to test for the vulnerability
The computers detected to have this vulnerability along with the IP address and operating systems of the affected computers Figure 10-2: OVAL Test Definition page OVAL Test details do not indicate the severity of the vulnerability. Use your own judgement when determining whether to test your network for the presence of a particular vulnerability.
Administrator Guide for KBOX 1000 Series, version 3.3
134
The table below contains an explanation of the fields found on the OVAL Tests Definition page. Field
Description
OVAL-ID
Click the OVAL-ID to visit an external Web site with more details about the vulnerability. The status of the vulnerability follows the OVAL-ID. Possible values are DRAFT, INTERIM, or ACCEPTED.
Class
Indicates the nature of the vulnerability. Possible values are: compliance, deprecated, patch, and vulnerability.
Ref-ID
Click the Ref-ID to visit an external Web site for more details about the vulnerability.
Description
The common definition of the vulnerability as found on the CVE list.
Definition
Specifies the testing steps used to determine whether or not the vulnerability exists.
Table 10-3: OVAL Test Definition page fields
The table at the bottom of the page displays the list of computers in your network that contain this vulnerability. For convenience, a printer-friendly version of this data is available.
Running OVAL Tests The KBOX 1000 Series runs OVAL tests automatically based on the schedule specified in OVAL Settings. Because OVAL Tests take up a considerable amount of memory and CPU, they will impact the performance of the target machines. OVAL Tests take between 5 and 20 minutes to run. Therefore, to minimize the disruption to your users, it is best to run OVAL Tests once a week, or once a month during off hours when your users are least likely to be inconvenienced. For example, you may want to schedule OVAL to run once a week on a Saturday. If you are only running OVAL Tests periodically, or if there are only select machines whose OVAL Test results you are concerned about, you could assign a label to those machines and use the Run Now Function to run OVAL Tests on those machines only. For more information about the Run Now Function, see “Using the Run Now Function,” on page 101.
OVAL Updates The KBOX 1000 Series checks www.kace.com for new OVAL definitions nightly, but you should expect new definitions weekly. If you have OVAL tests enabled, the KBOX 1000 Series will download new OVAL definitions to all client machines on the next scripting update interval whenever a new package becomes available, regardless of the OVAL schedule settings. The .zip file that contains the updates could be up to 2MB, so use caution when enabling OVAL Tests for the computers on your network, as the size of the package could impact the performance of users’ machines, particularly those on dialup connections. For this reason, a good rule to follow is to only enable OVAL Tests when you want to run them. For example, if you wanted to schedule OVAL Tests to run on January 1st, you could disable them on January 2nd, and not enable them again until close to the next time you want them to run. Any OVAL updates that are pulled down while the OVAL Tests are disabled will be stored on the KBOX 1000 Series and only pushed out to the target machines when enabled again.
Administrator Guide for KBOX 1000 Series, version 3.3
135
OVAL Settings and Schedule By default, OVAL is set to run on all machines, on all operating systems, and at 3AM. To specify OVAL settings: 1. Select Security | Oval Settings. The OVAL Settings & Schedule page is displayed. 2. Specify the Configuration settings: Enabled
Run OVAL on the target machines. Only enabled OVAL Tests will run when you want to run them.
Allow Run While Disconnected
Run OVAL on the target machines, but store test results on the target machine until they can be uploaded to the KBOX 1000 Series.
Allow Run While Logged Off
Run OVAL even if a user is not logged in. With this turned off, the script will only run when a user is logged into the machine.
3. Edit deployment settings as shown in the following table: Deploy to All Machines
Select this check box if you want to deploy to all the Machines. Click OK in the confirmation dialog box.
Limit Deploy To
You can limit deployment to one or more labels. Press CTRL and click to select more than one label.
Supported Operating Systems
Select the operating system to which you want to limit deployment. Press CTRL and click to select more than one operating system. Note: Leave blank to deploy to all operating systems.
4. In the Scheduling area, specify the time and frequency for running OVAL: Don’t Run on a schedule
Tests will run in combination with an event rather than on a specific date or at a specific time. Use this option in combination with one or more of the “Also” choices below. For example, use this option in conjunction with “Also Run at User Login” to run whenever the user logs in.
Run Every n minutes/hours
Test will run on every hour and minutes as specified.
Run Every day/specific day at ...
Test will run on the specified time on the specified day.
Run on the nst of every month/ specific month at...
Test will run on the specified time on the 1st, or 2nd, etc. of every month or only the selected month.
Custom Schedule
This option allows you to set an arbitrary schedule using standard cron format. For example, 1,2,3,5,20-25,30-35,59 23 31 12 * * means: On the last day of year, at 23:01, 23:02, 23:03, 23:05, 23:20, 23:21, 23:22, 23:23, 23:24, 23:25, 23:30, 23:31, 23:32, 23:33, 23:34, 23:35, 23:59. The KBOX 1000 Series doesn’t support the extended cron format.
Also Run Once at next Client Checkin
If this option is selected, test will run once at next client checkin. It is recommended to avoid this option because this option will run tests when the user’s machine is in use. Selecting this option could impact the machine’s performance.
Administrator Guide for KBOX 1000 Series, version 3.3
136
Also Run at Machine Boot Up
If this option is selected, test will run at machine boot up. It is recommended to avoid this option because this option will run tests when the user’s machine is in use. Selecting this option could impact the machine’s performance.
Also Run at User Login
If this option is selected, test will run at user login. It is recommended to avoid this option because this option will run tests when the user’s machine is in use. Selecting this option could impact the machine’s performance.
5. To run the script immediately, click Run Now. The Run Now button only runs tests on the machines selected in the Deployment area, specified in steps 3 and 4 above. For more information about Run Now, see “Using the Run Now Function,” on page 101.
Administrator Guide for KBOX 1000 Series, version 3.3
137
OVAL Reports The OVAL Reports tab displays a list of all of the OVAL Tests that have been run. At a glance, you can see which OVAL Tests failed and the number of computers that failed each OVAL test. From the test detail view, you can see all of the computers that failed that OVAL Test and you can assign a label to those machines so that you can patch them at a later time. In addition, the Computer Reports tab offers a list of machines with OVAL results where you can see a summary of tests run on specific computers. The label under the Machine column is the KBOX 1000 Series inventory ID assigned by the Inventory module. For more information about any of the computers on the report, click the linked machine name to go to the computer’s Inventory Detail page.
Administrator Guide for KBOX 1000 Series, version 3.3
138
Creating Security Policies The KBOX 1000 Series Security Module includes several wizards that can help you create security policies to manage the computers on your network. To view the list of available security policies you can create, Select Security | Security Policy. This section includes descriptions of the settings for each of the policies you can create. After you click Save on one of the policy wizard screens, the Scripting tab will appear where you can specify when to run the script and which machines will be targeted. If you want to modify a script that was created using one of these wizards, you can either re-edit it using the wizard or you can edit the script in the KBOX 1000 Series script editor. Opening the script in the regular KBOX 1000 Series script editor is also a useful way to determine exactly what actions the script performs. Available wizards include: Enforce Internet Explorer Settings Enforce XP SP2 Firewall Settings Enforce Disallowed Programs Settings Enforce McAfee AntiVirus Settings McAfee SuperDAT Updater Enforce Symantec AntiVirus Settings Quarantine Policy Lift Quarantine Action.
Enforce Internet Explorer Settings This policy allows you to control user’s Internet Explorer preferences. You can choose to control some preferences, while leaving others as user-defined. Policy settings enforced by you will overwrite the users’ corresponding Internet Explorer preferences. Because this script modifies user settings, you will need to schedule it to run when the user is logged in. To set the Internet Explorer settings policy: 1. Select Security | Security Policy. 2. Click Enforce Internet Explorer Settings. 3. In the User Home Page area, select Enforce User Home Page policy, then specify the URL to use as the home page. 4. In the Security area, select the Enforce Internet Zone settings policy check box, then choose the security level. 5. Select the Enforce Local Intranet Zone settings policy check box, then choose the security level. 6. Set the following options: Include all local (intranet) sites not listed in other zones Include all sites that bypass the proxy server Include all network paths (UNCs) 7. Select the Enforce Trusted Zone settings policy check box, then choose the security level. 8. Select the Enforce Zone Map check box, then specify the IP addresses or ranges for the following zones:
Administrator Guide for KBOX 1000 Series, version 3.3
139
Restricted sites Locale Intranet sites Trusted sites 9. Select the Enforce Privacy settings policy check box, then set the Cookie policy. 10. Select the Enforce pop-up settings policy check box, then set the following options: Pop-up filter level Web sites to allow 11. Click Save. After clicking Save you will be taken to the Script: Edit Detail page where you must enable and set a schedule for this policy to take effect.
Enforce XP SP2 Firewall Settings This policy enables you to enforce firewall settings on endpoint computers running Windows XP with Service Pack 2. You can enforce different policies based on whether the endpoint computer has authenticated with a domain controller, or is accessing the network remotely, from home or through a wireless hotspot. If your endpoint computer has authenticated with a domain controller, it uses the Domain Policy; otherwise, it uses the Standard Policy, so you might want to configure it to impose tighter restrictions. To set the XP SP2 Firewall settings policy: 1. Select Security | Security Policy. 2. Click Enforce XP SP2 Firewall settings. 3. In either the Domain Policy or Standard Policy areas, indicate whether Firewall is Enabled, Disabled, or if No Policy is in effect. 4. Select or clear the Enable logging check box, then specify a location and name for the log file. By default, the log is stored here: C:\Program Files\KACE\firewall.log. 5. Select or clear the check boxes for the following settings: Allow WMI traffic
Enables inbound TCP traffic on ports 135 and 445 to traverse the firewall. These ports are necessary for using remote administration tools such as the Microsoft Management Console (MMC) and Windows Management Instrumentation (WMI).
Allow Remote Desktop
Enables inbound TCP traffic on port 3389 to traverse the firewall. This port is required for the computer to receive Remote Desktop requests.
Allow file and printer sharing
Enables inbound TCP traffic on ports 139 and 445, and inbound UDP traffic on ports 137 and 138. These ports are required for the machine to act as a file or printer sharing server.
Allow Universal Plug-and-Play (UPnP)
Enables inbound TCP traffic on port 2869 and inbound UDP traffic on port 1900. These ports are required for the computer to receive messages from Plug-and-Play network devices, such as routers with built-in firewalls.
Administrator Guide for KBOX 1000 Series, version 3.3
140
6. To specify Inbound Port Exceptions, click Add Port Exception. Inbound Port Exceptions enables additional ports to be opened in the firewall. These may be required for the computer to run other network services. An Inbound port exception is automatically added for port 52230 for the KACE Client Listener, which is required to use the Run Now functionality. 7. Specify a Name, Port, Protocol, and source for the exception. 8. Click Save. After clicking Save you will be taken to the Script: Edit Detail page, where you must enable and set a schedule for this policy to take effect.
Enforce Disallowed Programs Settings This policy allows you to quickly create a script that prevents certain programs from running on the endpoint machines. After the resulting script is executed on a target machine, these policies take effect only after the next reboot of that machine. On Windows XP or 2000, you can add a shutdown command as the last step of the script to force a reboot, which will enable the policy to take effect right away. The script created as a result of this wizard will overwrite any disallowed program settings on the target machines.
To set the Disallowed Programs settings policy: 1. Select Security | Security Policy. 2. Click Enforce Disallowed Programs Settings. 3. Specify a name for the policy. 4. Select or clear the Disallow programs check box. When checked, all disallowed programs will be prevented from running. When unchecked, all programs will be allowed to run. 5. Add disallowed programs. To prevent Notepad from running, for example, enter notepad.exe. 6. Click Save. After clicking Save you will be taken to the Script: Edit Detail page, where you must enable and set a schedule for this policy to take effect.
Administrator Guide for KBOX 1000 Series, version 3.3
141
Enforce McAfee AntiVirus Settings This policy allows you to configure which McAfee VirusScan features are installed. This policy works with McAfee VirusScan version 8.0i and verifies that the software is installed with the configuration you specify here. It also confirms that the OnAccessScan (McShield) is running. You will need to zip the McAfee VirusScan installation directory and upload it here. A Software Inventory item will be created automatically if it does not already exist. To set the McAfee AntiVirus settings policy: 1. Zip the McAfee VirusScan installation directory. 2. Select Security | Security Policy. 3. Click Enforce McAfee AntiVirus Setting. 4. Click Browse to search for the McAfee zip file. 5. Use the User Interaction drop-down list to specify how the installation should appear to your users. For a description of the available options, refer to the McAfee documentation. 6. Select the McAfee AntiVirus features to install. Press CTRL and click to select multiple features. To install the Alert Manager, use the McAfee tools to include the Alert Manager installation files in the deployment package. Please consult the McAfee documentation for specific information about the features available here. 7. Select or clear the following check boxes: Enable On Access Scanner Lockdown VirusScan Shortcuts Preserve earlier version settings Remove other anti-virus software. 8. Specify the location on the target machine where the following files will be installed: McAfee installation Alert Manager SITELIST.XML Desktop Firewall EXTRA.DAT. 9. Select the information you want to log. Press CTRL and click to select multiple log items. 10. Specify a filename for the log. 11. Enter any special arguments. 12. Specify the reboot behavior. 13. Specify the behavior following installation. 14. Click Save. After clicking Save you will be taken to the Script: Edit Detail page where you must enable and set a schedule for this policy to take effect.
Administrator Guide for KBOX 1000 Series, version 3.3
142
McAfee SuperDAT Updater This policy allows you to build a script for applying McAfee SuperDAT or XDAT updates. There are several steps involved in creating this script: Specifying the update files and reboot behavior on the target machines Selecting the software package(s) to push to target machines during update Verifying network scan status. To create the McAfee update script: 1. Select Security | Security Policy. 2. Click McAfee SuperDAT Updater. 3. Enter a file name and then click Browse to search for the SDAT or XDAT file. 4. Set update options: Install Silently
This option causes the update to be installed without showing a UI on the target computers.
Prompt for Reboot
Use this option to make the update prompt the user before rebooting. Use this option with the "Install Silently" option.
Reboot if Needed
This option causes the update to reboot the machine as needed. If this options is not used, a silent installation will not reboot the machine.
Force Update
Use this option to always update all file versions, even if the machine already appears to have the latest versions.
5. Click Save. After clicking Save you will be taken to the Script: Edit Detail page where you must enable and set a schedule for this policy to take effect.
Enforce Symantec AntiVirus Settings This policy allows you to configure which Symantec AntiVirus features are installed. It verifies that the software is installed with the configuration you specify here. This policy is intended to be run periodically to ensure that Symantec AntiVirus is installed, configured, and running properly, not only upon initial installation. You will need to create a Software inventory item and upload the Symantec AntiVirus.msi file to be distributed.
To set the Symantec AntiVirus settings policy: 1. Select Security | Security Policy. 2. Click Enforce Symantec AntiVirus Settings. 3. Specify the Action to perform. Install Uninstall Repair missing files
Administrator Guide for KBOX 1000 Series, version 3.3
143
Reinstall all files. 4. Select the software package to use for this script. 5. If the software package is zipped, specify the MSI file name. 6. Use the User Interaction drop-down list to specify how the installation should appear to your users. 7. Specify the install directory. 8. Specify any additional switches. 9. Specify any additional properties. 10. Specify behavior after installation. 11. Select the information you want to log. Press CTRL and click to select multiple items. 12. Specify a filename for the log. 13. Select a NETWORKTYPE from the Network Management drop-down list. 14. Specify the server name, if required. 15. Set the AutoProtect option. 16. Set the Disable SymProtect option. 17. Set the Live Update behavior. 18. Select the features you want to install. Press CTRL and click to select multiple items. Please consult the Symantec documentation for specific information about the options available here. You must include the SAVMain feature for this script to work properly, although this wizard does not enforce that.
19. Click Save. After clicking Save you will be taken to the Script: Edit Detail page where you must enable and set a schedule for this policy to take effect. You can/should look at the script that is generated by this wizard to make sure it is doing what you expect. You can view the raw script by clicking To edit the policy using this editor, click here on the Script detail page.
Quarantine Policy Use this wizard to create a script that you can use to quarantine computers that have failed OVAL tests for vulnerabilities. The script that is created as a result of this wizard is merely a template. Use the script editor to modify the template script and add the appropriate verification steps to decide which computers to quarantine. When a computer is under quarantine, all communication from it is blocked except for communication to the KBOX 1000 Series Server, therefore use care when performing this action. If you were to deploy this accidentally to all machines on your network, you could take your network down very quickly.
Administrator Guide for KBOX 1000 Series, version 3.3
144
After a user’s machine is in quarantine, it cannot be unquarantined without intervention by the KBOX 1000 Series administrator. The user will not be able to recover from this without you taking some action. Quarantined computers only have access to the KBOX 1000 Series Server in order to receive a Run Now event to lift the quarantine. To set the Quarantine policy: 1. Select Security | Security Policy. 2. Click Quarantine Policy. 3. Specify a Policy Name. This field is optional. It could be helpful to assign a meaningful name that relates to the vulnerability so that you can lift the quarantine later once that vulnerability is resolved. 4. Leave the KBOX SERVER IP unchanged. 5. Specify the DNS Server IP address. 6. Modify the Message dialog text as desired. This message is displayed to users prior to placing their computer in quarantine. 7. Modify the description text as desired. 8. Click Save. After clicking Save you will be taken to the Script: Edit Detail page where you must enable and set a schedule for this policy to take effect. Modify the Verify steps to determine the conditions under which you want the quarantine to take effect. Although it will not be enabled automatically, it will be configured to deploy to everyone. For more information on scripting, see Chapter 7,“Scripting,” starting on page 91.
Lift Quarantine Action Assuming you have a machine that has been quarantined from the network using the KBOX 1000 Series Quarantine application, you can use this to turn off the quarantine. To set the Lift Quarantine Action policy: 1. Select Security | Security Policy. 2. Click Lift Quarantine Action. 3. Select the label for the quarantined machines or select the specific machine to unquarantine. 4. Enter data in the Filter field to help narrow your search. 5. Click Send Lift Quarantine Now. If there are a lot of computers in quarantine, it will take some time for all of them to receive and process the request.
Administrator Guide for KBOX 1000 Series, version 3.3
145
C H A P T E R 11 User Portal and Help Desk The KBOX 1000 Series Help Desk provides an online area for you to upload software library, support documents, and other self-help tools. The optional KBOX 1000 Series Help Desk Module adds the ability to create, track, and manage Help Desk tickets. “Overview of the User Portal,” on page 147 “Understanding the Software Library feature,” on page 149 “Using the Knowledge Base,” on page 151 “Managing Users,” on page 153 “Overview of the Help Desk Module,” on page 159 “Configuring basic Help Desk settings,” on page 160 “Customizing Help Desk fields,” on page 162 “Creating and editing Help Desk Tickets,” on page 166 “Managing Help Desk tickets,” on page 169 “Running Help Desk Reports,” on page 171
Overview of the User Portal The User Portal provides the ability for users to download software, run scripts, have software installed for them automatically, track computer info, and view a record of what they have downloaded. You can log onto the User Portal by visiting the root URL of the KBOX 1000 Series machine name (for example, http://kbox/). Although users can access the User Portal even if they do not have KBOX Agent installed on their machine, they will not be able to run installations or scripts. The User Portal is administered from the User Portal tab. If you have purchased the optional KBOX 1000 Series Help Desk Module, additional tabs or options are added to the ones described below. For more information about using the features added by the Help Desk Module, see “Overview of the Help Desk Module,” on page 159.
End user view of the User Portal The end-user view of the User Portal displays the following tabs: Welcome - Users enter login credentials from this screen. Software Library - Displays available software for download or automatic install. My Computer - Displays status information about the user’s computer. License Keys - Lists license information for installed software, as available. Help Desk - Users create or edit a Help Desk ticket using this tab. Knowledge Base - Provides access to Knowledge Base articles authored by the administrator. Download Log - Displays a log of software downloaded and installed on the user’s computer. Users also can filter the software or Knowledge Base views by category, or use keywords to narrow their search.
Administrator Guide for KBOX 1000 Series, version 3.3
147
Administrator view of the User Portal As an administrator logged into the administrator UI, you can create and push packages, define Knowledge Base articles, and specify which users can connect. The User Portal tab displays the following tabs: Packages - Packages can be scripts, software packages, documentation, or other media. Knowledge Base - Knowledge Base articles include software notices, instructional content, IT reference documentation, self-help information, and any other specific content intended for the end users. Users - This user information is used to authenticate users of the KBOX 1000 Series Help Desk. Users can be "tagged" with labels in order to define which packages they can access through the portal. The sections that follow will focus on the administrator view of the User Portal and describe the process for creating packages and Knowledge Base articles, and describes managing user access to the User Portal.
Administrator Guide for KBOX 1000 Series, version 3.3
148
Understanding the Software Library feature Software Libraries are deployed to end users via the KBOX 1000 Series User Portal. This "self service" portal allows individuals to download and install software or documents on their own in a controlled environment. The software library you create from the Software Library tab are available for download on the Software Library tab of the User Portal. From the Software Library tab you can create or delete software library, sort software library by label or column header, and search for software library using keywords.
Creating a software library to deploy The Software Library tab allows you to specify the components of the software library you want to make available to your end users; it does not allow you to upload software or author scripts. Any software or script that you want to include in a software library must already exist on the KBOX 1000 Series Software Inventory or Scripting tabs. Along with the software library, you can choose to post cost information, documentation, or other instructions for your users. Any notifications that you have configured will be mailed at the time of user download. You can also restrict access to a software library by specifying a label. To create a package: 1. Select Help Desk | Software Library. 2. In the Choose action drop-down list, select Add New Item. The Portal Package: Edit Detail screen appears. 3. Select or clear the Enabled check box. Select this box to make the software library visible to users on the Help Desk. Clear this check box to hide a software library from users. 4. Specify the software library type: Download
Select this type to include documentation, files, or other software that does not automatically install.
Install
Select this type to select software that will install automatically on the user’s machine. The user must have the KBOX Agent installed to run installations.
Script
Select this type to select a script to include in the software library. The user must have the KBOX Agent installed to run scripts.
5. From the Download drop-down list, choose the software to install. You can filter the list by entering any filter options. 6. Specify the information to include with your package: Installation Instructions
Specify the installation instructions. Any defined instructions, legal policy, cost information, etc will be posted along with the portal package for user visibility.
Product Key
Select this check box to require users to enter a product key upon installation of the software library. The license key specified on the software license entry on the Inventory | Licensing tab.
Administrator Guide for KBOX 1000 Series, version 3.3
149
E-mail Product Key to User Select this option if you want to send download instructions at the time of user download. Request Mgr Notification
Select this option to require users to enter their manager’s mail address for notification prior to downloading or installing the software library.
7. If you selected the Install software library type, specify the command line to run the installation, including any necessary install switches or other parameters. Note that users must have the KBOX Agent installed on their machines in order to run the installations or scripts.
8. If you selected the Script software library type, choose the script from the Script drop-down list. 9. Type any notes in the Additional Notes field. 10. Specify the following informations, as necessary. Corporate License Text
Enter any text related to the Corporate License.
Vendor License Text
Enter any text related to Vendor License.
Unit Cost
Enter the cost per Unit.
Documentation File
Browse the desired documentation file.
11. If desired, select a label to limit software library deployment to specific users. 12. Select the check box to restrict software library deployment by machine label. 13. Click Save. A major benefit of the Help Desk is that it provides your users with the resources they need to solve many of the most common support issues on their own, thus alleviating some of the burden on your support staff. Be sure to provide adequate information to your users so that you, and they, can experience the full benefit of this feature.
Administrator Guide for KBOX 1000 Series, version 3.3
150
Using the Knowledge Base The Knowledge Base allows you to provide documentation, FAQs, or other self-help information for your users. If you purchased the optional Help Desk Module, the Knowledge Base integrates with the Tickets feature to enable users to resolve their own issues. For more information, see “Creating and editing Help Desk Tickets,” on page 166. Users can sort the articles by Article ID, Title, Category, Platform, or Importance, or search article contents by using keywords.
Adding Knowledge Base articles Knowledge base articles are published to the KBOX 1000 Series Help Desk where users can search and sort articles to locate the information they require. If you have the optional Help Desk Module installed, you can also create a new Knowledge Base article from the comments in a Ticket by clicking the Create KB article button on the Ticket Detail page. For more information, see “Creating and editing Help Desk Tickets,” on page 166. To add an article to the Knowledge Base: 1. Select Help Desk | Knowledge Base tab, or select Help Desk | Knowledge Base if you have the optional Help Desk Module installed. 2. Select Add New Item from the Choose action drop-down list. The Knowledge Base: Edit Article page appears. 3. Enter the following article information: Title
A specific description of the issue covered in the article. Make the title as descriptive as possible and use common terms so that it will be easy for an end-user to locate information about a problem.
Category
A general description of the type of issue. (For example, “printing” or “network access”).
Platform
The operating systems to which this article applies.
Importance
The relative weight of the article’s contents. (For example, “reference” or “low”; or “critical” or “high”.
Use Markdown
Markdown is a plain text formatting syntax, and a software tool, written in Perl, that converts the plain text formatting to HTML. See Figure 5-7 below, for an example of markdown syntax and HTML display. For more information about markdown, see http://daringfireball.net/projects/markdown/syntax.
Limit Access To User Labels
Select the labels you want to limit access to.
Article Text
Enter any text about the article.
Administrator Guide for KBOX 1000 Series, version 3.3
151
4. Click Save. The KBOX 1000 Series assigns the article an Article ID and displays it on the Knowledge Base Articles List page. To see how the article appears to your users on the Help Desk, click on the article’s title, and then click the User URL on the Edit Article page.
Editing and deleting Knowledge Base articles You can easily modify or remove existing Knowledge Base articles. There are two options for deleting articles: from the Articles List page and from the Edit Article page. To edit an existing Knowledge Base article: 1. Select Help Desk | Knowledge Base tab, or select Help Desk | Knowledge Base if you have the optional Help Desk Module installed. 2. Click the linked article title. The Knowledge Base: Edit Article page appears. 3. Click the [Edit] link to update the article details. 4. Modify article details, then click Save. To delete an article from the Articles List page: 1. Select Help Desk | Knowledge Base tab, or select Help Desk | Knowledge Base if you have the optional Help Desk Module installed. 2. To delete an article, select the check box beside the article and choose Delete Selected Item(s) from the Choose action drop-down list. 3. Click OK to confirm deletion. To delete an article from the Article Edit page: 1. Select Help Desk | Knowledge Base tab, or select Help Desk | Knowledge Base if you have the optional Help Desk Module installed. 2. Click the linked article title. The Knowledge Base: Edit Article page appears. 3. Click the [Edit] link, then click Delete. 4. Click OK to confirm deletion.
Administrator Guide for KBOX 1000 Series, version 3.3
152
Managing Users When logged in as an administrator, you can add users to the Help Desk either manually or automatically. Depending upon the permissions assigned to the user logged into the Help Desk, all or only a subset of Help Desk features may be available. When adding users to the Help Desk, be sure to specify the correct user permission level.
Adding users manually When adding users to the KBOX 1000 Series, you can tag them with a label, which determines which packages they will have access to in the Help Desk. The details that you enter below are used to authenticate users. To add users manually: 1. Select Help Desk | Users, or select Help Desk | Users if you have the optional Help Desk Module installed. 2. In the Choose action drop-down list, select Add New Item. The User : Edit User Detail page appears. 3. Enter the necessary user details. User Name
Required. This is the name the user types to enter the Help Desk.
Full Name
Required. The user’s full name.
Email
Required for Help Desk installations. The user’s email address. This is the address to which Help Desk messages, if enabled, will be sent.
Domain
Optional. An active directory domain.
Budget Code
Optional. The financial department code.
Location
Optional. The name of a site or building.
Work Phone
Optional. Enter the user’s work phone number.
Home Phone
Optional. Enter the user’s home phone number.
Mobile Phone
Optional. Enter the user’s mobile phone number.
Pager Phone
Optional. Enter the user’s pager phone number.
Custom 1 Custom 2
Optional. Enter the custom related information.
Custom 3 Custom 4 Password
Required. Blank or empty passwords are not valid for new users. The user will be created but the user cannot be activated without a valid password.
Confirm Password
Required. Retype the user’s password.
Assign To Label
Select the labels to assign.
Administrator Guide for KBOX 1000 Series, version 3.3
153
Permissions
Required. Specify the user’s logon permissions: Admin - This user can log on to and access all features of the administrator UI and Help Desk. ReadOnly Admin - This user can log on to the administrator UI, but cannot modify any settings and Help Desk. User - This user can log on to the Help Desk.
Lock user out of User Portal
Select this check box to lock the user out of User Portal.
Allowed to be assigned Help Desk Tickets
Required for Help Desk installations. Select this check box to permit any user (Admin, ReadOnlyAdmin, or User) to be assigned as owner of Help Desk tickets.
4. Click Save. The Users page appears.
Adding users automatically Rather than setting up users individually on the Users tab, you can configure the KBOX 1000 Series to access a directory service (such as LDAP) for user authentication. This allows users to log into the KBOX 1000 Series Administrator portal using their domain username and password, without requiring to add users individually from the Users tab. If the external server requires credentials for administrative login (aka non-anonymous login), you will need to specify those credentials. If you do not specify an LDAP user name, then an anonymous bind will be attempted. The LDAP user configured should have at least READ access to the "search base" area. To configure access to a directory service: 1. Select Settings | Authentication. The KBOX Settings: User Portal Authentication page appears. 2. Click the [Edit Mode] link. 3. Specify the Authentication method you want to use: KBOX (local Authentication)
Select this option if you want to use local passwords for authentication.
External LDAP Server Authentication for
Specify LDAP settings as necessary. Contact KACE customer support if you need assistance with this process.
4. Local authentication is the default setting for the KBOX. If you require external user authentication, for example against an LDAP server or Active Directory server, complete the external server definition by specifying the following information. Server Host Name ( or IP )
Specify IP or Host Name of the LDAP Server. Note: For LDAPS, use the IP or the Host Name, as ldaps:// HOSTNAME
LDAP Port Number
Specify the LDAP Port number which could be either 389 / 636 (LDAPS).
Administrator Guide for KBOX 1000 Series, version 3.3
154
Search Base DN
Specify the Search Base DN. For example: CN=Users,DC=hq,DC=corp,DC=kace,DC=com
Search Filter
Specify the Search Filter. For example: (samaccountname=admin)
LDAP Login
Specify the LDAP login. For example: LDAP Login: CN=Administrator,CN=Users,DC=hq,DC=corp,DC=kace,DC=co m
LDAP Password (if required)
Specify the password for the LDAP login.
5. Click Apply to save your changes. 6. To test LDAP settings, enter a password in the Test User password, then click Test LDAP Settings.
LDAP Browser Wizard If you are unable to fill in the information for Search Base DN and Search Filter, you can use the LDAP Browser Wizard. The LDAP Browser Wizard allows you to browse and search the data located on the LDAP Server. For example, Active Directory Server. You must have the Bind DN and the Password to log on to the LDAP Server. To use the LDAP Browser Wizard: 1. Click LDAP Browser. 2. Specify the LDAP Server Details LDAP Server
Specify IP or Host Name of the LDAP Server. Note: For LDAPS, use the IP or the Host Name, as ldaps:// HOSTNAME
LDAP Port
Specify the LDAP Port number which could be either 389 / 636 (LDAPS).
LDAP Login
Specify the Bind DN For example: CN=Administrator,CN=Users,DC=kace,DC=com
LDAP Password
Specify the password for the LDAP login.
3. Click test. 4. On a successful connection to the LDAP server, a list of possible base DNs (Distinguished Names) available on that directory is displayed. These base DNs can be used as a start point to browse and search the directory. If the connection was not established, the Operation Failed message appears, which could be due to one of the following reasons: The IP or Host Name provided is incorrect.
Administrator Guide for KBOX 1000 Series, version 3.3
155
The LDAP Server is not up. The login credentials provided are incorrect. 5. Click Next or one of the base DNs to advance to the next step. A new window displays the Search Base DN and the Search Filter. The Search Base DN is populated on the basis of the Base DN that you selected in the previous screen. You can modify the Search Base DN and the Search Filter. 6. You can also use the Filter Builder to create complex filters. Click Filter Builder. The Query Builder is displayed. Specify the following information. Attribute Name
Specify the Attribute Name. For example, samaccountname.
Relational Operator
Select the Relational Operator from the drop - down list. For example, =.
Attribute Value
Specify the Attribute Value. For example, admin.
7. To add more than one attribute: Conjunction Operator
Select the Conjunction Operator from the drop - down list. For example, AND. Note: This field is available for the previous attribute only when you add a new attribute.
Add
Click Add. You can add multiple attributes.
Search Scope
Click One level to search at the same level or click Sub-tree level to search at the sub tree level.
8. Click OK. The query appears in the Search Filter text area. For example, (samaccountname=admin). 9. Click Browse to display all the immediate child nodes for the given base DN and search filter or click Search to display all the direct and indirect child nodes for the given base DN and Search Filter. The search results are displayed in the left panel. 10. Click a child node to view its attributes. The attributes are displayed in the right panel. 11. Click Next to confirm the LDAP configuration. 12. Click Next to use the displayed settings.
Importing users You can import Users and Labels directly from your LDAP or Active Directory system into the KBOX. To import users: 1. Specify the LDAP Server Details. LDAP Server
Specify IP or Host Name of the LDAP Server. Note: For LDAPS, use the IP or the Host Name, as ldaps:// HOSTNAME
Administrator Guide for KBOX 1000 Series, version 3.3
156
LDAP Port
Specify the LDAP Port number which could be either 389 / 636 (LDAPS).
Search Base DN
Specify the Search Base DN. For example: CN=Users,DC=hq,DC=corp,DC=kace,DC=com
Search Filter
Specify the Search Filter. For example: (samaccountname=admin)
LDAP Login
Specify the LDAP login. For example: LDAP Login: CN=Administrator,CN=Users,DC=hq,DC=corp,DC=kace,DC=co m
LDAP Password
Specify the password for the LDAP login.
2. Specify the attributes to import. Attributes to retrieve
Specify the attributes to retrieve. For example, samaccountname Note: You can leave this field blank to retrieve all attributes, but this may be slow and is not recommended.
Label Attribute
Specify a label attribute. For example, memberof. Label Attribute is the attribute on a customer item that returns a list of groups this user is a member of. The union of all the label attributes will form the list of Labels you can import.
Label Prefix
Specify the label prefix. For example, ldap_ Label Prefix is a string that is appended to the front of all the labels.
Binary Attributes
Specify the Binary Attributes. For example, objectsid. Binary Attributes indicates which attributes should be treated as binary for purposes of storage.
Max # Rows
Specify the maximum rows. This will limit the result set that is returned in the next step
Debug Output
Select this check box to view the debug output in the next step.
3. If you are unable to fill in the information for Search Base DN and Search Filter, you can use the LDAP Browser Wizard. For more information on how to use the LDAP Browser Wizard, refer to “LDAP Browser Wizard,” on page 155. 4. Click Next. 5. Select the value from the drop-down list next to each LDAP attribute to map the values from your LDAP server into the User record on the KBOX. The fields in Red are mandatory. The LDAP Uid must be a unique identifier for the user record.
Administrator Guide for KBOX 1000 Series, version 3.3
157
6. Select a label to add to the KBOX. Press CTRL and click to select more than one label. This list displays a list of all the Label Attribute values that were discovered in the search results. 7. Click Next. 8. Review the information displayed in the tables below. The Users to be Imported table displays list of users reported and the Labels to be Imported table displays the list of labels reported. The Existing Users table and the Existing Labels table display the list of Users and Lables that are currently on the KBOX. Only users with a LDAP UID, User Name, and Email value will be imported. Any records that do not have these values are listed in the Users with invalid data table. 9. Click Next to start the import.
Administrator Guide for KBOX 1000 Series, version 3.3
158
Overview of the Help Desk Module The optional KBOX 1000 Series Help Desk Module provides a ticket submission, tracking, and management system that allows you to solve problems in real time. The KBOX 1000 Series Help Desk Module provides integrated access with KBOX 1000 Series capabilities for hardware and software inventory, software deployment, updates and patching, remote control, and alerting and reporting. After installation, you can customize the Help Desk settings according to the needs of your organization. The Help Desk Module adds the following tabs to the administrator view of the Help Desk: Tickets - Provides a list view of tickets submitted for users, and allows Help Desk users to assign, resolve, or escalate tickets based on user profile Configuration - Allows administrators to customize the Help Desk displayed to users. If you do not have the optional Help Desk module installed, you will not see these tabs. The Help Desk Module provides permissions-based access to the features and functions needed by a particular user. The Tickets tab of the Help Desk provides a way for end-users to submit and track desk tickets. In addition to creating new tickets, users can search for Knowledge Base articles that might help them to resolve support issues on their own. From the Tickets tab users can: Create Help Desk tickets View tickets that they have submitted Search for tickets using keywords and advanced methods. If the end-user also happens to be a support technician and you have given them permission to own Help Desk tickets (see “Managing Users,” on page 153), this user is known as a Help Desk user. Users who are also Help Desk users (i.e., they can be assigned Help Desk tickets), can perform these additional functions: Apply labels to tickets/remove labels from tickets Delete Help Desk tickets By default, view unassigned tickets and additions to tickets assigned to them, and view other tickets by using the View by owner drop-down list Change a ticket’s status, priority, or owner. Administrators can create, modify, and manage Help Desk tickets from the Tickets tab in the Administrator UI. Administrators also can use the security, scripting, and distribution features to resolve Help Desk tickets, then use the Knowledge Base to create the documentation that references the resolution for users. From the Tickets tab, administrators can: Create or delete Help Desk tickets Apply labels to tickets/Remove labels from tickets Sort the Ticket view by owner or submitter, summary, priority, or status Change a ticket’s status, priority, or owner.
Administrator Guide for KBOX 1000 Series, version 3.3
159
Configuring basic Help Desk settings From the Help Desk Configuration tab, you can configure a variety of settings including the support mail address, defaults for ticket submission fields, and which events trigger mail alerts and to whom they are sent. This section describes how to configure basic Help Desk Settings only. To customize the default values for the options here, see “Customizing Help Desk fields,” on page 162. Field(s)
Description
Name
Specify the name for the Help Desk.
Email Address
Specify the email address used to send email to and from the Help Desk.
Ticket Defaults
Determines the default ticket values for tickets. To customize these options, click Customize These Values. For more information see “Customizing Help Desk fields,” on page 162.
Email on Events
These check boxes determine who gets email when tickets are changed or escalated. Note that "Any Change" overlaps with the "Owner Change" and "Status Change" events, but it does not include ticket escalations.
Table 11-1: Help Desk Configuration fields To configure basic Help Desk settings: 1. Select Help Desk | Configuration. 2. Click the [Edit Mode] link. 3. In the Name field, specify the name that is displayed in the From field when users receive emails from the Help Desk. 4. In the Email Address field, specify the email address to which users can submit Help Desk tickets. 5. In the Alt. Email Address field, specify the alternate email address to which users can submit Help Desk tickets. 6. Select the Accept email from unknown users check box to accept emails from unknown users. 7. In the Ticket Defaults area, specify the following settings: Category
Specify the default category for tickets. Options include Software, Hardware, Network, and Other.
Status
Specify the default status for tickets. Options include New, Opened, Closed, and Need More Info.
Impact
Specify the default impact for tickets. Options include Many people can’t work, Many people inconvenienced, 1 person can’t work, and 1 person inconvenienced.
Priority
Specify the default priority for tickets. Options include Low, Medium, and High.
8. In the Email on Events area, specify to whom, and under what circumstances, emails should be sent: Recipients: Owner - The Help Desk user assigned to the ticket Submitter - The user who submitted the ticket Ticket CC - The email recipients listed in the CC area of the ticket
Administrator Guide for KBOX 1000 Series, version 3.3
160
Category CC - The email recipients listed in the CC List area for the Ticket Category. Events: Any Change - Any change to any field on the ticket. Owner Change - A change to the owner field on the ticket. By default, emails are sent to the old and new owners of the ticket. Status Change - A change to the status field on the ticket. Comment - A comment on the ticket. Resolution Change - A change to the Resolution field on the ticket. Escalation - The ticket enters escalation based on the configured settings. For more information, see “Understanding the escalation process,” on page 169. Satisfaction Survey - Indicate whether you want to send an mail requesting that the submitter complete a satisfaction survey when the ticket is closed. For more information, see “About the satisfaction survey,” on page 170. New Ticket Via Email - Select this check box for an email notification on a new ticket. 9. Click Save.
Administrator Guide for KBOX 1000 Series, version 3.3
161
Customizing Help Desk fields Where the basic Help Desk configuration page allowed you to set default values for the various drop-down lists in the Help Desk fields, the Customization page allows you to customize the values that appear in those drop-down lists, as well as add up to six custom fields. To access the Help Desk Customization page: 1. Select Help Desk | Configuration. 2. Click the Customize These Values link. The Help Desk Customization page appears. To customize default Category Values: 1. In the Category Values area, click the
icon beside a category value to modify it.
Editable fields appear for that value. 2. Edit the Category Values fields: Name
Specify the name for the value.
Default Owner Assign a default owner for tickets of this category. CC List
Enter the email address(es) to be copied when tickets of this category are submitted to the Help Desk.
User Settable
Indicates whether or not this category appears in the list of choices displayed to the end user. This setting allows you to present a simplified list of values to the user, and display more and create additional values that are only displayed to the administrator or Help Desk users.
3. Click the
icon beside a Category value to change its order in the drop-down list.
4. Click the
icon to add an option to the Category drop-down list.
5. Click the
icon to remove a Category value.
You cannot remove Category values that are in use.
6. Click Save to apply your changes.
Administrator Guide for KBOX 1000 Series, version 3.3
162
To customize default Status Values: 1. In the Status Values area, click the
icon beside a category value to modify it.
Editable fields appear for that value. 2. Edit the Status Values field: Name
Specify the name for the value.
State
Indicates whether the ticket is open, closed, or stalled. Open - The ticket is active Closed - The ticket has been resolved Stalled - The ticket is open past its due date, but is not in escalation.
3. Click the
icon beside a Status value to change its order in the drop-down list.
4. Click the
icon to add an option to the Status drop-down list.
5. Click the
icon to remove a Status value.
You cannot remove Status values to which tickets are currently assigned.
6. Click Save to apply your changes. To customize default Priority values: 1. In the Priority Values area, click the
icon beside a category value to modify it.
Editable fields appear for that value. Edit the Priority Values fields: Name
Specify a name for the custom field.
Color
The displayed color of this status on the ticket list pages.
Escalation Time
The interval after which an open ticket of this priority is escalated. Specify a time integer and a unit from the drop-down list.
2. Click the
icon beside a Priority value to change its order in the drop-down list.
3. Click the
icon to add an option to the Priority drop-down list.
4. Click the
icon to remove a Priority value.
You cannot remove Priority values to Tickets which are currently assigned.
5. Click Save to apply your changes.
Administrator Guide for KBOX 1000 Series, version 3.3
163
To customize default Impact values: 1. In the Impact Values area, click the
icon beside an Impact value to modify it.
Editable fields appear for that value. 2. Modify the Name field as desired. 3. Click the
icon beside an Impact value to change its order in the drop-down list.
4. Click the
icon to add an option to the Impact drop-down list.
5. Click the
icon to remove an Impact value.
You cannot remove Impact values to Tickets which are currently assigned.
6. Click Save to apply your changes. To add custom value fields: 1. In the Custom fields area, click the Edit item icon to modify the fields. 2. In the Name field, enter the names for the custom fields as you want them to be displayed on the Ticket Details page. The custom fields are added as text boxes that hold up to 255 characters. You can add up to six custom fields. 3. Enter the select values in the Select Values field. Select Values are used for custom fields with Field Type of Single Select or Multiple Select. These values should be entered as comma-separated strings. 4. Select the field type in the Field Type list. 5. Select the Only Editable By Owners check box to make this field editable by owners. 6. To remove a custom field, clear the name from the field value. When you remove the name of a field, values for that custom field will be removed from all tickets. When you rename a field, values for that custom field will be retained. 7. Click Save to apply your changes. 8. In the Ticket List View area, click the Edit item icon to modify the desired Ticket List View fields. 9. Select the name in the Name list. 10. Specify the width in the Width field and then click Save. 11. Click Save.
Administrator Guide for KBOX 1000 Series, version 3.3
164
To customize Ticket List View: 1. In the Ticket List View area, click the
icon beside an attribute to modify it.
Editable fields appear for that value. Edit the fields: Name
Select an attribute name from the drop-down list.
Width
Specify the column width.
2. Click the
icon beside an attribute to change its order in the drop-down list.
3. Click the
icon to add an attribute to the Ticket List View drop-down list.
4. Click the
icon to remove an attribute.
5. Click Save to apply your changes.
Administrator Guide for KBOX 1000 Series, version 3.3
165
Creating and editing Help Desk Tickets Depending on whether you are creating a ticket from mail, the Administrator UI, or from the Help Desk, you will have different options available to you. This section describes each of these methods. Regardless of the method used to submit a Help Desk ticket, all interested parties will receive a confirmation mail that includes a link to the submitted ticket. To create a new ticket from the Help Desk: 1. Log into the User Portal as user. Tickets page appears. 2. Select Add New Item in the Choose action drop-down list. The New Ticket page appears. To create a new ticket from the Administrator UI: 1. Select Help Desk | Tickets. 2. Select Add New Item in the Choose action drop-down list. The New Ticket page appears. 3. Specify ticket details. Title
Enter a title for the ticket.
Impact
Specify the severity of the issue.
Category
Indicate the issue type.
Status
Indicate the status of the issue.
Priority
Indicate the importance of the issue.
Owner
Select an owner from the drop-down list.
Machine
The machine affected by the issue. Defaults to submitter’s computer after Ticket is saved. Note: You can see help ticket submissions from the Computer’s inventory record. See “Help Tickets,” on page 34
Asset
Select an asset from the drop-down list.
Filter
Enter the filter criteria in the desired Filter field.
Due Date CC List Submitter
Specify a due date if desired. Click the
icon to select the Month, Day, and Year.
A comma-separated list of additional email addresses for users who might be interested in changes to this ticket. Click the
icon to select the submitter from the drop-down list.
See Also
Link(s) to related tickets. When editing this list, enter the Ticket IDs as comma-separated integers.
Referrers
If other tickets refer to this ticket in the see also field, those ticket IDs will appear here after this ticket is saved.
Owners only
Select this check box to have the comment you are entering visible only to users who are authorized to own tickets.
Comment
Provide comments about the support issue.
Attachment
Browse the desired attachment file.
Administrator Guide for KBOX 1000 Series, version 3.3
166
4. Click Save. After you create the new ticket, you can open the ticket record and view a print-friendly version of the ticket, email the ticket to someone, and click the Find Relevant Articles link to locate Knowledge Base articles related to the ticket.
Submitting Help Desk tickets through email In addition to submitting tickets via the Web-based User and Administrator interfaces, users also can submit Help Desk tickets by sending mail to the Help Desk mail configured in the Help Desk settings. Tickets created from mails will receive the default values for Impact, Category, and Priority, as set on the Help Desk | Configuration tab. The body of the mail message will be added as a comment. The submitter is determined by the sender’s mail address. For more information, see “Configuring basic Help Desk settings,” on page 160.
Editing Help Desk tickets After you create a Help Desk ticket, you can edit the tickets from the Tickets List page, or from the Ticket Detail page. Regardless of where the change is made, any change made to a ticket is reflected in the history log at the bottom of the Ticket Detail window. To edit a ticket from the Tickets List page: 1. Select the check box beside the ticket(s) you want to edit. 2. From the Choose action drop-down list, select the desired option: •
Delete Selected Item(s)
•
Set status to New, Opened, Closed, or Need More Info
•
Set priority to High, Medium, or Low
•
Reassign to another user.
To edit a ticket from the Ticket Detail page: When reassigning a ticket to a new owner using the Choose action drop-down list, the number in parentheses (), indicates the number of tickets currently assigned to that Help Desk user. 1. Select Help Desk | Tickets. 2. Click the Ticket ID or linked Issue Summary. The Ticket Detail page appears. 3. Edit Ticket details as desired. You can edit the Ticket details like Title, Impact, Category, Status, Priority, Owner, Machine, Asset, Due Date, CC List, Submitter, See Also, Referrers, and Resolution. 4. To provide additional information about your change, click Add Comment, and then perform the following steps: a Select the Owners only check box to have the comment you are entering visible only to users who are authorized to own tickets. b Enter comment about the changes in the Comment field.
Administrator Guide for KBOX 1000 Series, version 3.3
167
c Browse the desired attachment file. 5. To provide additional information about the work, click Add Work, and then perform the following steps: a Select the work date. b Select the start date of the work. c Select the end date of the work. d Enter the adjustment hours in the Adjustment field. e Enter work related details in the Work Note field. 6. To copy an existing ticket, click Clone. 7. To create a Knowledge Base article from the comments in the ticket, click the Create KB article button. 8. Click Save to apply your changes.
Searching Help Desk tickets From the Ticket List page, users can search tickets submitted by them, as well as view tickets by other owners. You can use Advanced Search options to locate tickets. Advanced search allows you to use operators such as contains, >, <, =, and Match RegEx. Match RegEx allows for wildcard and other search expressions standard to PERL users. “%” functions as the wildcard (similar to * in the DOS world). For additional information about RegEx searching, visit http:/ /www.regular-expressions.info/ and/or http://dev.mysql.com/doc/mysql/en/regexp.html.
Administrator Guide for KBOX 1000 Series, version 3.3
168
Managing Help Desk tickets After a ticket is submitted to the Help Desk, it is the responsibility of the ticket owner to resolve the ticket. The owner reviews the ticket, adjusts the impact if necessary, and assigns a priority. If the ticket issue is straightforward, the owner might resolve the issue quickly, enter a resolution in the ticket details, then close the ticket. In more complicated situations, however, a ticket may take more time to close, and be assigned to different owners over its lifetime. In some cases, the owner is unable to resolve the ticket by the due date and the ticket is then escalated to someone else to resolve. The process of escalation is determined by the settings configured in the Help Desk | Configuration tab. Depending on the Help Desk configuration, the submitter of a ticket might receive a satisfaction survey to gather feedback about the way the ticket was handled, after the ticket is closed. For more information about the satisfaction survey, see “About the satisfaction survey,” on page 170.
Understanding the escalation process The escalation process allows you to send out automatic emails when a ticket remains in an Open state longer than a specified time. This gives you a way to monitor service level agreements, and allows you to notify a large group when a ticket hasn’t been handled properly. There are three variables that control the escalation process: Which tickets can/should be escalated The length of time a ticket can be open before an escalation email is sent The recipient(s) of the escalation emails. Each ticket has a Priority, and each Priority has an Escalation Time associated with it. Tickets are escalated if they have been open longer than the time specified by their priority setting. Tickets also have a Status that can either be Open, Stalled, or Closed. Tickets with an Open status will trigger an escalation mail every n minutes, where n is the time specified by the Escalation Time assigned to the priority. For example, by default, the KBOX 1000 Series has a Priority value of High, with an Escalation Time of 30 minutes. This means that for each ticket that is marked as High Priority, an escalation mail will be sent every 30 minutes to notify people that the ticket is still Open. Tickets that are Stalled or Closed do not trigger escalation emails. Moving a ticket from Open to Stalled or Closed, and then back to Open will not change the creation time, so the escalation mails will continue to be processed based on the original time. For example, if you were to open a ticket, close it after 5 minutes, then reopen it after 35 minutes, an escalation email would be sent saying that the ticket is older than 30 minutes. After that email is sent, the next email would go out after an additional 30 minutes had elapsed. You determine who receives the escalation emails in the Email on Events area of the Help Desk Configuration settings. You could choose to send the escalation email to any of the following: The ticket owner The submitter The email address(es) listed in the Ticket CC area The email address(es) listed in the Category CC area. By specifying the recipient for escalation emails, you are routing open tickets to the right person or people who can help to resolve the issue.
Administrator Guide for KBOX 1000 Series, version 3.3
169
About the satisfaction survey After a ticket is Closed, if a user views the detail page for that ticket, he or she will be presented with the option to indicate their level of satisfaction with the way the ticket was handled. Users also can add comments to the ticket to further explain their assessment. In addition, you can configure the Help Desk to actively solicit feedback from users after a ticket is closed, by automatically sending them an email with a link to the survey. Select the Closed ticket in the Tickets list, click Email this Ticket, and enter an email address to which you want to send the survey. Score values assigned in the survey are stored in the ticket and are not editable by the Help Desk administrator, although you can run a variety of reports to display survey data. For more information about displaying survey data, please see, “Running Help Desk Reports,” on page 171.
Administrator Guide for KBOX 1000 Series, version 3.3
170
Running Help Desk Reports The KBOX 1000 Series provides several default reports you can run on the Help Desk. You can view these reports by selecting the Reporting tab and then selecting HelpDesk from the View by category drop-down list. By default, the KBOX 1000 Series includes the Help Desk reports shown in the table below. For convenience, each of these reports is available in a variety of formats: HTML, PDF, CSV, and TXT. Help Desk Report
Description
Closed Satisfaction Survey last 31 days by Owner
Lists by Owner all Closed Satisfaction Surveys in the last 31 days.
