The Agent configuration window (Tools >
Configuration > Agent configuration) is where you customize
device agent configurations. Use the Agent configuration
dialog box to specify the agents you want to install and the
options for those agents. You can create as many agent
configurations as you want. Only one configuration can be the
default. You can use this window to create Windows, Macintosh,
Linux, and server agent configurations.
Click the New button to create a new Windows
configuration. Click the New Mac button to create a new
Macintosh configuration.
Complete the Agent configuration
dialog box as described in the following sections. Click
Help on a page for more information.
NOTE: If you use the
Agent configuration
dialog box to create a new default agent configuration, be aware
that all devices that are configured by WSCFG32 using login scripts
will be automatically reconfigured with the new default
configuration settings the next time a user logs in, even if their
current settings match the new default settings.
The following sections describe the Agent configuration
dialog box pages.
About the Start page
The Agent configuration
dialog box's Start page contains the following options:
Configuration name: This option appears above
all dialog box pages. Enter a name that describes the configuration
you're working on. This can be an existing configuration name or a
new one. This name appears in the Agent configuration
window.
Default configuration: When selected, makes
this configuration the default configuration that gets installed
when no other configuration is specified.
Agent components to install (Standard):
Standard LANDesk agent: Installs the
standard LANDesk agent
that forms the basis of communication between devices and the core
server. This option is required. You can't disable it, but you can
customize the components associated with it. (Note that the
security scanner is automatically installed with the standard
LANDesk agent, but you
configure it with the options on the security and patch scan page
below.)
Custom data forms: Presents a form to users
for them to complete. You can query the core database for the data
users enter. Use this to retrieve customized information from users
directly.
Remote control: Lets you take control of a
device or server from across the network. Minimizes the time it
takes to resolve customer issues from a centralized help desk. Use
this to provide remote management of devices across the
LAN/WAN.
Power Management:
Power Management: Allows you to control the
power consumption on your managed computers from a central
location. You can easily create and deploy power management
policies and generate reports to evaluate financial and power
savings. You control the conditions under which computers and
monitors stand by, hibernate, or power down. However, users can
delay specific power management actions using a client-side user
interface to ensure that unsaved data is protected.
Distribution:
Software distribution: Automates the process
of installing software applications or distributing files to
devices. Use this to install applications simultaneously to
multiple devices or to update files or drivers on multiple
devices.
Security:
LANDesk Antivirus: Installs the
Antivirus agent on managed devices. Antivirus uses the security
scanner (installed with the standard LANDesk agent) to scan for and
identify viruses on managed devices, and to provide options for
handling infected files and folders. Administrators download virus
definition updates and configure virus scans at the console,
including how the Antivirus client displays on managed devices and
which options are available to the end user. You must first select
the Antivirus agent check box on the Agent configuration's
Start page in order to configure the Antivirus page
under Security.
Endpoint Security: Installs the Endpoint
Security agent on managed devices. Endpoint Security protects your
managed devices from zero-day attacks, firewall intrusions, and
unauthorized device connections. Endpoint Security services
comprise three separate and complementary components: HIPS,
Firewall, and Device Control.
Real-time Inventory and Monitoring:
Provides several methods to monitor a device’s health status.
While alert rulesets are defined at the Core Server Console and
deployed to multiple devices, on individual devices you can define
performance monitoring counters to monitor specific performance
issues.
Baseline components: Installs an agent that
monitors system hardware such as fan speeds, disk space, and
overall temperature of the device.
Extended components: Installs an agent that
monitors system processes, services, and overall performance.
Other options:
Select all: Selects all available agents in
the Agents to install list.
Clear all: Clears all available agents in the
Agents to install list, except for the Standard
LANDesk agent,
which is mandatory.
Defaults: Selects all agents in the Agents
to install list, except for the security agents.
Perform full Inventory scan during
installation:
After this configuration is installed on clients, do a full
inventory scan. The default is checked.
Show start menu on end user device: When
checked, creates Windows Start menu entries for installed agents
that have a user interface. Clearing this option installs the
agents but doesn't create any Start menu entries.
Temporary install directory: Specifies the
temporary folder used on managed devices during agent installation.
This folder must be writeable for agent installation to
succeed.
Deploying the standard LANDesk agent
All Management Suite
components require the standard LANDesk agent (formerly known as
CBA), which is installed by default on all device installations.
Among other things, the standard LANDesk agent provides device
discovery and manages core server/device communication.
By default, the standard agent includes the LANDesk Security Suite
security scanner.
Use the Standard LANDesk agent pages to configure
the Standard LANDesk
agent, which includes these components and settings:
Inventory scanner
Local scheduler
Bandwidth detection
Device reboot options
About the Standard LANDesk agent page
Use this page to configure certificate-based security and what
scope devices using this configuration will have.
Trusted certificates
Select the core server certificates you want devices to accept.
Devices will only communicate with cores and consoles they have
certificates for. For more information on certificates and copying
them from other core servers so you can select them here, see
Agent security and trusted
certificates.
Below the trusted certificates box you can modify the core
server that devices using this agent configuration will communicate
with. By default, this box contains the current core server. The
core name can either be a Windows computer name, an IP address, or
fully-qualified domain name. A fully-qualified domain name for a
core may be necessary if you'll be pushing agent configurations to
devices in multiple domains or anytime a device can't resolve the
core name unless it is fully-qualified. Managed devices will use
the information you enter here to communicate with the core server,
so make sure the name you enter is resolvable from all devices that
will receive this configuration.
The core name you enter here as part of an agent configuration
is added to a device's registry under:
HKLM\Software\Intel\LANDesk\LDWM\CoreServer
Once you've selected trusted certificates, and changed the core
name if necessary, you can test them. When you click Test, a
message box appears indicating whether the device name or IP
address you entered was resolvable. Note that the Test
button doesn't ping the device you entered or verify that the name
or IP address belongs to a core server.
Location (scope)
If you want devices to be included in scopes that are based on
custom directories, enter a directory path in the Path
field. The path you enter here defines the device's computer
location inventory attribute. Scopes are used by Management Suite role-based
administration to control user access to devices, and can be based
on this custom directory path.
Custom directory paths use a format that's similar to a file
path, but with forward slashes as separators. If you want to use
custom directory-based scopes, first decide how you want to
categorize your devices for role-based administration. You might
categorize devices by geographic locale, department or group name,
or any other organizational detail you prefer.
Directory paths you enter here as part of an agent configuration
are added to a device's registry under:
You don't have to fill in this field. If you leave it blank, the
device's computer location attribute is defined by its Active
Directory or eDirectory path.
When the inventory scanner is run on a device, it records the
device's computer location inventory attribute. If you entered a
custom directory path in the Path field, that path is the
directory the scanner records. If you left the custom directory
path blank, the scanner tries to populate the computer location
inventory attribute with the device's Active Directory or NetWare
eDirectory path. If neither a custom directory path nor an
LDAP-compliant directory is found, the computer location attribute
isn't defined. However, the device can still be accounted for in
either query scopes or device group scopes.
For more information on how scopes are used in Management Suite role-based
administration, and how you can define a scope using custom
directory paths, see Role-based administration.
About the Inventory scanner page (under Standard LANDesk agent)
The Agent configuration
dialog box's Inventory scanner page contains the following
features:
Manual update: The software list used to
exclude titles during software scans is downloaded to each remote
device. Each time the software list is changed from the console,
you must manually resend it to remote devices.
Automatic update: Remote devices read the
software list from the core server during software scans. If this
option is set, each device must have a drive mapped to the ldlogon
directory on the core server so they can access the software list.
Changes to the software list are immediately available to devices.
Update using HTTP: Beginning with Management Suite 8, the inventory
scanner can use HTTP for LdAppl3.ini file transfers. This allows
the scanner to support Targeted Multicast features like polite
bandwidth and peer download. Peer download allows devices needing
Ldappl3.ini updates to check with the core server for the latest
version's date, then broadcast to peers on their subnet to see if a
peer has the update in its multicast cache. If a peer has the
update, the file transfer happens on the local subnet without
generating network traffic across routers or WAN links.
Run Inventory Scans:
Event-driven scans: Configures the inventory
scanner schedule on the managed device. By default the scan is set
for once a day to scan the device and report back to the core
server.
When user logs in: Runs the inventory scanner
when the user logs into the managed device.
Max random delay: Specifies a time range
during which the task may run. This delay allows tasks that run on
login to not run all at the same time, assuming the delay interval
is long enough.
When IP address changes (mini scan only): The
IP address trigger only sends a mini scan to the core server, which
makes the inventory update much faster when the IP address changes.
Change settings: Changes settings and
configures a custom schedule based on time, day of week, or month,
whether a user is logged in, on IP address changes, and available
network bandwidth. The default schedule is to run a scan every day
with a random delay of up to one hour.
About the Local scheduler page (under Standard LANDesk agent)
The local scheduler agent enables Management Suite to launch device
tasks based on a time of day or bandwidth availability. The local
scheduler agent is most useful for mobile computers that may not
always be on the network or may connect to the network via a
dial-up connection. For example, you can use the local scheduler to
allow mobile computer package distribution only when those devices
are on the WAN.
When you schedule software packages for distribution, or when
you create application policies, you can specify which bandwidth
the packages or policies require before they are applied.
The local scheduler runs as a service on Windows devices.
The Local scheduler page contains the following
features:
Frequency at which the agent polls the local
registry for tasks: How often the local scheduler checks for
tasks. The default is 10 seconds. The polling interval you select
is stored on the local computer.
Bandwidth detection frequency: How often the
local scheduler should check bandwidth. The default is 120 seconds.
Bandwidth checks happen only when there's a pending scheduled
task.
About the Alerting page (under Standard LANDesk agent)
Alert rulesets define which events require immediate action or
need to be logged for your attention. A ruleset contains a
collection of alert rules, each of which has a corresponding alert
action. When you define an alert ruleset you can deploy it to one
or more devices to monitor the items that are important for that
kind of device.
You can deploy one of the predefined rulesets or you can deploy
rulesets you've created inside the alerting tool.
The Alerting page contains the following features:
Add: Click Add to add an existing
ruleset to the Selected alert ruleset list. Rulesets in this
list will be deployed to devices receiving this agent
configuration.
Remove: Click a ruleset and click
Remove to remove it from the Selected alert ruleset
list.
About the Bandwidth detection page (under Standard LANDesk agent)
Bandwidth detection enables bandwidth detection between devices
and the core server. You can limit Management Suite actions such as
software distribution based on available bandwidth. Use this option
if you have remote devices or devices that connect to the network
via a slow link.
The Agent configuration
dialog box's Bandwidth detection page contains the following
features:
Choose bandwidth detection method: Select
whether to use ICMP or PDS for bandwidth detection. ICMP sends ICMP
echo requests of varying sizes to the remote device and uses the
round trip time of these echo requests/responses to determine the
approximate bandwidth. ICMP also distinguishes between LAN (high
speed) and WAN (slow, but not dial-up) connections. However, not
all routers or devices support ICMP echo requests.
If your network isn't configured to allow ICMP echo requests, you
can select PDS. The PDS bandwidth tests aren't as detailed, but
they detect either a LAN or a low-bandwidth RAS (typically dial-up
connection). The PDS method only works if the PDS service is
running on the package server. You can install this service by
deploying the standard LANDesk agent to the package
server.
LAN threshold, in bits per second: The
threshold that classifies a connection as WAN rather than LAN. The
default is 262144 bps.
About the Device reboot options page (under Standard LANDesk agent)
Once you install Management
Suite agents on devices, they may need a reboot to complete
the agent configuration. The Agent configuration
dialog box's Device reboot options page contains the
following features:
Do not reboot devices after configuration:
Devices won't reboot, even if the selected components require a
reboot. If a reboot is necessary, components won't work correctly
until the device reboots.
Reboot devices if necessary: Reboots devices
only if a selected component requires a reboot.
Reboot with user option to cancel: If a
selected agent requires a reboot, users will have the option to
cancel the reboot. If a reboot is necessary, components won't work
correctly until the device reboots. You can select how long the
reboot prompt stays on the user's screen before the computer
reboots. This timeout is useful for users that are away from their
computers when the device deployment happens.
Allow user to cancel reboot within this time
period: If you want to give users a chance to cancel the reboot
before it happens automatically, enter how long you want the reboot
prompt to appear.
About the Software usage monitoring page (under Standard
LANDesk agent)
The Software usage monitoring page is used to track usage
statistics for Software License Monitoring. This feature collects
information on three types of data: usage statistics from software
license monitoring, additional inventory information, and
application blocking capabilities.
The Software usage monitoring page contains the following
options:
Monitor software usage: Enables tracking of
software through software licensing monitoring, inventory scans,
and application blocking through the application blocker
feature.
Deploying custom data forms
You can create and distribute custom data forms to collect
device information that will supplement the standard information
available in the core database. The forms you create using the form
designer can be distributed by a device deployment service or by
using the Agent configuration
dialog box.
Customize the forms that are distributed to devices in your
management domain using the form designer. For more information,
see Using custom data forms.
About the Custom data Forms page
The custom data forms section consists of two pages. The
Custom data forms page contains the following features:
Manual update forms: Selected forms are sent
to each device. If the forms change or new forms are added, you
must manually resend the forms to remote devices.
Automatic update: Remote devices check the
core server for updated forms each time the inventory scanner is
run, such as at startup. Each device must have a drive mapped to
the ldlogon directory on the core server to access the updated
forms.
Display forms to end user: Choose how remote
devices access custom forms:
On startup: The selected forms run
automatically at startup on each device.
When inventory scanner runs: The selected
forms run only when the inventory scanner is run on each device.
The inventory scanner runs automatically on startup, and can be run
manually by devices at any time.
When launched from the LANDesk program folder: The
selected forms appear as items in the device's LANDesk Management folder. They
aren't automatically run.
About the Agent configuration dialog box's Forms sent with
agent page
The Forms sent with
agent page lists all defined custom data forms. Select which
forms are made available to devices receiving this configuration
task. You'll have to create forms (Tools > Configuration
> Custom Data Forms) before they can appear in this
list.
Deploying software distribution
Software distribution automates the process of installing
software applications and distributing files to devices. Use this
agent to install applications simultaneously to multiple devices or
to update files or drivers on multiple devices.
Software distribution uses a Web or file server to store
packages. Devices access this package server when downloading a
package. You'll need to configure a package server as described in
the software distribution chapter in the User's Guide. You can deploy
the software distribution agent to devices before you set up a
package server. For more information, see Software
distribution.
About Software distribution page
The Agent configuration
dialog box's Software distribution page contains the
following features:
Client destination:
The location where deployed virtualized applications are stored on
managed devices. This option has no effect if you aren't
distributing virtualized applications created with the LANDesk Application Virtualization
add-on.
Enable LDAP group targeting: Allows virtual
access to virtual applications to be assigned to specific OUs or
groups from an Active Directory.
About the Policy options page (under Software distribution)
The policy-based distribution agent enables you to automatically
install sets of applications on groups of devices. Use this agent
to manage groups of devices that have common software needs.
The LANDesk software
deployment portal runs on managed devices and shows available
software for that managed device. To display available software,
the software deployment portal needs to get policy information
periodically from the core server. Policy updates happen when:
A user launches the LANDesk software deployment portal
from the Windows Start menu.
At logon if the run at logon LANDesk software deployment
portal option is selected.
At logon if the run at logon Update policy
information from core option is selected.
At the local scheduler interval you specify when you
click the Change settings button. By default, managed
devices use the local scheduler to get policy updates once a
day.
The Policy options page contains the following
features:
When user logs on: If checked, the managed
device updates policy information after a user logs on. The Max
random delay lets the user delay the update by the time entered
(in hours).
When IP address changes: If selected, the
managed device updates policy information when the IP address
changes.
Change settings: Use this to change how often
and when the local scheduler will look for policy updates. This
schedule is in addition to any of the run at logon options you
select.
About the LaunchPad page (under software distribution)
Use this page to configure what LaunchPad customization end
users can do. The LaunchPad organizes links to deployed software on
managed devices. Deployed software can be local, hosted, or
just-in-time installed applications. The LaunchPad page contains
the following features:
Allow users to size LaunchPad panes:
Lets users move and resize the panes.
Allow users to move and dock LaunchPad panes:
Lets users dock panes in any part of the desktop.
About the Portal page (under software distribution)
The Portal page lists all software distribution package tasks
that have been distributed using a policy-based delivery method.
Use this page to customize the Portal window's appearance.
A policy-based delivery method behaves differently from a push
in that it requires the managed device to initiate the request for
the policies. This means the package isn't pushed to the device
from the core server, but its details are stored in the database on
the core server until the managed device queries the core server
for any policy-based software distribution tasks assigned to it.
When the portal is opened it automatically launches the policy sync
tool to update its list with any new tasks that have been assigned
to the managed device.
The Portal page contains the Optional columns and
Display columns and order for Application fields. These
fields are used to lay out the options for customizing additional
information about all packages in the LANDesk Desktop Manager
Software Deployment Portal window on the managed device. The
Software Deployment Portal window contains the Available and
History tabs that are set up in the Agent configuration
Portal page. The Optional columns field lets you
arrange the Application and History columns that
appear on the tabs and group the information in a logical way.
The Portal page contains the following features:
Application: Displays packages that are
currently listed for optional or recommended user initiated
software deployment.
History: Displays all packages that have been
already attempted or installed through a policy using the
portal.
Optional columns: The columns that appear in
the Application and History tabs on the LANDesk
Desktop Manager Software Deployment Portal window on the managed
device.
Size: Displays the physical size of the
package to inform the user before proceeding with the download of a
large application.
Group: Allows LANDesk administrators to
specify a group for applications in each individual distribution
package task, which enables the end user to sort the application
list by, for example, type of application, vendor, or category.
Groups are assigned in each individual software distribution
scheduled task.
Description: Displays the description from the
properties of the distribution package.
Status: Indicates whether the installation was
successful or failed.
Last Run: Indicates the date and time of the
last attempt to install the package.
Type: Indicates whether the package is
required, recommended, or optional.
Display columns and order for
Application/History: Displays the default columns in the
Application and History tabs on the LANDesk Desktop Manager
Software Deployment Portal window on the managed device. The
default list contains the following:
Name (required): Displays the name of the
distribution package.
Description (optional)
Status (optional)
Last Run (optional)
Type (optional)
Use the Up and Down buttons to
rearrange the order in which the columns appear.
Deploying remote control
When deploying remote control, you need to consider which
security model you want to use. You have these choices:
Local template: This is the most basic
security that uses whatever remote control settings are specified
on the device. This model doesn't require any other authentication
or group membership.
Windows NT security/local template: This
security model uses a Windows NT Remote Control Operators group.
Members of this group are allowed to remote control devices.
Permitted users still use the device's remote control settings,
such as permission required.
Integrated security: This is the most secure
option and is the default. Integrated security is described in the
next section.
About Integrated security
Integrated security is the new default security model. Here's an
outline of the integrated security remote control communication
flow:
The remote control viewer connects to the managed
device's remote control agent, but the agent replies that
integrated security authentication is required.
The viewer requests remote control rights from the
core server.
The core server calculates remote control rights
based on the viewer's scope, role-based administration rights, and
Active Directory rights. The core server then creates a secure
signed document and passes it back to the viewer.
The viewer sends this document to the remote control
agent on the managed device, which verifies the signed document. If
everything is correct, the agent allows remote control to
begin.
WARNING: Integrated security requires the core server.
With integrated security remote control, if the core server isn't
available, consoles won't be able to remote control devices.
Integrated security remote control requires the core server to
work.
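The four-step flow above, modelled end to end as an added example; this is not LANDesk code. The document layout, the Ed25519 signature, the five-minute lifetime, the device binding, and every identifier are assumptions made for illustration, because the page does not describe the real document format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

var ( // illustrative refusal reasons
	ErrAuthRequired = errors.New("integrated security authentication required")
	ErrBadSignature = errors.New("document not signed by the trusted core")
	ErrWrongDevice  = errors.New("document was issued for another device")
	ErrExpired      = errors.New("document has expired")
	ErrNotGranted   = errors.New("requested right is not in the document")
)

// RightsDoc is an assumed layout for the signed document, not the real format.
type RightsDoc struct {
	Viewer, Device string
	Rights         []string
	Expires        time.Time // assumed: documents are short-lived
}

// SignedDoc is what the core returns to the viewer: the JSON body exactly as
// signed, plus an Ed25519 signature over it (assumed scheme).
type SignedDoc struct{ Body, Sig []byte }

// Core stands in for the core server and holds the signing key.
type Core struct{ priv ed25519.PrivateKey }

func NewCore() (*Core, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Core{priv: priv}, nil
}

// Issue is steps 2 and 3. The rights argument stands in for what the core
// calculates from scope, role-based administration and Active Directory.
func (c *Core) Issue(viewer, device string, rights []string, now time.Time) (*SignedDoc, error) {
	body, err := json.Marshal(RightsDoc{viewer, device, rights, now.Add(5 * time.Minute)})
	if err != nil {
		return nil, err
	}
	return &SignedDoc{Body: body, Sig: ed25519.Sign(c.priv, body)}, nil
}

// Agent stands in for the remote control agent on a managed device.
type Agent struct {
	name    string
	coreKey ed25519.PublicKey // plays the role of a trusted core certificate
}

func NewAgent(name string, trusted *Core) *Agent {
	return &Agent{name: name, coreKey: trusted.priv.Public().(ed25519.PublicKey)}
}

// Authorize is steps 1 and 4. The signature is verified before the body is
// parsed, so no field of an unauthenticated document is acted on.
func (a *Agent) Authorize(doc *SignedDoc, right string, now time.Time) error {
	if doc == nil {
		return ErrAuthRequired // step 1: the viewer arrived without a document
	}
	if !ed25519.Verify(a.coreKey, doc.Body, doc.Sig) {
		return ErrBadSignature
	}
	var rd RightsDoc
	if err := json.Unmarshal(doc.Body, &rd); err != nil {
		return err
	}
	if rd.Device != a.name {
		return ErrWrongDevice // a document for one device is useless on another
	}
	if !now.Before(rd.Expires) {
		return ErrExpired
	}
	for _, r := range rd.Rights {
		if r == right {
			return nil
		}
	}
	return ErrNotGranted
}

func main() {
	core, err := NewCore()
	if err != nil {
		panic(err)
	}
	agent, now := NewAgent("PC-01", core), time.Now()
	doc, _ := core.Issue("alice", "PC-01", []string{"remote-control", "chat"}, now)
	fmt.Println("no document:", agent.Authorize(nil, "chat", now))
	fmt.Println("signed document:", agent.Authorize(doc, "chat", now))
	fmt.Println("ungranted right:", agent.Authorize(doc, "file-transfer", now))
}
```

Because the agent accepts only documents signed with the core's key, a viewer that cannot reach the core has nothing valid to present, which matches the warning above.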
Using Windows NT security/local template with Windows XP
devices
For Windows NT security/local template authentication to work
with Windows XP devices, you must configure devices so that the
Windows XP sharing and security model for local accounts is classic
(local users authenticate as themselves). If you don't do this, the
default guest-only authentication won't work with remote control's
Windows NT security.
To set the Windows XP security model to classic
On the Windows XP device, click Start > Control
Panel.
In the Administrative Tools, Local Security
Policy applet, click Security Options > Network access:
Sharing and security model for local accounts, and set it to
Classic - local users authenticate as themselves.
About the Remote control page
The Agent configuration
dialog box's Remote control page contains the following
features:
Local template: Uses only the local device
simple permissions set from the remote control Permissions
page.
Windows NT security/local template: Allows
only members of the Remote Control Operators group to initiate
remote control connections from the console to remote devices.
Permitted users are still required to use the permissions set from
the Remote Control Settings page of this dialog box.
Since the Remote Control Operators group is a local group, each
device has its own copy of the group. To avoid managing each
device's Remote Control Operators group individually, include
global (domain level) groups with each local group.
Permitted users still use the device's remote control settings,
such as permission required.
Integrated security: This is the default
security model and is described earlier in this section. Permitted
users are still required to use the permissions set from the
Permissions page.
Adding users to the Remote control operators group and the View
only group
If you select Windows NT security/local template as your
security model, the Remote control operators group and
View only group boxes list the users for the console or for
the selected Windows NT domain. The users you select here will have
remote control access to the devices that receive the settings
defined in this configuration settings file. View only group
users can only view remote devices. They can't take over the mouse
or keyboard.
When adding users to one of the remote control groups, the
console uses the logged-on user's Windows credentials, not the
LANDesk console user's
credentials, to list the users in a domain. If the List users
from box isn't showing the domain you want, log in to Windows
as a user with rights on that domain.
To choose from an existing server or domain
In the Remote control page, click Windows
NT security/local template and click the Add
button.
In the List names from box, select either the
core server name or a Windows NT domain name containing user
accounts.
In the user list, select one or more users and click
Insert to add them to the Inserted names list.
Click OK to add the selected names to the
Remote Control Operators group on each device that receives these
configuration settings.
If you want any of these users to be in the View
only group, select them and move them over. Users can only be
in one group.
To manually enter names
You can enter names manually by clicking in the Inserted
names list and using any of the following formats to enter
names. Use semicolons to separate names.
DOMAIN\username where DOMAIN is the name of
any domain accessible to the target device.
MACHINE\username where MACHINE is the name of
any device in the same domain as the target device.
DOMAIN\groupname where DOMAIN is the name of
any domain accessible to the target device, and groupname is the
name of a management group in that domain.
MACHINE\groupname where MACHINE is the name of
any device in the same domain as the managed node, and groupname is
the name of a management group on that device.
If you don't specify a domain or device name, it is assumed that
the user or group specified belongs to the local device.
Click OK to add the names to the Remote Control Operators
user group on the target device.
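An added example (not part of the product or its documentation) that parses an Inserted names list in the formats above and flags entries worth reviewing before the configuration is deployed: malformed items, names with no DOMAIN or MACHINE prefix (which belong to the local device), and names placed in both groups. The function names and the sample lists are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Entry is one parsed name. The syntax alone cannot tell a domain from a
// machine or a user from a group, so only two parts are kept.
type Entry struct {
	Qualifier string // DOMAIN or MACHINE; empty means the local device
	Name      string // user or group name
}

func (e Entry) String() string {
	if e.Qualifier == "" {
		return e.Name
	}
	return e.Qualifier + `\` + e.Name
}

// ParseNames splits a semicolon-separated list and returns the well-formed
// entries plus any items that match none of the documented formats.
func ParseNames(list string) (entries []Entry, malformed []string) {
	for _, raw := range strings.Split(list, ";") {
		item := strings.TrimSpace(raw)
		if item == "" {
			continue
		}
		parts := strings.Split(item, `\`)
		switch {
		case len(parts) == 1:
			entries = append(entries, Entry{Name: item})
		case len(parts) == 2 && parts[0] != "" && parts[1] != "":
			entries = append(entries, Entry{Qualifier: parts[0], Name: parts[1]})
		default:
			malformed = append(malformed, item)
		}
	}
	return entries, malformed
}

// Audit reviews the operators and view-only lists and returns sorted findings.
func Audit(operators, viewOnly string) []string {
	groups := []struct{ name, list string }{
		{"Remote control operators", operators},
		{"View only", viewOnly},
	}
	seen := map[string]string{} // normalised entry -> group it first appeared in
	var findings []string
	for _, g := range groups {
		entries, malformed := ParseNames(g.list)
		for _, m := range malformed {
			findings = append(findings, fmt.Sprintf("malformed: %s (%s)", m, g.name))
		}
		for _, e := range entries {
			// Windows account names are case-insensitive.
			key := strings.ToLower(e.String())
			switch first, dup := seen[key]; {
			case !dup:
				seen[key] = g.name
			case first != g.name:
				// The page states that a user can be in only one group.
				findings = append(findings, "in both groups: "+e.String())
			default:
				findings = append(findings, fmt.Sprintf("duplicate: %s (%s)", e, g.name))
			}
			if e.Qualifier == "" {
				// No prefix: the name is taken to belong to the local
				// device, so it can mean a different account on each one.
				findings = append(findings,
					fmt.Sprintf("local to each device: %s (%s)", e.Name, g.name))
			}
		}
	}
	sort.Strings(findings)
	return findings
}

func main() {
	// Constructed sample lists, not taken from a real configuration.
	operators := `CORP\HelpDesk; CORP\alice; bob; LAB-07\svc; CORP\\eve`
	viewOnly := `corp\Alice; CORP\Auditors`
	for _, f := range Audit(operators, viewOnly) {
		fmt.Println(f)
	}
}
```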
About the Permissions page (under Remote control)
The Remote control section's Permissions page
contains the following features:
Remote control: Grants permission to control
the device.
Chat: Grants permission to chat with the
device.
File transfer: Grants permission to transfer
files to and from the device's local drives.
Draw: Grants permission to use the viewer
window's drawing tools on the device.
Reboot: Grants permission to reboot the
device.
View only: Remote control operators can only
view the device; they can't interact with it remotely.
Run programs on remote device: Grants
permission to run programs on the device.
Specify remote control settings: Configures
and sets up permissions for remote control users. Customized
messages can be created when asking for permissions to perform the
different commands that remote control offers.
Close inactive session after: Allows the
remote session to disconnect automatically due to inactivity. If a
value of 0 is entered, the console won't automatically disconnect
the remote session due to inactivity.
End user must grant permission for remote control
session: Requires a user who is logged on to a remote control
managed device to respond affirmatively to the request before
control of their managed device is taken.
Only when the user is logged on: Prompts the
user currently logged on for permission. If nobody is logged on,
remote control doesn't require permission.
Ask permission to use all features at one
time: Allows permissions to be required once per session as
opposed to requiring permission for each feature (file transfer,
remote execute, etc.). If this check box is selected, the user is
prompted for permissions only once during the remote control
session, regardless of the processes that are performed.
Display a custom message: Prompts the user
with a custom message created here for permission to do one of the
following:
Remote control
Chat
Remote execute
File transfer
Reboot
All permissions
Close permission message box after: Sets the time
(in seconds) the user has to accept or deny permission on the managed
device. This is a configurable time setting for how long the
permission window remains open when asking permission to remotely
control a managed device.
About the Indicators page (under Remote control)
The Remote control section's Indicators page
contains the following features:
Floating desktop icon: Displays the remote
control agent icon on the device screen at all times or only when
being remotely controlled. When being controlled by the console,
the icon changes to show a magnifying glass and the icon's title
bar turns red.
System tray icon: Places the remote control
agent icon in the system tray. Again, the icon can be visible all
the time or only while being remotely controlled.
Use mirror driver:
Selected by default, this option uses the remote control mirror
driver on devices for faster remote control performance.
Use screen blanking driver: Selected by
default, this option uses a special driver that can tell the target
device's display driver to turn off the monitor. When active, this
driver filters commands going to the real display driver to prevent
them from turning the monitor back on. Remote control operators can
turn screen blanking on or off from the remote control viewer
application. If you're having compatibility problems with this
driver, you can clear the check box to use a more compatible but
possibly less effective mode of screen blanking. If you don't use
the screen blanking driver, the alternative mode of screen blanking
may cause some screen flicker on the target device during remote
control. This option requires the mirror driver.
Lock the remote control computer when the session
ends: Locks the managed device to secure mode whether the user
is logged in or not.
Deploying Security services
The security scanner (patch and compliance scanner) is installed
by default with the standard LANDesk agent. However, you need to
use the options on the specific Security and patch scan page when
creating device agent configurations in order to configure certain
aspects of how and when the security scanner runs on managed
devices. You can also enable and configure custom variable override
settings, frequent security scans, real-time spyware, and
application blocking.
The security scanner allows you to scan managed devices for
known OS and application vulnerabilities and other security risks,
such as spyware, viruses, unauthorized applications, software and
driver updates, system configuration security threats, custom
security definitions, and more. The content of your security scan
depends on your Security
Suite content subscription and which security type
definitions you've downloaded. You can also remediate detected
problems via autofix, repair tasks, and repair policies. For
details on these procedures, see Patch and Compliance.
Information about the following security-related pages can be
found below.
Use this page to configure how the security scanner (i.e., patch
and compliance scanner) is launched and how it behaves on managed
devices with this agent configuration. (NOTE: You can also
run security scans as scheduled tasks and policies from the
console, or manually at a managed device.)
This page contains the following options:
Event-driven scan:
When user logs in: Places the security scanner
in the Windows registry's run key which causes the scanner to
launch whenever a login occurs on managed devices with this agent
configuration.
Schedule-driven scan:
Change settings: Opens the Schedule
security and patch scan
dialog box, where you can configure scheduling settings for
security scans that are launched by the local scheduler. The local
scheduler automatically launches a security scan on a recurring
basis, at the earliest opportunity within the time period and
restrictions you specify. You can also configure options for
running the security scanner when a device meets certain
conditions, such as: only when a user is logged in, only if a
specified minimum bandwidth is available, and any time a device's
IP address changes. Once you've configured these scheduling
settings for the security scanner, simply click Save to
return to the main page where the scheduling criteria now
appear.
Global settings: Applies to all devices with
this agent configuration, overriding task-specific settings.
Never reboot: Ensures devices with this agent
configuration won't reboot when the security scanner is running.
This is a global setting for all devices with this agent
configuration, which means it overrides any end user reboot
settings that are applied to either a security scan or repair task.
In other words, regardless of the end user reboot settings used by
a security task, this global setting will take precedence. Check
this option if you know you don't want devices to reboot during any
security scanner operation, and leave it clear if you want to be
able to configure the reboot options with the Patch and Compliance
tool.
Never autofix: Ensures devices with this agent
configuration won't allow a security and patch scan to perform an
autofix when remediating detected vulnerabilities, even if the
vulnerability has autofix enabled. As a global setting for all
devices with this agent configuration, this setting overrides any
end user autofix setting you've applied to a security scan task.
Use this setting if you want to guarantee that devices can't have
detected vulnerabilities automatically remediated by a security
scan.
Scan and repair settings: Determines the
information displayed by the security scanner on managed devices,
end user interaction, reboot operation, and content settings when
the scanner is launched on managed devices with this agent
configuration by the method selected above (run key during login,
local scheduler, or both). Select a scan and repair setting from
the drop-down list to apply it to the configuration you're
creating. You can also click Configure to create and apply a
new scan and repair setting or to edit an existing one.
About the Custom Variables page
Use this page to assign a custom variable override setting to
devices with this agent configuration.
The security scanner can utilize custom variables (editable
values included in certain security types' definitions) to scan for
and modify specific settings, and to implement standard system
configuration settings to managed devices. You can change the value
of a setting and select whether to override the current value with
the new value, and then use this agent configuration to apply the
configuration to target devices. In some situations you may want to
ignore a custom variable setting, or in other words create an
exception to the rule. Custom variable override settings let you
decide which custom variables to essentially ignore when scanning
devices so that they are not detected as vulnerable and are not
remediated even if they meet the actual conditions of a
definition's detection rules.
A custom variable override setting is not required with an agent
configuration.
You can select an existing setting from the Custom variable
settings
list, click Configure to create a new setting, or leave the
field blank.
This page contains the following options:
Custom Variable settings: Specifies custom
variable override settings used on target devices when they're
scanned for security definitions that include custom variables
(such as security threats and viruses). Custom variable override
settings let you specify setting values you want to ignore or
bypass during a security scan. This is very useful in situations
where you don't want a scanned device to be identified as
vulnerable according to a definition's default custom variable
settings. Select a setting from the list. From the list, you can
also remove the custom variable override settings from target
devices. The Remove custom variable settings option lets you
clear a device so that custom variable settings are in full effect.
Click Edit to modify the options for the selected setting.
Click Configure to create a new setting. For more
information, see About the Custom variable
override settings dialog box.
About the Frequent Security Scan page
Use this page to enable and configure a recurring security scan
for a specific collection of high-risk vulnerabilities or other
security definitions on devices with this agent configuration. A
frequent security scan is useful if you need to regularly scan
devices for particularly aggressive and harmful security
attacks.
NOTE: Group scans only
Frequent security scans are based on the security definitions
contained in a group you've selected from predefined security
content groups.
This page contains the following options:
Use the frequent security scanner: Enables a
frequent security scan on devices with this agent
configuration.
Scan only when a user is logged in: Restricts
the frequent security scan so that it runs only if a user is logged
into the target device.
Every: Specifies the time interval for the
frequent security scan.
Choose a scan and repair setting: Specifies
the scan and repair settings that control the security scanner for
frequent security scans. Scan and repair settings determine whether
the security scanner displays on devices while running, reboot
options, and user interaction. The setting you select must be
configured to scan a group, not a type. You can also click
Configure to create a new scan and repair setting that is
associated with a group.
About the LANDesk Antivirus page
Use this page to select an antivirus setting that applies to
devices with this agent configuration, and to select whether to
remove any existing antivirus products from those devices when they
are configured.
In order to select an antivirus setting, you must first select
the LANDesk
Antivirus agent's check box on the Start page.
Antivirus settings let you control how the antivirus scanner
operates on target devices. You can define antivirus scan
parameters such as files and folders to be scanned or excluded,
manual scans, real-time scans, scheduled scans, quarantine and
backup options, virus pattern file update options, and the
information and interactive options that display on end user
devices during the antivirus scan.
NOTE: Deploying LANDesk Antivirus to
devices that already have an antivirus product installed
If another antivirus product is installed on target devices, you
can have it removed automatically during agent configuration by
selecting the
Remove existing antivirus product option. If
you choose not to remove the other antivirus product during agent
configuration, LANDesk
Antivirus is disabled until you manually remove the other product.
However, you can still deploy the service to target devices.
Remove existing antivirus product:
Automatically removes other antivirus software that might
already be installed on devices before installing LANDesk Antivirus. (NOTE:
You can also remove existing antivirus software from managed
devices when creating an Install or update Antivirus
task.)
LANDesk Antivirus settings:
Antivirus settings determine whether the Antivirus icon appears in
the device system tray, availability of interactive options to end
users, e-mail scan and real-time protection enabling, file types to
scan, files and folders to exclude, infected file quarantine and
backup, scheduled antivirus scans, and scheduled virus definition
file updates. Select a setting from the list. Click
Configure to create a new setting.
About the Spyware page
Use this page to enable real-time spyware detection and
notification on devices with this agent configuration.
Real-time spyware detection checks only for spyware definitions
that reside in the Scan group, and that have autofix turned
on. You can either manually enable the autofix option for
downloaded spyware definitions, or configure spyware definition
updates so that the autofix option is automatically enabled when
they are downloaded.
Real-time spyware detection monitors devices for newly launched
processes that attempt to modify the local registry. If spyware is
detected, the security scanner on the device prompts the end user
to remove the spyware.
This page contains the following options:
Enable real-time spyware blocking: Turns on
real-time spyware monitoring and blocking on devices with this
agent configuration.
NOTE: In order for real-time spyware scanning and detection
to work, you must manually enable the autofix feature for any
downloaded spyware definitions you want included in a security
scan. Downloaded spyware definitions don't have autofix turned on
by default.
Notify user when spyware has been blocked:
Displays a message that informs the end user that a spyware program
has been detected and remediated.
If an application is
not recognized as spyware, require user's approval before it can be
installed: Even if the detected process is not recognized as
spyware according to the device's current list of spyware
definitions, the end user will be prompted before the software is
installed on their computer.
About the Application Blocker page
Use this page to enable real-time unauthorized application
blocking and notification. Real-time application blocker checks
only for applications that reside in the Scan group.
With real-time application blocking, remediation isn't a
separate task. Application blocking takes place as part of the
security scan itself, by editing the registry on the local hard
drive to disable user access to those unauthorized applications.
Security services uses the softmon.exe feature to deny access to
specified application executables even if the executable file name
has been modified, because softmon.exe reads the file header
information.
This page contains the following options:
Enable blocking of unauthorized applications:
Turns on real-time application blocking on devices with this agent
configuration.
Notify user when an application has been
blocked: Displays a message that informs the end user they have
attempted to launch an unauthorized application and access has been
denied.
About the Windows Firewall page
Use this page to enable and configure the Windows firewall on
managed devices with this agent configuration. You can
enable/disable the firewall, as well as configure firewall settings
including exceptions, inbound rules, and outbound rules (for
services, ports, and programs).
You can use this feature to deploy a configuration for the
Windows firewall on the following Windows versions:
Windows 2003
Windows XP (SP2 or later)
Windows Vista
This page contains the following options:
Configure Windows Firewall: Enables automatic
Windows firewall configuration on devices with this agent
configuration.
Windows Firewall settings: Specifies the
Windows firewall settings deployed on target devices with this
agent configuration. Select a setting from the list to apply it to
the configuration you're creating. You can also click
Configure to create and apply a new scan and repair setting
or to edit an existing one.
About the Endpoint Security page
Use this page to select an Endpoint Security setting for managed
devices with this agent configuration. Endpoint Security includes
three components: HIPS, Firewall, and Device Control.
In order to select an Endpoint Security setting, you must first
select the Endpoint Security agent check box on the Start
page.
This page contains the following options:
Endpoint Security settings:
Specifies the Endpoint Security settings for managed devices with
this agent configuration. Endpoint Security settings determine
general Endpoint Security operation (such as location awareness,
administrator password, end user stop option, and pop-up messages),
as well as which security policies are deployed for HIPS, LANDesk
Firewall, and Device Control. You can also click Configure
to create a new setting.
Update configuration from core: Lets you
update Endpoint Security settings on target devices configured with
this agent configuration.
About the Agent Watcher page
Use this page to enable and
configure the LANDesk
Agent Watcher utility on devices with this agent
configuration.
Agent Watcher allows you to actively monitor devices for
selected LANDesk agent services and
files. Agent Watcher restarts agent services that have been stopped
and resets the startup types for services that have been set to
automatic. The utility also removes monitored agent files from
lists of files to be deleted on reboot, in order to prevent
deletion. Additionally, Agent Watcher alerts you when agent
services can't be restarted, when agent files have been deleted,
and when agent files are scheduled to be deleted on reboot.
This page contains the following options:
Use the Agent Watcher: Enables the Agent
Watcher utility on devices with this agent configuration.
Agent Watcher settings: Specifies Agent
Watcher settings deployed on target devices with this agent
configuration. Agent Watcher settings determine which services and
files are monitored, how often, and whether the utility remains
resident on the device. Select a setting from the list. Click
Configure to create a new setting.
About the LANDesk 802.1x Support page
Use this page to enable the LANDesk 802.1x NAC solution. You can
use 802.1x to enforce your compliance security policy on managed
devices that support 802.1x, by running compliance security scans,
granting or blocking access depending on device health status
(compliance), putting unhealthy (non-compliant) devices in
quarantine, and performing remediation.
NOTE: Enabling and configuring 802.1x NAC with an agent configuration
In order to enable 802.1x NAC and configure the options on this
page, you must first select the Enable 802.1x Radius Server
option on the 802.1x Configuration dialog box in the Network Access
Control tool (Tools > Security > Network Access Control
> Configure 802.1x > Radius Server). After you select
that option, you can use this page to configure 802.1x with an
agent configuration.
This page contains the following options:
Enable LANDesk 802.1x support: Turns
on 802.1x NAC on devices with this agent configuration. 802.1x NAC
uses the EAP type specified in the NAC tool. The EAP type setting
is core-wide. In other words, all devices configured with this
agent configuration will be configured with the EAP type specified
in the console.
Configure PEAP settings: Opens a dialog box
where you can specify server and trusted certification authority
settings.
Quarantine network address:
Use IP in self-assigned range: Specifies that
devices determined to be unhealthy (non-compliant), based on the
compliance security policy, will be sent to a quarantine network
area using the TCP/IP protocol's built-in self-assigned IP address
range functionality.
Use DHCP in quarantine network: Specifies that
devices determined to be unhealthy (non-compliant), based on the
compliance security policy, will be sent to a quarantine network
area using a DHCP server and remediation server you've configured.
Select primary remediation server: Specifies
the remediation server you want to use for repairing unhealthy
devices so that they can be scanned again and allowed access to the
corporate network.
Remediation backup server: Lets you configure
a backup server for remediation, in case the primary remediation
server can't be accessed. Click Configure to add a remediation
server.
Quarantine client if no health scan has been
performed within: Use this option to automate device quarantine
by specifying a maximum period of time a device can be considered
healthy without having a compliance security scan run on it. If
this time expires without a scan, the device is automatically
placed in the quarantine network area.
Deploying Extended device discovery
About the Extended device discovery page
Use this page to enable and configure extended device discovery
on managed devices with this agent configuration.
Extended device discovery is an extension of the Unmanaged
device discovery tool. It finds devices on your network that
haven't submitted an inventory scan to the core database. With
extended device discovery, you can use one or both of the following
discovery methods: ARP (address resolution protocol) discovery, and
WAP (wireless access point) discovery.
With ARP discovery, the extended device discovery agent listens
for network ARP broadcasts. The agent then checks any
ARP-discovered devices to see whether they have the standard
LANDesk agent
installed. If the LANDesk agent doesn't respond, the
ARP-discovered device displays in the Computers list. Extended
device discovery is ideal in situations involving firewalls that
prevent devices from responding to the normal ping-based UDD
discovery methods.
Keep in mind that you don't have to deploy the extended device
discovery agent to every managed device on your network, though you
can if you want to. Deploying this agent to several devices on each
subnet should give enough coverage.
This page contains the following options:
Use Address Resolution Protocol (ARP): Enables
extended device discovery using the address resolution protocol
(ARP) discovery method on devices with this agent
configuration.
Choose an ARP discovery setting: Specifies the
ARP setting that controls the extended device discovery agent when
performing ARP discovery on your network. ARP settings determine
the discovery scan frequency and logging level. Select a setting
from the list to apply it to the configuration you're creating. You
can also click Configure to create and apply a new setting
or to edit an existing one.
Use Wireless Access Point discovery (WAP):
Enables extended device discovery using the wireless access
point (WAP) discovery method on devices with this agent
configuration.
Choose a WAP discovery setting: Specifies the
WAP setting that controls the extended device discovery agent when
performing WAP discovery on your network. WAP settings determine
the discovery scan frequency and logging level. Select a setting
from the drop-down list to apply it to the configuration
you're creating. You can also click Configure to create and
apply a new setting or to edit an existing one.
Configuration download frequency (in minutes):
Specifies how often managed devices with the extended device
discovery agent installed check with the core server for an updated
extended device discovery configuration. The agent always updates
its configuration from the core when it first loads. The default
value is 720 minutes (12 hours). If you set this value too high, it
will take a long time for configuration changes to propagate to
devices. If you set this value too low, there will be more load on
the core server and the network.
Deploying power management
About the Power Management page
Use the Power Management page to select the power policy
to be distributed out to the client device. LANDesk Power
Management functionality allows administrators to centrally control
end-node power consumption by facilitating the creation, financial
evaluation, and deployment of power management policies. While
administrators centrally control the conditions under which
computers and monitors stand by, hibernate, or power down, users
can forestall specific Power Management actions on the client side
if needed. In addition, a “soft” shutdown option protects unsaved
user data. A pre-populated database of OEM wattage consumption
values is matched to actual hardware inventory data, and available
custom wattage settings allow high levels of precision in the
estimation of financial and power savings.
The Power Management window contains the following features:
Use power policy on client: Enables power
management in this agent configuration.
Power policy settings: Selects a power policy
that has been created and configured to be used on managed
devices.
Choose a power policy: Specifies the power
policy that will be sent out with the agent configuration. By
default, either one power policy or none is available.
Collect the client usage info: Collects power
usage information from individual clients. This information is used to
create more accurate reports of power usage and to know the exact
power demands of the managed devices and the monitors that are
connected to them.
Configure: Lets you create, edit, copy, or
delete power management profiles.
Deploying Desktop Manager
About the Desktop Manager page
Desktop Manager enhances the end-user experience by providing a
consolidated desktop client UI that includes access to both the
Software Deployment Portal and the LaunchPad console from a single
shortcut off the Start menu.
Use the Desktop manager pages to configure how Desktop
Manager looks.
The Desktop manager page contains the following
features:
Available applications: Lists the applications
that can be configured for access through Desktop Manager.
Available applications include:
LaunchPad: A console that provides access to
packages, executables, URLs and process manager links that have
been individually configured for a managed device. LaunchPad
provides one-click access to local, hosted, or just-in-time
applications, which aren't installed until the icon is clicked by
an end-user.
Software deployment portal: Displays all
software distribution packages that have been deployed using an
optional or recommended policy-based delivery method.
Show in Desktop Manager: Displays the
applications that will be displayed and accessed through Desktop
Manager. Use the >> and << to select or deselect
desired applications. By default both LaunchPad and Software
Deployment Portal are included.
About the Customization page (under Desktop manager)
Use the Customization page to configure shortcut location
selections for Desktop Manager and start up and shut down
preferences.
The Customization page contains the following
features:
LANDesk program group: Creates a Start menu in
the LANDesk program group.
Windows desktop: Creates a shortcut on the
desktop.
Windows Start menu: Creates a Start menu
entry.
Run Desktop Manager when the user logs on:
Automatically runs the Desktop Manager when a user logs on to the
managed device.
Do not allow Desktop Manager to be closed:
Prevents end users from closing the Desktop Manager window.
About the Branding page (under Desktop manager)
Use the Branding page to customize the content and
appearance of Desktop Manager.
The Branding page contains the following features:
Application title: Allows for customization of
the application window's title. The default is LANDesk Desktop
Manager.
Your message: Allows an Administrator to enter
a custom message to be displayed in the bottom-center of the
Desktop Manager window. By default no message displays.
Corporate icon: Add a company icon file to
replace the default icon on Desktop Manager. The selected icon
appears in the upper left corner next to “Software Deployment
Portal”.
Corporate logo: Adds a company logo to display
at the bottom left corner of the window. The LANDesk logo always
appears in the bottom right corner.
Using the Client Setup Utility
About the Client Setup Utility dialog box
The Agent configuration utility
dialog box displays the status of a scheduled device configuration
task as the task is processed. This dialog box is for information
only; the devices to be configured were selected when the task was
scheduled.
The Agent configuration utility
dialog box contains the following features:
Clients to configure: Lists the devices
scheduled to receive these configuration settings.
Clients being configured: Lists the devices
that have been contacted by the console and are in the process of
being configured with this settings file.
Clients completed: Lists the devices that the
console has configured during this scheduled session. If the
configuration attempt was successful, the status is Complete. If
the configuration attempt failed for any reason, the status is
Failed. These statuses are mirrored in the Scheduled Tasks window
when this task is selected.
Creating configuration files: Displays a
status bar indicating the completion status of the entire
configuration task.
Deploying to NetWare servers
You can install the inventory scanner to NetWare servers. The
NetWare agent configuration utility will modify the AUTOEXEC.NCF
file to load the scanner on startup. You must have the NetWare
client loaded on the console you're installing the agent from and
you must have write access to the NetWare server you want to
install the agents on.
To install remote control and inventory on a NetWare server
1. In the Management Suite console, click
Configure > Deploy LDMS client to NetWare server.
2. Enter the NetWare server name. Click Install,
and then click OK. This installs the agents to the NetWare
server.
About the Add a bare metal server dialog box
Use the Add a bare metal server
dialog box to add devices to the queue so they can have
provisioning tasks run on them. This is particularly helpful for
the initial provisioning of new devices. Devices are added to the
holding queue by using an identifier. A server identifier is a
piece of information that can be used to uniquely identify a
server. A server identifier may be a MAC address (most common), a
vendor serial number, an IPMI GUID, or an Intel vPro GUID. In all
cases, the identifier must be able to be queried by an agent
running in the preboot environment on the target server.
You can add devices one at a time or many at a time. If you
add many devices, you need to create a text file in CSV format with
data for the devices. You'll import this file to add the devices to
the queue.
To add a single device
1. In the Network view, expand the
Configuration group. Right-click Bare metal server
and click Add devices.
2. Click Add. Type a descriptive name in the
Name text box. While the display name is optional, it is
highly recommended. On a bare-metal device, the display name is the
only differentiator in the Provisioning view.
3. Select an identifier type from the Identifier
type list (MAC address, serial number, IPMI GUID, or Intel vPro
GUID), and enter the value in the Identifier text box. Click
Add.
4. Repeat steps 2-3 to add other devices. You can also
add other identifiers for the device; just add another identifier
with the same display name.
5. Click OK.
To add multiple devices
1. In the Network view, expand the
Configuration group. Right-click Bare metal server
and click Add devices.
2. In the Identifier type list, select an
identifier type that matches the data you will import.
3. Type the location of a text file (CSV) which contains
the identifier information in the text box (or click Browse
to find the file), and click Import.
Each identifier should be separated by a comma in the CSV
file. The import file format is identifier; display name.
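A pre-import check for the CSV file described above, as an added example that is not part of the LANDesk documentation or product. It assumes one device per line with the identifier first and the display name second; the separator is a parameter because the page mentions both a comma and a semicolon, and the accepted MAC and GUID spellings, the function names, and the sample rows are constructed for illustration.

```python
import re

# Accepted spellings are assumptions; the page does not define them.
# MAC: six hex octets, separated consistently by ":" or "-", or unseparated.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-]?)(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")
# GUID: 8-4-4-4-12 hex digits, optionally wrapped in a balanced pair of braces.
GUID_RE = re.compile(
    r"^(\{)?[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}(?(1)\})$"
)


def _norm_mac(value):
    """Return 12 upper-case hex digits, or None if value is not a MAC."""
    if not MAC_RE.match(value):
        return None
    return re.sub(r"[:-]", "", value).upper()


def _norm_guid(value):
    """Return the upper-case GUID without braces, or None if malformed."""
    if not GUID_RE.match(value):
        return None
    return value.strip("{}").upper()


def _norm_serial(value):
    """Vendor serials have no common format; reject only empty/unprintable."""
    if not value or not value.isprintable():
        return None
    return value


# Keys are the four identifier types the page lists, lower-cased.
NORMALIZERS = {
    "mac address": _norm_mac,
    "serial number": _norm_serial,
    "ipmi guid": _norm_guid,
    "intel vpro guid": _norm_guid,
}


def validate_import(text, id_type, delimiter=","):
    """Check an import file against one identifier type.

    Returns (records, problems): records is a list of
    (normalized identifier, display name); problems is a list of
    (line number, "error" | "warning", message). Rows with an error are
    dropped, rows with only a warning are kept.
    """
    try:
        normalize = NORMALIZERS[id_type.lower()]
    except KeyError:
        raise ValueError(f"unknown identifier type: {id_type!r}") from None

    records, problems, first_seen = [], [], {}
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        ident, _, name = line.partition(delimiter)
        ident, name = ident.strip(), name.strip()

        key = normalize(ident)
        if key is None:
            problems.append((line_no, "error", f"{ident!r} is not a valid {id_type}"))
            continue
        # An identifier must single out one server, so the same value written
        # two ways (00:1A:... and 001A...) counts as a duplicate.
        if key in first_seen:
            problems.append(
                (line_no, "error", f"{key} already used on line {first_seen[key]}")
            )
            continue
        first_seen[key] = line_no
        # The display name is optional, but it is the only differentiator in
        # the Provisioning view, so its absence is reported as a warning.
        if not name:
            problems.append((line_no, "warning", f"{key} has no display name"))
        records.append((key, name))
    return records, problems


# Constructed sample: a duplicate in another spelling, a short MAC, and a
# row with no display name.
SAMPLE_IMPORT = """\
00:1A:2B:3C:4D:5E,rack1-web01
00-1a-2b-3c-4d-5f,rack1-web02
001A2B3C4D5E,rack1-web03
00:1A:2B:3C:4D,rack1-db01
00:1A:2B:3C:4D:60,
"""

if __name__ == "__main__":
    good, issues = validate_import(SAMPLE_IMPORT, "MAC address")
    for ident, name in good:
        print("ok     ", ident, name or "(unnamed)")
    for line_no, severity, message in issues:
        print(f"{severity:7}", f"line {line_no}:", message)
```

Run it against the file before clicking Import, with the same identifier type you select in the Identifier type list.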
Deploying to Linux and UNIX servers
You can use the console's agent configuration tool to deploy
agents to supported Linux and UNIX operating systems. For more
information on Linux agent deployment, see Configuring Linux and UNIX device agents.
About the Start page (under Linux agent configuration)
The Linux Agent configuration Start page has these
options:
Configuration name: Enter a name that
describes the configuration you're working on. This can be an
existing configuration name or a new one. This name appears in the
Agent configuration window.
Standard LANDesk agent, Remote
control, and Software distribution: These options
install by default and you can't disable them.
LANDesk vulnerability scanner:
Installs the Linux version of the vulnerability scanner. The
scanner only reports on problems; it doesn't remediate them.
Real-time inventory and
monitoring: Installs an agent which supports real-time
inventory and monitoring from the LANDesk Management console.
Defaults: Resets the options to the default
(disables the LANDesk vulnerability scanner
option).
About the Standard LANDesk agent page (under Linux agent configuration)
The Linux Agent configuration's Standard LANDesk agent page has these
options:
Trusted certificates for agent authentication:
Certificates control which core servers can manage devices. Check
the core server certificates that you want installed with this
configuration. For more information, see Agent security and trusted
certificates.
The other options on this page are dimmed and don't
apply to Linux agent configurations.
About the Inventory scanner page (under Linux agent configuration)
The Linux Agent configuration Inventory scanner
page has these options:
Start inventory scan: You can select Daily, Weekly, or
Monthly. The option you select adds a command to the server's
cron.daily, cron.weekly, or cron.monthly file that runs the
inventory scanner.