Closed Ticket Resolutions last 31 days by Owner
Lists by Owner all Closed Ticket Resolutions in the last 31 days.
Closed Ticket Resolutions last 7 days by Owner
Lists by Owner all Closed Ticket Resolutions in the last 7 days.
Closed Tickets last 31 days by Category
Lists by Category all Help Desk tickets that have been closed in the last 31 days.
Closed Tickets last 31 days by Owner
Lists by Owner all Help Desk tickets that have been closed in the last 31 days.
Closed Tickets last 7 days by Owner
Lists by Owner all Help Desk tickets that have been closed in the last 7 days.
Escalated/Open Tickets by Owner
Lists by Owner all escalated and open Help Desk tickets.
Open Tickets by Category
Lists by Category all open Help Desk tickets.
Open Tickets by Owner
Lists by Owner all open Help Desk tickets.
Open Tickets last 7 days by Owner
Lists by Owner all open Help Desk tickets opened in the last 7 days.
Stalled Tickets by Owner
Lists by Owner all tickets that are past their due date but not in escalation (stalled tickets).
Stalled/Open Tickets by Category
Lists by Category all stalled and open Help Desk tickets.
Stalled/Open Tickets by Impact
Lists by Impact all stalled and open Help Desk tickets.
Stalled/Open Tickets by Owner
Lists by Owner all stalled and open Help Desk tickets.
Stalled/Open Tickets by Priority
Lists by Priority all stalled and open Help Desk tickets.
Stalled/Open Tickets by Status
Lists by Status all stalled and open Help Desk tickets.
Stalled/Open Tickets with Due Date by Owner
Lists by Owner and due date all stalled and open Help Desk tickets.
Work Report Date Range - Long Notes Display
Displays date, ticket #, technician and hours worked as a header above the Notes for a Work entry for 2006-04-01 through 2006-07-01.
Table 11-2: Default Help Desk reports
Administrator Guide for KBOX 1000 Series, version 3.3
171
Help Desk Report
Description
Work Report last 31 days
Reports all tickets for which work has been logged for the last 31 days.
Work Report last 31 days Customize
Use this report if you want to build a customized report showing only select fields for all tickets for which work has been logged for the last 31 days.
Work Report last 31 days - Long Notes Display
Displays date, ticket #, technician, and hours worked as a header above the Notes for each Work entry.
Work Report last 31 days by Person
Displays all people who logged work during the last 31 days first by person, and then by ticket and time.
Table 11-2: Default Help Desk reports To run Help Desk reports: 1. Select Reporting. The KBOX Reports page appears. 2. From the View by category drop-down list, select HelpDesk. 3. Click the format type for the report you want to view. If you need to create custom reports, see “Creating and editing reports,” on page 190 for information on using the Report Wizard.
Administrator Guide for KBOX 1000 Series, version 3.3
172
C H A P T E R 12
Server Maintenance This chapter describes the most commonly used features and functions that the Administrator will use in administering and maintaining your KBOX 1000 Series appliance. “KBOX 1000 Series maintenance overview,” on page 174 “Backing up KBOX 1000 Series data,” on page 174 “Restoring KBOX 1000 Series Settings,” on page 176 “Updating KBOX 1000 Series software,” on page 177 “Updating OVAL definitions,” on page 179 “Troubleshooting the KBOX 1000 Series,” on page 180
KBOX 1000 Series maintenance overview The Settings | Server Maintenance page allows you to perform a variety of functions to maintain and update the KBOX 1000 Series appliance. You can access the most recent KBOX server backups, upgrade your KBOX 1000 Series server to newer server versions, retrieve updated OVAL definitions, as well restore to backed-up versions as creating a new backup of the KBOX 1000 Series at any time that you'd like. The Settings | Server Maintenance tab also enables you to reboot and shutdown the KBOX 1000 Series, as well as update KBOX 1000 Series license key information. From the Server Maintenance tab you can: Upgrade KBOX 1000 Series appliance Update OVAL vulnerability definitions Create a backup KBOX 1000 Series appliance Enter or update KBOX 1000 Series License Key Restore to most recent backup Restore to factory default settings Restore from uploaded backup files Reboot KBOX 1000 Series Shutdown KBOX 1000 Series. The following sections describe some of the most commonly used features of the Settings | Server Maintenance tab.
Backing up KBOX 1000 Series data By default, the KBOX 1000 Series automatically takes backup at 3 A.M. and creates two files on the backup drive: kbox_dbdata.gz, containing the database backup, and kbox_file.tgz, containing any files and packages you have uploaded to the KBOX 1000 Series alliance.
Backing up KBOX 1000 Series manually In some cases, you might want to invoke a KBOX 1000 Series backup before the nightly backup occurs. In such cases, you can create a KBOX 1000 Series backup manually. To create a KBOX 1000 Series backup manually: 1. Select Settings | Server Maintenance. 2. Scroll down and click the [Edit Mode] link. 3. Beside Run KBOX Backup, click Run Backup Now. After creating the backup, the Settings | Logs tab will appear.
Administrator Guide for KBOX 1000 Series, version 3.3
174
Downloading backup files to another location The backup files are used to restore your KBOX 1000 Series configuration in the event of a data loss or during an upgrade or migration to new hardware. The KBOX 1000 Series contains only the most recent full backup of the files. For a greater level of recoverability (for instance if you wanted to keep rolling backups), you can offload the backup files to another location so that they can be restored later if necessary. You can access the backup files for downloading from the Administrator UI as well as through ftp. To download backup files to another location: 1. Select Settings |Server Maintenance. 2. Click the backup links on the sidebar.
Contains the database backup Contains the files and packages you have uploaded to the KBOX 1000 Series Figure 12-1: Links to backup files 3. Click Save in the alert that appears, then specify a location for the files. 4. Browse to the location where you want to store the files, then click Save. To access the backup files through ftp: 1. Open a command prompt. 2. At the C:\ prompt, type: ftp kbox 3. Enter the login credentials: user: kbftp, password: getbxf 4. Type the following ftp commands:
Figure 12-2: FTP command for accessing backup files
Administrator Guide for KBOX 1000 Series, version 3.3
175
Restoring KBOX 1000 Series Settings The backup files are used to restore your KBOX 1000 Series configuration in the event of a data loss or during an upgrade or migration to new hardware. Restoring any type of backup file will destroy the data currently configured in the KBOX 1000 Series Server. KACE recommends off loading any backup files or data that you want to keep before performing a restore.
Restoring from most recent backup The KBOX 1000 Series has a built-in ability to restore files from the most recent backup directly from the backup drive. You can access the backup files from the KBOX 1000 Series Administrator UI or through ftp. To restore from the most recent backup: 1. Click Settings | Server Maintenance. 2. Scroll down and click the [Edit Mode] link. 3. Click the Restore from Backup button.
Uploading files to restore settings If you have off-loaded your backup files to another location, you can upload those files manually, rather than restoring from the backup files stored on the KBOX 1000 Series. To upload backup files: 1. Click Settings | Server Maintenance. 2. In the Database Backup Files field, click Browse and locate the backup file. 3. In the KBOX Backup Files field, click Browse and locate the backup file. 4. Click Restore from Upload Files.
Administrator Guide for KBOX 1000 Series, version 3.3
176
Updating KBOX 1000 Series software Part of maintaining your KBOX 1000 Series appliance involves updating the software that runs on the KBOX 1000 Series server. This process also involves verifying that you are using the minimum required version of the KBOX 1000 Series, as well as updating the license key in the KBOX 1000 Series to reflect the current product functionality.
Verifying minimum server version Before applying this update, verify your KBOX 1000 Series server version meets the minimum version requirement. To verify minimum server version: 1. Open your browser and go to the URL for the KBOX 1000 Series appliance (http://kbox/admin). 2. Click About KBOX in the upper right-hand corner of the screen.
The version of the server
Figure 12-3:
About KBOX
Updating the license key After installing an upgrade to the KBOX 1000 Series server, you may need to enter a new KACE license key to fully activate the KBOX 1000 Series. You should have the new license key to upgrade your KBOX 1000 Series appliance. Updating your KBOX 1000 Series license key: 1. Select Settings | Server Maintenance. 2. Scroll down and click the [Edit Mode] link. 3. Enter your new license key, then click Save.
Administrator Guide for KBOX 1000 Series, version 3.3
177
Applying the server update If you are using a previous version of the KBOX 1000 Series, you must apply the earlier updates separately before continuing. Refer to the release notes for your version of the KBOX 1000 Series to determine the minimum updates. To apply the server update: 1. Download the kbox_upgrade_server_XXXX.bin file and save it locally. 2. Open your browser to http://kbox/admin. 3. Select Settings | Server Maintenance. 4. Scroll down and click the [Edit Mode] link. 5. Under Update KBOX, click Browse, and locate the update file you just downloaded. 6. Click Update KBOX. When the file has completed uploading, your KBOX 1000 Series will reboot with the latest features.
Verifying the update After applying the upgrade, verify successful completion by reviewing the update log. To verify the upgrade: 1. Select Settings | Logs. 2. Click the Update link. 3. Review the Update log for any error messages or warnings. 4. Click About KBOX in the upper right corner to verify the current version.
Rebooting and shutting down KBOX 1000 Series appliance You may need to reboot the KBOX 1000 Series appliance from time to time when troubleshooting or possibly upgrading KBOX 1000 Series settings. When rebooting KBOX 1000 Series, you should always do so by clicking the Reboot KBOX button located on the Settings | Server Maintenance tab. Before performing hardware maintenance, you will need to shutdown the KBOX 1000 Series prior to unplugging appliance. You can shutdown the KBOX 1000 Series appliance either by pressing the power button ONCE, quickly, or by clicking the Shutdown KBOX button on the Settings | Server Maintenance tab. The Reboot and Shutdown buttons will only be clickable if you have already click the blue "Edit Mode" link at the bottom of the page.
Administrator Guide for KBOX 1000 Series, version 3.3
178
Updating OVAL definitions Although the definitions for OVAL vulnerabilities are updated automatically on a scheduled basis, you can retrieve the latest files manually from the Server Maintenance page. For more information about OVAL definitions, see “About OVAL and CVE,” on page 133 To update the OVAL & Patch definitions: 1. Select Settings | Server Maintenance. 2. To update OVAL definitions, click Update OVAL Now.
Administrator Guide for KBOX 1000 Series, version 3.3
179
Troubleshooting the KBOX 1000 Series The KBOX 1000 Series provides several log files that can help you detect and resolve errors. The log files are rotated automatically as each grows in size so no additional administrative log maintenance procedures are required. Log maintenance checks are performed daily. The KBOX 1000 Series maintains the last seven days of activity in the logs. KACE Technical Support may request that you send the KBOX 1000 Series Server logs if they need more information in troubleshooting an issue. To download the logs, click the Download Logs link. For more information, see “Downloading log files,” on page 180.
Accessing KBOX 1000 Series logs You can access the KBOX 1000 Series Server logs by going to the Settings | Logs tab. This area also provides a reference for any KBOX 1000 Series informational or exception notices. Log Type
Description
Disk Status
Displays the status of the KBOX 1000 Series disk array.
Application
Displays miscellaneous information about the application's operation and execution.
Access
Displays the HTTP Server's access information.
Server
Displays errors or server warnings regarding any of the onboard server processes.
Update
Displays details of any KBOX 1000 Series patches or upgrades applied using the Update KBOX function.
Client
Displays KBOX Agent exception logs.
Table 12-4: Types of Server Logs
Downloading log files The KBOX 1000 Series provides the ability to download the logs into one file directly from the Admin UI. You may be asked by KACE Technical support to submit KBOX 1000 Series logs in order to help diagnose a problem. To download KBOX 1000 Series logs: 1. Select Settings | Logs. 2. Click the Download logs link on the right of the Log page. The logs are downloaded in a file called kbox_logs.tgz. 3. Click Save.
Administrator Guide for KBOX 1000 Series, version 3.3
180
Understanding disk log status data The log you are likely to interact with most often when troubleshooting the KBOX 1000 Series is the Disk Status log. If there is a physical problem with the KBOX 1000 Series, that issue would be reflected here. KBOX 1000 Series Server and KBOX Agent exceptions are reported nightly to kace.com if you enabled crash reporting on the Settings | General tab.
Figure 12-5: Disk status without error
Error status listed here Figure 12-6: Disk status with error The figures above display the difference in the Disk status log when no error is found and when an error exists. Although this section does not describe every possible error message that could be displayed here, many of the errors that occur can be resolved by following the same set of steps:
Administrator Guide for KBOX 1000 Series, version 3.3
181
Step
Description
Step 1: Rebuild
If the disk status log error reads “Degraded” that is an indication that you need to rebuild the array. To do this, click the Rebuild Disk Array button. Rebuilding can take up to 2 hours. If an error state still exists after this, proceed to step 2.
Step 2: Power Down and Reseat the Drives
In some cases, the degraded array may be caused by a hard-drive that is no longer seated firmly in the drive-bay. In these cases, the disk status will usually show "disk missing" for that drive in the log. Power down the KBOX 1000 Series. Once the appliance is powered off, eject each of the hard-drives and then re-insert them, making sure that the drive is firmly in the bay. Power the machine back on and then look again at the disk status log to see if that has resolved the issue. If an error state still exists, try rebuilding again or proceed to Step 3.
Step: Call KACE Technical Support
If you have the previous steps and are still experiencing errors, please contact KACE Technical Support by email ([email protected]) or phone (888) 522-3638 option 2.
Table 12-7: Troubleshooting your KBOX 1000 appliances
Administrator Guide for KBOX 1000 Series, version 3.3
182
C H A P T E R 13 Reporting The KBOX 1000 Series provides a variety of alert and reporting features that enable you to communicate easily with users and to get a detailed view of the activity on your network. “KBOX 1000 Series Reports overview,” on page 184 “Alert Messages,” on page 193 “Email Alerts,” on page 194 “KBOX 1000 Series Summary,” on page 195 “LDAP Browser,” on page 201
KBOX 1000 Series Reports overview The KBOX 1000 Series ships with many included stock reports. The reporting engine utilizes XML-based report layouts to output report types of HTML, PDF, CSV, and TXT. By default, the KBOX 1000 Series provides reports in the following general categories: Compliance Hardware Help Desk KBOX Network Patching Security Software Template
Administrator Guide for KBOX 1000 Series, version 3.3
184
Types of Reports Within each of the general categories mentioned above, there are various reports you can run to display information about the computers on your network. Descriptions of each type of report you can run are provided below. Help desk reports are discussed in Chapter 11,“User Portal and Help Desk,” starting on page 146. Category
Report
Description
Compliance
Hotfix Compliance
Shows which computers have the specified hotfix installed.
Compliance
Software Compliance Simple
Lists the licenses and counts like the License list page with details such as vendor, PO#, and Notes.
Compliance
Software License Compliance Complete
Lists software and computers that are impacted by each license record.
Compliance
Unapproved Software Installation
Lists software found on computers that do not have approved licenses.
Hardware
C drives less than 2G free
Shows which computers less than 2 gigabytes of free space.
Hardware
Computer - Video/Ram/Proc by Label
Lists all computers and their video, ram and processor information sorted by label and name.
Hardware
Computer Export
This report is intended to generate a CSV listing for data export to other programs.
Hardware
Computer Inventory Detail
Detail listing of all computers on the KBOX 1000 Series network with full field detail.
Hardware
Computer Listing by Free Disk Space
Lists computer disk drives in order of total free disk space.
Hardware
Computer Listing by Label
Lists all computers by all KBOX 1000 Series labels.
Hardware
Computer Listing by Memory
Lists computer RAM in order of total memory size.
Hardware
Computer Listing by Operating System
Sorts all computers by Operating System type and sums OS Types.
Hardware
Computer Uptime Report
Reports the uptime of the computers.
Help Desk
Closed Satisfaction Survey last 31 days by Owner
Lists by Owner all Closed Satisfaction Surveys in the last 31 days.
Help Desk
Closed Ticket Resolutions last 31 days by Owner
Lists by Owner all Closed Ticket Resolutions in the last 31 days.
Help Desk
Closed Ticket Resolutions last 7 days by Owner
Lists by Owner all Closed Ticket Resolutions in the last 7 days.
Help Desk
Closed Tickets last 31 days by Category
Lists by Category all Help Desk tickets that have been closed in the last 31 days.
Table 1: Default reports
Administrator Guide for KBOX 1000 Series, version 3.3
185
Category
Report
Description
Help Desk
Closed Tickets last 31 days by Owner
Lists by Owner all Help Desk tickets that have been closed in the last 31 days.
Help Desk
Closed Tickets last 7 days by Owner
Lists by Owner all Help Desk tickets that have been closed in the last 7 days.
Help Desk
Escalated/Open Tickets by Owner
Lists by Owner all escalated and open Help Desk tickets.
Help Desk
Open Tickets by Category
Lists by Category all open Help Desk tickets.
Help Desk
Open Tickets by Owner
Lists by Owner all open Help Desk tickets.
Help Desk
Open Tickets last 7 days by Owner
Lists by Owner all open Help Desk tickets opened in the last 7 days.
Help Desk
Stalled Tickets by Owner
Lists by Owner all tickets that are past their due date but not in escalation (stalled tickets).
Help Desk
Stalled/Open Tickets by Category
Lists by Category all stalled and open Help Desk tickets.
Help Desk
Stalled/Open Tickets by Impact
Lists by Impact all stalled and open Help Desk tickets.
Help Desk
Stalled/Open Tickets by Owner
Lists by Owner all stalled and open Help Desk tickets.
Help Desk
Stalled/Open Tickets by Priority
Lists by Priority all stalled and open Help Desk tickets.
Help Desk
Stalled/Open Tickets by Status
Lists by Status all stalled and open Help Desk tickets.
Help Desk
Stalled/Open Tickets with Due Date by Owner
Lists by Owner and due date all stalled and open Help Desk tickets.
Help Desk
Work Report Date Range - Long Notes Display
Displays date, ticket #, technician and hours worked as a header above the Notes for a Work entry for 2006-04-01 through 2006-07-01.
Help Desk
Work Report last 31 days
Reports all tickets for which work has been logged for the last 31 days.
Help Desk
Work Report last 31 days Customize
Use this report if you want to build a customized report showing only select fields for all tickets for which work has been logged for the last 31 days.
Help Desk
Work Report last 31 days - Long Notes Display
Displays date, ticket #, technician, and hours worked as a header above the Notes for each Work entry.
Help Desk
Work Report last 31 days by Person
Displays all people who logged work during the last 31 days first by person, and then by ticket and time.
Table 1: Default reports
Administrator Guide for KBOX 1000 Series, version 3.3
186
Category
Report
Description
KBOX
Boot/Login Policies
Lists all the activities that could happen at machine boot time or after the user logs in.
KBOX
KBOX Agent Roll Out Log
Reports when a computer record was first created.
KBOX
KBOX Communication
Lists by day the latest communication from computers on the network.
KBOX
MI's enabled on all machines
Lists all the managed installations that are enabled on all machines.
KBOX
Scripts enabled on all machines This report lists the scripts that are enabled on all machines.
Network
Network Info - Domain Listing
This report lists computers groups computers by domain/workgroup.
Network
Network Info - IP Address Listing
Lists computers in order of IP Address (ascending).
Network
Network Scan Report
Displays the results of the nightly Network Scan.
Patching
Critical Bulletin List
Lists all critical bulletins.
Patching
For each Machine, what patches are installed
Lists of all patches on each computer in the KBOX network.
Patching
For each Patch, what machines have it installed
Lists the computers having each software patch in inventory.
Patching
How many computers have each Patch installed
Software Inventory listing sorted by software title showing number of seats deployed.
Patching
Installation Status of each enabled Patch
Lists the installation status of each enabled patch.
Patching
Needs Review Bulletin List
List of all the Bulletins that need review.
Patching
Patches waiting to be deployed
Lists all patches waiting to be deployed.
Security
Number of machines with OVAL vulnerabilities
Lists, for each OVAL test, how many machines failed the test and are therefore vulnerable.
Security
OVAL Machine Report
Reports all the machines and how many OVAL tests that each of them failed.
Security
SANS Top 10 - Q2 2005
Reports all OVAL results from vulnerabilities reported by SANS.
Security
Threating Items
Displays all items o threat level 4 or 5 and the computers which have them.
Security
Top 10 OVAL Vulnerabilities
Displays a Pie graph of the top 10 OVAL vulnerabilities that have been reported by the OVAL scan.
Software
Software Export
Generates a CSV listing for data export to other programs.
Table 1: Default reports Administrator Guide for KBOX 1000 Series, version 3.3
187
Category
Report
Description
Software
Software Installed But Not Used Last 6 Months
Lists, by software item, where software has been installed but not used according to software metering. This will only work when you have attached the metering to a particular software item which will limit you to a particular version of software.
Software
Software Inventory By Vendor
Software Inventory listing grouped by vendor showing number of seats deployed.
Software
Software Listing By Label
Lists all software titles organized by all KBOX 1000 Series labels.
Software
Software not on any computer
Listing of all software titles that are not currently installed on any computers.
Software
Software on Computer
Listing of all software on each computer in the KBOX 1000 Series network.
Software
Software OS Report - Graph
Pie graph showing the list and count of Operating Systems currently deployed on your network.
Software
Software Title & Version - Com- This report lists the computers having each softputer List ware title in inventory.
Software
Software Title - Computer List (MS Only)
This report lists computers having each Microsoft software title in inventory.
Software
Software Title Deployed Count
Software Inventory sorted by software title showing number of seats deployed.
Template
Computer Listing - XP SP2 installed?
Lists all computers, reporting if XP SP2 is installed or not. Change 'Windows XP Service Pack 2' to any other Software title you are interested in. Sorted by installation status.
Template
Computer Listing with Software Template
Computer Listing sorted by LABEL with computers having software names like "Microsoft Office Professional%".
Template
Custom Inventory Template
Reports the values returned by a custom inventory rule that you can setup in the Software Item page. Change 'McAfeeDATFile' to be the name of the Software item with the Custom Inventory Rule in it.
Template
Log File Information Template
This is a template that lists the values returned from a 'Log File Information' action in a script. Replace 'AccessedDate: ' with the actual attribute that you returned.
Template
Log Registry Value Template
This template lists the values returned from a script using the 'Log Registry Value' action. Replace the value '!doc =' with the appropriate value name that you entered in the script.
Table 1: Default reports Administrator Guide for KBOX 1000 Series, version 3.3
188
Category Template
Report
Description
Machines By Label X with Software Y Installed
Reports all the machines in label(s) and indicates if they have a particular software product installed. Replace KBOX with the name of the software you are looking for and QA_LABEL and KBOX_LABEL with the labels of the machines you want included.
Table 1: Default reports
Administrator Guide for KBOX 1000 Series, version 3.3
189
Running Reports To run any of the KBOX 1000 Series reports, you simply need to click the desired format type (HTML, PDF, CSV, or TXT). For HTML or PDF formats, the report will be displayed in a new window. If you select CSV or TXT format, you will be prompted to open the file or save it to your computer. For example, the KBOX server build at your end is 3.1.6474. On clicking the Reporting | Summary tab, the KBOX Summary Information page appears, and on clicking the Settings | Server Maintenance tab, the KBOX Settings : Server Maintenance page appears. Let’s say KACE comes up with a new patch for the server build by the name 3.1.6748 and pushes it to the corporate server. If you click on the Check for upgrade button in the Settings| Server Maintenance page, the An upgrade is now available link appears on the KBOX Summary Information page and the latest build is available in the Upgrade KBOX field on the KBOX Settings : Server Maintenance page. The An upgrade to 3.1.6748 is now available link also appears in the Reporting | Summary page. Clicking on this link will take you to the Settings | Server Maintenance page. Click Upgrade now to upgrade your KBOX Server to the build 3.1.6748 build.
Creating and editing reports If you have other reporting needs not covered by the reports previously mentioned, you can either create a new report from scratch, or you can modify one of the templates provided in the KBOX 1000 Series Template category. You can create a report in the following ways: Duplicate an existing report - Another way to create a report is to open an existing report and create a copy of it, which you can then modify to suit your needs. Create a new report using the Report Wizard. Create a new report from scratch To duplicate an existing report: 1. Select Reporting | Reports. 2. Click the linked Report Title. The KBOX Report: Edit Detail page appears. 3. Click the Duplicate button. 4. Modify the report details as necessary, then click Save. Consult the list of database table names in Appendix B,“Database tables,” starting on page 209.
Administrator Guide for KBOX 1000 Series, version 3.3
190
To create a new report using the Report tab: 1. Select Reporting | Reports. The KBOX Report page appears. 2. Select Add New Report from the Choose action drop-down list. 3. Enter the report details as shown below: Report Title
Enter a display name for the report. Make this as descriptive as possible, so you can distinguish this report from others.
Report Category
Enter the category for the report. If the category does not already exist, it will be added to the drop-down list on the Reports list page.
Description
Describe the information that the report will provide.
Report Type
Select a report type from the list. The fields that you will be able to include on the report vary depending on the report type you choose.
4. Click Next. 5. The next step is to select fields you want to include on the report. Click Select All to select all fields or Deselect All to deselect all fields. 6. Click Next. 7. The next step is to arrange the fields you selected in the order in which you want the columns to appear on the report. Highlight and drag a column block to change the order. Rearrange the fields until the columns are in the order you want to display them on the report. 8. Click Next. 9. The next step is to sort the fields you selected for the report and to decide where you want the report to break. You can sort first by one field, then further sort by one or two more fields. a. Select a field or fields by which you want to sort from the Order By drop-down list or lists. b. Select either Ascending or Descending from the Sequence drop-down list or lists. c. Check Break Header? if you want to break the report with a new header and do subtotals. 10. Click Next. 11. The next step is to specify filter criteria for the report: a. Select a field or fields by which you want to filter from the field drop-down list or lists. b. Select an operator or operators from the operator drop-down list or lists. c. Enter a value by which you want to search and filter. You can combine individual field filter searches (create a compound filter search) by selecting an AND or an OR operator. The example above will search for and filter users who have “kace” or “kacepartner” in their mail address. 12. Click Save to save your report. The KBOX Reports page is displayed with the new report in the list. To run the new report, click the desired format type (HTML, PDF, CSV, or TXT). For HTML or PDF formats, the report will be displayed in a new window. If you select CSV or TXT format, you will be prompted to open the file or save it to your computer.
Administrator Guide for KBOX 1000 Series, version 3.3
191
To create a new report from scratch: 1. Select Reporting | Reports. 2. Select Add New SQL Report from the Choose action drop-down list. The KBOX Report: Edit Detail page appears. 3. Specify the following report details: Title
Enter a display name for the report. Make this as descriptive as possible, so you can distinguish this report from others.
Report Category
Enter the category for the report. If the category does not already exist, it will be added to the drop-down list on the Reports list page.
Output File Name
Specify the name for the file generate when this report is run.
Description
Describe the information that the report will provide.
Output Types
Specify the formats that should be available for this report.
SQL Select Statement
Enter the query statement that will generate the report data. For reference, consult the MYSQL documentation.
Break on Columns
A comma-separated list of SQL column names. The report will generate break headers and sub totals for these columns. This setting refers to the auto-generated layout.
XML Report Layout
When checked, this option will create the XML layout based on the SQL you enter. Select this check box if you have changed the columns that are being returned by the query so that the XML Report Layout is regenerated using the new columns.
4. Click Save. For assistance with formatting the report XML, refer to the rlib documentation found here: http://rlib.sicompos.com/.
Administrator Guide for KBOX 1000 Series, version 3.3
192
Alert Messages Alert messages provide a way for you to interact with your users by displaying a message in a pop-up window. The Alerts List page displays the messages you have distributed to users. From the Alerts list page you can open existing alerts, create new alerts, or delete alerts. You can also search messages using keywords.
Creating alert messages If you have information you want to distribute to your network, you can review and modify previous messages you have deployed, or you can create a new message. To create an alert message: 1. Select Reporting | Alerts. 2. Select Add New Item from the Choose action drop-down list. The Alerts: Edit Detail page appears. 3. In the Message Content field, type the text of your message. 4. In the Keep Alive field, specify the length of time the message will be valid. Messages will be broadcast to users until either the user's desktop has received the message or the specified time interval has elapsed. This is based on the Run Interval set on the Distribution | KBOX Agent | KBOX Agent Setting. 5. In the Limit Broadcast To area, select the recipient label(s) to which this message will be sent. Press CTRL and click to select multiple labels. 6. Click Save.
Administrator Guide for KBOX 1000 Series, version 3.3
193
Email Alerts Mail alerts differ from Alerts (broadcast messages) in that they allow you to send messages out to administrators based on more detailed criteria. The Mail Alert feature relies on the Inventory | Computers engine to create a notification that will be sent to administrators when computers meet the criteria you specify. The KBOX 1000 Series checks the computers in inventory against the criteria in the Mail Alert once an hour until one or more computers meet the criteria, then a message is sent to the administrator(s) specified in the alert details.
Creating Email Alerts Notifications are processed every 60 minutes. Should a notification query result in 1 or more machine records, then a notification email is automatically sent to the specified recipient. To create an Email Alert: 1. Select Reporting | Email Alerts. The Email Alerts page appears. 2. Select Add New Computer Notification in the Choose action drop-down list. The Inventory | Computers tab appears with the Create Email Notification fields exposed. 3. Enter the search criteria. 4. In the Title field, enter a title for the alert. The Title will appear in the Subject field. 5. In the Recipient field, enter the email address(es) of the message recipient. Email addresses must be fully qualified email addresses. The recipient address may be a single email address or a list of addresses separated by commas.
Administrator Guide for KBOX 1000 Series, version 3.3
194
KBOX 1000 Series Summary The KBOX 1000 Series Summary page provides information about the configuration and operation of your KBOX 1000 Series appliance. When you log on to the KBOX Administrator Console, the Summary tab appears by default. To view KBOX Summary: 1. Select Reporting | Summary. The KBOX Summary page appears. 2. The sections that follow provide a description of the summary information displayed. 3. Click Refresh to refresh the information displayed.
Client Check-In Rate Displays the total number of clients that have checked in to the server in an hour.
The counter automatically adjusts if the number increases beyond one hundred.
Administrator Guide for KBOX 1000 Series, version 3.3
195
Distributions Displays the number of managed installations, scripts, and file synchronizations that are enabled. This also displays the number of alerts that you have configured.
The counter automatically adjusts if the number increases beyond thirty.
Administrator Guide for KBOX 1000 Series, version 3.3
196
Software Threat Level Displays the number of machines on various software threat levels.
The number of machines displayed on the Y axis automatically adjusts if the number of machines found on a particular threat level increases beyond twelve.
License Compliance Displays the number of machines that use a particular licensed software. For example, the following figure displays a licensed software named Adobe flash player 9, which can be used on one thousand machines. In this example, this software is used by twelve machines.
Administrator Guide for KBOX 1000 Series, version 3.3
197
KBOX Network Load Displays the number of sockets connected to the server.
The counter automatically adjusts if the number of sockets connected increases beyond one hundred.
Managed Operating Systems Displays the number, in percentage, of various operating systems present in the inventory.
Administrator Guide for KBOX 1000 Series, version 3.3
198
To view KBOX Summary Details: 1. Select Reporting | Summary. The KBOX Summary page appears. 2. Scroll down, and then click View Details. The KBOX Summary Details page appears. 3. The sections that follow provide a description of the summary details provided.
As this page is refreshed, the record count information is refreshed. New KBOX 1000 Series installations will mostly contain zero or no record counts.
Computer statistics Provides a summary of the computers on your network, including a breakdown of the operating systems in use. In addition, if the number of computers on your network exceeds the number allowed by your KBOX 1000 Series license key, a notification to that effect will be displayed here.
Software statistics Provides a summary of the software in KBOX 1000 Series Inventory. Includes the number of software titles that have been uploaded to the KBOX 1000 Series.
Software Distribution Summary Provides a summary of the packages that have been distributed to the computers on your network, separated out by distribution method. Also indicates the number of packages that are enabled vs. disabled.
Alert Summary Provides a summary of the alerts that have been distributed to the computers on your network, separated by message type. This also indicates the number of alerts that are active vs. expired. The IT Advisory refers to the number of Knowledge Base Articles in Help Desk.
Administrator Guide for KBOX 1000 Series, version 3.3
199
Patch Bulletin Information Provides a summary of the patches received from Microsoft. Includes the date and time of the last patch download (successful and attempted) and the number of bulletins in the KBOX 1000 Series.
OVAL Information Provides a summary of the OVAL definitions received and the number of vulnerabilities detected on your network. Includes the date and time of the last OVAL download (successful and attempted) and the number of OVAL tests in the KBOX 1000 Series, in addition to the numbers of computers that have been scanned.
Network Scan Summary Provides a summary of the results of Network Scans run on the network. Includes the number of IP addresses scanned, the number of services discovered, the number of devices discovered, as well as the number of detected devices that are SNMP-enabled.
Administrator Guide for KBOX 1000 Series, version 3.3
200
LDAP Browser The LDAP Browser allows you to browse and search the data located on the LDAP Server. For example, Active Directory Server. You must have the Bind DN and the Password to log on to the LDAP Server. To use the LDAP Browser: 1. Select Reporting | LDAP Browser. 2. Specify the LDAP Server Details LDAP Server
Specify the IP or the Host Name of the LDAP Server. Note: For LDAPS, use the IP or the Host Name, as ldaps:// HOSTNAME
LDAP Port
Specify the LDAP Port number, which could be either 389/636 (LDAPS).
LDAP Login
Specify the Bind DN For example: CN=Administrator,CN=Users,DC=kace,DC=com
LDAP Password
Specify the password for the LDAP login.
3. Click test. 4. On a successful connection to the LDAP server, a list of possible base DNs (Distinguished Names) available on that directory is displayed. These base DNs can be used as a start point to browse and search the directory. If the connection was not established, the Operation Failed message appears, which could be due to one of the following reasons: The IP or Host Name provided is incorrect. The LDAP server is not up. The login credentials provided are incorrect. 5. Click a Base DN or click next. A new window displays the Search Base DN and the Search Filter. The Search Base DN is populated on the basis of the Base DN that you selected in the previous screen. You can modify the Search Base DN and the Search Filter. 6. You can also use the Filter Builder to create complex filters. Click Filter Builder. The Query Builder is displayed. Specify the following information. Attribute Name
Specify the Attribute Name. For example, samaccountname.
Relational Operator
Select the relational operator from the drop-down list. For example, =.
Attribute Value
Specify the attribute value. For example, admin.
Administrator Guide for KBOX 1000 Series, version 3.3
201
7. To add more than one attribute: Conjunction Operator
Select the conjunction operator from the drop - down list. For example, AND. Note: This field is available for the previous attribute only when you add a new attribute.
Add
Click Add. You can add multiple attributes.
Search Scope
Click One level to search at the same level or click Sub-tree level to search at the sub-tree level.
8. Click OK. The query appears in the Search Filter text area. For example, (samaccountname=admin). 9. Click Browse to display all the immediate child nodes for the given base DN and search filter. Click Search to display all the direct and indirect child nodes for the given base DN and search filter. The search results are displayed in the left panel. 10. Click a child node to view its attributes. The attributes are displayed in the right panel.
Administrator Guide for KBOX 1000 Series, version 3.3
202
A P P E N D I X A
Adding steps to a Task This appendix documents steps for tasks of a script. The steps documented here are available on the Scripting tab. For more information, see “Scripting,” on page 91. “Steps for Task sections,” on page 204
Steps for Task sections Refer to the following table when adding steps to a Policy or Job Task. These are the steps available in the step drop-down lists in the Verify, On Success, Remediation, On Remediation Success, and On Remediation Failure sections of a task. The Column headings V, OS, R, ORS, and ORF indicate whether a particular step is available in the corresponding Task sections. Step
Explanation
Always Fail
V
OS
R
X
ORF
X
Call a Custom DLL Function
Call function "%{procName}" from "%{path}\%{file}"
X
X
X
Create a Custom DLL Object
Create object "%{className}" from "%{path}\%{file}"
X
X
X
Create a message window
Create a message window named "%{name}" with title "%{title}", message "%{message}" and timeout "%{timeout}" seconds.
X
X
X
Delete a registry key
Delete "%{key}" from the registry.
X
X
Delete a registry value
Delete "%{key}!%{name}" from the registry.
X
X
Destroy a message window
Destroy the message window named "%{name}".
Install a software package
Install "%{name}" with arguments "%{install_cmd}". Note: This step requires you to choose from a list of software packages already uploaded using the functionality in the Inventory/Software tab. For more information, see “Adding Software to Inventory,” on page 39.
Kill a process
Kill the process "%{name}".
Launch a program
Launch "%{path}\%{program}" with params "%{parms}".
Log a registry value
Log “%{key}!%{name}”.
X
Log file information
Log “%{attrib}”from “%{path}\%{file}”
X
Log message
Log “%{message}”to “%{type}”
X
Restart a service
Restart service “%{name}”
X
ORS
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
Table A-1: Steps for Tasks in Policy & Job scripts
Administrator Guide for KBOX 1000 Series, version 3.3
204
Step Run a batch file
Explanation
V
OS
Run the batch file "%{_fake_name}" with params "%{parms}".
X
X
R
ORS
ORF
X
Note: In this step, you do not need to upload the batch file. You create the batch file by pasting the script in the space provided. Search the file system
Search for "%{name}" in "%{startingDirectory}" on "%{drives}" and "%{action}".
X
Set a registry key
Set "%{key}".
X
X
Set a registry value
Set "%{key}!%{name}" to "%{newValue}".
X
X
Start a service
Restart service “%{name}”
X
Stop a service
Stop service “%{name}”
X
Unzip a file
Unzip "%{path}\%{file}" to "%{target}".
X
X
X
X
Update message window text
Set the text in the message window named "%{name}" to "%{text}".
X
X
X
X
Update Policy and Job schedule
Update policy and job schedule from KBOX 1000 Series
X
Upload a file
Upload "%{path}\%{file}" to the server.
Upload \ logs
Upload KBOX Agent logs to KBOX 1000 Series
X
X
Verify a directory exists
Verify that the directory "%{path}" exists.
X
Verify a file exists
Verify that the file "%{path}\%{file}" exists.
X
Verify a file version is exactly
Verify that the file "%{path}\%{file}" has version "%{expectedValue}".
X
Verify a file version is greater than
Verify that the file "%{path}\%{file}" has version greater than "%{expectedValue}".
X
Verify a file version is greater than or equal to...
Verify that the file "%{path}\%{file}" has version greater than or equal to "%{expectedValue}”
X
Verify a file version is less than
Verify that the file "%{path}\%{file}" has version less than "%{expectedValue}".
Verify a file version is less than or equal to
Verify that the file "%{path}\%{file}" has version less than or equal to "%{expectedValue}
X X
X X
X X
Table A-1: Steps for Tasks in Policy & Job scripts
Administrator Guide for KBOX 1000 Series, version 3.3
205
Step
Explanation
V
Verify a file version is not
Verify that the file "%{path}\%{file}" does not have version "%{expectedValue}".
X
Verify a file was modified since
Verify that the file "%{path}\%{file}" was modified since "%{expectedValue}".
X
Verify a process is not running
Verify the process "%{name}" is not running.
X
Verify a process is running
Verify the process "%{name}" is running.
X
Verify a product ver- Verify that the product "%{path}\%{file}" sion is exactly.. has version "%{expectedValue}"
X
Verify a product ver- Verify that the product "%{path}\%{file}" sion is greater than has version greater than "%{expectedValue}".
X
Verify a product ver- Verify that the product "%{path}\%{file}" sion is greater than has version greater than or equal to "%{expected-Value}” or equal to...
X
Verify a product ver- Verify that the product "%{path}\%{file}" sion is less than has version less than "%{expectedValue}".
X
Verify a product ver- Verify that the product "%{path}\%{file}" sion is less than or has version less than or equal to "%{expectedValue}” equal to
X
Verify a product ver- Verify that the product "%{path}\%{file}" sion is not does not hav version "%{expectedValue}"
X
Verify a registry key does not exist
Verify that "%{key}" does not exist.
X
Verify a registry key exists
Verify that "%{key}" exists.
X
Verify a registry key’s subkey count is exactly
Verify that "%{key}" has exactly "%{expectedValue}" subkeys.
X
Verify a registry key’s subkey count is greater than
Verify that "%{key}" has greater than "%{expectedValue}" subkeys.
X
Verify a registry key’s subkey count is greater than or equal to
Verify that "%{key}" has greater than or equal to "%{expectedValue}" subkeys.
X
Verify a registry key’s subkey count is less than
Verify that "%{key}" has less than "%{expectedValue}" subkeys.
X
OS
R
ORS
ORF
Table A-1: Steps for Tasks in Policy & Job scripts
Administrator Guide for KBOX 1000 Series, version 3.3
206
Step
Explanation
V
Verify a registry key’s subkey count is less than or equal to
Verify that "%{key}" has less than or equal to "%{expectedValue}" subkeys.
Verify a registry key’s subkey count is not
Verify that "%{key}" does not have exactly "%{expectedValue}" subkeys.
X
Verify a registry key’s value count is exactly
Verify that "%{key}" has exactly "%{expectedValue}" values.
X
Verify a registry key’s value count is greater than
Verify that "%{key}" has greater than "%{expectedValue}" values.
X
Verify a registry key’s value count is greater than or equal to
Verify that "%{key}" has greater than or equal to "%{expectedValue}" values.
X
Verify a registry key’s value count is less than
Verify that "%{key}" has less than "%{expectedValue}" values.
X
OS
R
ORS
ORF
X
Verify a registry Verify that "%{key}" has less than or key’s value count is equal to "%{expectedValue}" values. less than or equal to
X
Verify a registry key’s value count is not
Verify that "%{key}" does not have exactly "%{expectedValue}" values.
X
Verify a registry pat- Verify that "%{key}!%{name}=%{expecttern doesn’t match edValue}" doesn't match.
X
Verify a registry pat- Verify that "%{key}!%{name}=%{expecttern matches edValue}" matches.
X
Verify a registry Verify that "%{key}!%{name}" does not value does not exist exist
X
Verify a registry value exists
Verify that "%{key}!%{name}" exists
X
Verify a registry value is exactly
Verify that "%{key}!%{name}" is equal to "%{expectedValue}"
X
Verify a registry value is greater than
Verify that "%{key}!%{name}" is greater than "%{expectedValue}"
X
Verify a registry value is greater than or equal to
Verify that "%{key}!%{name}" is greater than or equal to "%{expectedValue}"
X
Table A-1: Steps for Tasks in Policy & Job scripts
Administrator Guide for KBOX 1000 Series, version 3.3
207
Step
Explanation
V
Verify a registry value is less than
Verify that "%{key}!%{name}" is less than "%{expectedValue}"
X
Verify a registry value is less than or equal to
Verify that "%{key}!%{name}" is less than or equal to "%{expectedValue}"
X
Verify a registry value is not
Verify that "%{key}!%{name}" is not equal to "%{expectedValue}"
X
Verify a service exists
Verify the service "%{name}" exists
X
Verify a service is running
Verify the service "%{name}" is running
OS
R
ORS
ORF
X
Table A-1: Steps for Tasks in Policy & Job scripts
Administrator Guide for KBOX 1000 Series, version 3.3
208
A P P E N D I X B
Database tables This appendix contains a list of the table names used in the KBOX 1000 Series database. Use this as a reference when creating custom reports. “KBOX 1000 Series database tables,” on page 210
KBOX 1000 Series database tables Refer to the following table when creating custom reports. For more information, see Chapter 13,“Reporting,” starting on page 183. Table
Used In
ADVISORY
HelpDesk
ADVISORY_LABEL_JT
HelpDesk
AUTHENTICATION
KBOX
CLIENTDIST_LABEL_JT
KBOX
CLIENT_DISTRIBUTION
KBOX
CR_CLIENT_CRASH
KBOX
CR_SERVER_CRASH
KBOX
CUSTOM_FIELD_DEFINITION
Custom Fields
FILTER
Labeling
FS
File Synchronization
FS_LABEL_JT
File Synchronization
FS_MACHINE_JT
File Synchronization
GLOBAL_OPTIONS
KBOX
HD_ATTACHMENT
Help Desk
HD_CATEGORY
Help Desk
HD_EMAIL_EVENT
Help Desk
HD_IMPACT
Help Desk
HD_MAIL_TEMPLATE
Help Desk
HD_PRIORITY
Help Desk
HD_QUEUE
Help Desk
HD_QUEUE_PRIORITY
Help Desk
HD_QUEUE_STATUS
Help Desk
HD_STATUS
Help Desk
HD_TICKET
Help Desk
HD_TICKET_CHANGE
Help Desk
HD_TICKET_RELATED
Help Desk
HD_WORK
Help Desk
KBOT
Scripting
Table B-1: KBOX 1000 Series database table names
Administrator Guide for KBOX 1000 Series, version 3.3
210
Table
Used In
KBOT_CRON_SCHEDULE
Scripting
KBOT_DEPENDENCY
Scripting
KBOT_EVENT_SCHEDULE
Scripting
KBOT_FORM
Scripting
KBOT_FORM_DATA
Scripting
KBOT_GRAMMAR
Scripting
KBOT_GRAMMAR_ATTRIBUTE
Scripting
KBOT_LABEL_JT
Scripting
KBOT_LOG
Scripting
KBOT_LOG_DETAIL
Scripting
KBOT_LOG_LATEST
Scripting
KBOT_OS_JT
Scripting
KBOT_RUN
Scripting
KBOT_RUN_MACHINE
Scripting
KBOT_RUN_TOKEN
Scripting
KBOT_UPLOAD
Scripting
KBOT_UPLOAD_TOKEN
Scripting
KBOT_VERIFY
Scripting
KBOT_VERIFY_STEPS
Scripting
KBOX_VERSION
KBOX
LABEL
Labeling
LDAP_FILTER
Labeling
LDAP_IMPORT_USER
User
LICENSE
Inventory
LICENSE_MODE
Inventory
MACHINE
Inventory
MACHINE_CUSTOM_INVENTORY
Inventory
MACHINE_DISKS
Inventory
MACHINE_KUID
Inventory
MACHINE_LABEL_JT
Inventory
MACHINE_NICS
Inventory
Table B-1: KBOX 1000 Series database table names
Administrator Guide for KBOX 1000 Series, version 3.3
211
Table
Used In
MACHINE_NTSERVICE_JT
Inventory
MACHINE_PROCESS
Inventory
MACHINE_PROCESS_JT
Inventory
MACHINE_SOFTWARE_JT
Inventory
MACHINE_STARTUP_PROGRAMS
Inventory
MACHINE_STARTUPPROGRAM_JT
Inventory
MESSAGE
Alerts
MESSAGE_LABEL_JT
Alerts
MI
Managed Installs
MI_ATTEMPT
Managed Installs
MI_LABEL_JT
Managed Installs
METER
Software Metering
METER_COUNTER
Software Metering
MSP_AFFECTEDPRODUCT
Patching
MSP_AFFECTEDSERVICEPACK
Patching
MSP_BULLETIN
Patching
MSP_BULLETIN_STATUS
Patching
MSP_LOCATION
Patching
MSP_MI_TEMPLATE
Patching
MSP_MI_TEMPLATE_LABEL_JT
Patching
MSP_PATCH
Patching
MSP_PATCH_OS_VERSION
Patching
MSP_PRODUCT
Patching
MSP_SERVICEPACK
Patching
MSP_SERVICEPACK_MACHINE_JT
Patching
MSP_SEVERITY
Patching
MSP_UPDATE_STATUS
Patching
NETWORK_SETTINGS
KBOX
NODE
Network Scan
NODE_LABEL_JT
Network Scan
NODE_PORTS
Network Scan
Table B-1: KBOX 1000 Series database table names
Administrator Guide for KBOX 1000 Series, version 3.3
212
Table
Used In
NODE_SNMP_IF
Network Scan
NODE_SNMP_SYSTEM
Network Scan
NOTIFICATION
Alerts
NTSERVICE
Inventory
OPERATING_SYSTEMS
Inventory
OVAL_DEFINITION
OVAL
OVAL_STATUS
OVAL
OVAL_UPDATE_STATUS
OVAL
PORTAL
User Portal
PORTAL_LABEL_JT
User Portal
PROCESS
Inventory
PORT_SERVICES
KBOX
REPLICATION_SHARE
Replication
REPORT
Reporting
REPORT_FIELD
Reporting
REPORT_FIELD_GROUP
Reporting
REPORT_JOIN
Reporting
REPORT_OBJECT
Reporting
SCAN_FILTER
Labeling
SCAN_SETTINGS
Network Scan
SERVER_LOG
KBOX
SOFTWARE
Inventory
SOFTWARE_LABEL_JT
Inventory
SOFTWARE_OS_JT
Inventory
STARTUPPROGRAM
Inventory
THROTTLE
KBOX
TIME_SETTINGS
KBOX
TIME_ZONE
KBOX
USER
User
USER_HISTORY
User Portal
USER_KEYS
User Portal
Table B-1: KBOX 1000 Series database table names
Administrator Guide for KBOX 1000 Series, version 3.3
213
Table USER_LABEL_JT
Used In User
Table B-1: KBOX 1000 Series database table names
Administrator Guide for KBOX 1000 Series, version 3.3
214
Administrator Guide for KBOX 1000 Series, version 3.3
215
A P P E N D I X C
Manual Deployment of KBOX Agent This appendix contains a list of tasks and commands that you can carry out using the command line interface. “Manual Deployment of KBOX Agent on Linux,” on page 217 “Manual Deployment of KBOX Agent on Solaris,” on page 219 “Manual Deployment of KBOX Agent on Macintosh,” on page 221
Manual Deployment of KBOX Agent on Linux Installing and Configuring the KBOX Agent 1. Ensure that you have kboxagent-buildnumber.i386.rpm on your computer. 2. Open the command line interface. 3. Type rpm -ivh kboxagent-buildnumber.i386.rpm, and then press ENTER. The installer creates the following directories on your computer: /KACE /KACE/bin /KACE/lib /KACE/data /var/KACE/kagentd. This directory contains the kbot_config.yaml file. 4. Type cd KACE/bin, and then press ENTER. 5. Set the name of the KBOX server by typing ./setkbox name_of_kbox_server. 6. Restart all KBOX Agent services and connect to the KBOX server by typing ./runallkbots.
Upgrading the KBOX Agent 1. Ensure that you have kboxagent-buildnumber.i386.rpm on your computer. 2. Open the command line interface. 3. Type rpm -uvh kboxagent-linux_buildnumber.rpm, and then press ENTER.
Removing the KBOX Agent 1. Open the command line interface. 2. Type rpm -e kboxagent-buildnumber.i386, and then press ENTER.
Verifying Deployment of the KBOX Agent This section describes the various tasks you can perform to manage the KBOX agent using the command line interface.
Starting and Stopping the KBOX Agent 1. Open the command line interface. 2. Type cd KACE/bin, and then press ENTER. 3. To start the KBOX agent, type ./kagentctl start, and then press ENTER. To stop the KBOX agent, type ./kagentctl stop, and then press ENTER.
Checking Whether the Agent is Running 1. Open the command line interface. 2. Type ps aux | grep kagentd, and then press ENTER.
Administrator Guide for KBOX 1000 Series, version 3.3
217
Checking the Version of the KBOX Agent 1. Open the command line interface. 2. Type cat /KACE/data/version, and then press ENTER.
Performing an Inventory 1. Open the command line interface. 2. Type sudo /KACE/bin/inventory, and then press ENTER. If you want to save the inventory results to a file, type sudo /KACE/bin/inventory > 'uname n'.txt, and then press ENTER. This command saves the inventory results to a file named yourcomputer.txt, where yourcomputer is the name of your computer.
Enabling Debugging 1. Open the command line interface. 2. Type sudo touch /var/kace/kagentd/debug_agent.tag, and then press ENTER. 3. Type sudo /etc/rc.d/init.d/kagentctl stop, and then press ENTER. 4. Type sudo /etc/rc.d/init.d/kagentctl start, and then press ENTER. The debug_agent.log file contains debug logs.
Administrator Guide for KBOX 1000 Series, version 3.3
218
Manual Deployment of KBOX Agent on Solaris Installing and Configuring the KBOX Agent 1. Ensure that you have KBOX-agent-all-buildnumber.pkg.gz on your computer. 2. Open the command line interface. 3. Type /usr/bin/gunzip KBOX-agent-all-buildnumber.pkg.gz, and then press ENTER. 4. Type /usr/sbin/pkgadd -n -d KBOX-agent-all-buildnumber.pkg all, and then press ENTER. The installer creates the following directories on your computer: /KACE /KACE/bin /KACE/lib /KACE/data /var/KACE/kagentd. This directory contains the kbot_config.yaml file. 5. Type cd KACE/bin, and then press ENTER. 6. Set the name of the KBOX server by typing ./setkbox name_of_kbox_server. 7. Restart all KBOX Agent services and connect to the KBOX server by typing ./runallkbots.
Upgrading the KBOX Agent 1. Ensure that you have KBOX-agent-all-buildnumber.pkg.gz on your computer. 2. Open the command line interface. 3. Type /etc/init.d/kagentctl stop, and press ENTER. 4. Type /usr/sbin/pkgrm -A -n KBOX-agent, and press ENTER. 5. Type /usr/bin/rm -rf /KACE/, and press ENTER. 6. Type /usr/bin/gunzip -v KBOX-agent-all*.pkg.gz, and press ENTER. 7. Type /usr/sbin/pkgadd -n -d KBOX-agent-all*.pkg all, and press ENTER. 8. Type /etc/init.d/kagentctl start, and press ENTER.
Removing the KBOX Agent 1. Open the command line interface. 2. Type /etc/init.d/kagentctl stop, and press ENTER. 3. Type /usr/sbin/pkgrm -A -n KBOX-agent, and press ENTER. 4. Type /usr/bin/rm -rf /KACE/, and press ENTER.
Administrator Guide for KBOX 1000 Series, version 3.3
219
Verifying Deployment of the KBOX Agent This section describes the various tasks you can perform to manage the KBOX agent using the command line interface.
Starting and Stopping the KBOX Agent 1. Open the command line interface. 2. Type cd KACE/bin, and then press ENTER. 3. To start the KBOX agent, type ./kagentctl start, and then press ENTER. To stop the KBOX agent, type ./kagentctl stop, and then press ENTER.
Checking Whether the Agent is Running 1. Open the command line interface. 2. Type ps ef | grep kagentd, and then press ENTER.
Checking the Version of the KBOX Agent 1. Open the command line interface. 2. Type cat /KACE/data/version, and then press ENTER.
Performing an Inventory 1. Open the command line interface. 2. Type sudo /KACE/bin/inventory, and then press ENTER. If you want to save the inventory results to a file, type sudo /KACE/bin/inventory > 'uname n'.txt, and then press ENTER. This command saves the inventory results to a file named yourcomputer.txt, where yourcomputer is the name of your computer.
Enabling Debugging 1. Open the command line interface. 2. Type sudo touch /var/kace/kagentd/debug_agent.tag, and then press ENTER. 3. Type sudo /etc/init.d/kagentctl stop, and then press ENTER. 4. Type sudo /etc/init.d/kagentctl start, and then press ENTER. The debug_agent.log file contains debug logs.
Administrator Guide for KBOX 1000 Series, version 3.3
220
Manual Deployment of KBOX Agent on Macintosh To run the commands the user must be logged in as root.
Installing and Configuring the KBOX Agent 1. Double-click KBOX Agent 3.1.buildnumber.dmg. 2. Double-click KBOX Agent.pkg. 3. In the Introduction page, and then click Continue. 4. In the Read Me page, click Continue. 5. In the Select Destination page, select the destination volume where you want to install the KBOX agent, and then click Continue. 6. In the Installation Type page, click Install. 7. In the Finish Up page, click Close. The installer creates the following directories on your computer: /Library/KBOXAgent/Home/bin /Library/KBOXAgent/Home/data /Library/KBOXAgent/Home/lib /var/kace/kagentd. This directory contains the kbot_config.yaml file. 8. Type cd Library/KBOXAgent/Home/bin, and then press ENTER. 9. Set the name of the KBOX server by typing ./setkbox name_of_kbox_server. 10. Restart all KBOX Agent services and connect to the KBOX server by typing ./runallkbots.
Upgrading the KBOX Agent 1. Double-click KBOX Agent 3.1.buildnumber.dmg. 2. Double-click KBOX Agent.pkg. 3. In the Introduction page, and then click Continue. 4. In the Read Me page, click Continue. 5. In the Select Destination page, select the destination volume where you want to install the KBOX agent, and then click Continue. 6. In the Installation Type page, click Upgrade. 7. In the Finish Up page, click Close.
Administrator Guide for KBOX 1000 Series, version 3.3
221
Removing the KBOX Agent 1. Browse to /Library/KBOXAgent. 2. Removing the KBOX Agent, you first need to Drag the KBOXAgent folder to the Trash and then kill the process ID.
Verifying Deployment of the KBOX Agent This section describes the various tasks you can perform to manage the KBOX agent using the command line interface.
Starting and Stopping the KBOX Agent 1. Open Terminal from the Applications/Utilities folder. 2. Type cd Library/KBOXAgent/Home/bin, and then press ENTER. 3. To start the KBOX agent, type ./kagentctl start, and then press ENTER. To stop the KBOX agent, type ./kagentctl stop, and then press ENTER.
Checking Whether the Agent is Running 1. Open Terminal from the Applications/Utilities folder. 2. To check if the kagentd process is running enter the command ps aux | grep kagentd, and then press ENTER. The process is running if you see the following result: root 2159 0.0 1.1 94408 12044 p2 S 3:26PM 0:10.94 /Library/KBOXAgent/Home/bin/kagentd
Checking the Version of the KBOX Agent 1. Open Terminal from the Applications/Utilities folder. 2. Type cat Library/KBOXAgent/Home/data/version, and then press ENTER.
Performing an Inventory 1. Open Terminal from the Applications/Utilities folder. 2. Type sudo Library/KBOXAgent/Home/bin/inventory, and then press ENTER. If you want to save the inventory results to a file, type sudo Library/KBOXAgent/Home/bin/ inventory > computer_name.txt. Replace computer_name with the name of your computer, and then press ENTER. This command saves the inventory results to a file named computer_name.txt, where computer_name is the computer name that you specified.
Enabling Debugging 1. Open Terminal from the Applications/Utilities folder. 2. Type sudo touch /var/kace/kagentd/debug_agent.tag, and then press ENTER. 3. Type sudo /Library/KBOXAgent/Home/bin/kagentctl stop, and then press ENTER. 4. Type sudo /Library/KBOXAgent/Home/bin/kagentctl start, and then press ENTER. The debug_agent.log file contains debug logs.
Administrator Guide for KBOX 1000 Series, version 3.3
222
Administrator Guide for KBOX 1000 Series, version 3.3
223
A P P E N D I X D
Agent Customization This appendix explains the procedure to create a self-executing zip file that includes custom installation items like non-standard path or custom server name. “Agent Customization,” on page 225
Agent Customization You can create a self-executing zip file that includes custom installation items like non-standard path or custom server name.
To create a self-executing zip that includes custom installation: 1. Copy the necessary files for your customization. You will need the following files: 7zip-v442.exe, available at \\kdisk\kace_corporate\software\7-Zip\7zip-v442.exe 7zip-v442_extra.zip, available at \\kdisk\kace_corporate\software\7-Zip\7zip-v442_extra.zip The KInstallerSetup.exe, from the client version you want to customize. This file is available at the KACE Support Website. 2. Install 7-zip. 3. Unzip the 7zip_v442_extra.zip file into the directory where the 7-zip is installed. (by default the directory is C:\Program Files\7-Zip). Ensure that the file 7zS.sfx is in the top-level directory. 7-Zip-install path is used for this location. This file is important because it has the actual executable stub for a self-extracting installer executable. 4. Start the 7-Zip File Manager from the start menu. 5. Select the KInstallerSetup.exe executable for the client version to customize using the 7-Zip File Manager. 6. Click the extract button to extract it into a directory of your choice. Keep the Current Pathnames selected in the Path mode box. The Overwrite without prompt option can be selected for the Overwrite Mode. Do not specify a password. 7. Navigate to that folder and edit the kinstaller.exe.config file with a text editor to change any settings for customization. The display_mode can have the values interactive, quiet, and silent. server_name is the hostname of the server. 8. Save your changes. Execution of the kinstaller.exe file in this directory installs with the settings as specified in the .config file. 9. Open the 7-Zip File Manager and select kinstaller.exe, kinstaller.exe.config, es-ES and install_files. 10. Click the Add button. The archive format is 7z, Create SFX archive in the options box is cleared. 11. Save the .7z file and note down the path. I'll call my file "jkboxInstaller.7z" and the path to it will be <<jkbox-installpath>> 12. Create a text file - config.txt - which includes the settings for the self-executing zip. Ensure that the file is saved with UTF-8 encoding. The file should contain the following commands, which will indicate to 7-zip that the kinstaller should run when the self-executing zip runs: ;!@Install@!UTF-8! Progress="no" RunProgram="kinstaller.exe" Directory="" ;!@InstallEnd@! 13. Open a new command-line window. 14. Execute the following command to create a self-executing file from the .7z file.
Administrator Guide for KBOX 1000 Series, version 3.3
225
15. Copy /b "<<7-Zip-install>>\7zS.sfx" + "<>\config.txt" + "<<jkboxinstallpath>>\jkboxInstaller.7z" "<>.exe"
Administrator Guide for KBOX 1000 Series, version 3.3
226
A P P E N D I X E
Warranty, Licensing, and Support “Warranty and Support Information,” on page 228.
Warranty and Support Information Information concerning hardware and software warranty, hardware replacement, product returns, technical support terms and product licensing can be found in the KACE End User License agreement accessible at: HTTP://WWW.KACE.COM/LICENSE/STANDARD_EULA
Administrator Guide for KBOX 1000 Series, version 3.3
228
Administrator Guide for KBOX 1000 Series
Version 3.3
© 2004-2007 Kace Networks, Inc. All rights reserved. Welcome to KBOX 1000 ownership! Welcome to version 3.3 of the KBOX 1000 Series appliance. This Administrator Guide is designed to help you install, configure, use, and maintain your KBOX 1000 Series appliance. KACE is dedicated to customer success with our primary goal being your ability to quickly utilize your KBOX 1000 Series appliance to save time and eliminate the tedious task of manual inventory, software, and desktop management. If at any time you experience a problem, or have a question regarding your KBOX 1000 Series appliance, please contact one of our support representatives for assistance.
Support Contact: KACE Technical Support (888) 522-3638 for support select option 2 http://www.kace.com/support Company Contact: Kace Networks, Inc. 1616 North Shoreline Blvd. Mountain View, California 94043 (888) 522-3638 office for all inquiries (650) 649-1806 fax
Contents About this guide viii How this guide is organized . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x Additional resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x Contacting Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x The KBOX 1000 Series JumpStart Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi KACE Professional Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Ch. 1
Getting Started with KBOX 1000 Series
........1
Introduction to KBOX 1000 Series . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Solution Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Organizational Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Software Deployment Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Setting Up Your New KBOX server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Setting up your first KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Alternative Deployment Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Key Configuration Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Configuring General settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Configuring KBOX Network settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Ch. 2
Agent Provisioning
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Single Machine Provisioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Provisioning Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 Provisioning Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 KBOX Agent Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 KBOX Agent Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Ch. 3
Inventory
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Overview of the Inventory Feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 Using Advanced Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Creating Search Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Creating Computer Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Filtering Computers by Organizational Unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Understanding Computer Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Computer Identity Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Help Tickets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Operating System Info . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 User Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Manufacturer and BIOS Info . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Administrator Guide for KBOX 1000 Series, version 3.3
i
Processor and Computer Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Network Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Drive Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Motherboard and related Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Process List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Installed Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Installed Patches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Startup Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Harmful Items (Threat Level 5) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Printer List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Uploaded Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Custom Inventory Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Customer Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Asset Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Asset History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 KBOX Agent Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Portal Install Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Scripting Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 OVAL Vulnerability Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Failed Managed Installs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Labels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Failed Patches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 To Install List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Adding computers to inventory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Adding computers automatically . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Adding computers manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Software Inventory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 Adding Software to Inventory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Adding Software Automatically . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Adding Software Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Creating Software Asset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 Custom Data Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 Attaching a Digital Asset to a Software Title . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Monitoring out-of-reach Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 Labels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Creating Labels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Viewing Computer Details by Label . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Deleting labels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Software Metering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 Adding a Software Meter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 Editing Software Meter Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 Deleting a Software Meter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 Configuring the Software Metering Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 Startup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 Software Lookup Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 Enabling Software Lookup Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 Viewing Software Lookup Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Administrator Guide for KBOX 1000 Series, version 3.3
ii
Ch. 4
Asset Management
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Overview of Asset Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 Managing Asset Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 Asset Association . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Managing Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 Generating Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Importing Asset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Ch. 5
IP Scan
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
IP Scan Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 Viewing List of Scheduled Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 Creating an IP Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Ch. 6
Distribution
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Distribution Feature Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 Types of Distribution Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 Distributing Packages through KBOX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 Distributing Packages through an Alternate Location . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Managed Installations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 Creating a Managed Installation for Windows Platform . . . . . . . . . . . . . . . . . . . . . . . . . 75 Sharing Managed Software Installation Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Examples of Common Deployments on Windows . . . . . . . . . . . . . . . . . . . . . . . . 79 Standard MSI Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 Standard EXE Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82 Standard ZIP Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Examples of Common Deployments on Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 Standard RPM Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 Standard TAR.GZ Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Examples of Common Deployments on Solaris . . . . . . . . . . . . . . . . . . . . . . . . . . 87 Standard TAR.GZ Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Examples of Common Deployments on Macintosh(r) . . . . . . . . . . . . . . . . . . . . 91 File Synchronizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94 Creating a file synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 Creating a Replication Share. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 Viewing Replication Share Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Ch. 7
Wake-on-LAN
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Wake-on-LAN Feature Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99 Issuing a Wake-on-LAN Request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100 Troubleshooting Wake-on-LAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Administrator Guide for KBOX 1000 Series, version 3.3
iii
Ch. 8
Scripting
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Scripting Module Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 Using Scripts that are Installed with KBOX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104 Creating and Editing Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 Adding Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106 Editing Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108 Importing scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109 Duplicating scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Using the Run Now Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111 Run Scripts using the Run Now tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111 Run Now from the Script Detail page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111 Monitoring Run Now status. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112 Run Now Detail Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Searching Scripting Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114 Configuration Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115 Enforce Registry Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116 Remote Desktop Control Troubleshooter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116 Enforce Desktop Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117 Desktop Shortcuts Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117 Event Log Reporter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118 MSI Installer Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118 UltraVNC Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120 Un-Installer Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121 Windows Automatic Update Settings policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Ch. 9
Patching
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Overview of Patching feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124 Bulletin Management workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126 Downloading patch bulletins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126 Reviewing & approving bulletins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126 Deploying bulletins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128 Reporting patching results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130 Creating a Replication Share for patches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130 Create new Windows Update Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Updating Patch definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Ch. 10
Security
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Security Module Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133 About OVAL and CVE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
OVAL Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134 Running OVAL Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135 OVAL Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
OVAL Settings and Schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136 OVAL Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138 Creating Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139 Enforce Internet Explorer Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139 Enforce XP SP2 Firewall Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Administrator Guide for KBOX 1000 Series, version 3.3
iv
Enforce Disallowed Programs Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 Enforce McAfee AntiVirus Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142 McAfee SuperDAT Updater . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 Enforce Symantec AntiVirus Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 Quarantine Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144 Lift Quarantine Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Ch. 11
User Portal and Help Desk
. . . . . . . . . . . . . . . . . . . . . . . . . 146
Overview of the User Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147 End user view of the User Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147 Administrator view of the User Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Understanding the Software Library feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149 Creating a software library to deploy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Using the Knowledge Base . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151 Adding Knowledge Base articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151 Editing and deleting Knowledge Base articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Managing Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153 Adding users manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153 Adding users automatically . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154 LDAP Browser Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 Importing users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Overview of the Help Desk Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159 Configuring basic Help Desk settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160 Customizing Help Desk fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162 Creating and editing Help Desk Tickets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166 Submitting Help Desk tickets through email . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167 Editing Help Desk tickets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167 Searching Help Desk tickets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Managing Help Desk tickets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169 Understanding the escalation process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169 About the satisfaction survey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Running Help Desk Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Ch. 12
Server Maintenance
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
KBOX 1000 Series maintenance overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174 Backing up KBOX 1000 Series data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174 Backing up KBOX 1000 Series manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174 Downloading backup files to another location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Restoring KBOX 1000 Series Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176 Restoring from most recent backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176 Uploading files to restore settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Updating KBOX 1000 Series software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177 Verifying minimum server version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177 Updating the license key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177 Applying the server update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178 Verifying the update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178 Rebooting and shutting down KBOX 1000 Series appliance . . . . . . . . . . . . . . . . . . . . . 178
Administrator Guide for KBOX 1000 Series, version 3.3
v
Updating OVAL definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179 Troubleshooting the KBOX 1000 Series . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180 Accessing KBOX 1000 Series logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180 Downloading log files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180 Understanding disk log status data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Ch. 13
Reporting
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
KBOX 1000 Series Reports overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184 Types of Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185 Running Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190 Creating and editing reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Alert Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193 Creating alert messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Email Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194 Creating Email Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
KBOX 1000 Series Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195 Client Check-In Rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195 Distributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196 Software Threat Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197 License Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197 KBOX Network Load . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198 Managed Operating Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198 Computer statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 Software statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 Software Distribution Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 Alert Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 Patch Bulletin Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200 OVAL Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200 Network Scan Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
LDAP Browser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Appendix A
Adding steps to a Task
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Steps for Task sections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Appendix B
Database tables
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
KBOX 1000 Series database tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Appendix C
Manual Deployment of KBOX Agent
. . . . . . . . . . . . . . . . . . . 216
Manual Deployment of KBOX Agent on Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . 217 Installing and Configuring the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217 Upgrading the KBOX Agent. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217 Removing the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217 Verifying Deployment of the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Manual Deployment of KBOX Agent on Solaris . . . . . . . . . . . . . . . . . . . . . . . . . 219 Installing and Configuring the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219 Upgrading the KBOX Agent. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Administrator Guide for KBOX 1000 Series, version 3.3
vi
Removing the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219 Verifying Deployment of the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Manual Deployment of KBOX Agent on Macintosh . . . . . . . . . . . . . . . . . . . . . . 221 Installing and Configuring the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221 Upgrading the KBOX Agent. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221 Removing the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222 Verifying Deployment of the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Appendix D
Agent Customization
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Agent Customization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Appendix E
Warranty, Licensing, and Support
. . . . . . . . . . . . . . . . . . . . . . 227
Warranty and Support Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Administrator Guide for KBOX 1000 Series, version 3.3
vii
P R E F A C E About this guide This chapter provides an overview of this Administrator Guide and provides links to other resources you might find helpful in administering your KBOX 1000 Series appliance. “How this guide is organized,” on page ix “Additional resources,” on page x “Contacting Support,” on page x
How this guide is organized This Administrator Guide is designed to provide all of the information that you’ll need to install configure and deploy the KBOX 1000 Series appliance. This guide is organized into the following top-level section: Orientation and Setup Chapter 1,“Getting Started with KBOX 1000 Series,” starting on page 1 Chapter 2,“Agent Provisioning,” starting on page 14 Chapter 3,“Inventory,” starting on page 26 Chapter 4,“Asset Management,” starting on page 56 Chapter 5,“IP Scan,” starting on page 66 Chapter 6,“Distribution,” starting on page 71 Configuration Chapter 7,“Wake-on-LAN,” starting on page 98 Chapter 9,“Patching,” starting on page 123 Chapter 8,“Scripting,” starting on page 102 Chapter 10,“Security,” starting on page 132 Maintenance and Support Chapter 11,“User Portal and Help Desk,” starting on page 146 Chapter 12,“Server Maintenance,” starting on page 173 Reference Chapter 13,“Reporting,” starting on page 183 Appendix A,“Adding steps to a Task,” starting on page 203 Appendix B,“Database tables,” starting on page 209 Appendix C,“Manual Deployment of KBOX Agent,” starting on page 216 Appendix D,“Agent Customization,” starting on page 224 Appendix E,“Warranty, Licensing, and Support,” starting on page 227
In addition, the symbol to the left denotes an item of interest. These include common configuration questions, specific KBOX behavior, or items that deserve particular attention.
Administrator Guide for KBOX 1000 Series, version 3.3
ix
Conventions This guide uses the following formatting conventions. Format
Description
Bold
Represents buttons, tab labels, and menu selections.
| (pipe)
Separates multiple selections. For example, Inventory | Software.
Table 1-1: Formatting Conventions
Additional resources In addition to this Administrator Guide, KACE also provides the following resources to assist you in installing, configuring, and maintaining the KBOX 1000 Series. A user name and password may be required to access these resources.
Silent Mode Installation Tips and Tricks - http://www.kace.com/support/customer/doc/ SilentInstallationWhitepaper.pdf Installation and Scripting resources - http://www.kace.com/support/customer/ additional_resources.php Tutorial Videos - http://www.kace.com/support/customer/training.php
Contacting Support At KACE, customers are our highest priority, and we structure our support policies and procedures accordingly. Your purchase of the KBOX 1000 Series includes software updates, telephone support, and access to an on-line support portal, which includes: The most up-to-date software and documentation Knowledge base of frequently asked questions Details on the most common software package installation switches Other IT management information. The KACE support team is dedicated to helping you make the most efficient use of your KBOX 1000 Series appliance for your organization. KACE and KACE Certified Partners can help you get the most out of your KBOX 1000 Series appliance with the KBOX™ JumpStart Program and KACE Professional Services.
Administrator Guide for KBOX 1000 Series, version 3.3
x
The KBOX 1000 Series JumpStart Program The KBOX 1000 Series JumpStart Program guarantees that your KBOX 1000 Series appliance will be properly installed and configured for your environment. With the JumpStart Program, you and your team will get custom-tailored, hands-on training to immediately get the maximum value from your investment, with the least amount of time committed from your team. The KBOX 1000 Series JumpStart Program includes: Installation Assistance - Install and configure your KBOX™ 1000 Series appliance; Network scan; learn best practices for use of the KBOX 1000 Series appliance in your environment. Deployment Assistance - Your custom rollout plan includes deployment up to 150 KBOX Agent agents on your network. SW Distribution & Patch Management Assistance - Customized training and one managed installation created. Advanced topics - LDAP or Active Directory integration; ODBC integration with your standard reporting tools. Additional Module training - additional set-up and training is provided for each KBOX 1000 Series module you purchase. To learn more about support services, contact KACE customer support.
KACE Professional Services Delivered by a KACE Partner or KACE engineers, professional services can help you improve your organization's IT efficiency, compliance and security. Professional services are custom tailored to meet your needs. Some common KBOX 1000 Series services include but are not limited to: Custom script development Custom software packaging Application integration Advanced training Security audit analysis Advanced installation and KBOX Agent deployment Managed services. To learn more about professional services, contact your Kace account manager.
Administrator Guide for KBOX 1000 Series, version 3.3
xi
C H A P T E R 1
Getting Started with KBOX 1000 Series The KBOX 1000 Series appliances are easy-to-deploy Systems Management Appliances that deliver all of the powerful features you would expect from a distribution management system and more. This chapter provides guidance on installing and setting up the KBOX 1000 Series appliance to work in your environment. “Introduction to KBOX 1000 Series,” on page 2 “Setting Up Your New KBOX server,” on page 4 “Setting up your first KBOX Agent,” on page 6 “Alternative Deployment Options,” on page 9 “Key Configuration Settings,” on page 10
Introduction to KBOX 1000 Series In general, the administrative operation of the KBOX 1000 Series system management appliance is intuitive and user friendly; however, a review of the basic procedures will likely help new users avoid common pitfalls and internalize KBOX 1000 Series best practices for software management. This section provides an introduction to the components and concepts of your KBOX 1000 Series appliance, and provides an overview of the KBOX 1000 Series workflow for total software management.
Solution Components The KBOX 1000 Series solution is comprised of four primary points of human interface: The Box - The KBOX 1000 Series Systems Management Appliance itself is a high-performance server including (depending on configuration) dual on-board Xeon processors, dual NIC controllers, 1 GB of memory (or more), 3 X 150 GB hard drives (or more) with on-board RAID I support and on-board nightly back up. Administrator Console - The administrator console is a web-based interface that systems administrators use to access and direct the functionality and capabilities within the KBOX 1000 Series. The administrator console supports five primary tasks: Inventory Management, Software Distribution, User Portal, Reporting and, KBOX Settings. Depending on your KBOX 1000 Series configuration you may also have Asset, Scripting, Security, and Help Desk tabs. These are add-on modules. For more information contact the KACE sales team at [email protected] or via phone at 1-888-522-3638. User Portal - The User Portal provides an innovative method for administrators to make software titles available to users on a self-service basis. The end-user portal is not intended to replace traditional push software distribution (as is handled by the Administrator Console and the KBOX Agent). However, the User Portal provides an elegant repository for software titles that are not required by all users. If you have installed the optional Help Desk module, the User Portal also provides a way for users to submit and track help desk tickets. KBOX Agent - The KBOX Agent is the KBOX 1000 Series technology that sits on each desktop that the KBOX 1000 Series manages. The KBOX Agent includes an application component that manages downloads, installations, and desktop inventory. The KBOX Agent also includes the KBOX Agent Management Service that initiates scheduled tasks such as inventory or software update tasks.
Organizational Components KACE Networks recognizes that a large part of IT management is tied into data management. As such, KBOX 1000 Series supports a flexible data model for managing computers, software, users and license keys: LDAP Support - The KBOX 1000 Series includes the ability to auto-discover information via the KBOX Agent or to interface with Active Directory or LDAP organizational units. Filters - Filters enable administrators to manage computers and users based on specified filter criteria. Labels - The KBOX 1000 Series offers advanced labeling capability that puts ad-hoc organizational capabilities in the hands of the software administrator.
Administrator Guide for KBOX 1000 Series, version 3.3
2
Software Deployment Components The KBOX 1000 Series supports several types of distribution packages including: Managed Installations can be configured by the administrator to run silently or in the forefront of the user’s desktop view. Within a “Managed Installation Definition” the administrator can define install, uninstall, or command-line parameters. See “Managed Installations,” on page 74 for detailed information on Managed Installations. File Synchronization is a different way to distribute content to computers with the KBOX agent software. Unlike Managed Installations, File Synchronization is used to distribute files that needs to be placed on a users’ machine without running an installer. See “File Synchronizations,” on page 89 for detailed information on File Synchronization. User Portal Packages are earmarked by administrators for user self-service. Many KACE customers use the portal for handling occasional use applications, print drivers and so on. You also can use the User Portal to resolve Help Desk issues by allowing users to download and install fixes. See “Overview of the User Portal,” on page 147 for detailed information on User Portal Packages. KBOX Agent is a special tab in the interface for managing the KBOX Agent. See the Chapter 2,“Agent Provisioning,” starting on page 14 for details on how to configure and carry out these tasks. The sections that follow describe how to configure the KBOX 1000 Series to meet the needs of your organization.
Administrator Guide for KBOX 1000 Series, version 3.3
3
Setting Up Your New KBOX server While setting up your new KBOX server, perform the following steps. 1. Unpacking the Appliance Make sure that the box in which the appliance was shipped is unpacked and is undamaged in any way. The box should include one set of inner and outer rail assemblies and the mounting screws that you need to install the system into the rack. 2. Updating DNS The KBOX requires its own static IP address. By default, the KBOX will have a hostname of “kbox.” It is highly recommended that you create a record for kbox in your domain corresponding to its static IP before starting the server and client configuration. 3. Setup Location Determine the placement of the appliance in the rack before you install the rails. The appliance should be situated in a clean, dust-free, and well ventilated area. Avoid areas where heat, electrical noise, and electromagnetic fields are generated. Place the appliance near a grounded power outlet. Use a regulating uninterruptible power supply (UPS) to protect the server from power surges, voltage spikes and to keep your system operational in power failures. Leave approximately 30 inches of clearance in the back of the rack for sufficient airflow and ease in servicing. 4. Server Network Configuration Attach a power cord, keyboard, and monitor, but do not connect a network cable at this time. Turn on the KBOX. The first time boot may require 5 to 10 minutes. At the login prompt enter: Login: konfig Password: konfig Using UP and DOWN arrows, modify the static IP address, subnet mask, default gateway, and DNS settings to match your network. Field
Suggested Value
Notes
KBOX Server (DNS) Hostname
Defaults to kbox
It is recommended that you add a static IP entry for “kbox” to your DNS, and use the default Hostname and Web Server Name. The fully-qualified domain name of the KBOX on your network is the value of Hostname concatenated with Domain (for example, kbox.kace.com). Clients will connect to KBOX using the Web Server Name, which can be the hostname, fullyqualified domain name, or IP address (for example, kbox).
Web Server Name
Defaults to kbox
Static IP Address
The IP address of the KBOX server
lDomain
The domain that the KBOX is on
Defaults to corp.kace.com
Subnet mask
Your subnet mask
Defaults to 255.255.255.0
Default gateway
The network gateway for the KBOX server
Administrator Guide for KBOX 1000 Series, version 3.3
4
Primary DNS
The primary DNS server the KBOX should use to resolve hostnames
5. After entering all values, click Apply. Then reboot the KBOX. Log in to confirm web access to the KBOX While the KBOX reboots, plug the Ethernet cable into the port closest to the KBOX power supply, and connect it to a router or hub on your network. Verify the KBOX is now online by browsing to http:// kbox/admin on another computer. If this URL doesn’t open KBOX, try http://defaultip/admin, where default ip is the static IP address that you have assigned to the KBOX. After accepting the EULA (End User License Agreement), log in using the credentials admin/admin. If you can access the KBOX Management Center successfully, it indicates that the KBOX network settings are entered correctly.
Administrator Guide for KBOX 1000 Series, version 3.3
5
Setting up your first KBOX Agent In order for workstations of servers in your environment to connect to the KBOX, they must have the KBOX agent software installed. In this section, you’ll learn how to use the KBOX to install the agent software on a machine in your environment through the KBOX interface.
1. To enable Agent Provisioning functionality: a To go to the KBOX Management Center Web page, go to http://kbox/admin in your web browser. On the KBOX Management Center Web page, click Settings | Network. b The KBOX Settings: Network page appears. Fields are grayed out. Click Edit Mode to edit the field values. c Under Optional File Share Settings at the bottom of the Web page, select the File Share Enabled check box for Agent Provisioning to work from the KBOX. d Click Apply. On clicking Apply, the KBOX will be restarted and you will lose connection to the KBOX. 2. To set up a Provisioning Configuration for a Windows PC: a To go to the KBOX Management Center Web page, go to http://kbox/admin in your web browser. On the KBOX Management Center Web page, click Distribution | KBOX Agent. b Click Provisioning Setup. The Provisioning Setup page appears. c In the Choose action box, select Add New Item. d Under Windows Platform Provisioning Settings, select the Provision this platform check box. e Enter the suggested values in the corresponding fields, as shown in the following table. For more detailed information on all of the options available and detailed instructions, refer to the chapter Agent Provisioning. Suggested Value
Notes
Config Friendly Name
My First KBOX agent installation
This is the identifying name that you will see in lists of available configurations.
Provision IP Range
Enter the IP of a Windows PC that you have access to
Your own PC would be a great example, but you can choose any machine that is accessible on the network and for which you have administrative credentials.
Field
Under “Windows Network Administrative Credentials” Domain (or workgroup)
The domain or workgroup associated with the credentials you are using
User name
An administrative account with access to the target machine
The installation requires an account with administrative privileges to work. Generally, this will be a domain administrator but it could also be a local administrator account.
Administrator Guide for KBOX 1000 Series, version 3.3
6
Password
The password for the account entered above
f Click Save to save the new configuration. 3. To set up a Provisioning Configuration for a Linux, Macintosh, or Solaris PC: a To go to the KBOX Management Center Web page, go to http://kbox/admin in your web browser. On the KBOX Management Center Web page, click Distribution | KBOX Agent. b Click Provisioning Setup. The Provisioning Setup page appears. c In the Choose action box, select Add New Item. d Under Unix (Linux, MacOSX, Solaris) Platform Provisioning Settings, select the Provision this platform check box. e Enter the suggested values in the corresponding fields, as shown in the following table. For more detailed information on all of the options available and detailed instructions, refer to the chapter Agent Provisioning.
Suggested Value
Notes
Config Friendly Name
My First KBOX agent installation
This is the identifying name that you will see in lists of available configurations.
Provision IP Range
Enter the IP of a Linux, Macintosh, or Solaris PC that you have access to
Your own PC would be a great example, but you can choose any machine that is accessible on the network and for which you have administrative credentials.
Field
Under “Network Root Credentials” User name
An administrative account with access to the target machine
Password
The password for the account entered above
The installation requires an account with administrative privileges to work. Generally, this will be a domain administrator but it could also be a local administrator account.
f Click Save to save the new configuration. 4. To Provision your machine: a On the resulting page, you can see the name of the Provisioning Configuration you just created and saved. Select the check box next to your Provisioning Configuration, and then select Run Select Configurations Now in the Choose action box. b The resulting page displays the machine that you have selected to receive the agent. On clicking the Refresh button at the bottom of the page, you can see the column under DNS Lookup update from (unknown) to In progress… to the IP or hostname when it has completed installing. 5. To verify your agent has checked in to the KBOX: a After the installation is completed, the new KBOX agent checks into the KBOX within two minutes, at which time it will provide inventory information about the machine and its software to the KBOX.
Administrator Guide for KBOX 1000 Series, version 3.3
7
b Click Inventory at the top of KBOX Management Center Web page to see a list of machines that have checked in to the KBOX. The most recent machine that has checked in will be at the top of the list, so you should see the hostname of your installed agent. 6. After following the steps above, you should now have one KBOX agent installed and checking in to the KBOX successfully. You could deploy multiple machines simultaneously by creating a configuration that identifies an IP range rather than a single IP. For more detailed information on different options and other platforms, refer to the Chapter 2,“Agent Provisioning,” starting on page 14.
Administrator Guide for KBOX 1000 Series, version 3.3
8
Alternative Deployment Options KBOX 1000 Series customers have successfully deployed the KBOX Agent using many different approaches. In addition to installing clients through KBOX Agent Provisioning as outlined above, other approaches are outlined below. For these options or to install manually on the local machine, you can find the installer files for all supported platforms on the KBOX (if you have enabled the file share) at \\kbox\client\agent_provisioning\. Email: An email notification may be sent to your users either containing the install file itself or pointing to the KBOX 1000 Series or other Web location to retrieve the required installation file. Users can click on the link and install the appropriate file. Log-in Script: Some companies use log-in scripts that provide a great mechanism for deploying the KBOX Agent at login time. If you use log-in scripts, simply post the appropriate file in an accessible directory and create the appropriate script for KBOX Agents to retrieve the file at log-in time. Below is a sample Windows login script which checks for the presence of Microsoft’s .NET framework on the client machine, and installs the appropriate components in order to deploy the KBOX Agent: ---------------------------------------------------------------------------------------------------@echo off if not exist "%windir%\microsoft.net" goto neednet echo .NET already installed. goto end :neednet start /wait \\location\ dotnetfx.exe /q:a /c:"install /l /q" :end if not exist "C:\Program Files\KACE\KBOX" goto needkbox echo KBOX Agent already installed. goto end :needkbox MsiExec.exe /qn /l* kbmsi.log /I \\location\KInstallerSetupSilent.msi ALLUSERS=2 :end -----------------------------------------------------------------------------------------------
Administrator Guide for KBOX 1000 Series, version 3.3
9
Key Configuration Settings Before you begin inventorying and actively managing the software on your network, it is important to properly configure the server. You may also want to look at the Agent Provisioning chapter for details on agent connection settings.
Configuring General settings This section covers the general server configuration settings you should modify before you begin using your KBOX 1000 Series appliance on your network. To configure General Server settings: 1. Select Settings | General. The KBOX Settings: General page appears. If fields are grayed out, you may need to click [Edit Mode] before you can edit the field values. 2. In the General Options area, specify the following settings: Company-Institution Name
Enter the name of your company.
This name appears in any pop-up windows or alerts displayed to your users.
Organization Name
Enter the name of your division or organization.
User Email Suffix
Enter the domain to which your users send email.
For example, kace.com.
Administrator Email
Enter the email address of the KBOX 1000 Series administrator.
This address will receive system-related alerts, including any critical messages.
Send crash report to KACE
Select this check box to send a report to KACE in the event of a KBOX 1000 Series crash.
This option is recommended, since it provides additional information to the Kace technical support team in case you need assistance.
Enable KACE Software Lookup Service (SLS)
Select this check box to be able to access online data about common software applications and how to deploy/ remove them and share anonymous information about the software on machines in your environment.
3. Click Set Options, to save your changes. 4. In the Clock Settings area, verify that the clock is set to the correct time, then click Set Date and Time. It is very important to keep the time of the KBOX 1000 Series accurate, as most time calculations are made on the server and is used in the Inventory tab to reflect when computers have checked into the KBOX 1000 Series. For more information, see Chapter 3,“Inventory,” starting on page 26. Note that changing the server time will require the Web server to re-initialize. This may disrupt KBOX 1000 Series operation for 10 to 15 seconds.
Administrator Guide for KBOX 1000 Series, version 3.3
10
5. Select the appropriate time zone from the drop-down list, then click Adjust Time Zone. When updating the time zone, the KBOX 1000 Series Web Server will be restarted in order for it to reflect the new zone information. Active connections may be dropped during the restart of the Web server. You may need to manually refresh this page in the browser in order to display the new zone settings. 6. In the Logo Overrides area, specify the images to display in the following areas, then click Upload Logos: User Portal
Appears at the top of the User Portal page.
Report
Appears at the top of reports generated by the KBOX 1000 Series.
KBOXClient
Appears in the KBOX Agent.
7. Machine Actions allow you to define one-click actions to carry out against KBOX Agent machines. To customize which action will be carried out, choose an action next to either Action #1 or Action #2, then click Set Actions to save the changes. You can run these Machine Actions by clicking either (Machine Action 1) or (Machine Action 2) next to the computer record on the Inventory | Computers tab. For more information, see “Overview of the Inventory Feature,” on page 27. 8. In the Network Scan Options, select the Show unreachable devices in scan inventory check box if desired, then click Set Scan Options. 9. In the Optional Ignore Client IP Setting, enter any IP addresses you would like ignored as the client IP and then click Save List. This might be appropriate in cases where multiple machines could report themselves with the same IP address, like a proxy address.
Configuring KBOX Network settings The key KBOX network settings were mostly configured when you first logged into the KBOX using the konfig/konfig credentials, but an administrator can verify or change the settings at any time on the KBOX 1000 Series. Any changes made to the Network settings on this page will force the KBOX to reboot after saving. Total reboot downtime should be 1 to 2 minutes provided that the changes result in a valid configuration.
Administrator Guide for KBOX 1000 Series, version 3.3
11
To configure KBOX network settings: 1. Select Settings | Network. The KBOX Settings: Network page appears. Fields are grayed out. Click [Edit Mode] to edit the field values. Field
Suggested Value
Notes
KBOX Server (DNS) Hostname
kbox
As noted above, we recommend adding a static IP entry for “kbox” to your DNS, and using the default Hostname and Web Server Name. The fully-qualified domain name of the KBOX on your network is the value of Hostname concatenated with Domain (for example, kbox.kace.com). Clients will connect to KBOX using the Web Server Name, which can be the hostname, fully-qualified domain name, or IP address (for example, kbox).
Static IP Address
The IP address of the KBOX server
Be extremely careful when changing this setting. If the IP is entered wrongly, the KBOX could become difficult to locate on the network.
Domain
The domain that the KBOX is on
Defaults to corp.kace.com
Subnet mask
Your subnet mask
Defaults to 255.255.255.0
Default gateway
Your default gateway
Primary DNS
The primary DNS server the KBOX should use to resolve hostnames
Secondary DNS
The secondary DNS server the KBOX should use to resolve hostnames
Network Speed
Your network speed
SMTP Server
To enable email notifications through an external SMTP server, set the server name here.
The server named here must allow anonymous (non-authenticated) outbound mail transport.
SSH enabled
Unchecked
It is more secure to leave this option turned off unless Kace technical support needs remote access to the KBOX.
KBOX Web Server Name
The secondary DNS server is optional.
2. Under the Optional Network Time settings, indicate whether the KBOX should consult a Network Time Server and what the server’s hostname is. 3. In the Optional Proxy Settings area, specify the following proxy settings, if necessary: Specify the proxy type, either HTTP or SOCKS5 in the Proxy Type list. Specify the name of the proxy server in the Proxy Server field. Specify the port for the proxy server, the default port is 8080 in the Proxy Port field. Select the Proxy (Basic) Auth check box to use the local credentials for accessing the proxy server.
Administrator Guide for KBOX 1000 Series, version 3.3
12
Specify the user name for accessing the proxy server in the Proxy Username field. Specify the password for accessing the proxy server in the Proxy Password field. 4. In the Optional SSL Settings area, specify the following SSL settings, if desired: a Select the SSL Enabled on port 443 check box to have clients check in to the KBOX server using https. A properly signed SSL Certificate is required to enable SSL. Certificates should be supported by a valid Certificate Authority. SSL settings should only be adjusted after you have properly deployed the KBOX 1000 Series on your LAN in non-SSL mode. If you are enabling SSL, you will need to identify the correct SSL Private Key File and SSL Certificate File. The files must be in Privacy Enhance Mail (PEM) format, similar to those used by Apache-based Web servers and not in the PCKS-12 format used by some Web servers. It is possible to convert a PCKS12 certificate into a PEM format using software like the OpenSSL toolkit. Please contact KACE Technical Support if you wish to enable SSL on you KBOX. b Clear the Enable port 80 access check box. When you activate SSL, port 80 will continue to be active, unless you uncheck this option. By default, the standard KBOX Agent installers will attempt to contact the KBOX via port 80, then switch to SSL over port 443, after getting the server configuration. If you disable port 80, you will need to contact KACE support to adjust the agent deployment scripts to handle SSL. For ease of agent deployment, leaving port 80 active is suggested. c In the Set SSL Private Key File field, browse for the SSL Private Key file. To enable SSL, you need to identify the correct SSL Private Key file. d In the Set SSL Certificate File field, browse for the signed SSL Certificate. To enable SSL, a signed SSL Certificate is required. 5. In the Optional File Sharing Settings area, turn on the server’s File Share by selecting the File Share Enabled check-box. The default password for this share is admin. Files in this share are available at \\kbox\client\. Typically, this is used to access agent provisioning files. If you are not provisioning clients, it is recommended that you leave this option disabled. 6. In the Optional Security Settings area, specify the following security settings: a Clear the Enable backup via ftp check box. Nightly the KBOX creates a backup of the database and the files stored on it. By default, the KBOX allows you to access these files via a read-only ftp server. This would allow you to create a process on another server that pulls this information off the physical KBOX. If you do not need this feature and would prefer to disable the FTP server, you can turn off this option. b Clear the Enable SNMP monitoring check box. SNMP is a network / appliance monitoring protocol that supported by many third party products. If you do not want to expose the KBOX SNMP data, turn off this option. c Clear the Enable database access check box. The KBOX database is accessible via port 3306, to allow you to run reports via an off board tool like Access or Excel. If you do not need to expose the database in this way, you can uncheck this option. 7. In the Network Utilities area, select the desired network utility option from the drop-down list, and then click Test. 8. Click Apply to save any settings on this page, at which time the KBOX will reboot.
Administrator Guide for KBOX 1000 Series, version 3.3
13
C H A P T E R 2
Agent Provisioning The Agent Provisioning feature enables you to install the KBOX agent on machines in your environment directly from the KBOX. You could deploy multiple machines simultaneously by creating a configuration that identifies an IP range rather than a single IP. The procedure for Agent Provisioning varies for Windows and non-Windows operating systems. This chapter contains the following sections: “Single Machine Provisioning,” on page 15 “Provisioning Setup,” on page 16 “Provisioning Results,” on page 21 “KBOX Agent Settings,” on page 22 “KBOX Agent Update,” on page 24
Single Machine Provisioning Single Machine Provisioning provides an easy way for first time deployment of KBOX Agent Technologies to target managed computers. It assumes some default values for settings such as TCP ports, Time outs, KBOX sever name, etc. To quickly deploy KBOX Agent Technologies on a single machine: 1. Select Distribution | KBOX Agent. The KBOX Agent Distribution & Management page appears. 2. Click Single Machine Provisioning. The Single Machine Provisioning page appears. 3. Enter the details as shown in the following table. Target IP
Enter the IP address of the target machine.
Action
Click Install Agent to install the Agent or click Remove Agent to remove the Agent.
Platform
Click the appropriate platform.
KBOX Agent Version
This field displays the KBOX Agent version number.
Domain (or Workgroup)
Enter the domain or workgroup name associated with the credentials you enter below. Note: This field is available only if the platform selected is Windows.
User Name (admin level)
Enter a username that will have the necessary privileges to install on the targeted machines.
Password
Enter the password for the account listed above.
4. Click Run Now to first save the current configuration with a default name as Simple configuration IP Address and immediately run the configuration against the targeted IP.
Administrator Guide for KBOX 1000 Series, version 3.3
15
Provisioning Setup KBOX Agent Provisioning provides a method for the first time deployment of KBOX Agent software to targeted computers. A provisioning configuration identifies one or more IP addresses for the first time deployment or removal of the KBOX Agent. The target IP address is tested for the existence of an agent and if none, will execute a remote install of the agent directly from the KBOX. The provisioning installers are located on the KBOX in the following network share: \\KBOX\client\agent_provisioning where "KBOX" is defined as the hostname of your KBOX (e.g. "kbox" by default); The provisioning files are located in their respective "platform" subdirectories (e.g. Windows files located in the "windows_platform" directory). IMPORTANT: To activate provisioning functionality you must enable the KBOX's file share via the Network Settings Page. Additionally, for the Windows target platform the following must be configured: On Windows XP, "Simple File Sharing" must be turned off. KBOX Provisioning requires standard file sharing with its associated security model. Having "Simple File Sharing" enabled could cause a "LOGON FAILURE" as simple file sharing does not support administrative file shares and associated access security. If Windows Firewall is turned ON, "File and Print Sharing" must be enabled in the Exceptions list of the Firewall Configuration. By default the KBOX will verify the availability of ports 139 and 445 on each target machine before attempting to execute any remote installation procedures. You can choose either Auto Provisioning or Manual Provisioning. Auto Provisioning allows you to provide target IP Range for Provisioning. Manual Provisioning allows you to enter IPs manually and also pick up machines from IP Scan and Inventory. To Add a New Item to Provisioning Setup using Auto Provisioning: 1. Select Distribution | KBOX Agent. The KBOX Agent Distribution & Management page appears. 2. Click Provisioning Setup. The Provisioning Setup page appears. 3. In the Choose action box, select Add New Item. The Provisioning Configuration page appears. 4. Under the General Settings area, select the Auto Provisioning option. 5. Enter the general settings details as shown in the following table. Config Friendly Name
Enter a name for your agent provisioning configuration. Make sure that your configuration names are very specific so that you can differentiate between different configurations.
Provisioning IP Range
Enter IP or IP range. Use hyphens to specify individual IP class ranges, for example, 192 168 2-5 1-200.
Configuration Enabled
Select this check box to enable the configuration.
KBOX Server Name
By default, this is the name of the KBOX you are provisioning agents from. Under normal circumstances, there would be no reason to change this value. If you have multiple KBOX servers, then you could enter another KBOX server name here.
DNS Lookup Enabled
Select this check box to enable DNS lookup.
Administrator Guide for KBOX 1000 Series, version 3.3
16
Name Server for Lookup
This field will default to the DNS server that the KBOX has entered as its primary DNS server under Network settings. Enter the name of another DNS server here, if needed.
Lookup Time Out
Enter the time period after which a DNS lookup will time out
6. If the targeted machine(s) are operating on the Windows platform, then enter details as shown in the following table. Provision this platform
Select this check box.
KBOX Agent Version
This field displays the KBOX Agent version number.
Agent Identification Port
The agent identification port is a port that installed agents would already have open and in use, indicating that we should not try to install the agent again. By default that port number is 52230. If you are using a different port number for this, you can change the port number listed here.
Required open TCP Ports
Enter the list of required open TCP ports. These are the ports the KBOX will use to access the target machine for installation of the KBOX Agent.
Port Scan Time Out
Enter a time period in seconds.
Bypass Port checks
Select this check box to avoid port checks. Selecting this indicates that the KBOX should simply try to install, without checking ports listed above.
Enable Debug Info
Select this check box to enable debug info. By enabling this check box more debug info will be displayed in the machine’s provisioning results.
Remove KBOX Agent
Selecting this check box reverses the logic of this provisioning config, indicating you will use it to remove the KBOX agent from machines rather than installing those agents.
Remove Config.xml file
Select this check box to remove the Config.xml file while removing the Agent.
Domain (or Workgroup)
Enter the domain or workgroup name associated with the credentials you enter below.
User Name (Admin level)
Enter a username that will have the necessary privileges to install on the targeted machines.
Password
Enter the password for the account listed above.
If the targeted machines are operating on the Linux, Macintosh, or Solaris platform, then enter details as shown in the following table. Provision this platform
Select this check box.
Required open TCP Ports
Enter the list of required open TCP ports. These are the ports the KBOX will use to access the target machine for installation of the KBOX Agent.
Port Scan Time Out
Enter a time period in seconds.
Administrator Guide for KBOX 1000 Series, version 3.3
17
Bypass Port Checks
Select this check box to avoid port checks. Selecting this indicates that the KBOX should simply try to install, without checking ports listed above.
Remove KBOX Agent
Selecting this check box reverses the logic of this provisioning config, indicating you will use it to remove the KBOX agent from machines rather than installing those agents.
User Name (admin level)
Enter a user name that will have the necessary privileges to install on the targeted machines.
Password
Enter the password for the account listed above.
7. Under Scheduling, select the appropriate check box and schedule to run the configuration. By choosing a regular schedule, the KBOX will periodically check machines in this IP range to make sure that they have the KBOX agent and install/reinstall as appropriate. 8. To save the Provisioning Configuration, click Save. On clicking Save, the Provisioning Results page appears. You can also click Run Now to save the current configuration and immediately run the configuration against the defined IP range. To cancel the configuration, click Cancel. Deleting a configuration will delete all associated target machines in the provisioning inventory list. Altering or updating a configuration will reset the data in the associated target machine list to the default settings until the subsequent provisioning run. You can also deploy the KBOX agent manually. For more information on the manual deployment of the KBOX agent on Linux, Solaris, and Macintosh, see Appendix C,“Manual Deployment of KBOX Agent,” starting on page 216. To Add a New Item to Provisioning Setup using Manual Provisioning: 1. Select Distribution | KBOX Agent. The KBOX Agent Distribution & Management page appears. 2. Click Provisioning Setup. The Provisioning Setup page appears. 3. In the Choose action box, select Add New Item. The Provisioning Configuration page appears. 4. Under the General Settings area, select the Manual Provisioning option. 5. Enter the general settings details as shown in the following table. Config Friendly Name
Enter a name for your agent provisioning configuration. Make sure that your configuration names are very specific so that you can differentiate between different configurations.
Target IPs
Enter the IP address of the target machine or click Help me pick machines.
Provisioning IP Range
Enter IP or IP range. Use hyphens to specify individual IP class ranges, for example, 192 168 2-5 1-200.Click Add All to add all machines in the specified range.
IP Scan Computers
From the IP Scan Computers drop-down list, select a machine to add to the Target IPs list. This drop-down list is populated from the Network Scan Results. You can filter the list by entering any filter options. Click Add All to add all machines displayed in the list.
Administrator Guide for KBOX 1000 Series, version 3.3
18
Inventory Computers
From the Inventory Computers drop-down list, select a machine to add to the Target IPs list. This drop-down list contains all the computers in the inventory. You can filter the list by entering any filter options. Click Add All to add all machines displayed in the list.
Configuration Enabled
Select this check box to enable the configuration.
KBOX Server Name
By default, this is the name of the KBOX you are provisioning agents from. Under normal circumstances, there would be no reason to change this value. If you have multiple KBOX servers, then you could enter another KBOX server name here.
DNS Lookup Enabled
Select this check box to enable DNS lookup.
Name Server for Lookup
This field will default to the DNS server that the KBOX has entered as its primary DNS server under Network settings. Enter the name of another DNS server here, if needed.
Lookup Time Out
Enter the time period after which a DNS lookup will time out.
6. If the targeted machine(s) are operating on the Windows platform, then enter details as shown in the following table. Provision this platform
Select this check box.
KBOX Agent Version
This field displays the KBOX Agent version number.
Agent Identification Port
The agent identification port is a port that installed agents would already have open and in use, indicating that we should not try to install the agent again. By default that port number is 52230. If you are using a different port number for this, you can change the port number listed here.
Required open TCP Ports
Enter the list of required open TCP ports. These are the ports the KBOX will use to access the target machine for installation of the KBOX Agent.
Port Scan Time Out
Enter a time period in seconds.
Bypass Port checks
Select this check box to avoid port checks. Selecting this indicates that the KBOX should simply try to install, without checking ports listed above.
Enable Debug Info
Select this check box to enable debug info. By enabling this check box more debug info will be displayed in the machine’s provisioning results.
Remove KBOX Agent
Selecting this check box reverses the logic of this provisioning config, indicating you will use it to remove the KBOX agent from machines rather than installing those agents.
Remove Config.xml file
Select this check box to remove the Config.xml file while removing the Agent.
Domain (or Workgroup)
Enter the domain or workgroup name associated with the credentials you enter below.
User Name (admin level)
Enter a username that will have the necessary privileges to install on the targeted machines.
Password
Enter the password for the account listed above.
Administrator Guide for KBOX 1000 Series, version 3.3
19
7. If the targeted machines are operating on the Linux, Macintosh, or Solaris platform, then enter details as shown in the following table. Provision this platform
Select this check box.
Required open TCP Ports
Enter the list of required open TCP ports. These are the ports the KBOX will use to access the target machine for installation of the KBOX Agent.
Port Scan Time Out
Enter a time period in seconds.
Bypass Port checks
Select this check box to avoid port checks. Selecting this indicates that the KBOX should simply try to install, without checking ports listed above.
Remove KBOX Agent
Selecting this check box reverses the logic of this provisioning config, indicating you will use it to remove the KBOX agent from machines rather than installing those agents.
User Name (admin level)
Enter a user name that will have the necessary privileges to install on the targeted machines.
Password
Enter the password for the account listed above.
8. Under Scheduling, select the appropriate check box and schedule to run the configuration. By choosing a regular schedule, the KBOX will periodically check machines in this IP range to make sure that they have the KBOX agent and install/reinstall as appropriate. 9. To save the provisioning configuration, click Save. On clicking Save, the Provisioning Results page appears. You can also click Run Now to save the current configuration and immediately run the configuration against the defined IP range. To cancel the configuration, click Cancel. Deleting a configuration will delete all associated target machines in the provisioning inventory list. Altering or updating a configuration will reset the data in the associated target machine list to the default settings until the subsequent provisioning run.
Administrator Guide for KBOX 1000 Series, version 3.3
20
Provisioning Results Provisioning Results shows you a list of computers which match Agent Provisioning Configurations that you currently have. This list could include machines that have had the Agent installed or which have been discovered by the Configuration. You can view target provisioning and configuration information. Target info results from the most recent provisioning configuration run or execution. Provisioning execution targets the various IP addresses and for each target (node) the execution evaluates the IP addresses availability, agent status, port configuration, etc. The results and logs of each provisioning step are displayed. To View Provisioning Results: 1. Select Distribution | KBOX Agent. The KBOX Agent Distribution & Management page appears. 2. Click Provisioning Results. The Provisioning Results page appears. 3. To view provisioning target information and provisioning configuration information, click the IP Address of the required machine. The KBOX Agent Provisioning page appears. You can take print outs of this page. Click Printer Friendly Version to see a print view of the page.
4. You can view computer inventory by clicking computer inventory under Provisioning Target Info. For more information on computer inventory, see “Adding computers to inventory,” on page 37. 5. To view the DNS lookup details, click the required DNS Lookup on the List Page. If selected, live addresses will be checked against the DNS server to see if they have agent provisioning configured.
Administrator Guide for KBOX 1000 Series, version 3.3
21
KBOX Agent Settings The KBOX Agent Settings options configure the KBOX to properly operate in your computing environment. These options specify how often the client runs on the user desktop and within that run how often a full desktop computer inventory is performed. The "KBOX Agent" options specify how often a KBOX Agent will check in to the KBOX and how often that agent will perform a full computer inventory. For example, a default Run Interval of 30 minutes means that those computers with KBOX Agents installed will check in to the KBOX 1000 Series appliance every 30 minutes. To Configure KBOX Agent: 1. Select Distribution | KBOX Agent. The KBOX Agent Distribution & Management page appears. 2. Click KBOX Agent Settings. The KBOX Agent Settings page appears showing your current agent setting details. These settings are what control the schedule and frequency of your KBOX agents checking in. 3. To edit agent settings, click [Edit Mode]. The KBOX Agent Settings page appears in edit mode. 4. Specify the following agent options Suggested Setting
Field
Notes
Communications Window
12:00 am to 12:00 am
The interval during which the KBOX Agent is allowed to communicate with the KBOX 1000 Series appliance. For example, to allow the KBOX Agent to connect between 1 AM and 6 AM only, select 1:00am from the first drop-down list, and 6:00am from the second.
Agent “Run interval”
1 hours
The interval that the KBOX Agent will check in to the KBOX 1000 Series. Each time a KBOX Agent connects, it will reset its connect interval based on this setting. The default setting is once per hour.
Agent “Inventory Interval”
0
The interval (in hours) that the client KBOX 1000 Series appliance will inventory the computers on your network. If set to zero, the KBOX 1000 Series will inventory clients at every Run Interval.
Agent “Download Throttle”
100
The maximum number of desktop clients that can be downloading packages at one point in time. Packages will not be deployed on machines after the Package Download Throttle has been reached. For example, if the throttle is set to 100 and 100 clients are connected and receiving a deployment, the 101st client will be deferred until another connection point.
Agent “Splash Page Text”
KBOX is verifying your PC Configuration and managing software updates. Please Wait...
The message that appears to users when communicating with the KBOX 1000 Series.
Administrator Guide for KBOX 1000 Series, version 3.3
22
Scripting Update Interval
15 minutes
How often the KBOX Agent should download new script definitions. The default interval is 15 minutes.
Scripting Ping Interval
600 seconds
How often the KBOX Agent should test the connection to the KBOX 1000 Series appliance. The default interval is 600 seconds.
Agent Log Retention
Agent Log Retention disallows the server to store the scripting result information that comes up from the agents. The default is to store all the results. This can have a performance impact on the KBOX. Turning this off, gives you less information about what each client is doing, but will allow the agent checkins to process faster.
5. Click Save to save the KBOX agent settings configuration. On clicking Save, the KBOX Agent Settings page appears in read only mode. These changes will be reflected by agents as of the next time they check into the KBOX.
Administrator Guide for KBOX 1000 Series, version 3.3
23
KBOX Agent Update The KBOX Agent Update feature allows you to automatically update the KBOX Agent software for some or all machines that are checking in your KBOX. KBOX Agent deployments are automatically updated as new agent updates are posted to this area. The KBOX Agent package that you post to the server from this page should be an official KBOX Agent Release received from KACE directly. Before updating KBOX Agent, make sure that you have downloaded and saved locally the following files: update_3.1.XXXX.bin for WINDOWS, where XXXX is the build number. update_mac_3.1.XXXX.bin for Macintosh, where XXXX is the build number. update_linux_3.1.XXXX.bin for Linux, where XXXX is the build number. update_solaris_3.1.XXXX.bin for Solaris, where XXXX is the build number. To Update KBOX Agent Automatically: 1. Select Distribution | KBOX Agent. The KBOX Agent Distribution & Management page appears. 2. Click KBOX Agent Update. The KBOX Agent Automatic Update page appears. 3. Specify the agent updates as shown in the following table. Notes & Version Info
Enter any release notices or version information about the agent.
Enabled
Select this check box to upgrade the Agent the next time the machines check in to KBOX.
Update broken clients
Select this check box to update those machines that are running checking in with the KBOX for new agent versions, but are unable to successfully report inventory information to KBOX. This setting overrides the Limit Update to: settings. From a broken client like this, you could force it to check for a new version of the Agent software by running kupdater.exe manually.
Limit Updates to
Specify a label for automatic upgrades. The upgrades will only be distributed to machines assigned to those labels, except if they are identified as a “broken client” above.
Microsoft Windows/ Apple Mac/Linux/ Solaris
Click Browse to upload the KBOX Client Patch. This file name should be something like update_3.3.8872.bin, although the exact name will depend on which operating system you are updating. Anything other than an official update bin file will fail to properly deploy. The Update Version ID appears on uploading the file.
4. To save the new agent updates, click Save. You can update agents on all platforms at once using a client bundle. To update agents using a client bundle: 1. Download the kbox_patch_agents_xxx.bin file and save it locally. 2. Select Settings | Server Maintenance. 3. Scroll down and click the [Edit Mode] link. 4. Under Update KBOX, click Browse, and locate the update file you just downloaded. 5. Click Update KBOX.
Administrator Guide for KBOX 1000 Series, version 3.3
24
Do not install the client bundle in the KBOX Agent Update link of the KBOX Agent tab. The client bundle must be installed in the Settings | Server Maintenance | Update KBOX section of the Administrator console.
Administrator Guide for KBOX 1000 Series, version 3.3
25
C H A P T E R 3
Inventory The KBOX 1000 Series Inventory feature lets you identify machines and software on your network and organize computers by using labels and filters. “Overview of the Inventory Feature,” on page 27 “Using Advanced Search,” on page 29 “Understanding Computer Details,” on page 34 “Adding computers to inventory,” on page 37 “Software Inventory,” on page 38 “Monitoring out-of-reach Computers,” on page 42 “Labels,” on page 43 “Software Metering,” on page 45 “Processes,” on page 48,” “Startup,” on page 50,” “Service,” on page 51” “Software Lookup Services,” on page 52
Overview of the Inventory Feature Inventory is collected by the KBOX Agent and reported when computers check in with the KBOX 1000 Series. The data is then listed on one of the Inventory tabs: Computers, Software, or MIA. The inventory data is collected automatically according to the schedule specified under the Distribution |KBOX Agent | Provisioning Results. Although it is presented under the Inventory tab, the IP Scan feature is discussed in its own chapter. For information about this feature, see Chapter 5,“IP Scan,” starting on page 66.
Click to run Machine Action
Click to create notification filter
Click to create search filter
The computer’s machine name and labels to which the computer
The last time the machine checked in
Use drop-down to filter view by label
Figure 3-1: Inventory - Computers tab The Computer Search & Filter page displays the computer’s IP address and the user connected to it. Clicking the blue icon beside the IP address invokes a remote desktop connection if the computer is online and if remote desktop is configured. From the Computers tab you can: Search by keyword or invoke an Advanced Search Create a Filter to apply labels to computers automatically Create Notifications based on computer attributes Add/delete new computers manually Filter the Computer Listing by label
Administrator Guide for KBOX 1000 Series, version 3.3
27
Apply or remove labels Show or hide labels To view details about a computer click the machine name.
Administrator Guide for KBOX 1000 Series, version 3.3
28
Using Advanced Search Although you can search computer inventory using keywords like Windows XP, or Acrobat, those types of searches might not give you the level of specificity you need. Advanced search, on the other hand, allows you to specify values for each field present in the inventory record and search the entire inventory listing for that value. This is useful, for example, if you needed to know which computers had a particular version of BIOS installed in order to upgrade only those affected machines. To specify advanced search criteria: 1. Click the Advanced Search tab. 2. Select a field from the drop-down list. 3. Specify the search parameters, then enter the value to search for. 4. Click Search.
Creating Search Filters Filtering provides a way to dynamically apply a label based on search criteria. It is often helpful to define filters by inventory attribute. For example, you could create a label called “San Francisco Office” and create a filter based on the IP range or subnet for machines in San Francisco. Whenever machines check in that meet that attribute, they would receive the San Francisco label. This is particularly useful if your network includes laptops that often travel to remote locations.
This feature assumes that you have already created labels to associate with a filter. For information about creating labels, see “Labels,” on page 43.
The table below lists some examples of useful filters that could be applied to a machine based on its inventory attributes: Filter Examples Sample Label Name
Sample Condition
XP_Low_Disk
Windows XP Machine with less than 1 GB of free hard disk at last connection
XP_No_HF182374
Windows XP Machine without Hotfix 18237 installed at last connection
Building 3
Machine connecting to the KBOX 1000 Series is detected in a specified IP range known to originate in building 3.
CN_sales
Computers connecting where computer name contains the letters “sales”.
Table 3-2: Filter Examples
Administrator Guide for KBOX 1000 Series, version 3.3
29
To create a filter: 1. Select Inventory | Computers, then click the Create Filter tab. The Filter criteria fields appear. 2. Specify the search criteria. 3. Choose the label to associate with the filter. 4. To see whether the filter produces the desired results, click Test Filter. 5. Click Create Filter to create the filter. Now, whenever machines that meet the specified filter criteria check into the KBOX 1000 Series, they will automatically be assigned to the associated label. You can modify or delete a filter after it has been created on the Reporting | Filters tab.
Administrator Guide for KBOX 1000 Series, version 3.3
30
Creating Computer Notifications You can also use the Notification feature to search the inventory for computers that meet certain criteria, such as disk capacity or OS version, and then send an E-mail automatically to an administrator. For example, if you wanted to know when computers had a critically low amount of disk space left, you could specify the search criteria to look for a value of 5MB or smaller in the Disk Free field, and then notify an administrator who can take appropriate action. To create a notification: 1. Select Inventory | Computers, and then click the Create Notification tab. 2. Specify the search criteria. 3. Specify a title for the search. 4. Enter the mail address of the recipient of the notification. 5. To see whether the filter produces the desired results, click Test Notification. 6. Click Create Notification to create the notification. Now, whenever machines that meet the specified notification criteria check into the KBOX 1000 Series, an mail will automatically be sent to the specified recipient. You can modify or delete a notification after it has been created on the Reporting | Email Alerts tab.
Filtering Computers by Organizational Unit If you want to filter computers based on an Organizational Unit found in LDAP or AD, you can create LDAP Filters to do this from the Reporting | LDAP Filters tab. LDAP Filters allow the automatic labeling of machine records based on LDAP or Active Directory interaction. The search filter will be applied to the external server and should any entries be returned then automatic labeling results. If the external server requires credentials for administrative login (aka non-anonymous login), supply those credentials. If no LDAP user name is given, then an anonymous bind will be attempted. Each LDAP filter may connect to a different LDAP/AD server. Figure 3-3: LDAP Filters tab You may bind to an LDAP query based on the following KBOX 1000 Series variables: Computer Name Computer Description Computer MAC IP Address User Name User Domain Domain User.
Administrator Guide for KBOX 1000 Series, version 3.3
31
To create an LDAP Filter: 1. Select Reporting |LDAP Filters. 2. Select Add New Item from the Choose action drop-down list. The LDAP Filter: Edit Detail page appears. 3. Enter the following information: Enabled
Select this check box to enable.
Filter Type
Select the filter type.
Associated Label Name
Select the label to associate with this filter.
Associated Label Notes
If any notes were entered in the label definition, those would appear here under Associated Label Notes.
Server Host Name
Specify the IP or the Host Name of the LDAP Server. Note: For LDAPS, use the IP or the Host Name, as ldaps:// HOSTNAME
LDAP Port Number
Specify the LDAP Port number which could be either 389 / 636 (LDAPS).
Search Base DN
Specify the Search Base DN. For example: CN=Users,DC=kace,DC=com
Search Filter
Specify the Search Filter. For example: (&(sAMAccountName=admin)(memberOf=CN=financial,DC=ka ce,DC=com))
LDAP Login
Specify the LDAP login. For example: LDAP Login: CN=Administrator, CN=Users,DC=kace=com
LDAP Password
Specify the password for the LDAP login.
If you are unable to fill in the information for Search Base DN and Search Filter, you can use the LDAP Browser Wizard. For more information on how to use the LDAP Browser Wizard, refer to “LDAP Browser Wizard,” on page 155. 4. Click Save. Each time a machine checks into the KBOX 1000 Series, this query will run against the LDAP server. The admin value in the 'Search Filter' will be replaced with the name of the user that is logged onto this machine. If a result is returned, then the machine gets the label specified in the Associated Label field. NOTE: To test your Filter, click the Test button and review the results.
Administrator Guide for KBOX 1000 Series, version 3.3
32
You can also create an LDAP Filter using the LDAP Browser. To create an LDAP Filter using the LDAP Browser: 1. Select Reporting |LDAP Filters. 2. Select Add New Item Using LDAP Browser from the Choose action drop-down list. The LDAP Filter: Edit Detail page appears. 3. Enter the following information: Enabled
Select this check box to enable.
Filter Type
Select the filter type.
Associated Label Name
Select the label to associate with this filter. This field is mandatory.
4. Click Next to configure the LDAP settings. The LDAP Browser Wizard is displayed. For more information on how to use the LDAP Browser Wizard, refer to “LDAP Browser Wizard,” on page 155.
Administrator Guide for KBOX 1000 Series, version 3.3
33
Understanding Computer Details From the Computers tab, you can select a computer in inventory and view its details. The Computer Detail page provides details about a computer’s hardware, software, install, patch, help desk, and OVAL vulnerability history, among other attributes. The following sections describe each of the detail areas on this page. To expand or collapse the sections, click the + sign next to the section headers.
Computer Identity Information This section provides information to help identify the computer on your network, including its name, description, IP address and KACE ID, among other attributes. You also can see the last time this computer checked in to the KBOX 1000 Series, and the last time the computer record was changed.
Help Tickets This section provides a list of the Help Desk Tickets associated with this machine. These can either be Tickets assigned to the machine owner or Tickets submitted by the machine owner. To view a Help Desk Ticket’s details, click the Ticket ID (for example, TICK:0032).
Operating System Info This section provides details about the computer’s operating system including installed OS and service packs, OS version number and build, and the date and time of OS installation. The Current Uptime and Last System Reboot fields tell you at a glance, whether the machine has been rebooted recently, which could indicate whether or not OS updates have been applied.
User Information Because many computers can be used by more than one individual, the User Information section provides details about the most recent user of this computer, including his or her user name and domain.
Manufacturer and BIOS Info This section displays the computer’s make and model, as well as its BIOS details, such as name, version, and serial number. If the computer is manufactured by Dell, there also is a hot button link directly to the Dell Web site where you can view the support record for this computer, including the days left on the support agreement, and also compare the original and current system configurations.
Processor and Computer Memory This section displays the processor type and speed, total and used RAM, and current and maximum registry size.
Network Interfaces This section displays the type and version of NIC card installed in the computer, as well as the computer’s MAC and IP addresses, and indicates whether or not DHCP is enabled.
Administrator Guide for KBOX 1000 Series, version 3.3
34
Drive Information This section specifies the configuration of drives installed on the computer (e.g., CD/DVD-ROM drive), and displays the total and used disk space amounts for each hard disk installed.
Motherboard and related Hardware This section displays information about the computer’s motherboard, as well as other hardware details like sound card and video controller(s).
Process List This section lists all of the processes that are currently running on this computer. This list is the same as would be displayed on the computer’s Task Manager | Processes tab.
Installed Programs This section displays the titles and versions of software programs installed on this computer. The programs listed here are the same as would be listed on the computer’s Add/Remove Programs List.
Installed Patches This section lists all of the Microsoft patches that have been installed on this computer.
Startup Programs This section displays all of the programs that are configured to launch when this computer starts up. These are the same programs listed in the computer’s Start | All Programs | Startup menu.
Services This section displays all of the services that are running on this machine. On clicking any of the services the service: edit service detail page is displayed. The fields on this page represent the service detail information that is automatically discovered and communicated from the KBOX Agent.
Harmful Items (Threat Level 5) This section displays the items that have threat level 5. Whenever you set threat level 5 – harmful to any software, process, startup item and service associated with this machine, it is displayed in this list.
Printer List This section displays all of the printers that this computer is configured to use. This is the same information that is located in the computer’s Start | Printers and Faxes window.
Uploaded Files This section displays a list of the files that have been uploaded to the KBOX 1000 Series from this machine using the “upload a file” script action.
Custom Inventory Fields This section lists any Custom Inventory fields that were created for this machine, along with the field name and value.
Administrator Guide for KBOX 1000 Series, version 3.3
35
Customer Information This section contains notes entered during the creation of the computer’s inventory record, and is the only editable section on this page. You can append or delete any notes in this field. Click Save after editing this field.
Asset Information This section displays the details of the Asset that is associated with that machine. Details such as the date and time when the Asset record was created, the date and time when it was last modified, type of the asset and name of the asset are displayed.
Asset History This section displays the changes done to the Asset of that machine. It lists all the changes along with the date and time when each change was done.
KBOX Agent Logs This section displays the logs for the KBOX Agent application, updates to scripts run on this machine, and the current status, if available, of any activity currently in progress. A question mark (?) in the status column indicates that the KBOX Agent hasn’t checked in yet, therefore its status is unknown.
Portal Install Logs This section provides details about User Portal packages installed on this machine.
Scripting Logs This section lists the Configuration Policy scripts that have been run on this computer, along with the status, if available, of any scripts in progress.
OVAL Vulnerability Results This section displays the results of OVAL Vulnerability tests run on this machine. Only tests which failed on this computer are listed by the OVAL ID and marked as Vulnerable. Tests which passed are grouped together and marked as Safe.
Failed Managed Installs This section displays a list of Managed Installations that failed to install on this machine. To access details about the Managed Installation, click the link to view the Managed Software Installation detail page.
Labels This section displays the label assigned to that machine. Labels are used to organize and categorize machines
Failed Patches This section displays a list of any patch bulletins that failed to install on this machine. To access more details about the patches click the link to view the bulletin detail page.
To Install List This section lists the Managed Installations that will be sent to the machine the next time it connects.
Administrator Guide for KBOX 1000 Series, version 3.3
36
Adding computers to inventory The KBOX 1000 Series provides the convenience of adding computers to inventory automatically, which is especially useful when you maintain a large number of computers on your network. However, the KBOX 1000 Series also provides the flexibility to add computers to inventory manually should you need to. For example, you can track computers that do not currently have KBOX Agent support or computers that are not available on your LAN.
Adding computers automatically To add computers automatically, you can perform a IP scan, which will gather data about all of the computers on your network, including software installed on them, and create inventory records for them. In addition, installing the KBOX Agent on the computers on your network will cause them to check in to the KBOX 1000 Series and upload all of the available inventory data. For more information about IP Scans, see Chapter 5,“IP Scan,” starting on page 66.
Adding computers manually If you have machines on your network that are not connected to your LAN, but you still want to be able to maintain inventory data in one central place, you can add those computers to the KBOX 1000 Series manually from the Inventory | Computer tab. To add a computer to inventory manually: 1. Select Inventory | Computers tab. 2. Select Add New Item from the Choose action drop-down list. The Computer: Edit Computer Detail page appears. 3. Specify the requested computer details. For an example of the requested information, view the computer record of a machine that is already listed in inventory. 4. If you prefer, you can import the machine.xml file for this computer. The KBOXClient.exe can take an optional command line parameter -inventory. To configure this, type: KBOX Agent/exe-inventory The KBOX Agent collects the inventory data and generates a file called machine.xml, which you can upload here. If you choose this option, the KBOX 1000 Series ignores all other field values on this screen.
Administrator Guide for KBOX 1000 Series, version 3.3
37
Software Inventory In addition to the computers on your network, the KBOX 1000 Series Inventory feature also keeps an inventory of the software titles installed on each of the computers in inventory. From the Inventory | Software tab you can see at a glance all of the software installed across your network. By default, the Software List shows only the first 100 (in alphabetical order) software titles detected. To view all software installed, click the Show All link. From the Software List page you can: Add or delete software Add or remove labels Sort the view by label. To view the details of a software title, click the linked name.
Administrator Guide for KBOX 1000 Series, version 3.3
38
Adding Software to Inventory As with computers, you can add software to inventory either automatically or manually. The KBOX 1000 Series provides the convenience of adding software titles to inventory automatically, which is especially useful when you maintain determine all of the titles installed on all of the machines in your network. However, the KBOX 1000 Series also provides the flexibility to add software titles to inventory manually should you need to. For example, you can add a title that is not yet installed on your network so that you can create a managed installation from it and deploy it to the computers on your network at one time.
Adding Software Automatically To add software automatically, you can perform a IP scan that gathers data about all of the software titles on your network and creates inventory records for them. In addition, installing the KBOX Agent on the computers on your network will cause them to check in to the KBOX 1000 Series appliance and upload all of the available software inventory data. For more information about IP Scans, see Chapter 5,“IP Scan,” starting on page 66.
Adding Software Manually Although the KBOX creates inventory records for the software titles found on your network, there might be applications you want to add to inventory manually. To add software to inventory manually: 1. Select Inventory | Software. 2. Select Add New Item in the Choose Action drop-down list. The Software : Edit Software Details page appears. 3. Enter the general software details. Be sure to create the Display Version, Vendor, and Software Title information consistently across software inventory in order to assure proper downstream reporting. 4. Upload or specify links to available information files associated with the software. 5. In the Assign To Label field, select the labels to assign. 6. Enter any other details in the Notes field. Specify the Custom Inventory ID (rule), for example, C:\RegistryValueGreaterThan(SOFTWARE\Network Associates\TVD\Shared Components\VirusScan Engine\4.0.xx,szDatVersion,4.0.44). Before sending any software to a remote client, KBOX verifies whether or not that file is present on the target machine. If it is detected, then it is not sent to the machine a second time. In some instances, installed programs do not register in add/remove programs or in standard areas of the registry. In such cases, KBOX may not be able to detect the presence of the application without additional information from the administrator and, therefore, KBOX may repeat the install each time the client connects. The Custom Inventory ID rule must have three values separated by commas, not include neither single nor double quotes, contain a key that exists under LocalMachine. Failure to follow these specifications will result in a FALSE test result, and the install would proceed. For more information, see “Custom Data Fields,” on page 38.
Administrator Guide for KBOX 1000 Series, version 3.3
39
7. Select the supported operating systems in the Supported Operating Systems field. 8. In the Custom Inventory ID (rule) field, enter the Custom Inventory ID. 9. Beside the Upload & Associate File, click Browse, and then click Open. 10. Under Metadata, specify the following information: Category
Select the desired category.
Threat Level
Select the threat level.
Hide from Software Lookup Service
Select this check box if you want to hide this information from the Software Lookup Services.
11. Click Save The software detail page displays license information for the software. You can also view the license asset detail by clicking on the license link.
Creating Software Asset You can create a software asset using the Inventory | Software tab. To create a software asset: 1. Select Inventory | Software. 2. Select the appropriate software and then select Create Asset from the Choose Action drop-down list. The Assets page appears.
Custom Data Fields You can create custom data fields in order to read information from a target machine and report it in the Computer Inventory manifest. This is useful for reading and reporting on information in the registry and elsewhere on the target machine. For example, DAT file version number from the registry, file created date, file publisher, or other data. To create a custom data field: 1. Select Inventory | Software. 2. Select Add New Item from the Choose action drop-down list. 3. Specify a Display Name for the field. 4. In the Custom Inventory (ID) rule area, enter the appropriate syntax according to the information you want to return: To return a Registry Value, enter RegistryValueReturn(string absPathToKey, string valueName, string valueType), replacing valueType with either “TEXT”, “NUMBER”, or “DATE”. Note that NUMBER is specifically an integer value. Example: RegistryValueReturn(HKEY_LOCAL_MACHINE\SOFTWARE\McAfee.com\Virusscan Online,SourceDisk, TEXT) To return File Information, enter FileInfoReturn(string fullPath, string attributeToRetrieve, string valueType) Example: FileInfoReturn(C:\Program Files\Internet Explorer\iexplore.exe, Comments,TEXT)
Administrator Guide for KBOX 1000 Series, version 3.3
40
You can retrieve the following attributes from the FileInfoReport() function: Comments CompanyName FileBuildPart FileDescription FileMajorPart FileMinorPart FileName FilePrivatePart FileVersion InternalName IsDebug IsPatclhed IsPreRelease IsPrivateBuild IsSpecialBuild
Language LegalCopyright LegalTrademarks OriginalFilename PrivateBuild ProductBuildPart ProductMajorPart ProductMinorPart ProductName ProductPrivatePart ProductVersion SpecialBuild CreatedDate ModifiedDate AccessedDate.
5. Click Save.
Attaching a Digital Asset to a Software Title Whether you add the software to inventory automatically or manually, after a particular software title is in inventory, you will need to associate the files required to install the software before distributing a package to users for installation. To associate multiple files, create a .zip file and associate the resulting archive file. To attach digital asset to a software title: 1. Select Inventory | Software. 2. Click the linked name of the software title. The Software: Edit Software Detail page appears. 3. Beside Upload & Associate File, click Browse. 4. Locate the file to upload, then click Open. 5. Modify other details as necessary, then click Save. The Software-To-Computer Deployment Detail table at the bottom of the Software | Edit Software Detail page shows which computers have the software title installed.
Administrator Guide for KBOX 1000 Series, version 3.3
41
Monitoring out-of-reach Computers The KBOX 1000 Series MIA tab, gives you a way to view the machines that haven’t checked in to KBOX 1000 Series in some time. You can filter the MIA view by machines that have missed the last 1, 5, or 10 syncs, or which have not communicated with KBOX 1000 Series in the last 1-90 days. The MIA tab also displays the IP and MAC Addresses of the computers. From the MIA tab you can remove the computers from the KBOX 1000 Series inventory, as well as assign them to labels to group them for management action.
Administrator Guide for KBOX 1000 Series, version 3.3
42
Labels In many areas of the KBOX 1000 Series you will see a labels select list, which allows you to constrain the action to a specific label or group of labels. There are several ways to group machines with the KBOX 1000 Series. Once grouped by a label, software, scripts, reports, or software deployments can all be managed on a per label basis. The label functionality can be manually applied from the Inventory | Labels tab, or automatically, via LDAP or Active Directory, (Reporting | LDAP Filters tab), or even applied by machine attribute, as we saw earlier from the Computers | Create Filter functionality. On the Label Management page you can add or delete labels, search labels, as well as see how many computers belong to a particular label.
Creating Labels Labels can be used to organize and categorize software, people, and machines. Labels are intended to be used in a flexible manner and how you use labels is completely customizable. For example, Labels can reflect corporate structures, organizations, processes, or geographical locations like "Engineering", "Staging", "Building A", etc. Labels can be used to identify deployment groups and target machines for distribution packages. All items that support "labeling" can have none, one, or multiple labels. Deleting labels will remove any existing association of that label with any machine, login, or software.
To create a label: 1. Select Inventory | Labels. 2. Select Add New Item from the Choose action drop-down list. The Labels : Edit Detail page appears. 3. Enter a name for the label in the Label Name field. 4. Enter any relevant notes about the label in the Notes field. 5. If necessary, enter a value for KACE_ALT_LOCATION. This allows you to define what should replace the string in the KACE_ALT_LOCATION in the Alternate Download Location value in Managed Installs and File Synchronizations. You should not have a machine in two labels that both specify an alternate location value. 6. Specify the Username and Password for the KACE_ALT_LOCATION. 7. Click Save.
Viewing Computer Details by Label After you’ve created a label, you can view details about the computers on your network that belong to that label. From the Label Detail view you can see: The IP addresses and machine names of the computers in the label The number of Managed Installations and File Synchronizations deployed to the label The number of network scans and scripts run on the machines in the label The number of alerts, portal packages, and users associated with the label.
Administrator Guide for KBOX 1000 Series, version 3.3
43
To view label details: 1. Select Inventory | Labels. 2. Click the linked name of the label. The Labels: Edit Detail page appears. 3. Click the + sign beside the section headers to expand or collapse the view.
Deleting labels Deleting labels will remove any existing association of that label with any machine, login, or software. You can delete labels two ways: from the Label List view, or from the Label: Edit Detail page. To delete a label: 1. To delete labels, do one of the following: From the Labels List view, select the check box beside the label, then select Delete Selected Item(s) from the Choose action drop-down list. From the Labels: Edit detail page, click Delete. 2. Click OK to confirm deleting the selected label.
Administrator Guide for KBOX 1000 Series, version 3.3
44
Software Metering The KBOX 1000 Series Metering feature allows you to keep track of software use across your enterprise. The Metering feature records and reports the details on software use that can help you manage license compliance and better negotiate license renewals and upgrades.You can record and view software usage for the last 1, 2, 3, 6, or 12 months. Detail pages provide information on individual software processes, including the name of the computer that is using the software, the number of times the software was launched, the total minutes the software was used, and when the software was last used.
Adding a Software Meter You can add a software meter to monitor the specified process name on the agent machine. To add a Software Meter: 1. Select Inventory | Metering. The Software Metering page appears. 2. Select Add New Item in the Choose action drop-down list. The Software Metering: Edit Detail page appears. 3. Enter Software Meter details as follows: Enabled
Select this check box to enable software metering for this software.
Process Name
The specified process name will be monitored on the KBOX Agent machine.
Associated Software
To track usage only on machines with a specific software version deployed, choose the related software inventory item.
Notes
Enter any notes that further describe or explain this software meter.
Licenses
Displays license information for the software. To view the license asset details, click on the license link.
4. Click Save to save your changes or click Cancel to return to the Software Metering Listing page. Your Software Meter now appears in the Software Metering Listing page.
The results of the software metering can be seen at two places: On the Software Metering page On the Software Metering: Edit Detail page To view Software Metering results: 1. Select Inventory | Metering. The Software Metering page appears. The software metering page displays useful information such as the Process Name, Enabled, Installed, Licensed, In Use, etc. 2. Click the process name. The Software Metering: Edit Detail page appears. The Month-to-date usage Detail table displays information such as Computer Name, Times Launched, Minutes Used and Last Used.
Administrator Guide for KBOX 1000 Series, version 3.3
45
Editing Software Meter Details You can edit a software meter to monitor the specified process name on the agent machine. To edit Software Meter details: 1. Select Inventory | Metering. The Software Metering page appears. 2. Click the process name. The Software Metering: Edit Detail page appears. 3. Edit Software Meter details as shown in the following table: Enabled
Select this check box to enable software metering for a software process.
Process Name
The specified process name will be monitored on the KBOX Agent machine.
Associated Software
To track usage only on machines with a specific software version deployed, choose the related software inventory item.
Notes
Enter any notes that further describe or explain this software meter.
4. Click Save to save your changes or click Cancel to return to the Software Metering page.
Deleting a Software Meter You can delete a software meter. To delete a Software Meter: 1. Select Inventory | Metering. The Software Metering page is appears. 2. Select the processes of which software meter or meters you want to delete. 3. Select Delete Selected Item(s) from the Choose action drop-down list. 4. Click Yes to confirm deleting the software meter(s). Else, click Cancel to cancel deleting the software meter(s).
Configuring the Software Metering Settings You can configure the software metering settings. To configure Software Metering settings: 1. Select Inventory | Metering. The Software Metering page appears. 2. Select the process name. 3. Select Configure Settings in the Choose action drop-down list. The Software Metering Settings page appears. 4. Edit configuration settings as shown in the following table: Enabled
Select this check box for metering to run on the target machines.
Allow Run While Disconnected
Select this check box for metering to run even if the machine cannot contact the KBOX to report results. The results will be stored on the machine and will be uploaded once contact with the KBOX is established.
Allow Run While Logged Off
Select this check box for metering to run even if a user is not logged in. If you clear this check box, the script will run only when a user is logged into the machine.
Administrator Guide for KBOX 1000 Series, version 3.3
46
5. Edit deployment settings as shown in the following table: Deploy to All Machines
Select this check box if you want to deploy to all the Machines. Click OK in the confirmation dialog box.
Limit Deploy To
You can limit deployment to one or more labels. Press CTRL and click to select more than one label.
Supported Operating Systems
Select the operating system to which you want to limit deployment. Press CTRL and click to select more than one operating system. Note: Leave blank to deploy to all operating systems.
6. Click Save to save your changes or click Cancel to return to the Software Metering page.
Administrator Guide for KBOX 1000 Series, version 3.3
47
Processes The KBOX 1000 Series Processes feature allows you to keep track of processes that are running on all agent machines across your enterprise. The Processes feature records and reports the processes details information.You can record and view software usage for the last 1, 2, 3, 6, or 12 months. Detail pages provide information on individual processes, including the name of the computer running those processes, system description, and the last user. Using Processes feature, you can: View Process details Delete selected processes Disallow selected processes Meter selected processes Apply labels Remove labels The processes are categorized in: Audio / Video, Business, Desktop, Development, Driver, Games, Internet, Malware, Security, and System Tool. To View Process Details 1. Select Inventory | Processes. The Processes page appears. 2. Click on the process name to view details. The Process Details page appears. 3. Select labels to assign to process in the Assign To Label box. 4. Enter any notes that further describe this process in the Special Notes box. 5. Select the category of the process in the Category drop-down list. 6. Select the threat level of the process in the Threat Level drop-down list. 7. Click Save to save the processes details. You can read comments on the process submitted by other users by clicking [Read Comments] on the Process Details page. You can also ask for help from Kace about the processes by clicking [Ask For Help.] You need kace username and password to log in to the Kace database. You can also see computers with running the selected process. You can view a printer friendly version of this page and take print outs of the report. To delete process: 1. Select Inventory | Processes. The Processes page appears. 2. Select the processes to delete. 3. Select Delete Selected Item(s) in the Choose Action drop-down list. A confirmation message appears. 4. Click OK to confirm deleting the selected processes. Else, click Cancel to cancel the deletion operation.
Administrator Guide for KBOX 1000 Series, version 3.3
48
To disallow processes: 1. Select Inventory | Processes. The Processes page appears. 2. Select the processes to disallow. 3. Select Disallow Selected Item(s) in the Choose Action drop-down list. The Script : Edit Detail page appears. 4. Enter the script configuration details, and then click Run Now to run Disallowed Programs Policy. For more detailed information on scripting and Disallowed Programs Policy, refer to Chapter 8,“Scripting,” starting on page 102
Administrator Guide for KBOX 1000 Series, version 3.3
49
Startup The KBOX 1000 Series Startup feature allows you to keep track of startup programs on all agent machines across your enterprise. The Startup feature records and reports the startup program detail information. Detail pages provide information on startup programs, including the name of the computer running those startup programs, system description, and the last user. Using Startup feature, you can: View startup program details Delete selected startup programs Apply or remove labels The startup programs are categorized in: Audio / Video, Business, Desktop, Development, Driver, Games, Internet, Malware, Security, and System Tool. To View Startup detail information: 1. Select Inventory | Startup. The Startup Programs page appears. 2. Click on the startup program name to view details. The Startup Programs : Edit Startup Programs Detail page appears. 3. Select labels to assign to startup program in the Assign To Label box. 4. Enter any notes that further describe this startup program in the Notes box. 5. Select the category of the startup program in the Category drop-down list. 6. Select the threat level of the startup program in the Threat Level drop-down list. 7. Click Save to save the startup program details. You can read comments on the startup program submitted by other users by clicking [Read Comments]. You can also ask for help from Kace about the startup programs by clicking [Ask For Help.] You need kace username and password to log in to the Kace database. You can also see computers with running the selected startup program. You can view a printer friendly version of this page and take print outs of the report. To delete startup program details: 1. Select Inventory | Startup. The Startup Programs page appears. 2. Select the startup program to delete. 3. Select Delete Selected Item(s) in the Choose Action drop-down list. A confirmation message appears. 4. Click OK to confirm deleting the selected startup programs. Else, click Cancel to cancel the deletion operation.
Administrator Guide for KBOX 1000 Series, version 3.3
50
Service The KBOX 1000 Series Service feature allows you to keep track of services running on all agent machines across your enterprise. The Service feature records and reports the services detail information. Detail pages provide information on services, including the name of the computer running those services, system description, and the last user. Using Services feature, you can: View services details Delete selected services Apply or delete labels The services are categorized in: Audio / Video, Business, Desktop, Development, Driver, Games, Internet, Malware, Security, and System Tool. To view service detail information: 1. Select Inventory | Service. The Services page appears. 2. Click the service name to view details. The Service : Edit Service Detail page appears. 3. Select labels to assign to service in the Assign To Label box. 4. Enter any notes that further describe this service in the Notes box. 5. Select the category of the service in the Category drop-down list. 6. Select the threat level of the service in the Threat Level drop-down list. 7. Click Save to save the service details. You can read comments on the service submitted by other users by clicking [Read Comments]. You can also ask for help from Kace about the service by clicking [Ask For Help.] You need kace username and password to log in to the Kace database. You can also see computers with running the selected startup program. You can view a printer friendly version of this page and take print outs of the report. To delete services detail information: 1. Select Inventory | Service. The Services page appears. 2. Select the services to delete. 3. Select Delete Selected Item(s) in the Choose Action drop-down list. A confirmation message appears. 4. Click OK to confirm deleting the selected services. Else, click Cancel to cancel the deletion operation.
Administrator Guide for KBOX 1000 Series, version 3.3
51
Software Lookup Services The KBOX Software Lookup Services (SLS) automatically discovers and publishes information on software programs and processes. KBOX SLS provides information on software and process as they appear on KBOX management appliances systems across the globe. KBOX SLS is available for all major platforms including Windows, Mac, Red Hat Linux, and Solaris. KBOX SLS also includes software command line arguments, uninstall commands, and installation advice. To add/view any information on the SLS website, you need to establish a unique account for the SLS site. You would need to use these credentials to add any new comments.
Enabling Software Lookup Service You need to select the 'Enable KACE Software Lookup Service' check box in the General Settings tab to be able to access the data available with Kace about common software applications and how to deploy/ remove them and share anonymous information about the software on machines in your environment. You can integrate KACE and user submitted information directly from the Software Lookup Service. If the 'Enable KACE Software Lookup Service' check box in the General Settings tab is selected, you can share the information of the software in your KBOX with the SLS website. For more information on how to enable Software Lookup Service in your KBOX appliance, see “Configuring General settings,” on page 10. To Enable Software Lookup Service: 1. Select Settings | General. The KBOX Settings: General page appears. 2. Under General Options, click the Edit Mode link next to Set Options tab. 3. Select the Enable KACE Software Lookup Service check box to enable the Software Lookup Service. A confirmation message appears. 4. Click OK. 5. Click Set Options to set the options. The KBOX information will now be shared with the Kace SLS site.
Viewing Software Lookup Services You can view Software Lookup Services contents of your KBOX. From the Inventory tab, you can view SLS information on software, processes, startup programs, and services. Software Lookup Services can also be viewed from the Distribution | Managed Installations and Distribution | File Synchronization. To View Software Lookup Services information: 1. Select Inventory | Software. The Software page appears, which lists the software installed on client machines. 2. Select the software title in order to see the associated information from the Software Lookup Service. The Software:Edit Software Detail page appears.
Administrator Guide for KBOX 1000 Series, version 3.3
52
You can see more information of the application on the Kace SLS site.
Click Read Comments to view the comments and to add comments on the Kace SLS site.
Figure 3-4: Software: Edit Software Detail page
If you have not enabled Software Lookup Services at the Settings | General page, you will not be able to view SLS information and a note will appear asking you to enable the Software Lookup Services. Refer to “To Enable Software Lookup Service:,” on page 52.
3. To Update the software information on Kace SLS site, perform the following steps: a Under Metadata, select the software category in the Category list. b In the Threat Level list, select the threat level.
Administrator Guide for KBOX 1000 Series, version 3.3
53
c If you would prefer not to share information about this particular item, select the Hide from Software Lookup Service check box. In order to provide the best information to your fellow SLS users, we recommend not hiding items from the Software Lookup Service.The information shared doesn't include any personally identifiable information about your company or users. d Click Save to save the edited information. 4. You can view following SLS information on the Software:Edit Software Detail page. Field
Description
Average Threat Level
This value is an average of the threat levels assigned by SLS users who have assigned a threat level. This is intended as a guide for software you may not be familiar with. A threat level of 1 would be interpreted as safest.
User Submitted Comments
The information displayed on this page and the information presented on the Kace website is related to the particular software title you have selected from the KBOX. Click Read Comments to view the comments on the SLS site. You need to login on the Kace SLS site using login credentials to add comments.
Categories
Displays the software categories that have been assigned to this software title by SLS users and the percentage of those users who have assigned each.
Quiet Installation Switches
Displays known Quiet Installation Switches for the item you have selected.
Description
It displays information on product description, product URL, links to support and help, and lockdown information.
Install Command Line Help
It displays information on Standard MSI Commands, Standard Install Commands, and Uninstall Help.
Administrator Guide for KBOX 1000 Series, version 3.3
54
Administrator Guide for KBOX 1000 Series, version 3.3
55
C H A P T E R 4
Asset Management The KBOX 1000 Series allows you to manage and track assets in your environment in a flexible and customizable way. “Overview of Asset Management,” on page 57 “Managing Asset Types,” on page 58 “Managing Assets,” on page 61 “Licensing,” on page 63 “Importing Asset,” on page 65
Overview of Asset Management The KBOX 1000 Series allows you to manage and track assets in your environment in a flexible and customizable way. By establishing asset types and relationships to other asset types and other objects in the KBOX, you will be able to report on existing assets as well as track licensing and cost information in a way that works for you in your environment. In looking at asset management in the KBOX, it is important to understand that there are two types of assets, organizational assets (like Department, Location or Cost Center) and physical assets (like Computers, Users, Phones or Projectors). Commonly, the organizational assets are used as a way to collect similar sets of physical assets. Before you begin to use assets, you should establish the asset types that will make sense for you, both in terms of the organization elements you want to use as well as what physical asset types you are hoping to track. You can view the list of available assets from the Asset | Assets tab. With the Assets tab you can: Add or delete assets Configure Asset types Add or delete software licenses Import data
Administrator Guide for KBOX 1000 Series, version 3.3
57
Managing Asset Types There are two types of asset types: Organizational information (Cost Center, Department, Location) the organizational assets are used as a way to collect similar sets of physical assets. Actual physical assets (computers, users, phones, projectors) where the organizational ones are pointed to by the physical ones mainly There are several built-in Asset Types — Computer, Cost Center, Department, Location, Owner, Vendor. Built-in assets can not be deleted. If you delete an asset type, then all the assets using that asset type will get deleted. You can add an unlimited number of asset types and these types have a default attribute 'Name'. You can not create an asset type with the same name as the built-in asset type name. Asset types can be organized into logical groups or hierarchies to allow for roll up reporting. Asset types can have any number of attributes. Assets can point to other Assets and to Inventory records like Machine, User, and Software. Relationships can be either one - to - one or one - to - many. Asset fields have a default value that should be used when filling in a new asset. Changing the default value in the asset type does not change any existing records, but only affects newly created records.
Asset Association You can create an assets field and associate it to another asset using the field type. Associations are defined in asset types and are used in assets. Assets associations are of following types: User Parent Asset Computer Asset Cost Center Asset Department Asset License Asset Location
Computer Asset When a machine checks into the KBOX, an asset of type computer is automatically created. The Computer Asset is mapped to a machine automatically using following two fields: 1. Mapped Inventory field 2. Mapped Asset field The mapped inventory field enables you select a field that is checked against the inventory to verify if the machine just checked in is already an asset. For example: if the machine inventory field = IP address
Administrator Guide for KBOX 1000 Series, version 3.3
58
Matching asset field = Name and a machine with an IP address shows up, the IP is checked against IP of machines that are already assets. If no such asset, then a new asset with Name = IP address is created. If the mapped inventory field is by IP and the matching asset field is different, perhaps an asset field called IP, then an asset is created with the Name as system name, and the IP as IP. The matching asset field has to be of type text. To add new asset type: 1. Select Asset | Asset Types. The Asset Types page appears. 2. Select Add New Item from the Choose action drop-down list. The Asset Type Detail page appears. 3. Enter a name for the asset type in the Name field. You can not create a new asset type with the same name as a built-in asset type name.
4. You can add associations by adding an asset field. To add asset fields, click the Fields table.
button in the Asset
5. Enter following details depending on the asset type selected. Field
Value
Name
Type a relevant name for the custom asset field, such as Asset Code, Purchase Date, or Building Address Line 1. This name appears on the data entry page for the asset.
Select Values
This field is enabled when you select Single Select or Multiple Select from the Field Type list. Type the values that should appear in the custom asset field. You must type at least one value in this field. If you want to type multiple values, you must separate each value with a comma.
Default
Type the default value for this field. If you select Single Select or Multiple Select from the Field Type list, you must type one of the values given in the Select Values field.
Required
Select this check box to make this custom asset field a mandatory field. If you select this check box, you need to enter a value for this custom asset field before saving the Asset detail page.
Administrator Guide for KBOX 1000 Series, version 3.3
59
Field Type
Select the appropriate field type. Single select (single value length 255, list length 65k). Multiple select (single value length 255, list length 65k) Text field (length 255) Attachment (This field allows you to attach a file to the asset.) Note: You can create multiple fields of attachment type per asset type. Notes (length 65K) Date ('1000-01-01' to '9999-12-31') Number (-9223372036854775808 to 9223372036854775807) Parent. This field type allows this asset to point to the same type of asset in a parent-child relationship. For example, you might allow Location types to have a Parent connection, allowing 'New York' to point to a 'North America' Location. This can then be used in the reporting system to show all Assets in North America. This report will contain all the assets in New York and in North America. User. This field type allows you to associate an asset record with one of the User records from the Inventory system. Asset ASSET_TYPE. This field type is similar to the single select field type and the multiple select field type. However, you cannot specify the values for this custom field type. The values are retrieved from the current list of Assets in the system.
Allow Multiple
This check box is enabled when you select Asset ASSET_TYPE from the Field Type list. Select this check box to allow this custom field to point to multiple records. For example, the License Asset type can point to many computers that are approved for a particular License. A single relationship might have a printer pointing to a single Department record, indicating that this printer is used by only one department.
When you rename a custom asset field, the values for that custom field are retained. However, when you remove the custom asset field, values for that custom field are removed from all assets. When you change the Field Type of a custom asset field, the system tries to retain the previous values, but you may also lose some data. For instance, if you had a custom asset field named Model Number that is of type Text. Model Number has a value of 'A123'. If you were to change the Field Type from Text to Number, the system might not be able to convert that 'A123' to a valid number. In this case, the value for Model Number is set to zero. If you click Delete, the Asset Type definition and the assets of this type are removed from the system. If there are assets that point to the Asset Type definition that you deleted, the asset association is removed. 6. Click Save to save the entries in the Asset Fields table. 7. Click Save to save the added asset type.
Administrator Guide for KBOX 1000 Series, version 3.3
60
Managing Assets You can add a new asset, delete an existing asset, or view assets by using the Asset | Assets tab. You can not delete parent asset if that parent asset has child assets. Assets can be viewed by asset type or by the associations. You can view the related assets that are not part of any particular asset and can clone any existing asset. Changes done to the asset are recorded as part History. Asset History is displayed on the Asset Detail page. To add an asset: 1. Select Asset | Assets. The Assets page appears. 2. Select the asset type you want to add from the Choose action drop-down list. The Asset Detail page appears. 3. Enter the name of the selected asset type in the Name field, and then click Save. All the asset types have a standard field as Name. If you are adding asset of computer type, then you need to enter following information: a Select the machine from the Machine list, and then enter the filter criteria in the Filter box. Machine is a default field that comes with the asset type. b Enter the date of asset creation in the Date Created box. c Enter additional information on the asset in the notes box. d Enter the asset id in the id box. Date created, notes, and id are the asset fields created for asset of computer type.
4. If you want to add another asset, then click Save and New. Otherwise, click Save to save the asset. To view assets: 1. Select Asset | Assets. The Assets page appears. 2. To view assets by asset types or association, select the asset type or association from the View by asset type drop-down list. A list of filtered assets appears. The Assets page also shows the associated assets.
3. Select the asset title to see detailed information of that asset. The Asset Detail page appears. 4. If you want to clone the asset details, click Clone, and then click Save. 5. After editing the asset information, click Save.
Administrator Guide for KBOX 1000 Series, version 3.3
61
6. In the Related Assets table, you can view the related assets that are not parent of this asset. Click the asset name to view asset details of this related asset. For example, if computer A's Location is associated to computer X, then computer A will be listed as a related asset on computer X's page, but on computer A's page, you can not see computer X. Child assets are shown on the related assets list. If the asset you are viewing is associated to a software or machine, then on clicking that asset name will take you to the Inventory page.
7. In the History table, you can view changes done to the asset.
Administrator Guide for KBOX 1000 Series, version 3.3
62
Licensing With KBOX, you can create, edit, and delete license assets. You can assign licenses to software and computers, specify or view the number of licenses available, and keep track of the expiry date for each license. When you assign a license to a software, the license is linked with the software. You can view this license information in the software detail page, the metering page, and the software library admin and user pages. You can also navigate to the license asset detail page by clicking on the license link in the software detail page, the metering page, and the software library admin and user pages. To add new license: 1. Select Asset | Assets. The Assets page appears. 2. Select License from the Choose action drop-down list. The Asset Detail page appears. 3. Enter the following information: Name
Enter the name for this license.
Seats Licensed
Enter the number of licenses available.
Applies to Software
Select the software to which you want to assign this license.
Approved for Computer
Select the computer to which you want to assign this license.
License Mode
Select the appropriate license mode.
Product Key
Enter the license key for the product.
Unit Cost
Enter the cost of each license.
Expiration Date
Enter the expiration date for this license.
Vendor
Select the vendor name for this license.
Filter
Enter the filter criteria for the Vendor list.
Purchase Order #
Enter the purchase order number for this license.
Purchase Date
Enter the date when you purchased this license.
Notes
Enter notes about this license.
License Text
Enter license text, such as the end-user license agreement.
4. Click Save. To save and add another license asset, click Save and New.
Administrator Guide for KBOX 1000 Series, version 3.3
63
Generating Reports You can run various reports to display information about the licenses assigned to software and computers. Description of these reports is provided below. Category
Report
Description
Compliance
Software Compliance Simple
Lists the licenses and counts like the License list page with details such as vendor, PO#, and Notes.
Compliance
Software License Compliance Complete
Lists software and computers that are impacted by each license record.
Compliance
Unapproved Software Installation
Lists software found on computers that do not have approved licenses.
Table 4-1: License Reports
Administrator Guide for KBOX 1000 Series, version 3.3
64
Importing Asset The Asset Import feature allows you to import assets data from CSV file into the desired asset type. To import assets data: 1. Select Asset | Asset Import. The Kace Asset Import Wizard - Uploadfile page appears. 2. In the Select File box, specify CSV file path or click Browse to select CSV file. 3. Select Is header name in the file check box if the CSV file contains header. 4. Click Next. It will take you to Asset Type Selection page. 5. Select the asset type from the Asset Type list, to which data need to be imported from CSV file. 6. Click Next. It will take you to mapping page, which displays mapping of CSV fields against fields of selected Asset Type. 7. Under Standard Fields, perform the following steps: a Select the CSV field from the drop-down list box to match the corresponding standard field. b Select the PK check box to choose this field as the primary key. Mapping of Standard fields is Mandatory.
8. Under Asset Fields, perform the following steps: a Select the CSV field from the drop-down list box to match the corresponding Asset field. b Select the PK check box to choose this field as the primary key. You can select one or more fields as composite primary key.
If none of records for Asset Type match with value of CSV field chosen as primary key then record will be inserted. If only one records for Asset Type match with value of CSV field chosen as primary key then record will be updated. If more than one records for Asset Type match with value of CSV field chosen as primary key then record will be flagged as duplicate. 9. Click Preview. It will take you to the confirmation page. 10. Click Import Data. The Kace Asset Import Wizard - Result page appears. 11. To import more assets data, click More Import. Otherwise, click Done.
Administrator Guide for KBOX 1000 Series, version 3.3
65
C H A P T E R 5
IP Scan IP scan is an appliance-side KBOX 1000 Series technology that allows you to scan a range of IP addresses to detect the existence and attributes of various devices on a network. “IP Scan Overview,” on page 67 “Viewing List of Scheduled Scans,” on page 68 “Creating an IP Scan,” on page 69
IP Scan Overview The KBOX 1000 Series can scan a range of IP addresses for SNMP enabled machines, allowing you to retrieve information about machines connected to your network. Although IP Scans have their own serverside scheduling, you can invoke a scan on-demand, or schedule a IP scan to run at a specific time. IP scan reports a variety of inventory data that lets you monitor the availability and service level of a target machine. And because IP scan scans ports in addition to IP addresses, you can collect data even without knowing the IP addresses of the target machines. IP scan will scan any type of device (as long as it has an IP address on the network) including computers, printers, network devices, servers, wireless access points, routers and switches. You can create and view IP scans from the Inventory | IP Scan tab. From the Network Scan Results page you can: View scan schedules Schedule new scan Delete selected items Apply a label/delete a label Create a remote connection to the machine, if configured under Machine Action.
Administrator Guide for KBOX 1000 Series, version 3.3
67
Viewing List of Scheduled Scans By default, the IP Scan tab displays the results of configured Network Scans that have been run. You can modify this view to show the scans that are schedule to occur in the future. To view scheduled scans: 1. Select Inventory | IP Scan. 2. Select View Scan Schedules in the Choose action drop-down list.
Administrator Guide for KBOX 1000 Series, version 3.3
68
Creating an IP Scan You can create a network scan that will look for DNS, Socket, and SNMP across a subnet or subnets. You also define a network scan to look for devices listening on a particular port (for example, Port 80). This allows you to see devices that are connected to your network even when the KBOX Agent isn’t installed on those devices. When defining a network scan, it’s important to balance scope of the scan (number of IP addresses you’re scanning) with the depth of the probe (number of attributes you’re scanning for) so that you do not overwhelm your network or KBOX 1000 Series appliance itself. For example, if you needed to scan a large number of IP addresses frequently, you would want to keep the number of ports, TCPIP connections, etc., relatively small. As a general rule, KACE recommends scanning a particular subnet no more than once every few hours. The KBOX Agent listens to port 52230. To determine which machines on your network are running KBOX Agent, you could define a network scan to report which machines were listening on that port. To create an IP scan: 1. Select Inventory | IP Scan. The Network Scan Result page appears. 2. Select Schedule New Scan in the Choose action drop-down list. The Network Scan Setting page appears. 3. Enter a name for the scan in the Network Friendly Scan Name field. 4. Enter the IP range to scan in the Network Scan IP Range field. 5. Specify the DNS lookup test details: DNS Lookup Enabled
If selected, live addresses will be checked against the DNS server to see if they have a name associated with them. This can help you identify known nodes on your network.
Name Server for lookup
Specify hostname or IP address.
Lookup time out
Specify the time out interval (in seconds).
6. Select the Ping Test Enabled check box. The Ping test must be enabled in order to run other tests. The Ping or Socket tests determine if the address is alive. If it is, then a SNMP or a Port Scan can be run against it. If the Ping and Socket tests are disabled, then the other tests will not be run. 7. Specify the Connection test details: Connection Test Enabled
Select to allow Network scan do perform connection testing.
Connection Test Protocol
Specify the protocol to use.
Connection Test Port
Specify the port to use for testing the connection.
Connection Time Out
Specify the time out interval (in seconds).
Administrator Guide for KBOX 1000 Series, version 3.3
69
8. Specify SNMP test details: SNMP Enabled
Select to enable SNMP scanning.
SNMP Public String
Enter Public string.
9. Specify Port scan test details: Device Port Scan Enabled
Select to enable port scanning of device ports.
TCP Port List
A comma-separated list of TCP ports to scan.
UDP Port List
A comma-separated list of UDP ports to scan.
Port Scan Time Out
Specify the time out interval (in seconds).
10. Specify scan schedule: Don’t Run on a Schedule
Tests will run in combination with an event rather than on a specific date or at a specific time. Use this option in combination with one or more of the “Also” choices below. For example, use this option in conjunction with “Also Run at User Login” to run whenever the user logs in.
Run Every n minutes/hours
Runs at the specified time.
Run Every day/specific day at HH:MM AM/PM
Runs on specified day at the specified time.
Run on the nst of every month/ specific month at HH:MM AM/PM
Runs on the specified time on the 1st, or 2nd, etc. of every month or only the selected month.
11. Click Save or Scan Now to run scan immediately. Deleting a Scan Configuration will also delete all associated scan inventory items. If you wish to maintain the scan inventory but not "rescan" just set the schedule of the scan configuration to not run.
Administrator Guide for KBOX 1000 Series, version 3.3
70
C H A P T E R 6
Distribution The KBOX 1000 Series Distribution feature provides various methods for deploying software, updates, and files to computers on your network. “Distribution Feature Overview,” on page 72 “Types of Distribution Packages,” on page 73 “Managed Installations,” on page 75 “Examples of Common Deployments on Windows,” on page 79 “Examples of Common Deployments on Linux,” on page 83 “Examples of Common Deployments on Solaris,” on page 87 “Examples of Common Deployments on Macintosh(r),” on page 91 “File Synchronizations,” on page 94 “Replication,” on page 96
Distribution Feature Overview KACE recommends that customers follow a predefined set of procedures before deploying any software on their network. The following flow diagram represents a high-level example of common distribution procedures. You can modify this process to meet the needs of your organization. However, to avoid distribution problems, it is important to test various deployment scenarios prior to deployment. p y Inventory & Assess
Test
Target
Deploy
Report
Figure 6-1: Basic Deployment Procedure Perhaps the most important concept in the deployment procedure is to test each deployment before rolling it out to a large number of users. The KBOX 1000 Series verifies that a package is designated for a particular system, machine, or operating system; however, it cannot assess the likelihood that a particular package will behave well with existing applications on the target machine. Therefore, we strongly suggest that you establish procedures for testing each piece of software before deploying it on your network. One way to do this is to develop a test group of target machines. You can then deploy – via the KBOX 1000 Series – to the test group and verify compatibility with the operating system and other applications within your test group. You can do this by creating a test label and perform a test distribution before you go live in your environment. You can create a test label from the Inventory | Labels tab. For more information about creating labels, see “Labels,” on page 43. This chapter will focus primarily on the Test, Target, Deploy portions of this flow diagram. For more details on creating an inventory of computers and software packages in use on your network, see Chapter 3,“Inventory,” starting on page 26.
Administrator Guide for KBOX 1000 Series, version 3.3
72
Types of Distribution Packages There are three primary types of distribution packages you can deploy to the computers on your network: managed installations, file synchronizations, and KBOX Agent. Distribution packages (whether for managed installation, file synchronization, or user portal packages) CANNOT be created until a digital file is associated with an Inventory Item. This rule applies even if you are: Sending a command, rather than an installation or a digital file, to target machines. Redirecting the KBOX Agent to retrieve the digital asset (for example,.exe,.msi) from an alternate download location. To create a distribution: 1. Install the package manually on a machine. 2. Take an inventory of that machine. For more information on how to take an inventory, see “Software Inventory,” on page 38. 3. Use the item listed in the Software Inventory list for the Managed Installation. If you need to create packages with different settings, such as parameters, labels, or deployment definitions, you can create multiple distribution packages for a single Inventory item. However, the MI cannot be verified against more than one inventory item because the MI checks for the existence of one and only one inventory item. Although the KBOX Agent tab is listed under the Distribution tab, “Deploying KBOX Agent” is discussed as part of the installation and setup process in Chapter 1,“Getting Started with KBOX 1000 Series,” starting on page 1. For information about updating an existing version of KBOX Agent, please see Chapter 12,“Server Maintenance,” starting on page 173.
Distributing Packages through KBOX Packages distributed through KBOX are only deployed to target desktops if the Inventory Item is designated to run on the target operating system. For example, if the Inventory Item is defined for Windows XP Professional only, the Inventory Item will not deploy on Windows 2000. Similarly, the package will not deploy if it is designated for a target label for which the target machine is not a member. For example, if the Deployment Package is set to deploy to a Label called Office A, it will not deploy to machines that are not in Office A. When KBOX creates a software inventory item, it will only record the operating systems on which the item was installed, in the Inventory detail record.
Distributing Packages through an Alternate Location KBOX supports software distribution from remote file stores. The KBOX Agent can retrieve digital installation files from remote file stores, as opposed to KBOX, including a UNC address, a DFS source, or an HTTP location. The CIFS and SMB protocols are supported. KBOX also supports SAMBA servers and fileserver appliances. In order to activate this capability, you must enter an Alternate Checksum (MD5) that matches the MD5 checksum on the remote file share (for security purposes). You may use any tool to establish your checksum. For creating your MD5 hash, you can use the KBOX Admin Utilities tool, which is available on the KBOX Agent CD. There are other utilities that will work equally well.
Administrator Guide for KBOX 1000 Series, version 3.3
73
If no checksum is entered, then the digital asset on the file share must exactly match the digital asset associated with the Deployment Package on the KBOX 1000 appliance. Also, the target path must include the complete filename (for example, \\fileserver_one\software\adobe.exe). When KBOX is fetching files, the priority for fetching files is as follows: 1. Alternate download location 2. Replication point 3. KBOX If there is no replication point, the KBOX agent fails over to KBOX.
Administrator Guide for KBOX 1000 Series, version 3.3
74
Managed Installations Managed Installations enable you to deploy software to the computers on your network that require an installation file to run. You can create a Managed Installation package from the Distribution | Managed Installation page. From the Managed Installations tab you can: Create or delete Managed Installations Execute or disable Managed Installations Specify a Managed Action Apply or remove a label Search Managed Installations by keyword
Creating a Managed Installation for Windows Platform When creating a Managed Installation, you can specify whether you want to interact with users by showing a message before or after installation, indicate whether the package should be when the user is logged in or not, and limit deployment to a specific label. The following section provides general steps for creating a managed installation. For specific details on creating a managed installation for an .MSI, .EXE, or .ZIP file, please refer to the subsequent sections. To create a managed installation for Windows platform: 4. Click Distribution | Managed Installations. 5. Select Add New Item in the Choose action drop-down list. The Managed Software Installation: Edit Detail Page appears. 6. Select the software from the drop-down list. You can filter the list by entering any filter options. 7. Enter the following information: Run Parameters
Specify the installation behavior. The maximum field length is 256 characters. If your path exceeds this limit, on the command line, point to a BAT file that contains the path and the command. If your Parameters file path includes spaces (for example, \\kace_share\demo files\share these files\setup.bat), place quotes around the path (for example, “\\kace_share\demo files\share these files\setup.bat”.
Full Command Line
If desired, specify full command-line parameters. Please refer to the MSI Command Line documentation for available runtime options.
Un-Install using Full Command Line
Select this check box to uninstall software.
Run Command Only
Select this check box to run the command line only.
Administrator Guide for KBOX 1000 Series, version 3.3
75
Managed Actions
Managed Action allows you to select the most appropriate time for this package to be deployed. Available options are: Disabled Execute anytime (next available) Execute before logon (before machine boot) Execute after logon (before desktop loads) Execute while user logged on Execute while user is logged off
8. Specify the deployment details: Deploy to All Machines
Select this check box if you want to deploy to all machines.
Limit Deployment To Selected Labels
Select a label to limit deployment only to machines grouped by that label. Press CTRL and click labels to select more than one label.
Limit Deployment To Listed Machines
You can limit deployment to one or more machines. From the drop-down list, select a machine to add to the list. You can add more than one machine. You can filter the list by entering filter options.
Deploy Order
The order in which software should be installed. Lower deploy order will deploy first.
Max Attempts
Specify the maximum number of attempts, between 0 and 99, to indicate the number of times the KBOX 1000 Series appliance will try to install the package. If you specify 0, KBOX will enforce the installation forever.
Deployment Window(24H clock)
Specify the time (using a 24 hr. clock) to deploy the package. Deployment Window times will affect any of the Managed Action options. Also, the run intervals defined under the Server Settings>Options page will override and/or interact with the deployment window of a specific package.
9. Set user interaction details: Allow Snooze
Select this check box to allow snooze. When you select this check box, the following additional fields appear: Snooze Message: Enter a snooze message. Snooze Timeout: Specify a timeout, in minutes, for which the message will be displayed. Snooze Timeout Action: Select a timeout action that will take place at the end of the timeout period. For example, you might select Install now because you are installing at a time when you know that the users are away from their desktops. You might select Install later because the installer needs some user interaction and it would not work if the users were not at their desktops.
Administrator Guide for KBOX 1000 Series, version 3.3
76
Custom Pre-Install Message
Select this check box to display a message to users prior to installation. When you select this check box, additional fields appear: Pre-Install User Message: Enter a pre-install message. Pre-Install Message Timeout: Specify a timeout, in minutes, for which the message will be displayed. Pre-Install Timeout Action: Select a timeout action that will take place at the end of the timeout period from the drop-down list. Options include Install later or Install now. For example, you might select Install now because you may be installing at a time when you know that the user is away from his or her desktop, making it a good time to install. Or, you might select Install later if the installer needs some user interaction and it would not work if the user was not at his or her desktop.
Custom Post-Install Message
Select this check box to display a message to users after the installation completes. When you select this check box, message field and timeout options appear. Enter a message and a timeout value in minutes.
Delete Downloaded Files
Select this check box to delete the package files after installation.
Use Alternate Download
Select this check box to specify details for alternate download. When you select this check box, the following fields appear: Alternate Download Location: Specify the location where the KBOX Agent can retrieve digital installation files. Alternate Checksum: Specify an Alternate Checksum (MD5) that matches the MD5 checksum on the remote file share (for security purposes). Alternate Download User: Specify a user name that will have the necessary privileges to access the alternate download location. Alternate Download Password: Specify the password for the user name. Note: If the target machine is part of a replication label, then the KBOX will not fetch software from the alternate download location.
10. Click Save.
Sharing Managed Software Installation Information The Distribution | Managed Installation tab enables to share the managed software installation information on the Kace SLS site. To Share Managed Software Installation Information on Kace SLS: 1. Select Distribution | Managed Installation. The Managed Installations page appears. 2. Select the managed installation you want to share with Software Lookup Services. The Managed Software Installation : Edit Detail page appears.
Administrator Guide for KBOX 1000 Series, version 3.3
77
3. After editing managed installation information, click Share with Software Lookup Service to share managed installation information with SLS. 4. Click Save. You can view the SLS information on this page. For more information on Software Lookup Services, see “Software Lookup Services,” on page 52.
Administrator Guide for KBOX 1000 Series, version 3.3
78
Examples of Common Deployments on Windows Three of the most common package deployments contain .msi, .exe, and .zip files. This section provides examples for each type of deployment. For each of these examples, you must have already uploaded the file to KBOX prior to creating the Managed Installation package. We recommend installing the software on a QA machine, waiting a sufficient amount of time for the KBOX Agent to connect to the KBOX 1000 series appliance and create an inventory item for the software, and then creating the Managed Installation package. You also can run the file KBScriptRunner tool located in Program Files\KACE\KBOX to force the KBOX Agent to check in with the KBOX 1000 appliance.
Standard MSI Example Using .MSI files is an easy, self-contained way to deploy software on Windows-based machines. If you have a .MSI that requires no special transformation or customization, the deployment is simple. If you are not sure about the installation parameters for your MSI installation, you can open the command prompt, and then type msiexec to view available options.
To create a managed installation for a .MSI file: 1. Select Distribution | Managed Installations. The Managed Installations page appears. 2. Select Add New Item in the Choose action drop-down list. The Managed Installation: Edit Detail Page appears. 3. Select the software from the drop-down list. You can filter the list by entering any filter options. 4. Set the following installation details: Run Parameters
Specify the installation behavior. The maximum field length is 256 characters. If your path exceeds this limit, please point to a BAT file on the command line that contains the path and the command. If your Parameters file path includes spaces (for example, \\kace_share\demo files\share these files\setup.bat), place quotes around the path. For example, “\\kace_share\demo files\share these files\setup.bat”.
Full Command Line
If desired, specify full command-line parameters. Please refer to the MSI Command Line documentation for available runtime options.
Un-Install using Full Command Line
Select this check box to uninstall software.
Run Command Only
Select this check box to run the command line only.
Administrator Guide for KBOX 1000 Series, version 3.3
79
Managed Actions
Managed Actions allow you to select the most appropriate time for this package to be deployed. Available options are: Disabled Execute anytime (next available) Execute before logon (before machine boot) Execute after logon (before desktop loads) Execute while user logged on Execute while user logged off
5. Specify the deployment details: Deploy to All Machines
Select this check box if you want to deploy to all the Machines.
Limit Deployment To Selected Labels
Select a label to limit deployment only to machines grouped by that label. Press CTRL and click labels to select more than one label.
Limit Deployment To Listed Machines
You can limit deployment to one or more machines. From the dropdown list, select a machine to add to the list. You can add more than one machine. You can filter the list by entering filter options.
Deploy Order
The order in which software should be installed. Lower deploy order will deploy first.
Max Attempts
Specify the maximum number of attempts, between 0 and 99, to indicate the number of times the KBOX 1000 Series appliance will try to install the package. If you specify 0, KBOX will enforce the installation forever.
Deployment Window(24H clock)
Specify the time (using a 24 hr. clock) to deploy the package. Deployment Window times will affect any of the Managed Action options. Also, the run intervals defined under the Server Settings->Options page will override and/or interact with the deployment window of a specific package.
6. Set user interaction details: Allow Snooze
Select this check box to allow snooze. When you select this check box, the following additional fields appear: Snooze Message: Enter a snooze message. Snooze Timeout: Specify a timeout, in minutes, for which the message will be displayed. Snooze Timeout Action: Select a timeout action that will take place at the end of the timeout period. For example, you might select Install now because you are installing at a time when you know that the users are away from their desktops. You might select Install later because the installer needs some user interaction and it would not work if the users were not at their desktops.
Administrator Guide for KBOX 1000 Series, version 3.3
80
Custom Pre-Install Message
Select this check box to display a message to users prior to installation. When you select this check box, additional fields appear: Pre-Install User Message - Enter a pre-install message. Pre-Install Message Timeout - Specify a timeout in minutes for which the message will be displayed. Pre-Install Timeout Action - Select a timeout action that will take place at the end of the timeout period from the drop-down list. Options include Install later or Install now. For example, you might select Install now because you may be installing at a time when you know that the user is away from his or her desktop, making it a good time to install. Or, you might select Install later if the installer needs some user interaction and it would not work if the user was not at his or her desktop.
Custom Post-Install Message
Select this check box to display a message to users after the installation completes. When you select this check box, message field and timeout options appear. Enter a message and a timeout value in minutes.
Delete Downloaded Files
Select this check box to delete the package files after installation.
User Alternate Download
Select this check box to specify details for alternate download. When you select this check box, the following fields appear: Alternate Download Location - Specify the location from where the KBOX Agent can retrieve digital installation files. Alternate Checksum - Specify an Alternate Checksum (MD5) that matches the MD5 checksum on the remote file share (for security purposes). Alternate Download User - Specify a username that will have the necessary privileges to access the Alternate Download Location. Alternate Download Password - Specify the password for the username specified above. Note: If the target machine is part of a replication label, then the KBOX will not fetch software from the alternate download location.
7. Click Save.
Administrator Guide for KBOX 1000 Series, version 3.3
81
Standard EXE Example The standard EXE example is identical to the MSI example above with one exception: /I is not required in the “run parameters” line when using a .exe. When using an EXE it is often helpful to identify switch parameters for a quiet or silent installation. To do this, specify /? in the run parameters field.
Standard ZIP Example Deploying software using a .zip file, is a convenient way to package software when more than one file is required to deploy a particular software title (for example, setup.exe plus required configuration and data files). For example, if you have a CD-ROM containing a group of files required to install a particular application, you can package them together in a .zip file, and upload them to KBOX for deployment. The KBOX Agent will automatically run deployment packages with .MSI and .EXE extensions. However, KBOX 1000 Series also provides a capability for administrators to Zip many files together and direct the KBOX 1000 Series to unpack the Zip and run a specific file within. If you intend to deploy a .ZIP file, you must place the name of the file within the .zip that you would like to run in the Command (Executable) field within the Deployment Package (for example, runthis.exe). To create a managed installation for a .zip file: 1. Browse to the location that contains the necessary installation files. 2. Select all files, and create a .zip file using WinZip or other utility. 3. Create an inventory item for the target deployment. You can do this manually from the Inventory | Software tab, or by installing the package on a KBOX Agent machine that regularly connects to the KBOX 1000 Series appliance. 4. Associate the .zip file with the inventory item and upload it to the KBOX 1000 Series. 5. Select Distribution | Managed Installation. The Managed Installations page appears. 6. Select Add New Item in the Choose action drop-down list. The Managed Software Installation : Edit Detail page appears. 7. Select the software title with which the .zip file is associated from the software drop-down list. 8. In the Full Command Line field, please specify the complete command with arguments. Example: setup.exe /qn 9. Enter other package details as described in the Creating a Managed Installation procedures. 10. Click Save.
Administrator Guide for KBOX 1000 Series, version 3.3
82
Examples of Common Deployments on Linux The supported package deployments are .rpm, .zip, .bin, .tgz and tar.gz files. This section provides examples for each type of deployment. For each of these examples, you must have already uploaded the file to KBOX prior to creating the Managed Installation package. We recommend installing the software on a QA machine, waiting a sufficient amount of time for the KBOX Agent to connect to the KBOX 1000 series appliance and create an inventory item for the software, and then creating the Managed Installation package. You can also run the file runallkbots located in \KACE\KBOX to force the KBOX Agent to check in with the KBOX 1000 appliance.
Standard RPM Example You can deploy software on Linux-based machines using .rpm files. To create a managed installation for a .rpm file: 1. Select Distribution | Managed Installations. The Managed Installations page appears. 2. Select Add New Item in the Choose action drop-down list. The Managed Installation: Edit Detail Page appears. 3. Select the software from the drop-down list. You can filter the list by entering any filter options. 4. By default the kbox agent will attempt to install the .rpm file via the following command. In general, this should be sufficient to install a new package or update an existing one to a new version: rpm -U packagename.rpm 5. If you have selected a zip/tgz/tar.gz file, then the content will be unpacked and the root directory searched for all .rpm files. The installation command will be run against each of them. KBOX will find all rpm files at the top level of an archive automatically, so you can install more than one package at a time. You can also create an archive containing a shell script and then specify that script name as the full command. KBOX will run that command if it is found and log an error if is not. If you want to change the default parameters, you have to specify the Full Command Line. You may specify wildcards in the filenames you use. Enclose the filename in single or double quotation marks if it contains spaces. The files will the unarchived into a directory in "/tmp" and that will become the current working directory of the command. On Red Hat Linux, you do not need to include any other files in your archive other than your script if that's all you wish to execute.
If the PATH environment variable of your root account does not include the current working directory and you wish to execute a shell script or other executable that you've included inside an archive, specify the relative path to the executable in the Full Command Line field. The command will be executed inside a directory alongside the files which have been unarchived. For example, if you want to run a file called "installThis.sh", you would package it up alongside a .rpm file and then put the
Administrator Guide for KBOX 1000 Series, version 3.3
83
command "./installThis.sh" in the Full Command Line field. If you archived it inside another directory, like "foo", the Full Command Line field should be "./foo/installThis.sh". Both these examples, as well as some other KBOX functions, assume that "sh" is in root's PATH. If you're using another scripting language, you may need to specify the full path to the command processor you wish to run in the Full Command Line, like "/bin/sh ./installThis.sh". Include appropriate arguments for an unattended, batch script. If you select the uninstall check box in the MI detail, the KBOX agent will run the command //usr/sbin/rpm -e packagename.rpm on either your standalone rpm file or each rpm file it finds in the archive, removing the package(s) automatically. Uninstallation in this way will be performed only if the archive or package is downloaded to the client. If you select the check box for "Run Command Only", you should specify a Full Command Line to ensure the correct removal command is run on the correct package. Since no package is downloaded in this case, you should specify the path in the installation database where the package receipt is stored. 6. If your package requires additional options, you can enter the following installation details: Run Parameters
You don’t need to specify any parameters if you have a .rpm file. If no Run Parameters are filled in, -U will be used by default.Setting a value here will override the default “-U” option. For instance, if you set Run Parameters to: “–ivh --replacepkgs”, then the command that would run on the computer would be: rpm -ivh –replacepkgs package.rpm
Full Command Line
You don’t need to specify a full command line if you have a .rpm file. The server executes the installation command by itself. The Linux client will try to install this via: rpm [-U | Run Parameters] "packagename.tgz” If you don’t want to use the default command at all, you can replace it completely by specifying the complete command line here. Remember that if you have specified an archive file, this command will run against all of the .rpm files it can find.
Un-Install using Full Command Line
Select this check box to uninstall software. If the Full Command Line above is filled in, it will be run. Otherwise, by default the agent will attempt the command, which is generally expected to remove the package.
Run Command Only
Select this check box to run the command line only. This will not download the actual digital asset.
Managed Action
Managed Action allows you to select the most appropriate time for this package to be deployed. Execute anytime (next available) and Disabled are the only options available for Linux platform.
7. Specify the deployment details: Deploy to All Machines
Select this check box if you want to deploy to all the machines.
Limit Deployment To Selected Labels
Select a label to limit deployment only to machines grouped by that label. Press CTRL and click labels to select more than one label.
Limit Deployment To Listed Machines
You can limit deployment to one or more machines. From the drop-down list, select a machine to add to the list. You can add more than one machine. You can filter the list by entering filter options.
Administrator Guide for KBOX 1000 Series, version 3.3
84
Deploy Order
The order in which software should be installed. Lower deploy order will deploy first.
Max Attempts
Specify the maximum number of attempts, between 0 and 99, to indicate the number of times the KBOX 1000 Series appliance will try to install the package. If you specify 0, KBOX will enforce the installation forever.
Deployment Window(24H clock)
Specify the time (using a 24 hr. clock) to deploy the package. Deployment Window times will affect any of the Managed Action options. Also, the run intervals defined under the Server Settings->Options page will override and/or interact with the deployment window of a specific package.
8. Set user interaction details: Allow Snooze
This option is not available for Linux platform.
Custom Pre-Install Message
This option is not available for Linux platform.
Custom Post-Install Message
This option is not available for Linux platform.
Delete Downloaded Files
Select this check box to delete the package files after installation.
Use Alternate Download
Select this check box to specify details for alternate download. When you select this check box, the following fields appear: Alternate Download Location - Specify the location from where the KBOX Agent can retrieve digital installation files. Alternate Checksum - Specify an Alternate Checksum (MD5) that matches the MD5 checksum on the remote file share (for security purposes). Alternate Download User - Specify a username that will have the necessary privileges to access the Alternate Download Location. Alternate Download Password - Specify the password for the username specified above. Note: If the target machine is part of a replication label, then the KBOX will not fetch software from the alternate download location.
9. Click Save.
Administrator Guide for KBOX 1000 Series, version 3.3
85
Standard TAR.GZ Example Deploying software using a tar.gz file is a convenient way to package software when more than one file is required to deploy a particular software title (for example, packagename.rpm plus required configuration and data files). For example, if you have a CD-ROM containing a group of files required to install a particular application, you can package them together in a tar.gz file, and upload them to KBOX for deployment. To create a managed installation for a tar.gz file: 1. Use the following two commands to create tar.gz file: tar –cvf filename.tar packagename.rpm gzip filename.tar This will create filename.tar.gz 2. Create an inventory item for the target deployment. You can do this manually from the Inventory | Software tab, or by installing the package on a KBOX Agent machine that regularly connects to the KBOX 1000 Series appliance. 3. Associate the tar.gz file with the inventory item and upload it to the KBOX 1000 Series. 4. Select Distribution | Managed Installation. The Managed Installations page appears. 5. Select Add New Item in the Choose action drop-down list. The Managed Software Installation: Edit Detail page appears. 6. Select the software title with which the tar.gz file is associated from the software drop-down list. 7. This file will be uncompressed and searched for all .rpm files. The installation command will be run against each of them. 8. If no Run Parameters are filled in, -U will be used by default. 9. You don’t need to specify a full command line. The server executes the installation command by itself. The Linux client will try to install this via: rpm [-U | Run Parameters] "packagename.tgz” 10. Enter other package details as described in the Creating a Managed Installation procedures for .rpm file above. 11. Click Save.
The KBOX Agent will automatically run deployment packages with .rpm extensions. However, KBOX 1000 Series also provides a capability for administrators to Zip many files together and direct the KBOX 1000 Series to unpack the Zip and run a specific file within.
Administrator Guide for KBOX 1000 Series, version 3.3
86
Examples of Common Deployments on Solaris The supported package deployments are .pkg, pkg.gz, .zip, .bin and tar.gz. This section provides examples for each type of deployment. For each of these examples, you must have already uploaded the file to KBOX prior to creating the Managed Installation package. We recommend installing the software on a QA machine, waiting a sufficient amount of time for the KBOX Agent to connect to the KBOX 1000 series appliance and create an inventory item for the software, and then creating the Managed Installation package. You can also run the file runallkbots located in \KACE\KBOX to force the KBOX Agent to check in with the KBOX 1000 appliance.
To create a managed installation for a .pkg file: 1. Select Distribution | Managed Installations. The Managed Installations page appears. 2. Select Add New Item in the Choose action drop-down list. The Managed Installation: Edit Detail Page appears. 3. Select the software from the drop-down list. You can filter the list by entering any filter options. 4. By default the kbox agent will attempt to install the .pkg file via the following command. In general, this should be sufficient to install a new package or update an existing one to a new version: pkgadd -n -d "packagename.pkg" [Run Parameters] 5. If you have selected a zip/pkg.gz/tar.gz file, then the contents will be unpacked and the root directory searched for all .pkg files. The installation command will be run against each of them. KBOX will find all pkg files at the top level of an archive automatically, so you can install more than one package at a time. You can also create an archive containing a shell script and then specify that script name as the full command. KBOX will run that command if it is found and log an error if is not. If you want to change the default parameters, you have to specify the Full Command Line. You may specify wildcards in the filenames you use. Enclose the filename in single or double quotation marks if it contains spaces. The files will the unarchived into a directory in "/tmp" and that will become the current working directory of the command. You can put a zero-byte .pkg file in your archive if all you want to do is execute a shell command or some other executable.
If the PATH environment variable of your root account does not include the current working directory and you wish to execute a shell script or other executable that you've included inside an archive, specify the relative path to the executable in the Full Command Line field. The command will be executed inside a directory alongside the files which have been unarchived. For example, if you want to run a file called "installThis.sh", you would package it up alongside a .pkg file and then put the command "./installThis.sh" in the Full Command Line field. If you archived it inside another directory, like "foo", the Full Command Line field should be "./foo/installThis.sh". Both these examples, as well as some other KBOX functions, assume that "sh" is in root's PATH. If you're using another scripting language, you may need to specify the full path to the command
Administrator Guide for KBOX 1000 Series, version 3.3
87
processor you wish to run in the Full Command Line, like "/bin/sh ./installThis.sh". Include appropriate arguments for an unattended, batch script. If you select the uninstall check box in the MI detail, the KBOX agent will run the command: /usr/sbin/pkgrm -n packagename.pkg on either your standalone rpm file or each rpm file it finds in the archive, removing the package(s) automatically. Uninstallation in this way will be performed only if the archive or package is downloaded to the Agent. If you select the check box for "Run Command Only", you should specify a full command line to ensure the correct removal command is run on the correct package. Since no package is downloaded in this case, you should specify the path in the installation database where the package receipt is stored. 6. If your package requires additional options, you can enter the following installation details: Run Parameters
You don’t need to specify any parameters if you have a .pkg file. If no Run Parameters are filled in, all will be used by default to install all packages in the .pkg file. Setting a value here will override the default option.
Full Command Line
You don’t need to specify a full command line if you have a .pkg file. The server executes the installation command by itself. The Solaris client will try to install this via: pkgadd -n -d "packagename.pkg" [Run Parameters] If you don’t want to use the default command at all, you can replace it completely by specifying the complete command line here. Remember that if you have specified an archive file, this command will run against all of the .pkg files it can find.
Un-Install using Full Command Line
Select this check box to uninstall software. If the Full Command Line above is filled in, it will be run. Otherwise, by default the agent will attempt the command, which is generally expected to remove the package.
Run Command Only
Select this check box to run the command line only. This will not download the actual digital asset.
Managed Action
Managed Action allows you to select the most appropriate time for this package to be deployed. Execute anytime (next available) and Disabled are the only options available for Solaris platform.
7. Specify the deployment details: Deploy to All Machines
Select this check box if you want to deploy to all the machines.
Limit Deployment To Selected Labels
Select a label to limit deployment only to machines grouped by that label. Press CTRL and click labels to select more than one label.
Limit Deployment To Listed Machines
You can limit deployment to one or more machines. From the drop-down list, select a machine to add to the list. You can add more than one machine. You can filter the list by entering filter options.
Deploy Order
The order in which software should be installed. Lower deploy order will deploy first.
Max Attempts
Specify the maximum number of attempts, between 0 and 99, to indicate the number of times the KBOX 1000 Series appliance will try to install the package. If you specify 0, KBOX will enforce the installation forever..
Administrator Guide for KBOX 1000 Series, version 3.3
88
Deployment Window(24H clock)
Specify the time (using a 24 hr. clock) to deploy the package. Deployment Window times will affect any of the Managed Action options. Also, the run intervals defined under the Server Settings > Options page will override and/or interact with the deployment window of a specific package.
8. Set user interaction details: Allow Snooze
This option is not available for Solaris platform.
Custom Pre-Install Message
This option is not available for Solaris platform.
Custom Post-Install Message
This option is not available for Solaris platform.
Delete Downloaded Files
Select this check box to delete the package files after installation.
Use Alternate Download
Select this check box to specify details for alternate download. When you select this check box, the following fields appear: Alternate Download Location - Specify the location from where the KBOX Agent can retrieve digital installation files. Alternate Checksum - Specify an Alternate Checksum (MD5) that matches the MD5 checksum on the remote file share (for security purposes). Alternate Download User - Specify a username that will have the necessary privileges to access the Alternate Download Location. Alternate Download Password - Specify the password for the username specified above. Note: If the target machine is part of a replication label, then the KBOX will not fetch software from the alternate download location.
9. Click Save.
Standard TAR.GZ Example Deploying software using a tar.gz file is a convenient way to package software when more than one file is required to deploy a particular software title (for example, packagename.pkg plus required configuration and data files). For example, if you have a CD-ROM containing a group of files required to install a particular application, you can package them together in a tar.gz file, and upload them to KBOX for deployment. To create a managed installation for a tar.gz file: 1. Use the following two commands to create tar.gz file: tar –cvf filename.tar packagename.pkg gzip filename.tar This will create filename.tar.gz. 2. Create an inventory item for the target deployment. You can do this manually from the Inventory | Software tab, or by installing the package on a KBOX Agent machine that regularly connects to the KBOX 1000 Series appliance. 3. Associate the tar.gz file with the inventory item and upload it to the KBOX 1000 Series. 4. Select Distribution | Managed Installation. The Managed Installations page appears.
Administrator Guide for KBOX 1000 Series, version 3.3
89
5. Select Add New Item in the Choose action drop-down list. The Managed Software Installation: Edit Detail page appears. 6. Select the software title with which the tar.gz file is associated from the software drop-down list. 7. This file will be uncompressed and searched for .pkg files. The installation command will be run against each of them. 8. If no Run Parameters are filled in, all will be used by default to install all packages in the .pkg file. 9. You don’t need to specify a full command line. The server executes the installation command by itself. The Solaris client will try to install this via: pkgadd -n -d "packagename.pkg" [Run Parameters] If extension is tar.gz:
tar xzpf “packagename” If extension is .zip:
unzip “packagename.zip” If extension is .gz:
gunzip “packagename.gz” 10. Enter other package details as described in the Creating a Managed Installation procedures for .pkg file above. 11. Click Save.
The KBOX Agent will automatically run deployment packages with .pkg extensions. However, KBOX 1000 Series also provides a capability for administrators to Zip many files together and direct the KBOX 1000 Series to unpack the Zip and run a specific file within.
Administrator Guide for KBOX 1000 Series, version 3.3
90
Examples of Common Deployments on Macintosh(r) On the Apple MacOS X platform, there is a universal installer with the usual file extension of .pkg. (This format is different from the Solaris .pkg files.) You cannot upload a .pkg file directly, because .pkg files are actually directories at a low level and web browsers can't handle uploading entire directories. You do not need to use an installer for KBOX to install plain packages. These are the ".app" packages you might normally drag to your Applications folder. These must be archived as well, since they are also directories at a very low level, just like installer packages. You can even archive installers alongside plain applications. KBOX will run the installers first and then copy the applications into the Applications folder. The supported package deployments are .pkg, .app, .dmg, .zip, .tgz and tar.gz. If you package the file as a disk image, KBOX will mount and unmount it quietly. This section provides examples for each type of deployment. For each of these examples, you must have already uploaded the file to KBOX prior to creating the Managed Installation package. We recommend installing the software on a test machine, waiting a sufficient amount of time for the KBOX Agent to connect to the KBOX 1000 series appliance and create an inventory item for the software, and then creating the Managed Installation package. You can also run the file runallkbots located in /Library/KBOXAgent/Home/bin to force the KBOX Agent to check in with the KBOX 1000 appliance.
To create a managed installation: 1. Select Distribution | Managed Installations. The Managed Installations page appears. 2. Select Add New Item in the Choose action drop-down list. The Managed Installation: Edit Detail Page appears. 3. Select the software from the drop-down list. You can filter the list by entering any filter options. 4. By default the kbox agent will attempt to install the .pkg file via the following command. In general, this should be sufficient to install a new package or update an existing one to a new version: installer -pkg packagename.pkg -target / [Run Parameters] 5. If you have selected a zip/tgz/tar.gz file, then the contents will be unpacked and the root directory searched for all .pkg files. The installation command will be run against each of them. KBOX will search for all the .pkg files on the top level of an archive and execute that same installer command on all of them in alphabetical order. After that, KBOX will search for all plain applications (.app) on the top level of the archive and copy them to /Applications with this command: ditto -rscs Application.app /Applications/Application.app If you wish to execute a script or change any of these command lines more fully, you may specify the appropriate script invocation as the Full Command Line. You may specify wildcard in the filenames you use. Enclose the filename in single or double quotation marks if it contains spaces. The files will the
Administrator Guide for KBOX 1000 Series, version 3.3
91
unarchived into a directory in "/tmp" and that will become the current working directory of the command. On MacOS, you do not need to include any other files in your archive other than your script if that's all you wish to execute.
If the PATH environment variable of your root account does not include the current working directory and you wish to execute a shell script or other executable that you've included inside an archive, be sure to specify the relative path to the executable in the Full Command Line field. Remember, you'll be executing your command inside a directory alongside the files which have been unarchived. For example, if you want to run a file called "installThis.sh", you would package it up alongside a .pkg file and then put the command "./installThis.sh" in the Full Command Line field. If you archived it inside another directory, like "foo", the Full Command Line field should be "./foo/installThis.sh". Both these examples, as well as some other KBOX functions, assume that "sh" is in root's PATH. If you're using another scripting language, you may need to specify the full path to the command processor you wish to run in the Full Command Line, like "/bin/sh ./installThis.sh". Be sure to include appropriate arguments for an unattended, batch script. If you select the uninstall check box in the MI detail, KBOX will remove each .app it finds in the top level of your archive from the Applications folder. Thus, if you include two files in your archive named "MyApp.app" and "MyOtherApp.app", those two applications will disappear from your Applications folder if they exist there. Uninstallation in this way will be performed only if the archive or package is downloaded to the client. If you select the check box for "Run Command Only", you should specify a full command line to ensure the correct removal command is run on the correct package. Since no package is downloaded in this case, you should specify the path in the installation database where the package receipt is stored or run the correct file removal command to delete the files from the Applications folder. In that case, you can download a script inside an archive and run the script on the Full Command Line. 6. If your package requires additional options, you can enter the following installation details: Run Parameters
You cannot apply "Run Parameters" to the above mentioned commands.
Full Command Line
You don’t need to specify a full command line. The server executes the installation command by itself. The Macintosh(r) client will try to install this via: installer -pkg packagename.pkg -target / [Run Parameters] or ditto -rsrc packagename.app /Applications/theapp If you don’t want to use the default command at all, you can replace it completely by specifying the complete command line here. Remember that if you have specified an archive file, this command will run against all of the .pkg files or .app files it can find.
Un-Install using Full Command Line
Select this check box to uninstall software. If the Full Command Line above is filled in, it will be run. Otherwise, by default the agent will attempt the command, which is generally expected to remove the package.
Run Command Only
Select this check box to run the command line only.This will not download the actual digital asset.
Administrator Guide for KBOX 1000 Series, version 3.3
92
Managed Action
Managed Action allows you to select the most appropriate time for this package to be deployed. Execute anytime (next available) and Disabled are the only options available for Macintosh(r) platform.
7. Specify the deployment details: Deploy to All Machines
Select this check box if you want to deploy to all the machines.
Limit Deployment To Selected Labels
Select a label to limit deployment only to machines grouped by that label. Press CTRL and click labels to select more than one label.
Limit Deployment To Listed Machines
You can limit deployment to one or more machines. From the dropdown list, select a machine to add to the list. You can add more than one machine. You can filter the list by entering filter options.
Deploy Order
The order in which software should be installed.Lower deploy order will deploy first.
Max Attempts
Specify the maximum number of attempts, between 0 and 99, to indicate the number of times the KBOX 1000 Series appliance will try to install the package. If you specify 0, KBOX will enforce the installation forever.
Deployment Window(24H clock)
Specify the time (using a 24 hr. clock) to deploy the package. Deployment Window times will affect any of the Managed Action options. Also, the run intervals defined under the Server Settings->Options page will override and/or interact with the deployment window of a specific package.
8. Set user interaction details: Allow Snooze
This option is not available for Macintosh(r) platform.
Custom Pre-Install Message
This option is not available for Macintosh(r) platform.
Custom Post-Install Message
This option is not available for Macintosh(r) platform.
Delete Downloaded Files
Select this check box to delete the package files after installation.
Use Alternate Download
Select this check box to specify details for alternate download. When you select this check box, the following fields appear: Alternate Download Location - Specify the location from where the KBOX Agent can retrieve digital installation files. Alternate Checksum - Specify an Alternate Checksum (MD5) that matches the MD5 checksum on the remote file share (for security purposes). Alternate Download User - Specify a username that will have the necessary privileges to access the Alternate Download Location. Alternate Download Password - Specify the password for the username specified above. Note: If the target machine is part of a replication label, then the KBOX will not fetch software from the alternate download location.
9. Click Save.
Administrator Guide for KBOX 1000 Series, version 3.3
93
File Synchronizations File synchronizations enable you to distribute software files to the computers on your network. These can be any type of file, such as PDF, ZIP files, or EXE files, which are simply downloaded to the user’s machine, but not installed.
Creating a file synchronization Using file synchronizations, you can push out any type of file to the computers on your network. You can choose to install the files from the KBOX 1000 Series, or you can specify an alternate location where users will download the file. The string KACE_ALT_Download in the Alternate Download Location field will be replaced with the value assigned by the corresponding LABEL. You should not have a machine in more than one LABEL with an Alternate Download Location specified. To create a file synchronization: 1. Select Distribution | File Synchronization. The File Synchronizations page appears. 2. Select Add New Item in the Choose action drop-down list. The File Synchronization: Edit Detail page appears. 3. Select the software title to install in the Software Title to Install drop-down list. 4. Set or modify the following installation details: Notes
Enter any information related to the software title selected.
Location (full directory path)
Specify the location on the users machine where you want to upload this file.
Location User
If the Location specified above is a shared location, specify the User login name.
Location Password
If the Location specified above is a shared location, specify the login password.
Enabled
Select this check box to download the file the next time the KBOX Agent checks in to the KBOX 1000 Series appliance.
Create Location (if doesn’t exists)
Creates the installation location if not already there.
Replace existing files
Select this check box to overwrite existing files of the same name on the target machines.
Do Not Uncompress Distribution
Select this check box if you are distributing a compressed file and do not want the file uncompressed.
Persistent
Select this check box if you want the KBOX 1000 Series to confirm every time that this package does not already exist on the target machine before attempting to deploy it.
Create shortcut (to location)
Select this check box if you want to create a desktop shortcut to the file location.
Shortcut name
Type a display name for the shortcut.
Delete Temp Files
Select this check box to delete temporary installation files.
Administrator Guide for KBOX 1000 Series, version 3.3
94
5. Specify the deployment details: Limit Deployment to
Specify a label for the package. The file will be distributed to the users assigned to the label, such as operating system affected by the synchronization.
6. Set user interaction details: Pre-Install User Message
Select this check box to display a message to users prior to installation. When you select this check box, additional fields appear: Pre-Install User Message - Enter a pre-install message. Pre-Install Message Timeout - Specify a timeout in minutes for which the message will be displayed. Pre-Install Timeout Action - Select a timeout action that will take place at the end of the timeout period from the drop-down list. Options include Install later or Install now. For example, you might select Install now because you may be installing at a time when you know that the user is away from his or her desktop, making it a good time to install. Or, you might select Install later if the installer needs some user interaction and it would not work if the user was not at his or her desktop.
Post-Install User Message Select this check box to display a message to users after the installation completes. When you select this check box, message field and timeout options appear. Enter a message and a timeout value in minutes. Deployment Window
Specify the time (using a 24 hr. clock) to deploy the package. Deployment Window times will affect any of the Managed Action options. Also, the run intervals defined under the Server Settings | Options page will override and/or interact with the deployment window of a specific package.
Use Alternate Download
Select this check box to specify details for alternate download. When you select this check box, the following fields appear: Alternate Download Location - Specify the location from where the KBOX Agent can retrieve digital installation files. Alternate Checksum - Specify an Alternate Checksum (MD5) that matches the MD5 checksum on the remote file share (for security purposes). Alternate Download User - Specify a username that will have the necessary privileges to access the Alternate Download Location. Alternate Download Password - Specify the password for the username specified above. Note: If the target machine is part of a replication label, then the KBOX will not fetch software from the alternate download location.
7. Click Save. To distribute files previously deployed after the deployment window has closed, click the Resend Files button.
Administrator Guide for KBOX 1000 Series, version 3.3
95
Replication A Replication Share allows a KBOX Agent to replicate software installers to a share for use by other KBOX Agents. This allows users to download software from the share instead of directly from the KBOX 1000 Series. This is useful if you have machines in a remote office where downloading the software once for each machine would impact the network. From the Replication tab, users can: Add or delete replication shares Enable or disable replication shares
Creating a Replication Share Replication shares can only be created on one of the machines listed in the KBOX Inventory | Computers tab. If you want to create a share on a machine not listed there, you will need to create an inventory record for the machine before continuing. For more information, see Chapter 3,“Inventory,” starting on page 26. The Replication Machine will need write permissions to the Destination Path to write the software files. To create a replication share: 1. Select Distribution | Replication. The Replication Shares page appears. 2. Select Add New Item in the Choose Action drop-down list. The Replication Share: Edit Detail page appears. 3. Select the machine on which the share will reside in the Replication Machine drop-down list. 4. Specify the Replication Share destination details: Destination Path
Specify the destination path where the replication machine should copy all the software from the KBOX 1000 Series. All software items with digital assets are copied, including patches. The Replication Machine will need write permissions to the Destination Path to write the software files.
Destination Path User
Specify the login name for the share.
Destination Path Password
Specify the password for the share.
5. Select a label for the Replication Share. Make sure that the label does not have ALT_KACE_LOCATION specified on it. 6. Specify the replication share download details: Download Path
Specify the download path from where machines in the replication label will copy these assets instead of downloading them directly from KBOX. The Clients will need read permission to this share.
Download Path User
Specify the login name the users in the replication share label will enter to access the assets on the replication share.
Download Path Password
Specify the password for the share. The password the users in the replication share label will enter to access the assets on the replication share.
7. Enter comments in the Notes field as necessary.
Administrator Guide for KBOX 1000 Series, version 3.3
96
8. Click Save. 9. After creating a replication share, select the Enabled check box to allow users to begin using the share to download digital assets.
Viewing Replication Share Details After clicking Save, the Replication Shares list will be displayed showing the new replication share. You can view the list of digital assets that will be copied to this share by clicking the linked name of the Replication Share and scrolling down to the table at the bottom. You can also click the Details link beside the Replication Machine field to view the computer inventory record for the Replication Share. Click the Details link beside the Labels field to view the computers and users assigned to that label.
Administrator Guide for KBOX 1000 Series, version 3.3
97
C H A P T E R 7
Wake-on-LAN The KBOX 1000 Series Wake-on-LAN feature provides the ability to “wake up” computers equipped with network cards that are Wake-on-LAN compliant. “Wake-on-LAN Feature Overview,” on page 99 “Issuing a Wake-on-LAN Request,” on page 100 “Troubleshooting Wake-on-LAN,” on page 101
Wake-on-LAN Feature Overview The KBOX 1000 Series Wake-on-LAN feature enables you to remotely power-on device on your network, even if those machines don’t have the KBOX Agent installed. Wake-on-LAN can target a label, or specific MAC-addressed machine. Wake-on-LAN is often used to power on machines prior to some IT activity, such a distributing a package from the KBOX 1000 Series to a subnet, to ensure that the distribution or update reaches as many of the target machines as possible. Because many of the updates are performed during off-hours to minimize the impact on your network, some of the machines targeted for updating might be turned off at the time you are performing the updates. In such cases, you could issue a Wake-on-LAN call to turn computers on prior to performing updates, running scripts, or distributing packages. This feature only supports machines that are equipped with a Wake-On-LAN-enabled network interface card (NIC) and BIOS.
Using the Wake-on-LAN feature on the KBOX 1000 Series will cause broadcast UDP traffic on your network on port 7. This traffic should be ignored by most computers on the network. The KBOX 1000 Series sends 16 packets per Wake-on-LAN request because it must guess the broadcast address that is required to get the "Magic Packet" to the target computer. This amount of traffic should not have a noticeable impact on the network.
Administrator Guide for KBOX 1000 Series, version 3.3
99
Issuing a Wake-on-LAN Request You can wake multiple devices at once by specifying a label to which those devices belong, or you can wake computers or network devices individually. If you need to wake devices on a regular basis, for example to perform monthly maintenance, you could schedule a Wake-on-LAN to go out a specific time. If the device you want to wake is not inventoried by the KBOX 1000 Series but you still know the MAC (Hardware) address and its last-known IP address, you can manually enter the information to wake the device. To issue a Wake-on-LAN request: 1. Click Distribution | Wake-on-LAN. The Wake-on-LAN page appears. 2. To wake multiple devices, select a label from the Labels drop-down list. 3. To wake computers individually, select them from the Wake a Computer list. Press CTRL, and then click to select multiple computers. 4. To wake a network device, specify the device’s IP address in the Devices field. 5. Enter the filter criteria in the Filter field. 6. Specify the MAC address of the device in the MAC Address field. 7. Specify the IP address of the device in the IP Address field. 8. Click Send Wake-on-LAN. After sending the Wake-on-LAN request, you will see the results at the top of the page indicating the number of machines that received the request and to which label, if any, those machines belong. To schedule a Wake-On-LAN request: 1. Click Distribution | Wake-on-LAN. 2. Click the Schedule a routine Wake-on-LAN event link. The Wake-on-LAN page appears. 3. Select Add New Item in the Choose action drop-down list. The Wake-on-LAN Settings page appears. 4. In the Labels to Wake-on-LAN box, select the labels to include in the request. Press CTRL, then click to select multiple labels. 5. In the Limit by Operating Systems box, select the operating systems to include in the request. 6. Specify the Wake-on-LAN schedule in the Scheduling area: Don’t Run on a Schedule
Tests will run in combination with an event rather than on a specific date or at a specific time.
Run Every day/specific day at HH:MM AM/PM
Runs every day or only the selected day at the specified time.
Run on the nst of every month/specific month at HH:MM AM/PM
Runs on the 1st, or 2nd, etc. of every month or only the selected month at the specified time.
7. Click Save. On clicking Save, you will see the Wake-on-LAN tab with the scheduled request listed. From this view you can edit or delete any scheduled requests.
Administrator Guide for KBOX 1000 Series, version 3.3
100
Troubleshooting Wake-on-LAN If a Wake-on-LAN request fails to wake devices, your network devices could be configured in a way that is causing Wake-on-LAN to fail: The device does not have a WOL-capable network card or is not configured properly. The KBOX 1000 Series has incorrect information about the subnet to which the device is attached. UDP traffic is not routed between subnets or is being filtered by a network device. Broadcast traffic is not routed between subnets or is being filtered by a network device. Traffic on Port 7 is being filtered by a network device. For more assistance with troubleshooting Wake-on-LAN, see http://support.intel.com/support/network/sb/ cs-008459.htm
Administrator Guide for KBOX 1000 Series, version 3.3
101
C H A P T E R 8
Scripting The optional Policy and Scripting Module provides a pointand-click interface for performing many tasks that would typically require a manual process or advanced programming. This feature is available only for computers that run on the Windows operating system. “Scripting Module Overview,” on page 103 “Creating and Editing Scripts,” on page 105 “Using the Run Now Function,” on page 111 “Searching Scripting Log Files,” on page 114 “Configuration Policies,” on page 115
Scripting Module Overview If you purchased the optional KBOX 1000 Series Policy and Scripting Module, you now have a way to easily and automatically perform a variety of tasks across your network through customized scripts that run when and where you want them to. You can automate tasks like installing software, checking antivirus status, changing registry settings, or configuring browser settings by creating a custom script and then scheduling deployment to the endpoints on your network. Each script consists of metadata, dependencies (where necessary), rules, tasks, and deployment and schedule settings. Dependencies are supporting files that are needed for the script to run, such as executable, .zip files, etc. When creating your script, you will be prompted to upload any required dependencies. Rules are tasks performed in a specified order on the target machine. Each task determines whether processing should continue or end at the end of each task. Tasks are the individual steps being carried out by the script. In each script, you can have any number of tasks. Whether or not a task is executed is dependent upon the success or failure of the previous task and any rules for performing subsequent tasks. There are two types of scripts you can create: policies and jobs. Policies are generally used to perform tasks that will be repeated, such as checking to see whether McAfee Antivirus is installed and working. Jobs are used to perform one-time tasks, such as uninstalling software or moving files.
Administrator Guide for KBOX 1000 Series, version 3.3
103
Using Scripts that are Installed with KBOX KBOX installs the following scripts by default: Script Name
Description
Force Checkin
Runs KBScriptRunner on client to force checkin. WARNING: do not run this with more than 50 clients selected as this can overload the server with requests.
Defragment the C: drive
Example script to defragment the c:
DOS-DIR
DOS-DIR
Inventory Startup Programs Fix
On some machines, a missing registry entry causes all of the contents of the system32 directory to be reported as the Startup Programs. This script fixes the registry entry if it is missing.
KBOX Remote Control Disabler
Disables KBOX Remote Control functionality on Windows XP Professional by configuring Terminal Services properly.
KBOX Remote Control Enabler
Enables KBOX Remote Control functionality on Windows XP Professional by configuring Terminal Services properly.
KBOXClient debug logs Disable
If the client is checking in and a problem occurs with the inventory and deployment, this script will disable the debug switch.
KBOXClient debug logs Enable
If the client is checking in and a problem occurs with the inventory and deployment, this script will enable the client debug and send the debug back to the server. This only turns on debug for the inventory and deployment part of the client. It does not enable debugging of the scheduling service.
Make Removable Drives Read-Only
Removable drives may only be mounted read-only. This prevents people from absconding with corporate data, though they may transport data to their PC.
Make Removable Drives Read-Write
Removable drives may be mounted read-write.
Message Window Script Example
This is an example script to illustrate use of message window. Your script must have properly paired create/destroy message window commands in order to work properly. Message Windows remain displayed until user dismisses, until the script finishes executing, or until the timeout is reached, whichever comes first.
Reset KUID
Deletes the registry keys that identify a machine. You should also delete the specific machine record from the inventory tab.
Shutdown a Windows system
It specifies timeout in seconds while the message in quotes will be displayed to the user. Omit for silent immediate shutdown.
USB Drives Disable
USB Drives may not be used at all.
USB Drives Enable
USB Drives may be used.
Table 8-1: Default scripts in KBOX
Administrator Guide for KBOX 1000 Series, version 3.3
104
Creating and Editing Scripts There are three ways you can create scripts: by importing an existing script (in XML format), by making a copy of an existing script, or by creating a new script from scratch. You can perform these actions from the Scripting | Scripts tab. The process of creating scripts is an iterative one. After creating a script, it’s a good idea to deploy the script to a limited number of machines (you can create a test label to do this) so that you can verify it is doing what you intend before deploying it to all of the machines on your network. It’s good practice to leave a script disabled until after you have done all of your editing and testing and you are ready to run the script.
Administrator Guide for KBOX 1000 Series, version 3.3
105
Adding Scripts Scripts are made up of one or more Tasks. Within each Task there are Verify and Remediation sections where you can further define the script behavior. If a section is left blank, it defaults to success. For example, if you leave the Verify section blank, it will end in On Success. To add a script: 1. Select Scripting | Scripts. 2. Select Add New Item from the Choose action drop-down list. The Script: Edit Detail page appears. 3. In the Configuration area, enter the requested details: Name
Provide a meaningful name for the script to make it easier to distinguish from others listed on the Scripts tab.
Description
Describe briefly the actions the script will perform. Although this field is optional like the Name field, it will help you to distinguish one script from another on the Scripts tab.
Type
Classify the script as either a Job or a Policy. This distinction has no affect on how the script will run, however, it can help to differentiate those scripts that will run regularly (policies) from those that will run only once (jobs).
Status
Use this field to indicate whether the script is in development (Draft) or has been rolled out to your network (Production). Use Template if you are building a script that will be used as the basis for future scripts.
Enabled
Select this check box to run the script on the target machines. Do not enable until you are finished and want to run it. Enable on a test label before you enable on all machines.
Allow Run While Dis- Select this option if you want to allow the script to run even if the target connected machine cannot contact the KBOX 1000 Series to report results. In such a case, results will be stored on the machine and uploaded to the KBOX 1000 Series until the next contact. Allow Run While Logged Off
Select this option if you want to allow the script to run even if a user is not logged in. To run the script only when the user is logged into the machine, clear this option.
4. Specify the deployment options: Deploy to All Machines
Select this check box if you want to deploy to all the Machines.
Limit Deployment To Selected Labels
Select a label to limit deployment only to machines grouped by that label. Press CTRL and click labels to select more than one label.
Limit Deployment To Listed Machines
You can limit deployment to one or more machines. From the drop-down list, select a machine to add to the list. You can add more than one machine. You can filter the list by entering filter options.
Supported Operating Systems
Select an operating system on which the script will run. If you selected a label as well, the script will only run on machines with that label if they are also running the selected operating system.
Administrator Guide for KBOX 1000 Series, version 3.3
106
Scheduling
In the Scheduling area, specify when and how often the script will run. Don’t Run on a Schedule
Tests will run in combination with an event rather than on a specific date or at a specific time. Use this option in combination with one or more of the “Also” choices below. For example, use this option in conjunction with “Also Run at User Login” to run whenever the user logs in.
Run Every n minutes/hours
Test will run on every hour and minutes as specified.
Run Every day/specific day at HH:MM AM/PM
Test will run on the specified time on the specified day.
Run on the nst of every month/specific month at HH:MM AM/PM
Test will run on the specified time on the 1st, or 2nd, etc. of every month or only the selected month.
Custom Schedule
This option allows you to set an arbitrary schedule using standard cron format. For example, 1,2,3,5,20-25,30-35,59 23 31 12 * * means: On the last day of year, at 23:01, 23:02, 23:03, 23:05, 23:20, 23:21, 23:22, 23:23, 23:24, 23:25, 23:30, 23:31, 23:32, 23:33, 23:34, 23:35, 23:59. The KBOX 1000 Series doesn’t support the extended cron format.
Also Run Once at next Client Checkin
This option runs the script once when new scripts are downloaded from the KBOX 1000 Series. The time interval for downloaded scripts is set in KBOX Settings | Client Options | Scripting Update Interval.
Also Run at Machine Boot Up
This option runs the script at machine boot time. Be aware that this will cause the machine to boot up slower than it might normally.
Also Run at User Login
This option runs the script after the user has entered their Windows login credentials.
5. Click Run Now to immediately push the script to all machines. Use this option with caution. For more information about the Run Now button, see “Using the Run Now Function,” on page 111.
6. To browse for and upload files required by the script, click Add new dependency, click Browse, and then click Open to add the new dependency file. Repeat this step to add additional new dependencies as necessary. 7. Click Add Task Section to add a new task. The process flow of a task in a script is shown below. IF Verify THEN Success ELSE IF Remediation THEN Remediation Success ELSE Remediation Failure Figure 8-2: Example of Task process flow
Administrator Guide for KBOX 1000 Series, version 3.3
107
8. Under Job or Policy Rules, set the following options for Task 1: Attempts
The number of times the script will attempt to run. If the script fails but remediation is successful, you may want to run the task again to confirm the remediation step. To do this, set the number of Attempts to 2 or more. If the Verify section fails, it will be run Attempts number of times.
On Failure
Select Break if you want the script to stop running upon failure. Select Continue if you want the script to perform remediation steps upon failure.
9. In the Verify section, click Add to add a step, and then select one or more steps to perform. See Appendix A,“Steps for Task sections,” starting on page 204. 10. In the On Success and Remediation sections, select one or more steps to perform. See Appendix A,“Adding steps to a Task,” starting on page 203. 11. In the On Remediation Success and On Remediation Failure sections, select one or more steps to perform. See Appendix A,“Adding steps to a Task,” starting on page 203. To remove a dependency, task, or step, click the trash can icon This icon appears when your mouse hovers over an item.
beside the item.
Editing Scripts You can edit scripts on the Script: Edit Detail page, or in an XML editor. To use the XML editor, click the View raw XML editor link at the top of the Script: Edit Detail page. Scripts created using one of the wizards can be re-edited using the wizard in addition to these methods. To edit a script: 1. Select Scripting | Scripts. 2. Click the name of the script you want to edit. The Script: Edit Detail page appears. 3. Modify the script as desired. 4. Click Save. To delete a script: 1. Select Scripting | Scripts. 2. Select the check box beside the script you want to delete. 3. Choose Delete Selected Item(s) from the Choose action drop-down list. 4. Click OK to confirm deletion.
Administrator Guide for KBOX 1000 Series, version 3.3
108
Importing scripts If you prefer to create your script in an external XML editor, you can upload your finished script to the KBOX 1000 Series. Be sure that the imported script conforms to the following structure: The root element
Administrator Guide for KBOX 1000 Series, version 3.3
109
To import an existing script: 1. Click the Scripting button, then choose the Scripts tab. 2. From the Choose action drop-down list, select Import from XML. The Script: Edit Detail page appears. 3. Paste the existing script into the space provided, then click Save.
Duplicating scripts If you have already created a script that performs many of the tasks required of your new script, the simplest way to begin is to make a copy of the current script, then modify the steps as required, and then upload any new dependency files. To duplicate an existing script: 1. Select Scripting | Scripts. 2. Click the linked name of the script you want to copy to open it for editing. The Script: Edit Detail page appears. 3. Click the Duplicate button. The Scripts list page appears, which includes a new script named “Copy of xxx”, where “xxx” is the name of the copied script. 4. Click the linked name of the copied script to open it for editing. Continue as you would in “Adding Scripts,” on page 106.
Administrator Guide for KBOX 1000 Series, version 3.3
110
Using the Run Now Function The Run Now function provides a way for you to run scripts on selected machines immediately without setting a schedule. You may want to use this function if you have machines on your network that you suspect are infected with a virus or other vulnerability which could compromise your entire network if not resolved right away. Run Now is also useful for testing and debugging scripts on a specific machine or set of machines during development. The Run Now function is available in three places: Run Now tab - Running Scripts from the Scripting | Run Now tab allows you to run one script at a time on the target machines. Script: Edit Detail Page - Running Scripts from the Script : Edit Detail page allows you to run one script at a time on the target machines. Scripts List Page - Running scripts from the Scripts List Page using the Run Now option from the Choose action drop-down list allows you to run more than one script at the same time on the target machines. CAUTION: Because a script is deployed immediately when you click Run Now, use this feature cautiously, and do not deploy unless you are certain that you want to run the script on the target machines. Be sure to specify a label on which to run the script, otherwise it will deploy to all machines by default. See “Creating Labels,” on page 43 for more information.
Run Scripts using the Run Now tab You can run scrips using the Scripting | Run Now tab. To run Scripts using the Run Now tab: 1. Select Scripting | Run Now. The Run Now page appears. 2. Select the Script you want to run in the Scripts list. You can use the Filters to filter the Scripts list. 3. Select the machines on which Script needs to run from the Inventory Machines list. Selected machine name appears in the Machine Names field. You can use the Filters to filter the machine names list. You can add all the machines by clicking Add All. Atleast one machine name should be present in the list to run the script. 4. Click Run Now to run the selected Script.
Run Now from the Script Detail page To use the Run Now function from the Script Detail page: 1. To minimize the risk of deploying to unintended target machines, KACE recommends that you create a label that represents the machine or machines on which you want to use the Run Now function. See “Creating Labels,” on page 43 for more information. 2. Select the Scripting tab.
Administrator Guide for KBOX 1000 Series, version 3.3
111
3. Select the script you want to run. The Script: Edit Detail page appears. 4. Select the label or labels that represent the machine(s) on which you want to run the script. Press CTRL and click to select multiple labels. 5. Scroll to the bottom of the Scheduling section, then click Run Now. To use the Run Now function from the Scripts Lists Page: 1. To minimize the risk of deploying to unintended target machines, KACE recommends that you create a label that represents the machine or machines on which you want to use the Run Now function. See “Creating Labels,” on page 43 for more information. 2. Select the Scripting tab. 3. Select the script or scripts you want to run. 4. Select Run Now from the Choose action drop-down list.
Monitoring Run Now status When you click Run Now or select Run Now from the Choose action drop-down list, the Run Now Status tab appears where you will see a new line item for the script. The Pushed column indicates the number of machines on which the script is attempting to run. The Completed column indicates the number of machines that have finished running the script. The numbers in these columns increment accordingly as the script runs on all of the selected machines. The icons above the right-hand column provide further details of the script status. Icon
Description The script completed successfully. The script is still being run, therefore its success or failure is unknown. An error occurred while running the script.
Table 8-4: Run Now Status tab icons If there were errors in pushing the scripts to the selected machines, you can search the scripting logs to determine the cause of the error. For more information about searching logs, see “Searching Scripting Log Files,” on page 114. The Run Now function communicates over port 52230. One reason a script might fail to deploy is if firewall settings are blocking the KBOX Agent from listening on that port.
Administrator Guide for KBOX 1000 Series, version 3.3
112
Run Now Detail Page For more information on a Run Now item, click the linked start time on the Run Now Status page to display the item’s Run Now Detail page. The Run Now Detail page displays the results of a script that was run manually using the Run Now Function, instead of running it on a schedule. The Push Failures section lists those machines that the server could not contact, and therefore did not receive the policy. Once pushed, it may take some time for the machine to complete a policy. Machines that have received the policy, but have not reported their results yet are listed in the Scripts Running section. After the policy is run, it will report either success or failure. The results will be sorted under the appropriate section. Each individual computer page also has the results of the Run Now events run on that machine.
Administrator Guide for KBOX 1000 Series, version 3.3
113
Searching Scripting Log Files The Search Logs page allows you to search the logs uploaded to the KBOX 1000 Series appliance by the machines on your network. To search scripting logs: 1. Select Scripting |Search Logs. 2. Enter the keywords to search for in the Search for field. You can use the following operators to change how the logs are searched: Operator
Function
+
A leading plus sign indicates the word must be present in the log.
-
A leading minus sign indicates the word must not be present in the log.
*
A trailing asterisk can be used to find logs that contain words that begin with the supplied characters.
“
A phrase enclosed in double quotes matches only if the log contains the phrase exactly as typed.
Table 8-5: Available search operators 3. To search only in logs uploaded by a particular script, choose the script name. 4. Select the log type to search in from the drop-down list. Options include: Output, Activity, Status, and Debug. 5. In the Historical field, select whether to search in only the most recent logs or in all logs from the drop-down list. 6. To search only in logs uploaded by KBOX Agents in a particular label group, select the label from the drop-down list. 7. Click Search.
Administrator Guide for KBOX 1000 Series, version 3.3
114
Configuration Policies The Configuration Policy page displays a list of wizards you can use to create policies that manage various aspects of the computers on your network. To access the list of available Configuration Policy wizards, click the Scripting button, then select the Configuration Policy tab. This section includes descriptions of the settings for each of the policies you can create. Available wizards include: Enforce Registry Settings Remote Desktop Control Troubleshooter Enforce Desktop Settings Desktop Shortcuts Wizard Event Log Reporter MSI Installer Wizard UltraVNC Wizard Un-Installer Wizard Windows Automatic Updates Settings.
Administrator Guide for KBOX 1000 Series, version 3.3
115
Enforce Registry Settings This wizard allows you to quickly create scripts that enforce particular registry settings. To enforce registry settings: 1. Use regedit.exe to locate and export the values from the registry that you are interested in. 2. Open the .reg file that contains the registry values you want with notepad.exe and copy the text. 3. Select Scripting |Configuration Policy. 4. Click Enforce Registry Settings. The Configuration Policy : Enforce Registry Settings page appears. 5. Enter a policy name in the Policy Name field. 6. Paste the copied registry values into the Registry File field. 7. Click Save. After clicking Save you will be taken to the Script: Edit Detail page, where you will need to enable and set a schedule for this policy to take effect. A new script will be created that will check that the values in registry file match the values found on the target machines. Any values that are missing or incorrect will be replaced. See “Adding Scripts,” on page 106 for more information.
Remote Desktop Control Troubleshooter This editor creates a troubleshooting script for the KBOX 1000 Series Remote Control functionality. The script that this page generates will test the following things: Terminal Services: To access a Windows XP Professional machine using Remote Desktop, Terminal Services must be running. This script will verify that this is the case; Firewall Configuration: If the Windows XP SP2 Firewall is running on the machine, several different configurations may be affecting whether the Remote Desktop requests are being blocked by the firewall. To troubleshoot remote behavior: 1. Select Scripting |Configuration Policy. 2. Click Remote Desktop Control Troubleshooter. The Configuration Policy : Remote Control Troubleshooter page appears. Under Firewall Configuration, specify the desired settings. 3. Click Save. After clicking Save you will be taken to the Script: Edit Detail page, where you will need to enable and set a schedule for this policy to take effect. See “Adding Scripts,” on page 106 for more information.
Administrator Guide for KBOX 1000 Series, version 3.3
116
Enforce Desktop Settings This wizard allows you to build policies that affect the user's desktop wallpaper. The Wallpaper bitmap file is distributed to each machine affected by the policy. This file must be in the Bitmap (.bmp) format. To create a policy to enforce Desktop Settings: 1. Select Scripting |Configuration Policy. 2. Click Enforce Desktop Settings. 3. Select the Use wallpaper check box to enforce this setting. 4. Click Browse to select and upload the .bmp file to use for the wallpaper. 5. Select a position for the wallpaper image from the Position drop-down list. Select Stretch to stretch the image so that it covers the entire screen. Select Center to display the image in the center of the screen. Select Tile to repeat the image over the entire screen. 6. Click Save. After clicking Save you will be taken to the Script: Edit Detail page, where you will need to enable and set a schedule for this policy to take effect. See “Adding Scripts,” on page 106 for more information.
Desktop Shortcuts Wizard This wizard allows you to quickly create scripts that add shortcuts to users' Desktop, Start Menu, or Quick Launch bar. You can create an Internet shortcut and can put a URL to the target with no parameters and working shortcut. To create scripts to add shortcuts: 1. Select Scripting |Configuration Policy. 2. Click Desktop Shortcuts Wizard. The Configuration Policy : Enforce Shortcuts page appears. 3. Enter a name for the desktop shortcut policy in the Policy Name field. 4. Click Add Shortcut. 5. Specify the shortcut details. Name
The text label that will appear below or beside the shortcut.
Target
The application or file that is launched when the shortcut is clicked, e.g., Program.exe.
Parameters
Any command line parameters. For example: /S /IP=123.4
WorkingDir
Changes current working directory. For example: C:\Windows\Temp
Location
Select the location where the shortcut will appear from the drop-down list. Options include Desktop, Quick Launch, and Start Menu.
6. Click Save Changes to save the new shortcut. 7. Click Add Shortcut to add more shortcuts. To edit or delete a shortcut, hover over a shortcut and click the Trash can icon that appears. 8. Click Save. After clicking Save you will be taken to the Script: Edit Detail page, where you will need to enable and set a schedule for this policy to take effect. See “Adding Scripts,” on page 106 for more information.
Administrator Guide for KBOX 1000 Series, version 3.3
117
Event Log Reporter This wizard creates a script that queries the Windows Event Log and uploads the results to the KBOX 1000 Series. To create an Event Log query: 1. Select Scripting |Configuration Policy. 2. Click Event Log Reporter. The Configuration Policy : Event Log Reporter page appears. 3. Specify query details: Output filename
The name of the log file created by the script.
Log file
The type of log you want to query. Options include Application, System, and Security.
Event Type
The type of event you want to query. Options include Information, Warning, and Error.
Source Name
Use this optional field to restrict the query to events from a specific source.
4. Click Save. After clicking Save you will be taken to the Script: Edit Detail page, where you will need to enable and set a schedule for this policy to take effect. See “Adding Scripts,” on page 106 for more information.
MSI Installer Wizard This wizard helps you set the basic command line arguments for running MSI based installers. See the MSI Command Line documentation for full details. To create the MSI Installer policy: 1. Select Scripting |Configuration Policy. 2. Click MSI Installer Wizard. The Configuration Policy : MSI Wizard page appears. 3. Enter the following information: Action
Select a task. Options include Install, Uninstall, Repair missing files, and Reinstall all files.
Software
Select the application you want to install, uninstall, or modify.
MSI filename
Enter a MSI filename.
User Interaction
Select an option to specify how the installation should appear to end users. Options include: Default, Silent, Basic UI, Reduced UI, and Full UI. See MSI documentation for a complete description of the available options.
Installation Directory
Specify the installation directory.
Additional Switches
Include any additional installer switches. Additional Switches will be inserted between the msiexe.exe and the /i foo.msi arguments.
Administrator Guide for KBOX 1000 Series, version 3.3
118
Additional Properties
Include any additional properties. Additional Properties will be inserted at the end of the command line. For example: msiexec.exe /s1 /switch2 /i patch123.msi TARGETDIR=C:\patcher PROP=A PROP2=B
Feature List
Enter the features to install. Separate features with commas.
Store Config per machine
Select this box to do per-machine installations only.
After install
Select the behavior after installation. Options include: Delete installer file and unzipped files Delete installer file, leave unzipped files Leave installer file, delete unzipped files Leave installer file and unzipped files.
Restart Options
Select the restart behavior. Options include: No restart after installation Prompts user for restart Always restart after installation Default
Logging
Select the type(s) of installer messages to log. Press CTRL and click to select multiple message types. Options include: None All Messages Status Messages Non-fatal warnings All error messages Start up actions Action-specific records User requests Initial UI parameters Out-of-memory or fatal exit information Out-of-disk-space messages Terminal properties Append to existing file Flush each line to the log See MSI documentation for a complete description of the available logging options.
Log File Name
Specify the name of the log file.
4. Click Save. After clicking Save you will be taken to the Script: Edit Detail page, where you will need to enable and set a schedule for this policy to take effect. See “Adding Scripts,” on page 106 for more information.
Administrator Guide for KBOX 1000 Series, version 3.3
119
UltraVNC Wizard The UltraVNC Wizard creates a script to distribute UltraVNC to Windows computers on your network. UltraVNC is a free software solution that allows you to display the screen of a computer (via Internet or network) on another computer. You can use your mouse and keyboard to control the other computer remotely. It means that you can work on a remote computer, as if you were sitting in front of it, right from your current location.This wizard creates a script to deploy UltraVNC to your computers. See UltraVNC documentation for complete details. Go to http://www.uvnc.com/ for UltraVNC downloads and documentation.
To distribute UltraVNC to the computers on your network: 1. Select Scripting | Configuration Policy. 2. Click UltraVNC Wizard. The Configuration Policy : Ultra VNC Wizard page appears. 3. Specify UltraVNC installation and authentication options: Install Options
Install Mirror Driver
Check the Mirror Driver box to if you want to install the optional UltraVNC Mirror Video Driver. The Mirror Video Driver is a driver that UltraVNC can use to be quickly and efficiently notified with screen changes. Using it on an UltraVNC server results in an excellent accuracy. The video driver also makes a direct link between the video driver framebuffer memory and UltraWinVNC server. Using the framebuffer directly eliminates the use of the CPU for intensive screen blitting, resulting in a big speed boost and very low CPU load. See UltraVNC documentation for complete details.
Authentication
Install Viewer
Check the Mirror Driver box to if you want to install the optional UltraVNC Mirror Video Driver.
VNC Password
Provide a VNC password for authentication.
Require MS Logon
If you want to use MS Logon authentication, use MSLogonACL.exe /e acl.txt to export the ACL from your VNC installation. Copy and paste the contents of the text file into the ACL field. It is advisable to look at the script that is generated by this wizard to make sure it is doing something you expect. You can view the raw script by clicking View raw XML Editor on the Script Detail page.
Administrator Guide for KBOX 1000 Series, version 3.3
120
4. Specify UltraVNC miscellaneous options: Disable Tray Icon
Check this box if you do not want to display the UltraVNC tray icon on the target computers.
Disable client options in tray icon menu
If you did not check Disable Tray Icon, check this box if you do not want to display client options in the tray icon menu on the target computers.
Disable properties panel
Check this box to disable the UltraVNC properties panel on the target computers.
Forbid the user to close down WinVNC
Check this box if you do not want to allow computer users to shut down WinVNC.
5. Click Save. After clicking Save you will be taken to the Script: Edit Detail page, where you will need to enable and set a schedule for this policy to take effect. See “Adding Scripts,” on page 106 for more information.
Un-Installer Wizard This wizard allows you to quickly build a script to uninstall a software package. The resulting script can perform three actions: Execute an uninstall command;Kill a process; and Delete a directory. To create an uninstaller script: 1. Select Scripting | Configuration Policy. 2. Click Un-Installer Wizard. The Configuration Policy : Uninstaller page appears. 3. Enter the following information: Job Name
Enter a name for the uninstaller script.
Software Item
Select the software item to uninstall. The wizard will attempt to fill in the correct uninstall command. Verify that the values are correct.
Uninstall Command Directory Uninstall Command File
When you select the software item, the wizard will attempt to fill in the uninstall command directory, file, and parameters.
Uninstall Command Parameters
Review the entries to make sure the values are correct.
Kill Process
To have a process killed before executing the uninstall command, enter the full name of the process in the Kill Process field. (For example: notepad.exe)
Delete Directory.
To have a directory deleted after executing the uninstall command, enter the full name of the directory in the Delete Directory field here. (For example: C:\Program Files\An Example App\).
4. Click Save. After clicking Save you will be taken to the Script: Edit Detail page, where you will need to enable and set a schedule for this policy to take effect. See “Adding Scripts,” on page 106 for more information.
Administrator Guide for KBOX 1000 Series, version 3.3
121
Windows Automatic Update Settings policy This policy allows you to configure a script to control Windows Automatic Updating system. Detailed information can be found at Microsoft's Knowledge Base Article 328010 (http://support.microsoft.com/kb/ 328010). To modify Windows Automatic Update settings: 1. Select Scripting | Configuration Policy. 2. Click Windows Automatic Update Settings. The Windows Automatic Update Policy page appears. The Windows Automatic Update Policy page appears. 3. Enter the following information: Automatic (recommended)
Select this option to enable automatic downloading of Windows Updates.
Download updates for me, but let me choose when to install them.
Select this option to ensure that you always receive the latest downloads, but retain the flexibility to decide when to install them.
Notify me but don’t automati- Select this option provides for the most flexibility. Be aware, howcally download or install them. ever, that this may make your network more vulnerable to attack if you neglect to retrieve and install the updates on a regular basis. Turn off Automatic Updates
Select this option if you are using the KBOX 1000 Series Patching feature to manage Microsoft patch updates.
Remove Admin Policy. User allowed to configure.
Select this option to provide users with control over the update process. Be aware, however, that this may make end-users, and therefore your network, more vulnerable to attack.
4. Select the interval (in minutes) to wait to reschedule an update if the update fails from the Reschedule Wait Time drop-down list. 5. Specify whether or not to reboot while a user is logged in. 6. Enter the details for the SUS Server and SUS Server Statistics. 7. Click Save. After clicking Save you will be taken to the Script: Edit Detail page, where you will need to enable and set a schedule for this policy to take effect. See “Adding Scripts,” on page 106 for more information.
Administrator Guide for KBOX 1000 Series, version 3.3
122
C H A P T E R 9
Patching The KBOX 1000 Series Patching feature enables you to quickly and easily deploy Microsoft patches to your network. This feature is available only for computers that run on the Windows operating system. “Overview of Patching feature,” on page 124 “Bulletin Management workflow,” on page 126 “Updating Patch definitions,” on page 131
Overview of Patching feature The KBOX 1000 Series patching feature provides access to the latest Microsoft Security bulletin updates for Windows platforms including Microsoft Office programs. Microsoft updates its list of Security bulletins nightly, and new patches are available for download from the KBOX 1000 Series daily beginning at 3 AM. The KBOX 1000 Series automatically downloads patch software and creates managed installations based on the configured patch settings. You can view the list of available bulletins, see which bulletins require attention, and access other patching functions from the Distribution | Patches tab. The Bulletin Management view of the Patches tab provides a central interface where you can easily review, approve, or decline patches, as well as access all other patch functions. From the Distribution | Patches tab you can: Filter and search patch bulletins Approve or decline bulletins Configure and troubleshoot patch deployment Create a new Replication Share Create a new Windows update policy See a list of computers currently patching Run patch reports View patch status. To sort the bulletin list view by status, importance, or bulletin year, click one of the links at the top of the page under Bulletin Lists. The Patch Listing page appears. The Patch Listing page provides a list of all available bulletins, which you can further sort based on status, bulletin year, importance, bulletin year, or affected operating system. You can also view only those bulletins that encountered errors during deployment. To view details about a specific patch, click the linked name of the bulletin. The Patch Listing page uses the following icons to convey the status of a bulletin: Icon No icon
Description Bulletin needs review. The bulletin is approved for distribution. The bulletin is under review. The bulletin is declined and will not be distributed.
Table 9-1: Patch List icons
The Patch Listing page also contains the following information: Importance - The severity rating of the patch: Unrated, Low, Moderate, Important, or Critical Expected - The number of computers to which the patch will be deployed
Administrator Guide for KBOX 1000 Series, version 3.3
124
ToDo - The number of computers still to be patched Error - The number of errors encountered during the patch process. To return to the Bulletin Management page from the Patch Listing page, click the Patches tab again.
Administrator Guide for KBOX 1000 Series, version 3.3
125
Bulletin Management workflow The process for deploying patches on your network follows these basic steps: Downloading, Reviewing/ Approving, Deploying, and Reporting. The sections that follow describe each of these steps in detail along with associated tasks and settings. The Bulletin Management page provides a dashboard from which you can access all the necessary patch deployment tasks. The Bulletin Lists offer a filtered view of the bulletins so you can scale the list to specific bulletins by year, importance (critical), or status (approved or declined).
Downloading patch bulletins As mentioned previously, the KBOX 1000 Series automatically downloads all new patches available from Microsoft every day. However, you can modify the patch configuration settings to only download bulletins from a certain year, invoke an immediate patch download, or delete all software associated with previously downloaded patches. To configure patch download settings: 1. Select Distribution |Patches. 2. Under Associated Activities, click the Change Patch Settings link. The Patch Settings page appears. 3. Scroll down and click the [Edit Mode] link. 4. Under Download Patches from, select the bulletin year. 5. To update patch definitions immediately, click Update Patches Now. 6. To delete all software associated with previously download patches, click Delete Patches ( ). The number of Managed Installations that will be deleted is in parenthesis.
Reviewing & approving bulletins When new bulletins appear in the KBOX 1000 Series, they appear under the Need Review Bulletins section of the Bulletin Management page so that you can easily see which bulletins need your attention. You should review items listed here and move them to the appropriate category (Approved, Reviewing, or Declined) as soon as possible. You can review and approve bulletins in several ways: from the Needs Review Bulletin list, from the Patch List page, or from the individual bulletin detail page. Both the Needs Review Bulletin and Patch List offer the option of modifying multiple bulletins at once. Additionally, you can sort the bulletin view by the most Critical bulletins to ensure that you approve and deploy the most sensitive bulletins as quickly as possible. To review bulletins from the Needs Review Bulletin list: 1. Select Distribution | Patches. 2. Under the Needs Review Bulletins, select the check box beside the bulletin(s) you want to modify. 3. Select the check box beside the bulletin(s) you want to modify. 4. Select the check box next to the check mark in the header to select all bulletins.
Administrator Guide for KBOX 1000 Series, version 3.3
126
5. Select one of the following options from the Choose action drop-down list: Needs review
The default option on this page. Bulletin will remain on the Needs Review list. Bulletin will not be distributed.
Reviewing
The bulletin is moved out of the Needs Review list, but still requires an Approved status before it will be deployed.
Approved
The bulletin will be deployed according to the patch settings you specify.
Declined
The bulletin will be removed from the Needs Review list.
6. Click Save. To review patches from the Patch listing: 1. Select Distribution | Patches. 2. Under To Do Lists, click the Need Review Bulletins link. The Patch Listing page appears. 3. Select the check box beside the bulletin(s) you want to modify. 4. From the Choose action drop-down list, select the desired status. You can change the status of bulletins in batches or individually. There are several ways to change the status of a bulletin: From the Bulletin Management page From the Patch List page From the Bulletin Detail page. To change the status of all open bulletins at once: 1. From the Bulletin Management Page, under Need Review Bulletins, click the + Bulletins link to expand the list. 2. Scroll down and select the Check All Bulletins check box. 3. Select the desired status: Reviewing Approved Declined. 4. Click Save. To change bulletin status individually: 1. From the Bulletin Management Page, under Need Review Bulletins, click the + Bulletins link to expand the list. 2. Click the linked bulletin number. The Bulletin: Detail page appears in a new browser window. 3. Select the desired status: Needs review Reviewing Approved Declined.
Administrator Guide for KBOX 1000 Series, version 3.3
127
4. Click Save. If you see the word WARNING on this page, it means that the settings for the various Managed Installations listed are different from each other. Clicking Save under these circumstances will overwrite those different settings with the values you specify on this page. To see a list of software titles affected by this bulletin, scroll down to the bottom of the page.
Deploying bulletins When you approve a bulletin, you will see the Bulletin: Detail page where you will see the bulletin details, such as the computers to which you want to deploy bulletins be deployed to, operating systems affected, and links to access the Managed Installation details for the bulletin. By default, approved bulletins are set to execute the next time a machine checks in to the KBOX 1000 Series. You can configure this and other settings, such as installation behavior, user interaction, and deployment window from the Patch Settings page. To configure bulletin deployment settings: 1. Select Distribution |Patches. 2. Under Associated Activities, click the Change Patch Settings link. The Patch Settings page appears. 3. Click the [Edit Mode] link to modify settings. 4. Enter Patch Download Maintenance information as follows: Download Patches From
Select a year from the drop-down list.
Update Patches Now
Click Update Patches Now to update your list of patches.
Delete all Patch Software
Click Delete Patches to delete all downloaded patches.
5. Specify the following Default Patch Settings: Managed Action
Select a Managed Action from the drop-down list. This dictates deployment behavior. Options include: Execute anytime (next available) Execute before logon (at machine bootup) Execute after logon (before desktop loads) Execute while user logged on Execute while user logged off.
Quiet Install
Select this check box to install the patch without notifying the user.
Suppress Reboot
Select this check box to install the patch without requiring the users machine to reboot.
Deployment Window
By default, the KBOX 1000 Series will attempt to deploy this patch for 24 hrs. Select a time on a 24-hour clock to open the deployment window and a time to close the deployment window.
Administrator Guide for KBOX 1000 Series, version 3.3
128
Limit Deployment To
Specify the label(s) to which you want to deploy the patch. KACE recommends deploying patches to a test label with a small number of machines before deploying more widely on your network. Press CTRL and click to select multiple labels.
Max Attempts
Specify the maximum number of times (between 1 and 99) the KBOX 1000 Series will attempt to install the patch before giving up.
Allow Snooze
Select this check box to allow users to delay patch installation until a later time.
Pre-Install Message
Select this check box to display a message to users before installing the patch. Additional Pre-Install Message fields appear.
Pre-Install User Message
Enter the message text that will displayed to users before installing the patch.
Pre-Install Message Timeout
Enter a timeout duration for the message in minutes.
Pre-Install Message Timeout Action
Select one of the following options from the drop-down list. This action will be taken if the time duration is reached. Options include: Install Now Install Later
Post-Install Message
Select this check box to display a message to users after installing the patch. Type message in space provided.
Post-Install User Message
Enter the message text that will displayed to users after the patch is installed.
Post-Install Message Timeout
Enter a timeout duration for the message in minutes.
Delete Downloaded Files
Select to download all the files after the patch is installed.
6. To apply these changes across all patches, select the Apply changes to existing patches check box. 7. Click Save.
Administrator Guide for KBOX 1000 Series, version 3.3
129
Reporting patching results There are several ways you can access patching results. To see which patches were unsuccessful, for example, you could select Bulletins with deployment errors from the To Do Lists section of the Bulletin Management page, or sort the Patch Listing page by Bulletins with Errors. For more details about patching status and results, you can refer to the Computer Information, Patch Reports, and Patch System Status sections of the Bulletin Management page. Computer Information includes the Machine name, IP Address, Last Sync, Last User Logged In, and the Number of Patches for each machine to which patches were deployed. The Patch Reports section provides quick links for viewing reports on: Critical Bulletin List For each Machine, what patches are installed For each Patch, what machines have it installed How many computers have each Patch installed Installation Status of each enabled Patch Needs Review Bulletin List Patches waiting to be deployed. The Patch System Status gives an overview of the number of bulletins that have been downloaded from Microsoft, the status of the last update, and the date and time of the last attempted and successful downloads.
Creating a Replication Share for patches A Replication Share allows a KBOX Agent to replicate software installers to a share for use by other KBOX Agents. This allows KBOX Agent machines to download patch software from the share instead of directly from the KBOX 1000 Series. This is useful if you have machines in a remote office where downloading the software once for each machine would impact the network. For more information about creating Replication Shares, see Chapter 6,“Replication,” starting on page 91.
Create new Windows Update Policy The KBOX 1000 Series provides a way for you to control the behavior of the Windows Update feature. This feature allows you to specify how and when Windows updates are downloaded so that you can control the update process for the computers on your network. Although this functionality is accessible from the Bulletin Management page, the configuration settings reside under the Scripting | Configuration Policy tab. For more information about this policy, see “Windows Automatic Update Settings policy,” on page 111.
Administrator Guide for KBOX 1000 Series, version 3.3
130
Updating Patch definitions Although the definitions for Microsoft patches are updated automatically on a scheduled basis, you can retrieve the latest files manually from the Server Maintenance page. To update the Patch definitions:
1. Select Distribution | Patches. 2. To update Microsoft patches, click Change Patch Setting.
Administrator Guide for KBOX 1000 Series, version 3.3
131
C H A P T E R 10
Security The optional KBOX 1000 Series Security Enforcement and Audit Module allows you to run vulnerability tests on your network using Open Vulnerability and Assessment Language (OVAL). This feature is available only for computers that run on the Windows operating system. “Security Module Overview,” on page 133 “OVAL Tests,” on page 134 “OVAL Reports,” on page 138 “Creating Security Policies,” on page 139
Security Module Overview If you purchased the optional KBOX 1000 Series Security Enforcement and Audit Module, you can ensure the health of your network by running vulnerability tests on the computers in your network, then, based on testing results, you can determine how to bring the computers back into compliance. You can customize security policies to enforce certain rules, schedule tests to run automatically, and run reports based on testing results. The KBOX 1000 Series Security Enforcement and Audit Module uses Open Vulnerability and Assessment Language (OVAL), an internationally recognized standard for detecting security vulnerabilities and configuration issues on computer systems. OVAL is compatible with the Common Vulnerabilities and Exposures (CVE) list, which provides common names used to describe known vulnerabilities and exposures. The ability to describe vulnerabilities and exposures in a common language makes it easier to share security data with other CVE-compatible databases and tools. Note that the OVAL tests available with your KBOX 1000 Series when it is first installed might be out of date. After installation, the KBOX 1000 Series will automatically check for updates nightly. You can see the current OVAL version on the KBOX Summary Info page (Reporting | Summary).
About OVAL and CVE OVAL relies on definitions submitted by members of the security community on the Community Forum, by MITRE Corporation, or by the OVAL Board, to detect vulnerabilities on your network. OVAL uses the vulnerabilities on the CVE List as the basis for most of its definitions. CVE content is determined by the CVE Editorial Board, which is composed of experts from the international information security community. Any new information about a vulnerability that is uncovered as a result of discussions on the Community Forum are sent to the CVE Initiative for possible addition to the list. For more information about CVE visit http://cve.mitre.org. OVAL definitions pass through a series of phases before being released. Depending on where a definition is in this process, it will likely be assigned a status of DRAFT, INTERIM, or ACCEPTED. Other possible values for status are Initial Submission and Deprecated. For more information about the stages of OVAL definitions, visit http://oval.mitre.org/about/stages.html. Status
Description
Draft
Definitions with this status have been assigned an OVAL ID number and are under discussion on the Community Forum and by the OVAL Board.
Interim
Definitions with this status are under review by the OVAL Board and available for discussion on the Community Forum. Definitions are generally assigned this status for two weeks, unless further changes or discussion are required.
Accepted
Definitions with this status have passed the Interim stage and are posted on the OVAL Definition pages. All history of discussions surrounding Accepted definitions are linked from the OVAL definition.
Table 10-1: OVAL status definition descriptions
Administrator Guide for KBOX 1000 Series, version 3.3
133
OVAL Tests The KBOX 1000 Series checks nightly for updates to the list of available OVAL definitions. Definitions are displayed on the OVAL Tests tab, along with their associated OVAL ID and CVE Number. Search for a specific OVAL test by operating system, vulnerability, or by OVAL ID or CVE Number. To view the list of OVAL definitions, click the Security button, then select the OVAL Tests tab. To view the details of a test, click the linked definition to view the OVAL Test Detail page. When OVAL tests are enabled, all of the available OVAL tests are run on the target machines. Click the OVAL-ID or CVE-ID for more details about a vulnerability
Definition status
The steps used to test for the vulnerability
The computers detected to have this vulnerability along with the IP address and operating systems of the affected computers Figure 10-2: OVAL Test Definition page OVAL Test details do not indicate the severity of the vulnerability. Use your own judgement when determining whether to test your network for the presence of a particular vulnerability.
Administrator Guide for KBOX 1000 Series, version 3.3
134
The table below contains an explanation of the fields found on the OVAL Tests Definition page. Field
Description
OVAL-ID
Click the OVAL-ID to visit an external Web site with more details about the vulnerability. The status of the vulnerability follows the OVAL-ID. Possible values are DRAFT, INTERIM, or ACCEPTED.
Class
Indicates the nature of the vulnerability. Possible values are: compliance, deprecated, patch, and vulnerability.
Ref-ID
Click the Ref-ID to visit an external Web site for more details about the vulnerability.
Description
The common definition of the vulnerability as found on the CVE list.
Definition
Specifies the testing steps used to determine whether or not the vulnerability exists.
Table 10-3: OVAL Test Definition page fields
The table at the bottom of the page displays the list of computers in your network that contain this vulnerability. For convenience, a printer-friendly version of this data is available.
Running OVAL Tests The KBOX 1000 Series runs OVAL tests automatically based on the schedule specified in OVAL Settings. Because OVAL Tests take up a considerable amount of memory and CPU, they will impact the performance of the target machines. OVAL Tests take between 5 and 20 minutes to run. Therefore, to minimize the disruption to your users, it is best to run OVAL Tests once a week, or once a month during off hours when your users are least likely to be inconvenienced. For example, you may want to schedule OVAL to run once a week on a Saturday. If you are only running OVAL Tests periodically, or if there are only select machines whose OVAL Test results you are concerned about, you could assign a label to those machines and use the Run Now Function to run OVAL Tests on those machines only. For more information about the Run Now Function, see “Using the Run Now Function,” on page 101.
OVAL Updates The KBOX 1000 Series checks www.kace.com for new OVAL definitions nightly, but you should expect new definitions weekly. If you have OVAL tests enabled, the KBOX 1000 Series will download new OVAL definitions to all client machines on the next scripting update interval whenever a new package becomes available, regardless of the OVAL schedule settings. The .zip file that contains the updates could be up to 2MB, so use caution when enabling OVAL Tests for the computers on your network, as the size of the package could impact the performance of users’ machines, particularly those on dialup connections. For this reason, a good rule to follow is to only enable OVAL Tests when you want to run them. For example, if you wanted to schedule OVAL Tests to run on January 1st, you could disable them on January 2nd, and not enable them again until close to the next time you want them to run. Any OVAL updates that are pulled down while the OVAL Tests are disabled will be stored on the KBOX 1000 Series and only pushed out to the target machines when enabled again.
Administrator Guide for KBOX 1000 Series, version 3.3
135
OVAL Settings and Schedule By default, OVAL is set to run on all machines, on all operating systems, and at 3AM. To specify OVAL settings: 1. Select Security | Oval Settings. The OVAL Settings & Schedule page is displayed. 2. Specify the Configuration settings: Enabled
Run OVAL on the target machines. Only enabled OVAL Tests will run when you want to run them.
Allow Run While Disconnected
Run OVAL on the target machines, but store test results on the target machine until they can be uploaded to the KBOX 1000 Series.
Allow Run While Logged Off
Run OVAL even if a user is not logged in. With this turned off, the script will only run when a user is logged into the machine.
3. Edit deployment settings as shown in the following table: Deploy to All Machines
Select this check box if you want to deploy to all the Machines. Click OK in the confirmation dialog box.
Limit Deploy To
You can limit deployment to one or more labels. Press CTRL and click to select more than one label.
Supported Operating Systems
Select the operating system to which you want to limit deployment. Press CTRL and click to select more than one operating system. Note: Leave blank to deploy to all operating systems.
4. In the Scheduling area, specify the time and frequency for running OVAL: Don’t Run on a schedule
Tests will run in combination with an event rather than on a specific date or at a specific time. Use this option in combination with one or more of the “Also” choices below. For example, use this option in conjunction with “Also Run at User Login” to run whenever the user logs in.
Run Every n minutes/hours
Test will run on every hour and minutes as specified.
Run Every day/specific day at ...
Test will run on the specified time on the specified day.
Run on the nst of every month/ specific month at...
Test will run on the specified time on the 1st, or 2nd, etc. of every month or only the selected month.
Custom Schedule
This option allows you to set an arbitrary schedule using standard cron format. For example, 1,2,3,5,20-25,30-35,59 23 31 12 * * means: On the last day of year, at 23:01, 23:02, 23:03, 23:05, 23:20, 23:21, 23:22, 23:23, 23:24, 23:25, 23:30, 23:31, 23:32, 23:33, 23:34, 23:35, 23:59. The KBOX 1000 Series doesn’t support the extended cron format.
Also Run Once at next Client Checkin
If this option is selected, test will run once at next client checkin. It is recommended to avoid this option because this option will run tests when the user’s machine is in use. Selecting this option could impact the machine’s performance.
Administrator Guide for KBOX 1000 Series, version 3.3
136
Also Run at Machine Boot Up
If this option is selected, test will run at machine boot up. It is recommended to avoid this option because this option will run tests when the user’s machine is in use. Selecting this option could impact the machine’s performance.
Also Run at User Login
If this option is selected, test will run at user login. It is recommended to avoid this option because this option will run tests when the user’s machine is in use. Selecting this option could impact the machine’s performance.
5. To run the script immediately, click Run Now. The Run Now button only runs tests on the machines selected in the Deployment area, specified in steps 3 and 4 above. For more information about Run Now, see “Using the Run Now Function,” on page 101.
Administrator Guide for KBOX 1000 Series, version 3.3
137
OVAL Reports The OVAL Reports tab displays a list of all of the OVAL Tests that have been run. At a glance, you can see which OVAL Tests failed and the number of computers that failed each OVAL test. From the test detail view, you can see all of the computers that failed that OVAL Test and you can assign a label to those machines so that you can patch them at a later time. In addition, the Computer Reports tab offers a list of machines with OVAL results where you can see a summary of tests run on specific computers. The label under the Machine column is the KBOX 1000 Series inventory ID assigned by the Inventory module. For more information about any of the computers on the report, click the linked machine name to go to the computer’s Inventory Detail page.
Administrator Guide for KBOX 1000 Series, version 3.3
138
Creating Security Policies The KBOX 1000 Series Security Module includes several wizards that can help you create security policies to manage the computers on your network. To view the list of available security policies you can create, Select Security | Security Policy. This section includes descriptions of the settings for each of the policies you can create. After you click Save on one of the policy wizard screens, the Scripting tab will appear where you can specify when to run the script and which machines will be targeted. If you want to modify a script that was created using one of these wizards, you can either re-edit it using the wizard or you can edit the script in the KBOX 1000 Series script editor. Opening the script in the regular KBOX 1000 Series script editor is also a useful way to determine exactly what actions the script performs. Available wizards include: Enforce Internet Explorer Settings Enforce XP SP2 Firewall Settings Enforce Disallowed Programs Settings Enforce McAfee AntiVirus Settings McAfee SuperDAT Updater Enforce Symantec AntiVirus Settings Quarantine Policy Lift Quarantine Action.
Enforce Internet Explorer Settings This policy allows you to control user’s Internet Explorer preferences. You can choose to control some preferences, while leaving others as user-defined. Policy settings enforced by you will overwrite the users’ corresponding Internet Explorer preferences. Because this script modifies user settings, you will need to schedule it to run when the user is logged in. To set the Internet Explorer settings policy: 1. Select Security | Security Policy. 2. Click Enforce Internet Explorer Settings. 3. In the User Home Page area, select Enforce User Home Page policy, then specify the URL to use as the home page. 4. In the Security area, select the Enforce Internet Zone settings policy check box, then choose the security level. 5. Select the Enforce Local Intranet Zone settings policy check box, then choose the security level. 6. Set the following options: Include all local (intranet) sites not listed in other zones Include all sites that bypass the proxy server Include all network paths (UNCs) 7. Select the Enforce Trusted Zone settings policy check box, then choose the security level. 8. Select the Enforce Zone Map check box, then specify the IP addresses or ranges for the following zones:
Administrator Guide for KBOX 1000 Series, version 3.3
139
Restricted sites Locale Intranet sites Trusted sites 9. Select the Enforce Privacy settings policy check box, then set the Cookie policy. 10. Select the Enforce pop-up settings policy check box, then set the following options: Pop-up filter level Web sites to allow 11. Click Save. After clicking Save you will be taken to the Script: Edit Detail page where you must enable and set a schedule for this policy to take effect.
Enforce XP SP2 Firewall Settings This policy enables you to enforce firewall settings on endpoint computers running Windows XP with Service Pack 2. You can enforce different policies based on whether the endpoint computer has authenticated with a domain controller, or is accessing the network remotely, from home or through a wireless hotspot. If your endpoint computer has authenticated with a domain controller, it uses the Domain Policy; otherwise, it uses the Standard Policy, so you might want to configure it to impose tighter restrictions. To set the XP SP2 Firewall settings policy: 1. Select Security | Security Policy. 2. Click Enforce XP SP2 Firewall settings. 3. In either the Domain Policy or Standard Policy areas, indicate whether Firewall is Enabled, Disabled, or if No Policy is in effect. 4. Select or clear the Enable logging check box, then specify a location and name for the log file. By default, the log is stored here: C:\Program Files\KACE\firewall.log. 5. Select or clear the check boxes for the following settings: Allow WMI traffic
Enables inbound TCP traffic on ports 135 and 445 to traverse the firewall. These ports are necessary for using remote administration tools such as the Microsoft Management Console (MMC) and Windows Management Instrumentation (WMI).
Allow Remote Desktop
Enables inbound TCP traffic on port 3389 to traverse the firewall. This port is required for the computer to receive Remote Desktop requests.
Allow file and printer sharing
Enables inbound TCP traffic on ports 139 and 445, and inbound UDP traffic on ports 137 and 138. These ports are required for the machine to act as a file or printer sharing server.
Allow Universal Plug-and-Play (UPnP)
Enables inbound TCP traffic on port 2869 and inbound UDP traffic on port 1900. These ports are required for the computer to receive messages from Plug-and-Play network devices, such as routers with built-in firewalls.
Administrator Guide for KBOX 1000 Series, version 3.3
140
6. To specify Inbound Port Exceptions, click Add Port Exception. Inbound Port Exceptions enables additional ports to be opened in the firewall. These may be required for the computer to run other network services. An Inbound port exception is automatically added for port 52230 for the KACE Client Listener, which is required to use the Run Now functionality. 7. Specify a Name, Port, Protocol, and source for the exception. 8. Click Save. After clicking Save you will be taken to the Script: Edit Detail page, where you must enable and set a schedule for this policy to take effect.
Enforce Disallowed Programs Settings This policy allows you to quickly create a script that prevents certain programs from running on the endpoint machines. After the resulting script is executed on a target machine, these policies take effect only after the next reboot of that machine. On Windows XP or 2000, you can add a shutdown command as the last step of the script to force a reboot, which will enable the policy to take effect right away. The script created as a result of this wizard will overwrite any disallowed program settings on the target machines.
To set the Disallowed Programs settings policy: 1. Select Security | Security Policy. 2. Click Enforce Disallowed Programs Settings. 3. Specify a name for the policy. 4. Select or clear the Disallow programs check box. When checked, all disallowed programs will be prevented from running. When unchecked, all programs will be allowed to run. 5. Add disallowed programs. To prevent Notepad from running, for example, enter notepad.exe. 6. Click Save. After clicking Save you will be taken to the Script: Edit Detail page, where you must enable and set a schedule for this policy to take effect.
Administrator Guide for KBOX 1000 Series, version 3.3
141
Enforce McAfee AntiVirus Settings This policy allows you to configure which McAfee VirusScan features are installed. This policy works with McAfee VirusScan version 8.0i and verifies that the software is installed with the configuration you specify here. It also confirms that the OnAccessScan (McShield) is running. You will need to zip the McAfee VirusScan installation directory and upload it here. A Software Inventory item will be created automatically if it does not already exist. To set the McAfee AntiVirus settings policy: 1. Zip the McAfee VirusScan installation directory. 2. Select Security | Security Policy. 3. Click Enforce McAfee AntiVirus Setting. 4. Click Browse to search for the McAfee zip file. 5. Use the User Interaction drop-down list to specify how the installation should appear to your users. For a description of the available options, refer to the McAfee documentation. 6. Select the McAfee AntiVirus features to install. Press CTRL and click to select multiple features. To install the Alert Manager, use the McAfee tools to include the Alert Manager installation files in the deployment package. Please consult the McAfee documentation for specific information about the features available here. 7. Select or clear the following check boxes: Enable On Access Scanner Lockdown VirusScan Shortcuts Preserve earlier version settings Remove other anti-virus software. 8. Specify the location on the target machine where the following files will be installed: McAfee installation Alert Manager SITELIST.XML Desktop Firewall EXTRA.DAT. 9. Select the information you want to log. Press CTRL and click to select multiple log items. 10. Specify a filename for the log. 11. Enter any special arguments. 12. Specify the reboot behavior. 13. Specify the behavior following installation. 14. Click Save. After clicking Save you will be taken to the Script: Edit Detail page where you must enable and set a schedule for this policy to take effect.
Administrator Guide for KBOX 1000 Series, version 3.3
142
McAfee SuperDAT Updater This policy allows you to build a script for applying McAfee SuperDAT or XDAT updates. There are several steps involved in creating this script: Specifying the update files and reboot behavior on the target machines Selecting the software package(s) to push to target machines during update Verifying network scan status. To create the McAfee update script: 1. Select Security | Security Policy. 2. Click McAfee SuperDAT Updater. 3. Enter a file name and then click Browse to search for the SDAT or XDAT file. 4. Set update options: Install Silently
This option causes the update to be installed without showing a UI on the target computers.
Prompt for Reboot
Use this option to make the update prompt the user before rebooting. Use this option with the "Install Silently" option.
Reboot if Needed
This option causes the update to reboot the machine as needed. If this options is not used, a silent installation will not reboot the machine.
Force Update
Use this option to always update all file versions, even if the machine already appears to have the latest versions.
5. Click Save. After clicking Save you will be taken to the Script: Edit Detail page where you must enable and set a schedule for this policy to take effect.
Enforce Symantec AntiVirus Settings This policy allows you to configure which Symantec AntiVirus features are installed. It verifies that the software is installed with the configuration you specify here. This policy is intended to be run periodically to ensure that Symantec AntiVirus is installed, configured, and running properly, not only upon initial installation. You will need to create a Software inventory item and upload the Symantec AntiVirus.msi file to be distributed.
To set the Symantec AntiVirus settings policy: 1. Select Security | Security Policy. 2. Click Enforce Symantec AntiVirus Settings. 3. Specify the Action to perform. Install Uninstall Repair missing files
Administrator Guide for KBOX 1000 Series, version 3.3
143
Reinstall all files. 4. Select the software package to use for this script. 5. If the software package is zipped, specify the MSI file name. 6. Use the User Interaction drop-down list to specify how the installation should appear to your users. 7. Specify the install directory. 8. Specify any additional switches. 9. Specify any additional properties. 10. Specify behavior after installation. 11. Select the information you want to log. Press CTRL and click to select multiple items. 12. Specify a filename for the log. 13. Select a NETWORKTYPE from the Network Management drop-down list. 14. Specify the server name, if required. 15. Set the AutoProtect option. 16. Set the Disable SymProtect option. 17. Set the Live Update behavior. 18. Select the features you want to install. Press CTRL and click to select multiple items. Please consult the Symantec documentation for specific information about the options available here. You must include the SAVMain feature for this script to work properly, although this wizard does not enforce that.
19. Click Save. After clicking Save you will be taken to the Script: Edit Detail page where you must enable and set a schedule for this policy to take effect. You can/should look at the script that is generated by this wizard to make sure it is doing what you expect. You can view the raw script by clicking To edit the policy using this editor, click here on the Script detail page.
Quarantine Policy Use this wizard to create a script that you can use to quarantine computers that have failed OVAL tests for vulnerabilities. The script that is created as a result of this wizard is merely a template. Use the script editor to modify the template script and add the appropriate verification steps to decide which computers to quarantine. When a computer is under quarantine, all communication from it is blocked except for communication to the KBOX 1000 Series Server, therefore use care when performing this action. If you were to deploy this accidentally to all machines on your network, you could take your network down very quickly.
Administrator Guide for KBOX 1000 Series, version 3.3
144
After a user’s machine is in quarantine, it cannot be unquarantined without intervention by the KBOX 1000 Series administrator. The user will not be able to recover from this without you taking some action. Quarantined computers only have access to the KBOX 1000 Series Server in order to receive a Run Now event to lift the quarantine. To set the Quarantine policy: 1. Select Security | Security Policy. 2. Click Quarantine Policy. 3. Specify a Policy Name. This field is optional. It could be helpful to assign a meaningful name that relates to the vulnerability so that you can lift the quarantine later once that vulnerability is resolved. 4. Leave the KBOX SERVER IP unchanged. 5. Specify the DNS Server IP address. 6. Modify the Message dialog text as desired. This message is displayed to users prior to placing their computer in quarantine. 7. Modify the description text as desired. 8. Click Save. After clicking Save you will be taken to the Script: Edit Detail page where you must enable and set a schedule for this policy to take effect. Modify the Verify steps to determine the conditions under which you want the quarantine to take effect. Although it will not be enabled automatically, it will be configured to deploy to everyone. For more information on scripting, see Chapter 7,“Scripting,” starting on page 91.
Lift Quarantine Action Assuming you have a machine that has been quarantined from the network using the KBOX 1000 Series Quarantine application, you can use this to turn off the quarantine. To set the Lift Quarantine Action policy: 1. Select Security | Security Policy. 2. Click Lift Quarantine Action. 3. Select the label for the quarantined machines or select the specific machine to unquarantine. 4. Enter data in the Filter field to help narrow your search. 5. Click Send Lift Quarantine Now. If there are a lot of computers in quarantine, it will take some time for all of them to receive and process the request.
Administrator Guide for KBOX 1000 Series, version 3.3
145
C H A P T E R 11 User Portal and Help Desk The KBOX 1000 Series Help Desk provides an online area for you to upload software library, support documents, and other self-help tools. The optional KBOX 1000 Series Help Desk Module adds the ability to create, track, and manage Help Desk tickets. “Overview of the User Portal,” on page 147 “Understanding the Software Library feature,” on page 149 “Using the Knowledge Base,” on page 151 “Managing Users,” on page 153 “Overview of the Help Desk Module,” on page 159 “Configuring basic Help Desk settings,” on page 160 “Customizing Help Desk fields,” on page 162 “Creating and editing Help Desk Tickets,” on page 166 “Managing Help Desk tickets,” on page 169 “Running Help Desk Reports,” on page 171
Overview of the User Portal The User Portal provides the ability for users to download software, run scripts, have software installed for them automatically, track computer info, and view a record of what they have downloaded. You can log onto the User Portal by visiting the root URL of the KBOX 1000 Series machine name (for example, http://kbox/). Although users can access the User Portal even if they do not have KBOX Agent installed on their machine, they will not be able to run installations or scripts. The User Portal is administered from the User Portal tab. If you have purchased the optional KBOX 1000 Series Help Desk Module, additional tabs or options are added to the ones described below. For more information about using the features added by the Help Desk Module, see “Overview of the Help Desk Module,” on page 159.
End user view of the User Portal The end-user view of the User Portal displays the following tabs: Welcome - Users enter login credentials from this screen. Software Library - Displays available software for download or automatic install. My Computer - Displays status information about the user’s computer. License Keys - Lists license information for installed software, as available. Help Desk - Users create or edit a Help Desk ticket using this tab. Knowledge Base - Provides access to Knowledge Base articles authored by the administrator. Download Log - Displays a log of software downloaded and installed on the user’s computer. Users also can filter the software or Knowledge Base views by category, or use keywords to narrow their search.
Administrator Guide for KBOX 1000 Series, version 3.3
147
Administrator view of the User Portal As an administrator logged into the administrator UI, you can create and push packages, define Knowledge Base articles, and specify which users can connect. The User Portal tab displays the following tabs: Packages - Packages can be scripts, software packages, documentation, or other media. Knowledge Base - Knowledge Base articles include software notices, instructional content, IT reference documentation, self-help information, and any other specific content intended for the end users. Users - This user information is used to authenticate users of the KBOX 1000 Series Help Desk. Users can be "tagged" with labels in order to define which packages they can access through the portal. The sections that follow will focus on the administrator view of the User Portal and describe the process for creating packages and Knowledge Base articles, and describes managing user access to the User Portal.
Administrator Guide for KBOX 1000 Series, version 3.3
148
Understanding the Software Library feature Software Libraries are deployed to end users via the KBOX 1000 Series User Portal. This "self service" portal allows individuals to download and install software or documents on their own in a controlled environment. The software library you create from the Software Library tab are available for download on the Software Library tab of the User Portal. From the Software Library tab you can create or delete software library, sort software library by label or column header, and search for software library using keywords.
Creating a software library to deploy The Software Library tab allows you to specify the components of the software library you want to make available to your end users; it does not allow you to upload software or author scripts. Any software or script that you want to include in a software library must already exist on the KBOX 1000 Series Software Inventory or Scripting tabs. Along with the software library, you can choose to post cost information, documentation, or other instructions for your users. Any notifications that you have configured will be mailed at the time of user download. You can also restrict access to a software library by specifying a label. To create a package: 1. Select Help Desk | Software Library. 2. In the Choose action drop-down list, select Add New Item. The Portal Package: Edit Detail screen appears. 3. Select or clear the Enabled check box. Select this box to make the software library visible to users on the Help Desk. Clear this check box to hide a software library from users. 4. Specify the software library type: Download
Select this type to include documentation, files, or other software that does not automatically install.
Install
Select this type to select software that will install automatically on the user’s machine. The user must have the KBOX Agent installed to run installations.
Script
Select this type to select a script to include in the software library. The user must have the KBOX Agent installed to run scripts.
5. From the Download drop-down list, choose the software to install. You can filter the list by entering any filter options. 6. Specify the information to include with your package: Installation Instructions
Specify the installation instructions. Any defined instructions, legal policy, cost information, etc will be posted along with the portal package for user visibility.
Product Key
Select this check box to require users to enter a product key upon installation of the software library. The license key specified on the software license entry on the Inventory | Licensing tab.
Administrator Guide for KBOX 1000 Series, version 3.3
149
E-mail Product Key to User Select this option if you want to send download instructions at the time of user download. Request Mgr Notification
Select this option to require users to enter their manager’s mail address for notification prior to downloading or installing the software library.
7. If you selected the Install software library type, specify the command line to run the installation, including any necessary install switches or other parameters. Note that users must have the KBOX Agent installed on their machines in order to run the installations or scripts.
8. If you selected the Script software library type, choose the script from the Script drop-down list. 9. Type any notes in the Additional Notes field. 10. Specify the following informations, as necessary. Corporate License Text
Enter any text related to the Corporate License.
Vendor License Text
Enter any text related to Vendor License.
Unit Cost
Enter the cost per Unit.
Documentation File
Browse the desired documentation file.
11. If desired, select a label to limit software library deployment to specific users. 12. Select the check box to restrict software library deployment by machine label. 13. Click Save. A major benefit of the Help Desk is that it provides your users with the resources they need to solve many of the most common support issues on their own, thus alleviating some of the burden on your support staff. Be sure to provide adequate information to your users so that you, and they, can experience the full benefit of this feature.
Administrator Guide for KBOX 1000 Series, version 3.3
150
Using the Knowledge Base The Knowledge Base allows you to provide documentation, FAQs, or other self-help information for your users. If you purchased the optional Help Desk Module, the Knowledge Base integrates with the Tickets feature to enable users to resolve their own issues. For more information, see “Creating and editing Help Desk Tickets,” on page 166. Users can sort the articles by Article ID, Title, Category, Platform, or Importance, or search article contents by using keywords.
Adding Knowledge Base articles Knowledge base articles are published to the KBOX 1000 Series Help Desk where users can search and sort articles to locate the information they require. If you have the optional Help Desk Module installed, you can also create a new Knowledge Base article from the comments in a Ticket by clicking the Create KB article button on the Ticket Detail page. For more information, see “Creating and editing Help Desk Tickets,” on page 166. To add an article to the Knowledge Base: 1. Select Help Desk | Knowledge Base tab, or select Help Desk | Knowledge Base if you have the optional Help Desk Module installed. 2. Select Add New Item from the Choose action drop-down list. The Knowledge Base: Edit Article page appears. 3. Enter the following article information: Title
A specific description of the issue covered in the article. Make the title as descriptive as possible and use common terms so that it will be easy for an end-user to locate information about a problem.
Category
A general description of the type of issue. (For example, “printing” or “network access”).
Platform
The operating systems to which this article applies.
Importance
The relative weight of the article’s contents. (For example, “reference” or “low”; or “critical” or “high”.
Use Markdown
Markdown is a plain text formatting syntax, and a software tool, written in Perl, that converts the plain text formatting to HTML. See Figure 5-7 below, for an example of markdown syntax and HTML display. For more information about markdown, see http://daringfireball.net/projects/markdown/syntax.
Limit Access To User Labels
Select the labels you want to limit access to.
Article Text
Enter any text about the article.
Administrator Guide for KBOX 1000 Series, version 3.3
151
4. Click Save. The KBOX 1000 Series assigns the article an Article ID and displays it on the Knowledge Base Articles List page. To see how the article appears to your users on the Help Desk, click on the article’s title, and then click the User URL on the Edit Article page.
Editing and deleting Knowledge Base articles You can easily modify or remove existing Knowledge Base articles. There are two options for deleting articles: from the Articles List page and from the Edit Article page. To edit an existing Knowledge Base article: 1. Select Help Desk | Knowledge Base tab, or select Help Desk | Knowledge Base if you have the optional Help Desk Module installed. 2. Click the linked article title. The Knowledge Base: Edit Article page appears. 3. Click the [Edit] link to update the article details. 4. Modify article details, then click Save. To delete an article from the Articles List page: 1. Select Help Desk | Knowledge Base tab, or select Help Desk | Knowledge Base if you have the optional Help Desk Module installed. 2. To delete an article, select the check box beside the article and choose Delete Selected Item(s) from the Choose action drop-down list. 3. Click OK to confirm deletion. To delete an article from the Article Edit page: 1. Select Help Desk | Knowledge Base tab, or select Help Desk | Knowledge Base if you have the optional Help Desk Module installed. 2. Click the linked article title. The Knowledge Base: Edit Article page appears. 3. Click the [Edit] link, then click Delete. 4. Click OK to confirm deletion.
Administrator Guide for KBOX 1000 Series, version 3.3
152
Managing Users When logged in as an administrator, you can add users to the Help Desk either manually or automatically. Depending upon the permissions assigned to the user logged into the Help Desk, all or only a subset of Help Desk features may be available. When adding users to the Help Desk, be sure to specify the correct user permission level.
Adding users manually When adding users to the KBOX 1000 Series, you can tag them with a label, which determines which packages they will have access to in the Help Desk. The details that you enter below are used to authenticate users. To add users manually: 1. Select Help Desk | Users, or select Help Desk | Users if you have the optional Help Desk Module installed. 2. In the Choose action drop-down list, select Add New Item. The User : Edit User Detail page appears. 3. Enter the necessary user details. User Name
Required. This is the name the user types to enter the Help Desk.
Full Name
Required. The user’s full name.
Required for Help Desk installations. The user’s email address. This is the address to which Help Desk messages, if enabled, will be sent.
Domain
Optional. An active directory domain.
Budget Code
Optional. The financial department code.
Location
Optional. The name of a site or building.
Work Phone
Optional. Enter the user’s work phone number.
Home Phone
Optional. Enter the user’s home phone number.
Mobile Phone
Optional. Enter the user’s mobile phone number.
Pager Phone
Optional. Enter the user’s pager phone number.
Custom 1 Custom 2
Optional. Enter the custom related information.
Custom 3 Custom 4 Password
Required. Blank or empty passwords are not valid for new users. The user will be created but the user cannot be activated without a valid password.
Confirm Password
Required. Retype the user’s password.
Assign To Label
Select the labels to assign.
Administrator Guide for KBOX 1000 Series, version 3.3
153
Permissions
Required. Specify the user’s logon permissions: Admin - This user can log on to and access all features of the administrator UI and Help Desk. ReadOnly Admin - This user can log on to the administrator UI, but cannot modify any settings and Help Desk. User - This user can log on to the Help Desk.
Lock user out of User Portal
Select this check box to lock the user out of User Portal.
Allowed to be assigned Help Desk Tickets
Required for Help Desk installations. Select this check box to permit any user (Admin, ReadOnlyAdmin, or User) to be assigned as owner of Help Desk tickets.
4. Click Save. The Users page appears.
Adding users automatically Rather than setting up users individually on the Users tab, you can configure the KBOX 1000 Series to access a directory service (such as LDAP) for user authentication. This allows users to log into the KBOX 1000 Series Administrator portal using their domain username and password, without requiring to add users individually from the Users tab. If the external server requires credentials for administrative login (aka non-anonymous login), you will need to specify those credentials. If you do not specify an LDAP user name, then an anonymous bind will be attempted. The LDAP user configured should have at least READ access to the "search base" area. To configure access to a directory service: 1. Select Settings | Authentication. The KBOX Settings: User Portal Authentication page appears. 2. Click the [Edit Mode] link. 3. Specify the Authentication method you want to use: KBOX (local Authentication)
Select this option if you want to use local passwords for authentication.
External LDAP Server Authentication for
Specify LDAP settings as necessary. Contact KACE customer support if you need assistance with this process.
4. Local authentication is the default setting for the KBOX. If you require external user authentication, for example against an LDAP server or Active Directory server, complete the external server definition by specifying the following information. Server Host Name ( or IP )
Specify IP or Host Name of the LDAP Server. Note: For LDAPS, use the IP or the Host Name, as ldaps:// HOSTNAME
LDAP Port Number
Specify the LDAP Port number which could be either 389 / 636 (LDAPS).
Administrator Guide for KBOX 1000 Series, version 3.3
154
Search Base DN
Specify the Search Base DN. For example: CN=Users,DC=hq,DC=corp,DC=kace,DC=com
Search Filter
Specify the Search Filter. For example: (samaccountname=admin)
LDAP Login
Specify the LDAP login. For example: LDAP Login: CN=Administrator,CN=Users,DC=hq,DC=corp,DC=kace,DC=co m
LDAP Password (if required)
Specify the password for the LDAP login.
5. Click Apply to save your changes. 6. To test LDAP settings, enter a password in the Test User password, then click Test LDAP Settings.
LDAP Browser Wizard If you are unable to fill in the information for Search Base DN and Search Filter, you can use the LDAP Browser Wizard. The LDAP Browser Wizard allows you to browse and search the data located on the LDAP Server. For example, Active Directory Server. You must have the Bind DN and the Password to log on to the LDAP Server. To use the LDAP Browser Wizard: 1. Click LDAP Browser. 2. Specify the LDAP Server Details LDAP Server
Specify IP or Host Name of the LDAP Server. Note: For LDAPS, use the IP or the Host Name, as ldaps:// HOSTNAME
LDAP Port
Specify the LDAP Port number which could be either 389 / 636 (LDAPS).
LDAP Login
Specify the Bind DN For example: CN=Administrator,CN=Users,DC=kace,DC=com
LDAP Password
Specify the password for the LDAP login.
3. Click test. 4. On a successful connection to the LDAP server, a list of possible base DNs (Distinguished Names) available on that directory is displayed. These base DNs can be used as a start point to browse and search the directory. If the connection was not established, the Operation Failed message appears, which could be due to one of the following reasons: The IP or Host Name provided is incorrect.
Administrator Guide for KBOX 1000 Series, version 3.3
155
The LDAP Server is not up. The login credentials provided are incorrect. 5. Click Next or one of the base DNs to advance to the next step. A new window displays the Search Base DN and the Search Filter. The Search Base DN is populated on the basis of the Base DN that you selected in the previous screen. You can modify the Search Base DN and the Search Filter. 6. You can also use the Filter Builder to create complex filters. Click Filter Builder. The Query Builder is displayed. Specify the following information. Attribute Name
Specify the Attribute Name. For example, samaccountname.
Relational Operator
Select the Relational Operator from the drop - down list. For example, =.
Attribute Value
Specify the Attribute Value. For example, admin.
7. To add more than one attribute: Conjunction Operator
Select the Conjunction Operator from the drop - down list. For example, AND. Note: This field is available for the previous attribute only when you add a new attribute.
Add
Click Add. You can add multiple attributes.
Search Scope
Click One level to search at the same level or click Sub-tree level to search at the sub tree level.
8. Click OK. The query appears in the Search Filter text area. For example, (samaccountname=admin). 9. Click Browse to display all the immediate child nodes for the given base DN and search filter or click Search to display all the direct and indirect child nodes for the given base DN and Search Filter. The search results are displayed in the left panel. 10. Click a child node to view its attributes. The attributes are displayed in the right panel. 11. Click Next to confirm the LDAP configuration. 12. Click Next to use the displayed settings.
Importing users You can import Users and Labels directly from your LDAP or Active Directory system into the KBOX. To import users: 1. Specify the LDAP Server Details. LDAP Server
Specify IP or Host Name of the LDAP Server. Note: For LDAPS, use the IP or the Host Name, as ldaps:// HOSTNAME
Administrator Guide for KBOX 1000 Series, version 3.3
156
LDAP Port
Specify the LDAP Port number which could be either 389 / 636 (LDAPS).
Search Base DN
Specify the Search Base DN. For example: CN=Users,DC=hq,DC=corp,DC=kace,DC=com
Search Filter
Specify the Search Filter. For example: (samaccountname=admin)
LDAP Login
Specify the LDAP login. For example: LDAP Login: CN=Administrator,CN=Users,DC=hq,DC=corp,DC=kace,DC=co m
LDAP Password
Specify the password for the LDAP login.
2. Specify the attributes to import. Attributes to retrieve
Specify the attributes to retrieve. For example, samaccountname Note: You can leave this field blank to retrieve all attributes, but this may be slow and is not recommended.
Label Attribute
Specify a label attribute. For example, memberof. Label Attribute is the attribute on a customer item that returns a list of groups this user is a member of. The union of all the label attributes will form the list of Labels you can import.
Label Prefix
Specify the label prefix. For example, ldap_ Label Prefix is a string that is appended to the front of all the labels.
Binary Attributes
Specify the Binary Attributes. For example, objectsid. Binary Attributes indicates which attributes should be treated as binary for purposes of storage.
Max # Rows
Specify the maximum rows. This will limit the result set that is returned in the next step
Debug Output
Select this check box to view the debug output in the next step.
3. If you are unable to fill in the information for Search Base DN and Search Filter, you can use the LDAP Browser Wizard. For more information on how to use the LDAP Browser Wizard, refer to “LDAP Browser Wizard,” on page 155. 4. Click Next. 5. Select the value from the drop-down list next to each LDAP attribute to map the values from your LDAP server into the User record on the KBOX. The fields in Red are mandatory. The LDAP Uid must be a unique identifier for the user record.
Administrator Guide for KBOX 1000 Series, version 3.3
157
6. Select a label to add to the KBOX. Press CTRL and click to select more than one label. This list displays a list of all the Label Attribute values that were discovered in the search results. 7. Click Next. 8. Review the information displayed in the tables below. The Users to be Imported table displays list of users reported and the Labels to be Imported table displays the list of labels reported. The Existing Users table and the Existing Labels table display the list of Users and Lables that are currently on the KBOX. Only users with a LDAP UID, User Name, and Email value will be imported. Any records that do not have these values are listed in the Users with invalid data table. 9. Click Next to start the import.
Administrator Guide for KBOX 1000 Series, version 3.3
158
Overview of the Help Desk Module The optional KBOX 1000 Series Help Desk Module provides a ticket submission, tracking, and management system that allows you to solve problems in real time. The KBOX 1000 Series Help Desk Module provides integrated access with KBOX 1000 Series capabilities for hardware and software inventory, software deployment, updates and patching, remote control, and alerting and reporting. After installation, you can customize the Help Desk settings according to the needs of your organization. The Help Desk Module adds the following tabs to the administrator view of the Help Desk: Tickets - Provides a list view of tickets submitted for users, and allows Help Desk users to assign, resolve, or escalate tickets based on user profile Configuration - Allows administrators to customize the Help Desk displayed to users. If you do not have the optional Help Desk module installed, you will not see these tabs. The Help Desk Module provides permissions-based access to the features and functions needed by a particular user. The Tickets tab of the Help Desk provides a way for end-users to submit and track desk tickets. In addition to creating new tickets, users can search for Knowledge Base articles that might help them to resolve support issues on their own. From the Tickets tab users can: Create Help Desk tickets View tickets that they have submitted Search for tickets using keywords and advanced methods. If the end-user also happens to be a support technician and you have given them permission to own Help Desk tickets (see “Managing Users,” on page 153), this user is known as a Help Desk user. Users who are also Help Desk users (i.e., they can be assigned Help Desk tickets), can perform these additional functions: Apply labels to tickets/remove labels from tickets Delete Help Desk tickets By default, view unassigned tickets and additions to tickets assigned to them, and view other tickets by using the View by owner drop-down list Change a ticket’s status, priority, or owner. Administrators can create, modify, and manage Help Desk tickets from the Tickets tab in the Administrator UI. Administrators also can use the security, scripting, and distribution features to resolve Help Desk tickets, then use the Knowledge Base to create the documentation that references the resolution for users. From the Tickets tab, administrators can: Create or delete Help Desk tickets Apply labels to tickets/Remove labels from tickets Sort the Ticket view by owner or submitter, summary, priority, or status Change a ticket’s status, priority, or owner.
Administrator Guide for KBOX 1000 Series, version 3.3
159
Configuring basic Help Desk settings From the Help Desk Configuration tab, you can configure a variety of settings including the support mail address, defaults for ticket submission fields, and which events trigger mail alerts and to whom they are sent. This section describes how to configure basic Help Desk Settings only. To customize the default values for the options here, see “Customizing Help Desk fields,” on page 162. Field(s)
Description
Name
Specify the name for the Help Desk.
Email Address
Specify the email address used to send email to and from the Help Desk.
Ticket Defaults
Determines the default ticket values for tickets. To customize these options, click Customize These Values. For more information see “Customizing Help Desk fields,” on page 162.
Email on Events
These check boxes determine who gets email when tickets are changed or escalated. Note that "Any Change" overlaps with the "Owner Change" and "Status Change" events, but it does not include ticket escalations.
Table 11-1: Help Desk Configuration fields To configure basic Help Desk settings: 1. Select Help Desk | Configuration. 2. Click the [Edit Mode] link. 3. In the Name field, specify the name that is displayed in the From field when users receive emails from the Help Desk. 4. In the Email Address field, specify the email address to which users can submit Help Desk tickets. 5. In the Alt. Email Address field, specify the alternate email address to which users can submit Help Desk tickets. 6. Select the Accept email from unknown users check box to accept emails from unknown users. 7. In the Ticket Defaults area, specify the following settings: Category
Specify the default category for tickets. Options include Software, Hardware, Network, and Other.
Status
Specify the default status for tickets. Options include New, Opened, Closed, and Need More Info.
Impact
Specify the default impact for tickets. Options include Many people can’t work, Many people inconvenienced, 1 person can’t work, and 1 person inconvenienced.
Priority
Specify the default priority for tickets. Options include Low, Medium, and High.
8. In the Email on Events area, specify to whom, and under what circumstances, emails should be sent: Recipients: Owner - The Help Desk user assigned to the ticket Submitter - The user who submitted the ticket Ticket CC - The email recipients listed in the CC area of the ticket
Administrator Guide for KBOX 1000 Series, version 3.3
160
Category CC - The email recipients listed in the CC List area for the Ticket Category. Events: Any Change - Any change to any field on the ticket. Owner Change - A change to the owner field on the ticket. By default, emails are sent to the old and new owners of the ticket. Status Change - A change to the status field on the ticket. Comment - A comment on the ticket. Resolution Change - A change to the Resolution field on the ticket. Escalation - The ticket enters escalation based on the configured settings. For more information, see “Understanding the escalation process,” on page 169. Satisfaction Survey - Indicate whether you want to send an mail requesting that the submitter complete a satisfaction survey when the ticket is closed. For more information, see “About the satisfaction survey,” on page 170. New Ticket Via Email - Select this check box for an email notification on a new ticket. 9. Click Save.
Administrator Guide for KBOX 1000 Series, version 3.3
161
Customizing Help Desk fields Where the basic Help Desk configuration page allowed you to set default values for the various drop-down lists in the Help Desk fields, the Customization page allows you to customize the values that appear in those drop-down lists, as well as add up to six custom fields. To access the Help Desk Customization page: 1. Select Help Desk | Configuration. 2. Click the Customize These Values link. The Help Desk Customization page appears. To customize default Category Values: 1. In the Category Values area, click the
icon beside a category value to modify it.
Editable fields appear for that value. 2. Edit the Category Values fields: Name
Specify the name for the value.
Default Owner Assign a default owner for tickets of this category. CC List
Enter the email address(es) to be copied when tickets of this category are submitted to the Help Desk.
User Settable
Indicates whether or not this category appears in the list of choices displayed to the end user. This setting allows you to present a simplified list of values to the user, and display more and create additional values that are only displayed to the administrator or Help Desk users.
3. Click the
icon beside a Category value to change its order in the drop-down list.
4. Click the
icon to add an option to the Category drop-down list.
5. Click the
icon to remove a Category value.
You cannot remove Category values that are in use.
6. Click Save to apply your changes.
Administrator Guide for KBOX 1000 Series, version 3.3
162
To customize default Status Values: 1. In the Status Values area, click the
icon beside a category value to modify it.
Editable fields appear for that value. 2. Edit the Status Values field: Name
Specify the name for the value.
State
Indicates whether the ticket is open, closed, or stalled. Open - The ticket is active Closed - The ticket has been resolved Stalled - The ticket is open past its due date, but is not in escalation.
3. Click the
icon beside a Status value to change its order in the drop-down list.
4. Click the
icon to add an option to the Status drop-down list.
5. Click the
icon to remove a Status value.
You cannot remove Status values to which tickets are currently assigned.
6. Click Save to apply your changes. To customize default Priority values: 1. In the Priority Values area, click the
icon beside a category value to modify it.
Editable fields appear for that value. Edit the Priority Values fields: Name
Specify a name for the custom field.
Color
The displayed color of this status on the ticket list pages.
Escalation Time
The interval after which an open ticket of this priority is escalated. Specify a time integer and a unit from the drop-down list.
2. Click the
icon beside a Priority value to change its order in the drop-down list.
3. Click the
icon to add an option to the Priority drop-down list.
4. Click the
icon to remove a Priority value.
You cannot remove Priority values to Tickets which are currently assigned.
5. Click Save to apply your changes.
Administrator Guide for KBOX 1000 Series, version 3.3
163
To customize default Impact values: 1. In the Impact Values area, click the
icon beside an Impact value to modify it.
Editable fields appear for that value. 2. Modify the Name field as desired. 3. Click the
icon beside an Impact value to change its order in the drop-down list.
4. Click the
icon to add an option to the Impact drop-down list.
5. Click the
icon to remove an Impact value.
You cannot remove Impact values to Tickets which are currently assigned.
6. Click Save to apply your changes. To add custom value fields: 1. In the Custom fields area, click the Edit item icon to modify the fields. 2. In the Name field, enter the names for the custom fields as you want them to be displayed on the Ticket Details page. The custom fields are added as text boxes that hold up to 255 characters. You can add up to six custom fields. 3. Enter the select values in the Select Values field. Select Values are used for custom fields with Field Type of Single Select or Multiple Select. These values should be entered as comma-separated strings. 4. Select the field type in the Field Type list. 5. Select the Only Editable By Owners check box to make this field editable by owners. 6. To remove a custom field, clear the name from the field value. When you remove the name of a field, values for that custom field will be removed from all tickets. When you rename a field, values for that custom field will be retained. 7. Click Save to apply your changes. 8. In the Ticket List View area, click the Edit item icon to modify the desired Ticket List View fields. 9. Select the name in the Name list. 10. Specify the width in the Width field and then click Save. 11. Click Save.
Administrator Guide for KBOX 1000 Series, version 3.3
164
To customize Ticket List View: 1. In the Ticket List View area, click the
icon beside an attribute to modify it.
Editable fields appear for that value. Edit the fields: Name
Select an attribute name from the drop-down list.
Width
Specify the column width.
2. Click the
icon beside an attribute to change its order in the drop-down list.
3. Click the
icon to add an attribute to the Ticket List View drop-down list.
4. Click the
icon to remove an attribute.
5. Click Save to apply your changes.
Administrator Guide for KBOX 1000 Series, version 3.3
165
Creating and editing Help Desk Tickets Depending on whether you are creating a ticket from mail, the Administrator UI, or from the Help Desk, you will have different options available to you. This section describes each of these methods. Regardless of the method used to submit a Help Desk ticket, all interested parties will receive a confirmation mail that includes a link to the submitted ticket. To create a new ticket from the Help Desk: 1. Log into the User Portal as user. Tickets page appears. 2. Select Add New Item in the Choose action drop-down list. The New Ticket page appears. To create a new ticket from the Administrator UI: 1. Select Help Desk | Tickets. 2. Select Add New Item in the Choose action drop-down list. The New Ticket page appears. 3. Specify ticket details. Title
Enter a title for the ticket.
Impact
Specify the severity of the issue.
Category
Indicate the issue type.
Status
Indicate the status of the issue.
Priority
Indicate the importance of the issue.
Owner
Select an owner from the drop-down list.
Machine
The machine affected by the issue. Defaults to submitter’s computer after Ticket is saved. Note: You can see help ticket submissions from the Computer’s inventory record. See “Help Tickets,” on page 34
Asset
Select an asset from the drop-down list.
Filter
Enter the filter criteria in the desired Filter field.
Due Date CC List Submitter
Specify a due date if desired. Click the
icon to select the Month, Day, and Year.
A comma-separated list of additional email addresses for users who might be interested in changes to this ticket. Click the
icon to select the submitter from the drop-down list.
See Also
Link(s) to related tickets. When editing this list, enter the Ticket IDs as comma-separated integers.
Referrers
If other tickets refer to this ticket in the see also field, those ticket IDs will appear here after this ticket is saved.
Owners only
Select this check box to have the comment you are entering visible only to users who are authorized to own tickets.
Comment
Provide comments about the support issue.
Attachment
Browse the desired attachment file.
Administrator Guide for KBOX 1000 Series, version 3.3
166
4. Click Save. After you create the new ticket, you can open the ticket record and view a print-friendly version of the ticket, email the ticket to someone, and click the Find Relevant Articles link to locate Knowledge Base articles related to the ticket.
Submitting Help Desk tickets through email In addition to submitting tickets via the Web-based User and Administrator interfaces, users also can submit Help Desk tickets by sending mail to the Help Desk mail configured in the Help Desk settings. Tickets created from mails will receive the default values for Impact, Category, and Priority, as set on the Help Desk | Configuration tab. The body of the mail message will be added as a comment. The submitter is determined by the sender’s mail address. For more information, see “Configuring basic Help Desk settings,” on page 160.
Editing Help Desk tickets After you create a Help Desk ticket, you can edit the tickets from the Tickets List page, or from the Ticket Detail page. Regardless of where the change is made, any change made to a ticket is reflected in the history log at the bottom of the Ticket Detail window. To edit a ticket from the Tickets List page: 1. Select the check box beside the ticket(s) you want to edit. 2. From the Choose action drop-down list, select the desired option: •
Delete Selected Item(s)
•
Set status to New, Opened, Closed, or Need More Info
•
Set priority to High, Medium, or Low
•
Reassign to another user.
To edit a ticket from the Ticket Detail page: When reassigning a ticket to a new owner using the Choose action drop-down list, the number in parentheses (), indicates the number of tickets currently assigned to that Help Desk user. 1. Select Help Desk | Tickets. 2. Click the Ticket ID or linked Issue Summary. The Ticket Detail page appears. 3. Edit Ticket details as desired. You can edit the Ticket details like Title, Impact, Category, Status, Priority, Owner, Machine, Asset, Due Date, CC List, Submitter, See Also, Referrers, and Resolution. 4. To provide additional information about your change, click Add Comment, and then perform the following steps: a Select the Owners only check box to have the comment you are entering visible only to users who are authorized to own tickets. b Enter comment about the changes in the Comment field.
Administrator Guide for KBOX 1000 Series, version 3.3
167
c Browse the desired attachment file. 5. To provide additional information about the work, click Add Work, and then perform the following steps: a Select the work date. b Select the start date of the work. c Select the end date of the work. d Enter the adjustment hours in the Adjustment field. e Enter work related details in the Work Note field. 6. To copy an existing ticket, click Clone. 7. To create a Knowledge Base article from the comments in the ticket, click the Create KB article button. 8. Click Save to apply your changes.
Searching Help Desk tickets From the Ticket List page, users can search tickets submitted by them, as well as view tickets by other owners. You can use Advanced Search options to locate tickets. Advanced search allows you to use operators such as contains, >, <, =, and Match RegEx. Match RegEx allows for wildcard and other search expressions standard to PERL users. “%” functions as the wildcard (similar to * in the DOS world). For additional information about RegEx searching, visit http:/ /www.regular-expressions.info/ and/or http://dev.mysql.com/doc/mysql/en/regexp.html.
Administrator Guide for KBOX 1000 Series, version 3.3
168
Managing Help Desk tickets After a ticket is submitted to the Help Desk, it is the responsibility of the ticket owner to resolve the ticket. The owner reviews the ticket, adjusts the impact if necessary, and assigns a priority. If the ticket issue is straightforward, the owner might resolve the issue quickly, enter a resolution in the ticket details, then close the ticket. In more complicated situations, however, a ticket may take more time to close, and be assigned to different owners over its lifetime. In some cases, the owner is unable to resolve the ticket by the due date and the ticket is then escalated to someone else to resolve. The process of escalation is determined by the settings configured in the Help Desk | Configuration tab. Depending on the Help Desk configuration, the submitter of a ticket might receive a satisfaction survey to gather feedback about the way the ticket was handled, after the ticket is closed. For more information about the satisfaction survey, see “About the satisfaction survey,” on page 170.
Understanding the escalation process The escalation process allows you to send out automatic emails when a ticket remains in an Open state longer than a specified time. This gives you a way to monitor service level agreements, and allows you to notify a large group when a ticket hasn’t been handled properly. There are three variables that control the escalation process: Which tickets can/should be escalated The length of time a ticket can be open before an escalation email is sent The recipient(s) of the escalation emails. Each ticket has a Priority, and each Priority has an Escalation Time associated with it. Tickets are escalated if they have been open longer than the time specified by their priority setting. Tickets also have a Status that can either be Open, Stalled, or Closed. Tickets with an Open status will trigger an escalation mail every n minutes, where n is the time specified by the Escalation Time assigned to the priority. For example, by default, the KBOX 1000 Series has a Priority value of High, with an Escalation Time of 30 minutes. This means that for each ticket that is marked as High Priority, an escalation mail will be sent every 30 minutes to notify people that the ticket is still Open. Tickets that are Stalled or Closed do not trigger escalation emails. Moving a ticket from Open to Stalled or Closed, and then back to Open will not change the creation time, so the escalation mails will continue to be processed based on the original time. For example, if you were to open a ticket, close it after 5 minutes, then reopen it after 35 minutes, an escalation email would be sent saying that the ticket is older than 30 minutes. After that email is sent, the next email would go out after an additional 30 minutes had elapsed. You determine who receives the escalation emails in the Email on Events area of the Help Desk Configuration settings. You could choose to send the escalation email to any of the following: The ticket owner The submitter The email address(es) listed in the Ticket CC area The email address(es) listed in the Category CC area. By specifying the recipient for escalation emails, you are routing open tickets to the right person or people who can help to resolve the issue.
Administrator Guide for KBOX 1000 Series, version 3.3
169
About the satisfaction survey After a ticket is Closed, if a user views the detail page for that ticket, he or she will be presented with the option to indicate their level of satisfaction with the way the ticket was handled. Users also can add comments to the ticket to further explain their assessment. In addition, you can configure the Help Desk to actively solicit feedback from users after a ticket is closed, by automatically sending them an email with a link to the survey. Select the Closed ticket in the Tickets list, click Email this Ticket, and enter an email address to which you want to send the survey. Score values assigned in the survey are stored in the ticket and are not editable by the Help Desk administrator, although you can run a variety of reports to display survey data. For more information about displaying survey data, please see, “Running Help Desk Reports,” on page 171.
Administrator Guide for KBOX 1000 Series, version 3.3
170
Running Help Desk Reports The KBOX 1000 Series provides several default reports you can run on the Help Desk. You can view these reports by selecting the Reporting tab and then selecting HelpDesk from the View by category drop-down list. By default, the KBOX 1000 Series includes the Help Desk reports shown in the table below. For convenience, each of these reports is available in a variety of formats: HTML, PDF, CSV, and TXT. Help Desk Report
Description
Closed Satisfaction Survey last 31 days by Owner
Lists by Owner all Closed Satisfaction Surveys in the last 31 days.
Closed Ticket Resolutions last 31 days by Owner
Lists by Owner all Closed Ticket Resolutions in the last 31 days.
Closed Ticket Resolutions last 7 days by Owner
Lists by Owner all Closed Ticket Resolutions in the last 7 days.
Closed Tickets last 31 days by Category
Lists by Category all Help Desk tickets that have been closed in the last 31 days.
Closed Tickets last 31 days by Owner
Lists by Owner all Help Desk tickets that have been closed in the last 31 days.
Closed Tickets last 7 days by Owner
Lists by Owner all Help Desk tickets that have been closed in the last 7 days.
Escalated/Open Tickets by Owner
Lists by Owner all escalated and open Help Desk tickets.
Open Tickets by Category
Lists by Category all open Help Desk tickets.
Open Tickets by Owner
Lists by Owner all open Help Desk tickets.
Open Tickets last 7 days by Owner
Lists by Owner all open Help Desk tickets opened in the last 7 days.
Stalled Tickets by Owner
Lists by Owner all tickets that are past their due date but not in escalation (stalled tickets).
Stalled/Open Tickets by Category
Lists by Category all stalled and open Help Desk tickets.
Stalled/Open Tickets by Impact
Lists by Impact all stalled and open Help Desk tickets.
Stalled/Open Tickets by Owner
Lists by Owner all stalled and open Help Desk tickets.
Stalled/Open Tickets by Priority
Lists by Priority all stalled and open Help Desk tickets.
Stalled/Open Tickets by Status
Lists by Status all stalled and open Help Desk tickets.
Stalled/Open Tickets with Due Date by Owner
Lists by Owner and due date all stalled and open Help Desk tickets.
Work Report Date Range - Long Notes Display
Displays date, ticket #, technician and hours worked as a header above the Notes for a Work entry for 2006-04-01 through 2006-07-01.
Table 11-2: Default Help Desk reports
Administrator Guide for KBOX 1000 Series, version 3.3
171
Help Desk Report
Description
Work Report last 31 days
Reports all tickets for which work has been logged for the last 31 days.
Work Report last 31 days Customize
Use this report if you want to build a customized report showing only select fields for all tickets for which work has been logged for the last 31 days.
Work Report last 31 days - Long Notes Display
Displays date, ticket #, technician, and hours worked as a header above the Notes for each Work entry.
Work Report last 31 days by Person
Displays all people who logged work during the last 31 days first by person, and then by ticket and time.
Table 11-2: Default Help Desk reports To run Help Desk reports: 1. Select Reporting. The KBOX Reports page appears. 2. From the View by category drop-down list, select HelpDesk. 3. Click the format type for the report you want to view. If you need to create custom reports, see “Creating and editing reports,” on page 190 for information on using the Report Wizard.
Administrator Guide for KBOX 1000 Series, version 3.3
172
C H A P T E R 12
Server Maintenance This chapter describes the most commonly used features and functions that the Administrator will use in administering and maintaining your KBOX 1000 Series appliance. “KBOX 1000 Series maintenance overview,” on page 174 “Backing up KBOX 1000 Series data,” on page 174 “Restoring KBOX 1000 Series Settings,” on page 176 “Updating KBOX 1000 Series software,” on page 177 “Updating OVAL definitions,” on page 179 “Troubleshooting the KBOX 1000 Series,” on page 180
KBOX 1000 Series maintenance overview The Settings | Server Maintenance page allows you to perform a variety of functions to maintain and update the KBOX 1000 Series appliance. You can access the most recent KBOX server backups, upgrade your KBOX 1000 Series server to newer server versions, retrieve updated OVAL definitions, as well restore to backed-up versions as creating a new backup of the KBOX 1000 Series at any time that you'd like. The Settings | Server Maintenance tab also enables you to reboot and shutdown the KBOX 1000 Series, as well as update KBOX 1000 Series license key information. From the Server Maintenance tab you can: Upgrade KBOX 1000 Series appliance Update OVAL vulnerability definitions Create a backup KBOX 1000 Series appliance Enter or update KBOX 1000 Series License Key Restore to most recent backup Restore to factory default settings Restore from uploaded backup files Reboot KBOX 1000 Series Shutdown KBOX 1000 Series. The following sections describe some of the most commonly used features of the Settings | Server Maintenance tab.
Backing up KBOX 1000 Series data By default, the KBOX 1000 Series automatically takes backup at 3 A.M. and creates two files on the backup drive: kbox_dbdata.gz, containing the database backup, and kbox_file.tgz, containing any files and packages you have uploaded to the KBOX 1000 Series alliance.
Backing up KBOX 1000 Series manually In some cases, you might want to invoke a KBOX 1000 Series backup before the nightly backup occurs. In such cases, you can create a KBOX 1000 Series backup manually. To create a KBOX 1000 Series backup manually: 1. Select Settings | Server Maintenance. 2. Scroll down and click the [Edit Mode] link. 3. Beside Run KBOX Backup, click Run Backup Now. After creating the backup, the Settings | Logs tab will appear.
Administrator Guide for KBOX 1000 Series, version 3.3
174
Downloading backup files to another location The backup files are used to restore your KBOX 1000 Series configuration in the event of a data loss or during an upgrade or migration to new hardware. The KBOX 1000 Series contains only the most recent full backup of the files. For a greater level of recoverability (for instance if you wanted to keep rolling backups), you can offload the backup files to another location so that they can be restored later if necessary. You can access the backup files for downloading from the Administrator UI as well as through ftp. To download backup files to another location: 1. Select Settings |Server Maintenance. 2. Click the backup links on the sidebar.
Contains the database backup Contains the files and packages you have uploaded to the KBOX 1000 Series Figure 12-1: Links to backup files 3. Click Save in the alert that appears, then specify a location for the files. 4. Browse to the location where you want to store the files, then click Save. To access the backup files through ftp: 1. Open a command prompt. 2. At the C:\ prompt, type: ftp kbox 3. Enter the login credentials: user: kbftp, password: getbxf 4. Type the following ftp commands:
Figure 12-2: FTP command for accessing backup files
Administrator Guide for KBOX 1000 Series, version 3.3
175
Restoring KBOX 1000 Series Settings The backup files are used to restore your KBOX 1000 Series configuration in the event of a data loss or during an upgrade or migration to new hardware. Restoring any type of backup file will destroy the data currently configured in the KBOX 1000 Series Server. KACE recommends off loading any backup files or data that you want to keep before performing a restore.
Restoring from most recent backup The KBOX 1000 Series has a built-in ability to restore files from the most recent backup directly from the backup drive. You can access the backup files from the KBOX 1000 Series Administrator UI or through ftp. To restore from the most recent backup: 1. Click Settings | Server Maintenance. 2. Scroll down and click the [Edit Mode] link. 3. Click the Restore from Backup button.
Uploading files to restore settings If you have off-loaded your backup files to another location, you can upload those files manually, rather than restoring from the backup files stored on the KBOX 1000 Series. To upload backup files: 1. Click Settings | Server Maintenance. 2. In the Database Backup Files field, click Browse and locate the backup file. 3. In the KBOX Backup Files field, click Browse and locate the backup file. 4. Click Restore from Upload Files.
Administrator Guide for KBOX 1000 Series, version 3.3
176
Updating KBOX 1000 Series software Part of maintaining your KBOX 1000 Series appliance involves updating the software that runs on the KBOX 1000 Series server. This process also involves verifying that you are using the minimum required version of the KBOX 1000 Series, as well as updating the license key in the KBOX 1000 Series to reflect the current product functionality.
Verifying minimum server version Before applying this update, verify your KBOX 1000 Series server version meets the minimum version requirement. To verify minimum server version: 1. Open your browser and go to the URL for the KBOX 1000 Series appliance (http://kbox/admin). 2. Click About KBOX in the upper right-hand corner of the screen.
The version of the server
Figure 12-3:
About KBOX
Updating the license key After installing an upgrade to the KBOX 1000 Series server, you may need to enter a new KACE license key to fully activate the KBOX 1000 Series. You should have the new license key to upgrade your KBOX 1000 Series appliance. Updating your KBOX 1000 Series license key: 1. Select Settings | Server Maintenance. 2. Scroll down and click the [Edit Mode] link. 3. Enter your new license key, then click Save.
Administrator Guide for KBOX 1000 Series, version 3.3
177
Applying the server update If you are using a previous version of the KBOX 1000 Series, you must apply the earlier updates separately before continuing. Refer to the release notes for your version of the KBOX 1000 Series to determine the minimum updates. To apply the server update: 1. Download the kbox_upgrade_server_XXXX.bin file and save it locally. 2. Open your browser to http://kbox/admin. 3. Select Settings | Server Maintenance. 4. Scroll down and click the [Edit Mode] link. 5. Under Update KBOX, click Browse, and locate the update file you just downloaded. 6. Click Update KBOX. When the file has completed uploading, your KBOX 1000 Series will reboot with the latest features.
Verifying the update After applying the upgrade, verify successful completion by reviewing the update log. To verify the upgrade: 1. Select Settings | Logs. 2. Click the Update link. 3. Review the Update log for any error messages or warnings. 4. Click About KBOX in the upper right corner to verify the current version.
Rebooting and shutting down KBOX 1000 Series appliance You may need to reboot the KBOX 1000 Series appliance from time to time when troubleshooting or possibly upgrading KBOX 1000 Series settings. When rebooting KBOX 1000 Series, you should always do so by clicking the Reboot KBOX button located on the Settings | Server Maintenance tab. Before performing hardware maintenance, you will need to shutdown the KBOX 1000 Series prior to unplugging appliance. You can shutdown the KBOX 1000 Series appliance either by pressing the power button ONCE, quickly, or by clicking the Shutdown KBOX button on the Settings | Server Maintenance tab. The Reboot and Shutdown buttons will only be clickable if you have already click the blue "Edit Mode" link at the bottom of the page.
Administrator Guide for KBOX 1000 Series, version 3.3
178
Updating OVAL definitions Although the definitions for OVAL vulnerabilities are updated automatically on a scheduled basis, you can retrieve the latest files manually from the Server Maintenance page. For more information about OVAL definitions, see “About OVAL and CVE,” on page 133 To update the OVAL & Patch definitions: 1. Select Settings | Server Maintenance. 2. To update OVAL definitions, click Update OVAL Now.
Administrator Guide for KBOX 1000 Series, version 3.3
179
Troubleshooting the KBOX 1000 Series The KBOX 1000 Series provides several log files that can help you detect and resolve errors. The log files are rotated automatically as each grows in size so no additional administrative log maintenance procedures are required. Log maintenance checks are performed daily. The KBOX 1000 Series maintains the last seven days of activity in the logs. KACE Technical Support may request that you send the KBOX 1000 Series Server logs if they need more information in troubleshooting an issue. To download the logs, click the Download Logs link. For more information, see “Downloading log files,” on page 180.
Accessing KBOX 1000 Series logs You can access the KBOX 1000 Series Server logs by going to the Settings | Logs tab. This area also provides a reference for any KBOX 1000 Series informational or exception notices. Log Type
Description
Disk Status
Displays the status of the KBOX 1000 Series disk array.
Application
Displays miscellaneous information about the application's operation and execution.
Access
Displays the HTTP Server's access information.
Server
Displays errors or server warnings regarding any of the onboard server processes.
Update
Displays details of any KBOX 1000 Series patches or upgrades applied using the Update KBOX function.
Client
Displays KBOX Agent exception logs.
Table 12-4: Types of Server Logs
Downloading log files The KBOX 1000 Series provides the ability to download the logs into one file directly from the Admin UI. You may be asked by KACE Technical support to submit KBOX 1000 Series logs in order to help diagnose a problem. To download KBOX 1000 Series logs: 1. Select Settings | Logs. 2. Click the Download logs link on the right of the Log page. The logs are downloaded in a file called kbox_logs.tgz. 3. Click Save.
Administrator Guide for KBOX 1000 Series, version 3.3
180
Understanding disk log status data The log you are likely to interact with most often when troubleshooting the KBOX 1000 Series is the Disk Status log. If there is a physical problem with the KBOX 1000 Series, that issue would be reflected here. KBOX 1000 Series Server and KBOX Agent exceptions are reported nightly to kace.com if you enabled crash reporting on the Settings | General tab.
Figure 12-5: Disk status without error
Error status listed here Figure 12-6: Disk status with error The figures above display the difference in the Disk status log when no error is found and when an error exists. Although this section does not describe every possible error message that could be displayed here, many of the errors that occur can be resolved by following the same set of steps:
Administrator Guide for KBOX 1000 Series, version 3.3
181
Step
Description
Step 1: Rebuild
If the disk status log error reads “Degraded” that is an indication that you need to rebuild the array. To do this, click the Rebuild Disk Array button. Rebuilding can take up to 2 hours. If an error state still exists after this, proceed to step 2.
Step 2: Power Down and Reseat the Drives
In some cases, the degraded array may be caused by a hard-drive that is no longer seated firmly in the drive-bay. In these cases, the disk status will usually show "disk missing" for that drive in the log. Power down the KBOX 1000 Series. Once the appliance is powered off, eject each of the hard-drives and then re-insert them, making sure that the drive is firmly in the bay. Power the machine back on and then look again at the disk status log to see if that has resolved the issue. If an error state still exists, try rebuilding again or proceed to Step 3.
Step: Call KACE Technical Support
If you have the previous steps and are still experiencing errors, please contact KACE Technical Support by email ([email protected]) or phone (888) 522-3638 option 2.
Table 12-7: Troubleshooting your KBOX 1000 appliances
Administrator Guide for KBOX 1000 Series, version 3.3
182
C H A P T E R 13 Reporting The KBOX 1000 Series provides a variety of alert and reporting features that enable you to communicate easily with users and to get a detailed view of the activity on your network. “KBOX 1000 Series Reports overview,” on page 184 “Alert Messages,” on page 193 “Email Alerts,” on page 194 “KBOX 1000 Series Summary,” on page 195 “LDAP Browser,” on page 201
KBOX 1000 Series Reports overview The KBOX 1000 Series ships with many included stock reports. The reporting engine utilizes XML-based report layouts to output report types of HTML, PDF, CSV, and TXT. By default, the KBOX 1000 Series provides reports in the following general categories: Compliance Hardware Help Desk KBOX Network Patching Security Software Template
Administrator Guide for KBOX 1000 Series, version 3.3
184
Types of Reports Within each of the general categories mentioned above, there are various reports you can run to display information about the computers on your network. Descriptions of each type of report you can run are provided below. Help desk reports are discussed in Chapter 11,“User Portal and Help Desk,” starting on page 146. Category
Report
Description
Compliance
Hotfix Compliance
Shows which computers have the specified hotfix installed.
Compliance
Software Compliance Simple
Lists the licenses and counts like the License list page with details such as vendor, PO#, and Notes.
Compliance
Software License Compliance Complete
Lists software and computers that are impacted by each license record.
Compliance
Unapproved Software Installation
Lists software found on computers that do not have approved licenses.
Hardware
C drives less than 2G free
Shows which computers less than 2 gigabytes of free space.
Hardware
Computer - Video/Ram/Proc by Label
Lists all computers and their video, ram and processor information sorted by label and name.
Hardware
Computer Export
This report is intended to generate a CSV listing for data export to other programs.
Hardware
Computer Inventory Detail
Detail listing of all computers on the KBOX 1000 Series network with full field detail.
Hardware
Computer Listing by Free Disk Space
Lists computer disk drives in order of total free disk space.
Hardware
Computer Listing by Label
Lists all computers by all KBOX 1000 Series labels.
Hardware
Computer Listing by Memory
Lists computer RAM in order of total memory size.
Hardware
Computer Listing by Operating System
Sorts all computers by Operating System type and sums OS Types.
Hardware
Computer Uptime Report
Reports the uptime of the computers.
Help Desk
Closed Satisfaction Survey last 31 days by Owner
Lists by Owner all Closed Satisfaction Surveys in the last 31 days.
Help Desk
Closed Ticket Resolutions last 31 days by Owner
Lists by Owner all Closed Ticket Resolutions in the last 31 days.
Help Desk
Closed Ticket Resolutions last 7 days by Owner
Lists by Owner all Closed Ticket Resolutions in the last 7 days.
Help Desk
Closed Tickets last 31 days by Category
Lists by Category all Help Desk tickets that have been closed in the last 31 days.
Table 1: Default reports
Administrator Guide for KBOX 1000 Series, version 3.3
185
Category
Report
Description
Help Desk
Closed Tickets last 31 days by Owner
Lists by Owner all Help Desk tickets that have been closed in the last 31 days.
Help Desk
Closed Tickets last 7 days by Owner
Lists by Owner all Help Desk tickets that have been closed in the last 7 days.
Help Desk
Escalated/Open Tickets by Owner
Lists by Owner all escalated and open Help Desk tickets.
Help Desk
Open Tickets by Category
Lists by Category all open Help Desk tickets.
Help Desk
Open Tickets by Owner
Lists by Owner all open Help Desk tickets.
Help Desk
Open Tickets last 7 days by Owner
Lists by Owner all open Help Desk tickets opened in the last 7 days.
Help Desk
Stalled Tickets by Owner
Lists by Owner all tickets that are past their due date but not in escalation (stalled tickets).
Help Desk
Stalled/Open Tickets by Category
Lists by Category all stalled and open Help Desk tickets.
Help Desk
Stalled/Open Tickets by Impact
Lists by Impact all stalled and open Help Desk tickets.
Help Desk
Stalled/Open Tickets by Owner
Lists by Owner all stalled and open Help Desk tickets.
Help Desk
Stalled/Open Tickets by Priority
Lists by Priority all stalled and open Help Desk tickets.
Help Desk
Stalled/Open Tickets by Status
Lists by Status all stalled and open Help Desk tickets.
Help Desk
Stalled/Open Tickets with Due Date by Owner
Lists by Owner and due date all stalled and open Help Desk tickets.
Help Desk
Work Report Date Range - Long Notes Display
Displays date, ticket #, technician and hours worked as a header above the Notes for a Work entry for 2006-04-01 through 2006-07-01.
Help Desk
Work Report last 31 days
Reports all tickets for which work has been logged for the last 31 days.
Help Desk
Work Report last 31 days Customize
Use this report if you want to build a customized report showing only select fields for all tickets for which work has been logged for the last 31 days.
Help Desk
Work Report last 31 days - Long Notes Display
Displays date, ticket #, technician, and hours worked as a header above the Notes for each Work entry.
Help Desk
Work Report last 31 days by Person
Displays all people who logged work during the last 31 days first by person, and then by ticket and time.
Table 1: Default reports
Administrator Guide for KBOX 1000 Series, version 3.3
186
Category
Report
Description
KBOX
Boot/Login Policies
Lists all the activities that could happen at machine boot time or after the user logs in.
KBOX
KBOX Agent Roll Out Log
Reports when a computer record was first created.
KBOX
KBOX Communication
Lists by day the latest communication from computers on the network.
KBOX
MI's enabled on all machines
Lists all the managed installations that are enabled on all machines.
KBOX
Scripts enabled on all machines This report lists the scripts that are enabled on all machines.
Network
Network Info - Domain Listing
This report lists computers groups computers by domain/workgroup.
Network
Network Info - IP Address Listing
Lists computers in order of IP Address (ascending).
Network
Network Scan Report
Displays the results of the nightly Network Scan.
Patching
Critical Bulletin List
Lists all critical bulletins.
Patching
For each Machine, what patches are installed
Lists of all patches on each computer in the KBOX network.
Patching
For each Patch, what machines have it installed
Lists the computers having each software patch in inventory.
Patching
How many computers have each Patch installed
Software Inventory listing sorted by software title showing number of seats deployed.
Patching
Installation Status of each enabled Patch
Lists the installation status of each enabled patch.
Patching
Needs Review Bulletin List
List of all the Bulletins that need review.
Patching
Patches waiting to be deployed
Lists all patches waiting to be deployed.
Security
Number of machines with OVAL vulnerabilities
Lists, for each OVAL test, how many machines failed the test and are therefore vulnerable.
Security
OVAL Machine Report
Reports all the machines and how many OVAL tests that each of them failed.
Security
SANS Top 10 - Q2 2005
Reports all OVAL results from vulnerabilities reported by SANS.
Security
Threating Items
Displays all items o threat level 4 or 5 and the computers which have them.
Security
Top 10 OVAL Vulnerabilities
Displays a Pie graph of the top 10 OVAL vulnerabilities that have been reported by the OVAL scan.
Software
Software Export
Generates a CSV listing for data export to other programs.
Table 1: Default reports Administrator Guide for KBOX 1000 Series, version 3.3
187
Category
Report
Description
Software
Software Installed But Not Used Last 6 Months
Lists, by software item, where software has been installed but not used according to software metering. This will only work when you have attached the metering to a particular software item which will limit you to a particular version of software.
Software
Software Inventory By Vendor
Software Inventory listing grouped by vendor showing number of seats deployed.
Software
Software Listing By Label
Lists all software titles organized by all KBOX 1000 Series labels.
Software
Software not on any computer
Listing of all software titles that are not currently installed on any computers.
Software
Software on Computer
Listing of all software on each computer in the KBOX 1000 Series network.
Software
Software OS Report - Graph
Pie graph showing the list and count of Operating Systems currently deployed on your network.
Software
Software Title & Version - Com- This report lists the computers having each softputer List ware title in inventory.
Software
Software Title - Computer List (MS Only)
This report lists computers having each Microsoft software title in inventory.
Software
Software Title Deployed Count
Software Inventory sorted by software title showing number of seats deployed.
Template
Computer Listing - XP SP2 installed?
Lists all computers, reporting if XP SP2 is installed or not. Change 'Windows XP Service Pack 2' to any other Software title you are interested in. Sorted by installation status.
Template
Computer Listing with Software Template
Computer Listing sorted by LABEL with computers having software names like "Microsoft Office Professional%".
Template
Custom Inventory Template
Reports the values returned by a custom inventory rule that you can setup in the Software Item page. Change 'McAfeeDATFile' to be the name of the Software item with the Custom Inventory Rule in it.
Template
Log File Information Template
This is a template that lists the values returned from a 'Log File Information' action in a script. Replace 'AccessedDate: ' with the actual attribute that you returned.
Template
Log Registry Value Template
This template lists the values returned from a script using the 'Log Registry Value' action. Replace the value '!doc =' with the appropriate value name that you entered in the script.
Table 1: Default reports Administrator Guide for KBOX 1000 Series, version 3.3
188
Category Template
Report
Description
Machines By Label X with Software Y Installed
Reports all the machines in label(s) and indicates if they have a particular software product installed. Replace KBOX with the name of the software you are looking for and QA_LABEL and KBOX_LABEL with the labels of the machines you want included.
Table 1: Default reports
Administrator Guide for KBOX 1000 Series, version 3.3
189
Running Reports To run any of the KBOX 1000 Series reports, you simply need to click the desired format type (HTML, PDF, CSV, or TXT). For HTML or PDF formats, the report will be displayed in a new window. If you select CSV or TXT format, you will be prompted to open the file or save it to your computer. For example, the KBOX server build at your end is 3.1.6474. On clicking the Reporting | Summary tab, the KBOX Summary Information page appears, and on clicking the Settings | Server Maintenance tab, the KBOX Settings : Server Maintenance page appears. Let’s say KACE comes up with a new patch for the server build by the name 3.1.6748 and pushes it to the corporate server. If you click on the Check for upgrade button in the Settings| Server Maintenance page, the An upgrade is now available link appears on the KBOX Summary Information page and the latest build is available in the Upgrade KBOX field on the KBOX Settings : Server Maintenance page. The An upgrade to 3.1.6748 is now available link also appears in the Reporting | Summary page. Clicking on this link will take you to the Settings | Server Maintenance page. Click Upgrade now to upgrade your KBOX Server to the build 3.1.6748 build.
Creating and editing reports If you have other reporting needs not covered by the reports previously mentioned, you can either create a new report from scratch, or you can modify one of the templates provided in the KBOX 1000 Series Template category. You can create a report in the following ways: Duplicate an existing report - Another way to create a report is to open an existing report and create a copy of it, which you can then modify to suit your needs. Create a new report using the Report Wizard. Create a new report from scratch To duplicate an existing report: 1. Select Reporting | Reports. 2. Click the linked Report Title. The KBOX Report: Edit Detail page appears. 3. Click the Duplicate button. 4. Modify the report details as necessary, then click Save. Consult the list of database table names in Appendix B,“Database tables,” starting on page 209.
Administrator Guide for KBOX 1000 Series, version 3.3
190
To create a new report using the Report tab: 1. Select Reporting | Reports. The KBOX Report page appears. 2. Select Add New Report from the Choose action drop-down list. 3. Enter the report details as shown below: Report Title
Enter a display name for the report. Make this as descriptive as possible, so you can distinguish this report from others.
Report Category
Enter the category for the report. If the category does not already exist, it will be added to the drop-down list on the Reports list page.
Description
Describe the information that the report will provide.
Report Type
Select a report type from the list. The fields that you will be able to include on the report vary depending on the report type you choose.
4. Click Next. 5. The next step is to select fields you want to include on the report. Click Select All to select all fields or Deselect All to deselect all fields. 6. Click Next. 7. The next step is to arrange the fields you selected in the order in which you want the columns to appear on the report. Highlight and drag a column block to change the order. Rearrange the fields until the columns are in the order you want to display them on the report. 8. Click Next. 9. The next step is to sort the fields you selected for the report and to decide where you want the report to break. You can sort first by one field, then further sort by one or two more fields. a. Select a field or fields by which you want to sort from the Order By drop-down list or lists. b. Select either Ascending or Descending from the Sequence drop-down list or lists. c. Check Break Header? if you want to break the report with a new header and do subtotals. 10. Click Next. 11. The next step is to specify filter criteria for the report: a. Select a field or fields by which you want to filter from the field drop-down list or lists. b. Select an operator or operators from the operator drop-down list or lists. c. Enter a value by which you want to search and filter. You can combine individual field filter searches (create a compound filter search) by selecting an AND or an OR operator. The example above will search for and filter users who have “kace” or “kacepartner” in their mail address. 12. Click Save to save your report. The KBOX Reports page is displayed with the new report in the list. To run the new report, click the desired format type (HTML, PDF, CSV, or TXT). For HTML or PDF formats, the report will be displayed in a new window. If you select CSV or TXT format, you will be prompted to open the file or save it to your computer.
Administrator Guide for KBOX 1000 Series, version 3.3
191
To create a new report from scratch: 1. Select Reporting | Reports. 2. Select Add New SQL Report from the Choose action drop-down list. The KBOX Report: Edit Detail page appears. 3. Specify the following report details: Title
Enter a display name for the report. Make this as descriptive as possible, so you can distinguish this report from others.
Report Category
Enter the category for the report. If the category does not already exist, it will be added to the drop-down list on the Reports list page.
Output File Name
Specify the name for the file generate when this report is run.
Description
Describe the information that the report will provide.
Output Types
Specify the formats that should be available for this report.
SQL Select Statement
Enter the query statement that will generate the report data. For reference, consult the MYSQL documentation.
Break on Columns
A comma-separated list of SQL column names. The report will generate break headers and sub totals for these columns. This setting refers to the auto-generated layout.
XML Report Layout
When checked, this option will create the XML layout based on the SQL you enter. Select this check box if you have changed the columns that are being returned by the query so that the XML Report Layout is regenerated using the new columns.
4. Click Save. For assistance with formatting the report XML, refer to the rlib documentation found here: http://rlib.sicompos.com/.
Administrator Guide for KBOX 1000 Series, version 3.3
192
Alert Messages Alert messages provide a way for you to interact with your users by displaying a message in a pop-up window. The Alerts List page displays the messages you have distributed to users. From the Alerts list page you can open existing alerts, create new alerts, or delete alerts. You can also search messages using keywords.
Creating alert messages If you have information you want to distribute to your network, you can review and modify previous messages you have deployed, or you can create a new message. To create an alert message: 1. Select Reporting | Alerts. 2. Select Add New Item from the Choose action drop-down list. The Alerts: Edit Detail page appears. 3. In the Message Content field, type the text of your message. 4. In the Keep Alive field, specify the length of time the message will be valid. Messages will be broadcast to users until either the user's desktop has received the message or the specified time interval has elapsed. This is based on the Run Interval set on the Distribution | KBOX Agent | KBOX Agent Setting. 5. In the Limit Broadcast To area, select the recipient label(s) to which this message will be sent. Press CTRL and click to select multiple labels. 6. Click Save.
Administrator Guide for KBOX 1000 Series, version 3.3
193
Email Alerts Mail alerts differ from Alerts (broadcast messages) in that they allow you to send messages out to administrators based on more detailed criteria. The Mail Alert feature relies on the Inventory | Computers engine to create a notification that will be sent to administrators when computers meet the criteria you specify. The KBOX 1000 Series checks the computers in inventory against the criteria in the Mail Alert once an hour until one or more computers meet the criteria, then a message is sent to the administrator(s) specified in the alert details.
Creating Email Alerts Notifications are processed every 60 minutes. Should a notification query result in 1 or more machine records, then a notification email is automatically sent to the specified recipient. To create an Email Alert: 1. Select Reporting | Email Alerts. The Email Alerts page appears. 2. Select Add New Computer Notification in the Choose action drop-down list. The Inventory | Computers tab appears with the Create Email Notification fields exposed. 3. Enter the search criteria. 4. In the Title field, enter a title for the alert. The Title will appear in the Subject field. 5. In the Recipient field, enter the email address(es) of the message recipient. Email addresses must be fully qualified email addresses. The recipient address may be a single email address or a list of addresses separated by commas.
Administrator Guide for KBOX 1000 Series, version 3.3
194
KBOX 1000 Series Summary The KBOX 1000 Series Summary page provides information about the configuration and operation of your KBOX 1000 Series appliance. When you log on to the KBOX Administrator Console, the Summary tab appears by default. To view KBOX Summary: 1. Select Reporting | Summary. The KBOX Summary page appears. 2. The sections that follow provide a description of the summary information displayed. 3. Click Refresh to refresh the information displayed.
Client Check-In Rate Displays the total number of clients that have checked in to the server in an hour.
The counter automatically adjusts if the number increases beyond one hundred.
Administrator Guide for KBOX 1000 Series, version 3.3
195
Distributions Displays the number of managed installations, scripts, and file synchronizations that are enabled. This also displays the number of alerts that you have configured.
The counter automatically adjusts if the number increases beyond thirty.
Administrator Guide for KBOX 1000 Series, version 3.3
196
Software Threat Level Displays the number of machines on various software threat levels.
The number of machines displayed on the Y axis automatically adjusts if the number of machines found on a particular threat level increases beyond twelve.
License Compliance Displays the number of machines that use a particular licensed software. For example, the following figure displays a licensed software named Adobe flash player 9, which can be used on one thousand machines. In this example, this software is used by twelve machines.
Administrator Guide for KBOX 1000 Series, version 3.3
197
KBOX Network Load Displays the number of sockets connected to the server.
The counter automatically adjusts if the number of sockets connected increases beyond one hundred.
Managed Operating Systems Displays the number, in percentage, of various operating systems present in the inventory.
Administrator Guide for KBOX 1000 Series, version 3.3
198
To view KBOX Summary Details: 1. Select Reporting | Summary. The KBOX Summary page appears. 2. Scroll down, and then click View Details. The KBOX Summary Details page appears. 3. The sections that follow provide a description of the summary details provided.
As this page is refreshed, the record count information is refreshed. New KBOX 1000 Series installations will mostly contain zero or no record counts.
Computer statistics Provides a summary of the computers on your network, including a breakdown of the operating systems in use. In addition, if the number of computers on your network exceeds the number allowed by your KBOX 1000 Series license key, a notification to that effect will be displayed here.
Software statistics Provides a summary of the software in KBOX 1000 Series Inventory. Includes the number of software titles that have been uploaded to the KBOX 1000 Series.
Software Distribution Summary Provides a summary of the packages that have been distributed to the computers on your network, separated out by distribution method. Also indicates the number of packages that are enabled vs. disabled.
Alert Summary Provides a summary of the alerts that have been distributed to the computers on your network, separated by message type. This also indicates the number of alerts that are active vs. expired. The IT Advisory refers to the number of Knowledge Base Articles in Help Desk.
Administrator Guide for KBOX 1000 Series, version 3.3
199
Patch Bulletin Information Provides a summary of the patches received from Microsoft. Includes the date and time of the last patch download (successful and attempted) and the number of bulletins in the KBOX 1000 Series.
OVAL Information Provides a summary of the OVAL definitions received and the number of vulnerabilities detected on your network. Includes the date and time of the last OVAL download (successful and attempted) and the number of OVAL tests in the KBOX 1000 Series, in addition to the numbers of computers that have been scanned.
Network Scan Summary Provides a summary of the results of Network Scans run on the network. Includes the number of IP addresses scanned, the number of services discovered, the number of devices discovered, as well as the number of detected devices that are SNMP-enabled.
Administrator Guide for KBOX 1000 Series, version 3.3
200
LDAP Browser The LDAP Browser allows you to browse and search the data located on the LDAP Server. For example, Active Directory Server. You must have the Bind DN and the Password to log on to the LDAP Server. To use the LDAP Browser: 1. Select Reporting | LDAP Browser. 2. Specify the LDAP Server Details LDAP Server
Specify the IP or the Host Name of the LDAP Server. Note: For LDAPS, use the IP or the Host Name, as ldaps:// HOSTNAME
LDAP Port
Specify the LDAP Port number, which could be either 389/636 (LDAPS).
LDAP Login
Specify the Bind DN For example: CN=Administrator,CN=Users,DC=kace,DC=com
LDAP Password
Specify the password for the LDAP login.
3. Click test. 4. On a successful connection to the LDAP server, a list of possible base DNs (Distinguished Names) available on that directory is displayed. These base DNs can be used as a start point to browse and search the directory. If the connection was not established, the Operation Failed message appears, which could be due to one of the following reasons: The IP or Host Name provided is incorrect. The LDAP server is not up. The login credentials provided are incorrect. 5. Click a Base DN or click next. A new window displays the Search Base DN and the Search Filter. The Search Base DN is populated on the basis of the Base DN that you selected in the previous screen. You can modify the Search Base DN and the Search Filter. 6. You can also use the Filter Builder to create complex filters. Click Filter Builder. The Query Builder is displayed. Specify the following information. Attribute Name
Specify the Attribute Name. For example, samaccountname.
Relational Operator
Select the relational operator from the drop-down list. For example, =.
Attribute Value
Specify the attribute value. For example, admin.
Administrator Guide for KBOX 1000 Series, version 3.3
201
7. To add more than one attribute: Conjunction Operator
Select the conjunction operator from the drop - down list. For example, AND. Note: This field is available for the previous attribute only when you add a new attribute.
Add
Click Add. You can add multiple attributes.
Search Scope
Click One level to search at the same level or click Sub-tree level to search at the sub-tree level.
8. Click OK. The query appears in the Search Filter text area. For example, (samaccountname=admin). 9. Click Browse to display all the immediate child nodes for the given base DN and search filter. Click Search to display all the direct and indirect child nodes for the given base DN and search filter. The search results are displayed in the left panel. 10. Click a child node to view its attributes. The attributes are displayed in the right panel.
Administrator Guide for KBOX 1000 Series, version 3.3
202
A P P E N D I X A
Adding steps to a Task This appendix documents steps for tasks of a script. The steps documented here are available on the Scripting tab. For more information, see “Scripting,” on page 91. “Steps for Task sections,” on page 204
Steps for Task sections Refer to the following table when adding steps to a Policy or Job Task. These are the steps available in the step drop-down lists in the Verify, On Success, Remediation, On Remediation Success, and On Remediation Failure sections of a task. The Column headings V, OS, R, ORS, and ORF indicate whether a particular step is available in the corresponding Task sections. Step
Explanation
Always Fail
V
OS
R
X
ORF
X
Call a Custom DLL Function
Call function "%{procName}" from "%{path}\%{file}"
X
X
X
Create a Custom DLL Object
Create object "%{className}" from "%{path}\%{file}"
X
X
X
Create a message window
Create a message window named "%{name}" with title "%{title}", message "%{message}" and timeout "%{timeout}" seconds.
X
X
X
Delete a registry key
Delete "%{key}" from the registry.
X
X
Delete a registry value
Delete "%{key}!%{name}" from the registry.
X
X
Destroy a message window
Destroy the message window named "%{name}".
Install a software package
Install "%{name}" with arguments "%{install_cmd}". Note: This step requires you to choose from a list of software packages already uploaded using the functionality in the Inventory/Software tab. For more information, see “Adding Software to Inventory,” on page 39.
Kill a process
Kill the process "%{name}".
Launch a program
Launch "%{path}\%{program}" with params "%{parms}".
Log a registry value
Log “%{key}!%{name}”.
X
Log file information
Log “%{attrib}”from “%{path}\%{file}”
X
Log message
Log “%{message}”to “%{type}”
X
Restart a service
Restart service “%{name}”
X
ORS
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
Table A-1: Steps for Tasks in Policy & Job scripts
Administrator Guide for KBOX 1000 Series, version 3.3
204
Step Run a batch file
Explanation
V
OS
Run the batch file "%{_fake_name}" with params "%{parms}".
X
X
R
ORS
ORF
X
Note: In this step, you do not need to upload the batch file. You create the batch file by pasting the script in the space provided. Search the file system
Search for "%{name}" in "%{startingDirectory}" on "%{drives}" and "%{action}".
X
Set a registry key
Set "%{key}".
X
X
Set a registry value
Set "%{key}!%{name}" to "%{newValue}".
X
X
Start a service
Restart service “%{name}”
X
Stop a service
Stop service “%{name}”
X
Unzip a file
Unzip "%{path}\%{file}" to "%{target}".
X
X
X
X
Update message window text
Set the text in the message window named "%{name}" to "%{text}".
X
X
X
X
Update Policy and Job schedule
Update policy and job schedule from KBOX 1000 Series
X
Upload a file
Upload "%{path}\%{file}" to the server.
Upload \ logs
Upload KBOX Agent logs to KBOX 1000 Series
X
X
Verify a directory exists
Verify that the directory "%{path}" exists.
X
Verify a file exists
Verify that the file "%{path}\%{file}" exists.
X
Verify a file version is exactly
Verify that the file "%{path}\%{file}" has version "%{expectedValue}".
X
Verify a file version is greater than
Verify that the file "%{path}\%{file}" has version greater than "%{expectedValue}".
X
Verify a file version is greater than or equal to...
Verify that the file "%{path}\%{file}" has version greater than or equal to "%{expectedValue}”
X
Verify a file version is less than
Verify that the file "%{path}\%{file}" has version less than "%{expectedValue}".
Verify a file version is less than or equal to
Verify that the file "%{path}\%{file}" has version less than or equal to "%{expectedValue}
X X
X X
X X
Table A-1: Steps for Tasks in Policy & Job scripts
Administrator Guide for KBOX 1000 Series, version 3.3
205
Step
Explanation
V
Verify a file version is not
Verify that the file "%{path}\%{file}" does not have version "%{expectedValue}".
X
Verify a file was modified since
Verify that the file "%{path}\%{file}" was modified since "%{expectedValue}".
X
Verify a process is not running
Verify the process "%{name}" is not running.
X
Verify a process is running
Verify the process "%{name}" is running.
X
Verify a product ver- Verify that the product "%{path}\%{file}" sion is exactly.. has version "%{expectedValue}"
X
Verify a product ver- Verify that the product "%{path}\%{file}" sion is greater than has version greater than "%{expectedValue}".
X
Verify a product ver- Verify that the product "%{path}\%{file}" sion is greater than has version greater than or equal to "%{expected-Value}” or equal to...
X
Verify a product ver- Verify that the product "%{path}\%{file}" sion is less than has version less than "%{expectedValue}".
X
Verify a product ver- Verify that the product "%{path}\%{file}" sion is less than or has version less than or equal to "%{expectedValue}” equal to
X
Verify a product ver- Verify that the product "%{path}\%{file}" sion is not does not hav version "%{expectedValue}"
X
Verify a registry key does not exist
Verify that "%{key}" does not exist.
X
Verify a registry key exists
Verify that "%{key}" exists.
X
Verify a registry key’s subkey count is exactly
Verify that "%{key}" has exactly "%{expectedValue}" subkeys.
X
Verify a registry key’s subkey count is greater than
Verify that "%{key}" has greater than "%{expectedValue}" subkeys.
X
Verify a registry key’s subkey count is greater than or equal to
Verify that "%{key}" has greater than or equal to "%{expectedValue}" subkeys.
X
Verify a registry key’s subkey count is less than
Verify that "%{key}" has less than "%{expectedValue}" subkeys.
X
OS
R
ORS
ORF
Table A-1: Steps for Tasks in Policy & Job scripts
Administrator Guide for KBOX 1000 Series, version 3.3
206
Step
Explanation
V
Verify a registry key’s subkey count is less than or equal to
Verify that "%{key}" has less than or equal to "%{expectedValue}" subkeys.
Verify a registry key’s subkey count is not
Verify that "%{key}" does not have exactly "%{expectedValue}" subkeys.
X
Verify a registry key’s value count is exactly
Verify that "%{key}" has exactly "%{expectedValue}" values.
X
Verify a registry key’s value count is greater than
Verify that "%{key}" has greater than "%{expectedValue}" values.
X
Verify a registry key’s value count is greater than or equal to
Verify that "%{key}" has greater than or equal to "%{expectedValue}" values.
X
Verify a registry key’s value count is less than
Verify that "%{key}" has less than "%{expectedValue}" values.
X
OS
R
ORS
ORF
X
Verify a registry Verify that "%{key}" has less than or key’s value count is equal to "%{expectedValue}" values. less than or equal to
X
Verify a registry key’s value count is not
Verify that "%{key}" does not have exactly "%{expectedValue}" values.
X
Verify a registry pat- Verify that "%{key}!%{name}=%{expecttern doesn’t match edValue}" doesn't match.
X
Verify a registry pat- Verify that "%{key}!%{name}=%{expecttern matches edValue}" matches.
X
Verify a registry Verify that "%{key}!%{name}" does not value does not exist exist
X
Verify a registry value exists
Verify that "%{key}!%{name}" exists
X
Verify a registry value is exactly
Verify that "%{key}!%{name}" is equal to "%{expectedValue}"
X
Verify a registry value is greater than
Verify that "%{key}!%{name}" is greater than "%{expectedValue}"
X
Verify a registry value is greater than or equal to
Verify that "%{key}!%{name}" is greater than or equal to "%{expectedValue}"
X
Table A-1: Steps for Tasks in Policy & Job scripts
Administrator Guide for KBOX 1000 Series, version 3.3
207
Step
Explanation
V
Verify a registry value is less than
Verify that "%{key}!%{name}" is less than "%{expectedValue}"
X
Verify a registry value is less than or equal to
Verify that "%{key}!%{name}" is less than or equal to "%{expectedValue}"
X
Verify a registry value is not
Verify that "%{key}!%{name}" is not equal to "%{expectedValue}"
X
Verify a service exists
Verify the service "%{name}" exists
X
Verify a service is running
Verify the service "%{name}" is running
OS
R
ORS
ORF
X
Table A-1: Steps for Tasks in Policy & Job scripts
Administrator Guide for KBOX 1000 Series, version 3.3
208
A P P E N D I X B
Database tables This appendix contains a list of the table names used in the KBOX 1000 Series database. Use this as a reference when creating custom reports. “KBOX 1000 Series database tables,” on page 210
KBOX 1000 Series database tables Refer to the following table when creating custom reports. For more information, see Chapter 13,“Reporting,” starting on page 183. Table
Used In
ADVISORY
HelpDesk
ADVISORY_LABEL_JT
HelpDesk
AUTHENTICATION
KBOX
CLIENTDIST_LABEL_JT
KBOX
CLIENT_DISTRIBUTION
KBOX
CR_CLIENT_CRASH
KBOX
CR_SERVER_CRASH
KBOX
CUSTOM_FIELD_DEFINITION
Custom Fields
FILTER
Labeling
FS
File Synchronization
FS_LABEL_JT
File Synchronization
FS_MACHINE_JT
File Synchronization
GLOBAL_OPTIONS
KBOX
HD_ATTACHMENT
Help Desk
HD_CATEGORY
Help Desk
HD_EMAIL_EVENT
Help Desk
HD_IMPACT
Help Desk
HD_MAIL_TEMPLATE
Help Desk
HD_PRIORITY
Help Desk
HD_QUEUE
Help Desk
HD_QUEUE_PRIORITY
Help Desk
HD_QUEUE_STATUS
Help Desk
HD_STATUS
Help Desk
HD_TICKET
Help Desk
HD_TICKET_CHANGE
Help Desk
HD_TICKET_RELATED
Help Desk
HD_WORK
Help Desk
KBOT
Scripting
Table B-1: KBOX 1000 Series database table names
Administrator Guide for KBOX 1000 Series, version 3.3
210
Table
Used In
KBOT_CRON_SCHEDULE
Scripting
KBOT_DEPENDENCY
Scripting
KBOT_EVENT_SCHEDULE
Scripting
KBOT_FORM
Scripting
KBOT_FORM_DATA
Scripting
KBOT_GRAMMAR
Scripting
KBOT_GRAMMAR_ATTRIBUTE
Scripting
KBOT_LABEL_JT
Scripting
KBOT_LOG
Scripting
KBOT_LOG_DETAIL
Scripting
KBOT_LOG_LATEST
Scripting
KBOT_OS_JT
Scripting
KBOT_RUN
Scripting
KBOT_RUN_MACHINE
Scripting
KBOT_RUN_TOKEN
Scripting
KBOT_UPLOAD
Scripting
KBOT_UPLOAD_TOKEN
Scripting
KBOT_VERIFY
Scripting
KBOT_VERIFY_STEPS
Scripting
KBOX_VERSION
KBOX
LABEL
Labeling
LDAP_FILTER
Labeling
LDAP_IMPORT_USER
User
LICENSE
Inventory
LICENSE_MODE
Inventory
MACHINE
Inventory
MACHINE_CUSTOM_INVENTORY
Inventory
MACHINE_DISKS
Inventory
MACHINE_KUID
Inventory
MACHINE_LABEL_JT
Inventory
MACHINE_NICS
Inventory
Table B-1: KBOX 1000 Series database table names
Administrator Guide for KBOX 1000 Series, version 3.3
211
Table
Used In
MACHINE_NTSERVICE_JT
Inventory
MACHINE_PROCESS
Inventory
MACHINE_PROCESS_JT
Inventory
MACHINE_SOFTWARE_JT
Inventory
MACHINE_STARTUP_PROGRAMS
Inventory
MACHINE_STARTUPPROGRAM_JT
Inventory
MESSAGE
Alerts
MESSAGE_LABEL_JT
Alerts
MI
Managed Installs
MI_ATTEMPT
Managed Installs
MI_LABEL_JT
Managed Installs
METER
Software Metering
METER_COUNTER
Software Metering
MSP_AFFECTEDPRODUCT
Patching
MSP_AFFECTEDSERVICEPACK
Patching
MSP_BULLETIN
Patching
MSP_BULLETIN_STATUS
Patching
MSP_LOCATION
Patching
MSP_MI_TEMPLATE
Patching
MSP_MI_TEMPLATE_LABEL_JT
Patching
MSP_PATCH
Patching
MSP_PATCH_OS_VERSION
Patching
MSP_PRODUCT
Patching
MSP_SERVICEPACK
Patching
MSP_SERVICEPACK_MACHINE_JT
Patching
MSP_SEVERITY
Patching
MSP_UPDATE_STATUS
Patching
NETWORK_SETTINGS
KBOX
NODE
Network Scan
NODE_LABEL_JT
Network Scan
NODE_PORTS
Network Scan
Table B-1: KBOX 1000 Series database table names
Administrator Guide for KBOX 1000 Series, version 3.3
212
Table
Used In
NODE_SNMP_IF
Network Scan
NODE_SNMP_SYSTEM
Network Scan
NOTIFICATION
Alerts
NTSERVICE
Inventory
OPERATING_SYSTEMS
Inventory
OVAL_DEFINITION
OVAL
OVAL_STATUS
OVAL
OVAL_UPDATE_STATUS
OVAL
PORTAL
User Portal
PORTAL_LABEL_JT
User Portal
PROCESS
Inventory
PORT_SERVICES
KBOX
REPLICATION_SHARE
Replication
REPORT
Reporting
REPORT_FIELD
Reporting
REPORT_FIELD_GROUP
Reporting
REPORT_JOIN
Reporting
REPORT_OBJECT
Reporting
SCAN_FILTER
Labeling
SCAN_SETTINGS
Network Scan
SERVER_LOG
KBOX
SOFTWARE
Inventory
SOFTWARE_LABEL_JT
Inventory
SOFTWARE_OS_JT
Inventory
STARTUPPROGRAM
Inventory
THROTTLE
KBOX
TIME_SETTINGS
KBOX
TIME_ZONE
KBOX
USER
User
USER_HISTORY
User Portal
USER_KEYS
User Portal
Table B-1: KBOX 1000 Series database table names
Administrator Guide for KBOX 1000 Series, version 3.3
213
Table USER_LABEL_JT
Used In User
Table B-1: KBOX 1000 Series database table names
Administrator Guide for KBOX 1000 Series, version 3.3
214
Administrator Guide for KBOX 1000 Series, version 3.3
215
A P P E N D I X C
Manual Deployment of KBOX Agent This appendix contains a list of tasks and commands that you can carry out using the command line interface. “Manual Deployment of KBOX Agent on Linux,” on page 217 “Manual Deployment of KBOX Agent on Solaris,” on page 219 “Manual Deployment of KBOX Agent on Macintosh,” on page 221
Manual Deployment of KBOX Agent on Linux Installing and Configuring the KBOX Agent 1. Ensure that you have kboxagent-buildnumber.i386.rpm on your computer. 2. Open the command line interface. 3. Type rpm -ivh kboxagent-buildnumber.i386.rpm, and then press ENTER. The installer creates the following directories on your computer: /KACE /KACE/bin /KACE/lib /KACE/data /var/KACE/kagentd. This directory contains the kbot_config.yaml file. 4. Type cd KACE/bin, and then press ENTER. 5. Set the name of the KBOX server by typing ./setkbox name_of_kbox_server. 6. Restart all KBOX Agent services and connect to the KBOX server by typing ./runallkbots.
Upgrading the KBOX Agent 1. Ensure that you have kboxagent-buildnumber.i386.rpm on your computer. 2. Open the command line interface. 3. Type rpm -uvh kboxagent-linux_buildnumber.rpm, and then press ENTER.
Removing the KBOX Agent 1. Open the command line interface. 2. Type rpm -e kboxagent-buildnumber.i386, and then press ENTER.
Verifying Deployment of the KBOX Agent This section describes the various tasks you can perform to manage the KBOX agent using the command line interface.
Starting and Stopping the KBOX Agent 1. Open the command line interface. 2. Type cd KACE/bin, and then press ENTER. 3. To start the KBOX agent, type ./kagentctl start, and then press ENTER. To stop the KBOX agent, type ./kagentctl stop, and then press ENTER.
Checking Whether the Agent is Running 1. Open the command line interface. 2. Type ps aux | grep kagentd, and then press ENTER.
Administrator Guide for KBOX 1000 Series, version 3.3
217
Checking the Version of the KBOX Agent 1. Open the command line interface. 2. Type cat /KACE/data/version, and then press ENTER.
Performing an Inventory 1. Open the command line interface. 2. Type sudo /KACE/bin/inventory, and then press ENTER. If you want to save the inventory results to a file, type sudo /KACE/bin/inventory > 'uname n'.txt, and then press ENTER. This command saves the inventory results to a file named yourcomputer.txt, where yourcomputer is the name of your computer.
Enabling Debugging 1. Open the command line interface. 2. Type sudo touch /var/kace/kagentd/debug_agent.tag, and then press ENTER. 3. Type sudo /etc/rc.d/init.d/kagentctl stop, and then press ENTER. 4. Type sudo /etc/rc.d/init.d/kagentctl start, and then press ENTER. The debug_agent.log file contains debug logs.
Administrator Guide for KBOX 1000 Series, version 3.3
218
Manual Deployment of KBOX Agent on Solaris Installing and Configuring the KBOX Agent 1. Ensure that you have KBOX-agent-all-buildnumber.pkg.gz on your computer. 2. Open the command line interface. 3. Type /usr/bin/gunzip KBOX-agent-all-buildnumber.pkg.gz, and then press ENTER. 4. Type /usr/sbin/pkgadd -n -d KBOX-agent-all-buildnumber.pkg all, and then press ENTER. The installer creates the following directories on your computer: /KACE /KACE/bin /KACE/lib /KACE/data /var/KACE/kagentd. This directory contains the kbot_config.yaml file. 5. Type cd KACE/bin, and then press ENTER. 6. Set the name of the KBOX server by typing ./setkbox name_of_kbox_server. 7. Restart all KBOX Agent services and connect to the KBOX server by typing ./runallkbots.
Upgrading the KBOX Agent 1. Ensure that you have KBOX-agent-all-buildnumber.pkg.gz on your computer. 2. Open the command line interface. 3. Type /etc/init.d/kagentctl stop, and press ENTER. 4. Type /usr/sbin/pkgrm -A -n KBOX-agent, and press ENTER. 5. Type /usr/bin/rm -rf /KACE/, and press ENTER. 6. Type /usr/bin/gunzip -v KBOX-agent-all*.pkg.gz, and press ENTER. 7. Type /usr/sbin/pkgadd -n -d KBOX-agent-all*.pkg all, and press ENTER. 8. Type /etc/init.d/kagentctl start, and press ENTER.
Removing the KBOX Agent 1. Open the command line interface. 2. Type /etc/init.d/kagentctl stop, and press ENTER. 3. Type /usr/sbin/pkgrm -A -n KBOX-agent, and press ENTER. 4. Type /usr/bin/rm -rf /KACE/, and press ENTER.
Administrator Guide for KBOX 1000 Series, version 3.3
219
Verifying Deployment of the KBOX Agent This section describes the various tasks you can perform to manage the KBOX agent using the command line interface.
Starting and Stopping the KBOX Agent 1. Open the command line interface. 2. Type cd KACE/bin, and then press ENTER. 3. To start the KBOX agent, type ./kagentctl start, and then press ENTER. To stop the KBOX agent, type ./kagentctl stop, and then press ENTER.
Checking Whether the Agent is Running 1. Open the command line interface. 2. Type ps ef | grep kagentd, and then press ENTER.
Checking the Version of the KBOX Agent 1. Open the command line interface. 2. Type cat /KACE/data/version, and then press ENTER.
Performing an Inventory 1. Open the command line interface. 2. Type sudo /KACE/bin/inventory, and then press ENTER. If you want to save the inventory results to a file, type sudo /KACE/bin/inventory > 'uname n'.txt, and then press ENTER. This command saves the inventory results to a file named yourcomputer.txt, where yourcomputer is the name of your computer.
Enabling Debugging 1. Open the command line interface. 2. Type sudo touch /var/kace/kagentd/debug_agent.tag, and then press ENTER. 3. Type sudo /etc/init.d/kagentctl stop, and then press ENTER. 4. Type sudo /etc/init.d/kagentctl start, and then press ENTER. The debug_agent.log file contains debug logs.
Administrator Guide for KBOX 1000 Series, version 3.3
220
Manual Deployment of KBOX Agent on Macintosh To run the commands the user must be logged in as root.
Installing and Configuring the KBOX Agent 1. Double-click KBOX Agent 3.1.buildnumber.dmg. 2. Double-click KBOX Agent.pkg. 3. In the Introduction page, and then click Continue. 4. In the Read Me page, click Continue. 5. In the Select Destination page, select the destination volume where you want to install the KBOX agent, and then click Continue. 6. In the Installation Type page, click Install. 7. In the Finish Up page, click Close. The installer creates the following directories on your computer: /Library/KBOXAgent/Home/bin /Library/KBOXAgent/Home/data /Library/KBOXAgent/Home/lib /var/kace/kagentd. This directory contains the kbot_config.yaml file. 8. Type cd Library/KBOXAgent/Home/bin, and then press ENTER. 9. Set the name of the KBOX server by typing ./setkbox name_of_kbox_server. 10. Restart all KBOX Agent services and connect to the KBOX server by typing ./runallkbots.
Upgrading the KBOX Agent 1. Double-click KBOX Agent 3.1.buildnumber.dmg. 2. Double-click KBOX Agent.pkg. 3. In the Introduction page, and then click Continue. 4. In the Read Me page, click Continue. 5. In the Select Destination page, select the destination volume where you want to install the KBOX agent, and then click Continue. 6. In the Installation Type page, click Upgrade. 7. In the Finish Up page, click Close.
Administrator Guide for KBOX 1000 Series, version 3.3
221
Removing the KBOX Agent 1. Browse to /Library/KBOXAgent. 2. Removing the KBOX Agent, you first need to Drag the KBOXAgent folder to the Trash and then kill the process ID.
Verifying Deployment of the KBOX Agent This section describes the various tasks you can perform to manage the KBOX agent using the command line interface.
Starting and Stopping the KBOX Agent 1. Open Terminal from the Applications/Utilities folder. 2. Type cd Library/KBOXAgent/Home/bin, and then press ENTER. 3. To start the KBOX agent, type ./kagentctl start, and then press ENTER. To stop the KBOX agent, type ./kagentctl stop, and then press ENTER.
Checking Whether the Agent is Running 1. Open Terminal from the Applications/Utilities folder. 2. To check if the kagentd process is running enter the command ps aux | grep kagentd, and then press ENTER. The process is running if you see the following result: root 2159 0.0 1.1 94408 12044 p2 S 3:26PM 0:10.94 /Library/KBOXAgent/Home/bin/kagentd
Checking the Version of the KBOX Agent 1. Open Terminal from the Applications/Utilities folder. 2. Type cat Library/KBOXAgent/Home/data/version, and then press ENTER.
Performing an Inventory 1. Open Terminal from the Applications/Utilities folder. 2. Type sudo Library/KBOXAgent/Home/bin/inventory, and then press ENTER. If you want to save the inventory results to a file, type sudo Library/KBOXAgent/Home/bin/ inventory > computer_name.txt. Replace computer_name with the name of your computer, and then press ENTER. This command saves the inventory results to a file named computer_name.txt, where computer_name is the computer name that you specified.
Enabling Debugging 1. Open Terminal from the Applications/Utilities folder. 2. Type sudo touch /var/kace/kagentd/debug_agent.tag, and then press ENTER. 3. Type sudo /Library/KBOXAgent/Home/bin/kagentctl stop, and then press ENTER. 4. Type sudo /Library/KBOXAgent/Home/bin/kagentctl start, and then press ENTER. The debug_agent.log file contains debug logs.
Administrator Guide for KBOX 1000 Series, version 3.3
222
Administrator Guide for KBOX 1000 Series, version 3.3
223
A P P E N D I X D
Agent Customization This appendix explains the procedure to create a self-executing zip file that includes custom installation items like non-standard path or custom server name. “Agent Customization,” on page 225
Agent Customization You can create a self-executing zip file that includes custom installation items like non-standard path or custom server name.
To create a self-executing zip that includes custom installation: 1. Copy the necessary files for your customization. You will need the following files: 7zip-v442.exe, available at \\kdisk\kace_corporate\software\7-Zip\7zip-v442.exe 7zip-v442_extra.zip, available at \\kdisk\kace_corporate\software\7-Zip\7zip-v442_extra.zip The KInstallerSetup.exe, from the client version you want to customize. This file is available at the KACE Support Website. 2. Install 7-zip. 3. Unzip the 7zip_v442_extra.zip file into the directory where the 7-zip is installed. (by default the directory is C:\Program Files\7-Zip). Ensure that the file 7zS.sfx is in the top-level directory. 7-Zip-install path is used for this location. This file is important because it has the actual executable stub for a self-extracting installer executable. 4. Start the 7-Zip File Manager from the start menu. 5. Select the KInstallerSetup.exe executable for the client version to customize using the 7-Zip File Manager. 6. Click the extract button to extract it into a directory of your choice. Keep the Current Pathnames selected in the Path mode box. The Overwrite without prompt option can be selected for the Overwrite Mode. Do not specify a password. 7. Navigate to that folder and edit the kinstaller.exe.config file with a text editor to change any settings for customization. The display_mode can have the values interactive, quiet, and silent. server_name is the hostname of the server. 8. Save your changes. Execution of the kinstaller.exe file in this directory installs with the settings as specified in the .config file. 9. Open the 7-Zip File Manager and select kinstaller.exe, kinstaller.exe.config, es-ES and install_files. 10. Click the Add button. The archive format is 7z, Create SFX archive in the options box is cleared. 11. Save the .7z file and note down the path. I'll call my file "jkboxInstaller.7z" and the path to it will be <<jkbox-installpath>> 12. Create a text file - config.txt - which includes the settings for the self-executing zip. Ensure that the file is saved with UTF-8 encoding. The file should contain the following commands, which will indicate to 7-zip that the kinstaller should run when the self-executing zip runs: ;!@Install@!UTF-8! Progress="no" RunProgram="kinstaller.exe" Directory="" ;!@InstallEnd@! 13. Open a new command-line window. 14. Execute the following command to create a self-executing file from the .7z file.
Administrator Guide for KBOX 1000 Series, version 3.3
225
15. Copy /b "<<7-Zip-install>>\7zS.sfx" + "<
Administrator Guide for KBOX 1000 Series, version 3.3
226
A P P E N D I X E
Warranty, Licensing, and Support “Warranty and Support Information,” on page 228.
Warranty and Support Information Information concerning hardware and software warranty, hardware replacement, product returns, technical support terms and product licensing can be found in the KACE End User License agreement accessible at: HTTP://WWW.KACE.COM/LICENSE/STANDARD_EULA
Administrator Guide for KBOX 1000 Series, version 3.3
228
Related Documents
Kbox Administrator Guide 3.3
August 2019 38
Administrator Guide
August 2019 35
Administrator Guide
December 2019 28
Administrator Guide
November 2019 28
Protectionls Administrator Guide
April 2020 8