Unmanaged device discovery

The Unmanaged device discovery (UDD) tool provides a way for you to find devices on your network that haven't submitted an inventory scan to the LANDesk core database. Additionally, Extended device discovery (XDD) uses an agent installed on managed devices to find other devices sending network ARP broadcasts, as well as wireless access point (WAP) devices.

Read this chapter to learn about:

• Unmanaged device discovery overview
• Discovering unmanaged devices with UDD
• Using extended device discovery (ARP and WAP)
  • Configuring devices to use extended device discovery (ARP and WAP)
  • Understanding IP address filtering with XDD
  • Working with devices found through XDD
• What happens when a device is discovered
• Deploying LANDesk agents to unmanaged devices
• Restoring client records

Unmanaged device discovery overview

Unmanaged device discovery (UDD) provides many ways to scan for and detect unmanaged devices on your network.

Here are the basic UDD scanning methods:

• Network scan: Looks for computers by doing an ICMP ping sweep. This is the most thorough search, but also the slowest. You can limit the search to certain IP and subnet ranges. By default this option uses NetBIOS to try and gather information about the device.
• • IP OS fingerprinting: Use nmap to try and discover more about a device, such as what operating system it is running.
  • SNMP: UDD uses SNMP to discover devices. Click Configure to enter information about SNMP on your network.
• Standard LANDesk agent: Looks for the standard LANDesk agent (CBA) on computers. This option discovers computers that have the LANDesk products installed.
• NT domain: Looks for devices in a domain you specify. Discovers members whether the computer is on or off.
• LDAP: Looks for devices in a directory you specify. Discovers members whether the computer is on or off.

• IPMI: Looks for servers enabled with the Intelligent Platform Management Interface, which allows you to access many features regardless of whether the server is turned on or not, or what state the OS may be in.
• Intel vPro/AMT: Looks for devices with Intel vPro or Intel AMT (Active Management Technology).These devices appear in the Intel vPro folder.
• Virtual hosts: Looks for servers running VMware ESX Server. These servers appear in the Virtual hosts folder.

To automate unmanaged device discovery, you can schedule UDD scans to occur periodically. For example, you could divide your network into thirds and schedule a ping sweep for one third each night.

If you schedule a discovery, the core server does the discovering. Unscheduled discoveries happen from the console that starts them.

Extended device discovery

The UDD tool also supports extended device discovery (XDD) scanning. XDD relies on a device agent (deployed via an agent configuration) that listens for ARP broadcasts and WAP signals on your LANDesk network. The XDD agent on a configured device then checks to see if the broadcasting device has the standard LANDesk agent installed. If the standard LANDesk agent doesn't respond, an ARP discovered device displays in the Computers group with reported information in the item list view, and a WAP device displays in the Wireless Access Points group with reported information in the list view.

Extended device discovery is ideal in situations involving firewalls that prevent devices from responding to the normal ping-based UDD discovery methods.

NOTE: Use extended device discovery to discover firewalled devices
Be aware that the normal unmanaged device discovery methods usually can't discover devices that use a firewall, such as the Windows firewall that is built into Windows XP. The firewall typically prevents the device from responding to the discovery methods that unmanaged device discovery uses. Extended device discovery helps solve this problem by using network ARP traffic to discover devices.

Discovering unmanaged devices with UDD

It's easy to discover unmanaged devices with the basic UDD scan methods.

To discover unmanaged devices with UDD

1. In the unmanaged device discovery window (Tools > Configuration > Unmanaged device discovery), click the Scan network button.
2. Click More >> and select the discovery options you want. The default discovery type uses a standard network scan with IP OS fingerprinting of discovered devices.
3. Enter a starting and ending IP range for the scan. You must enter a range for Standard LANDesk agent discovery (CBA) or Network discovery to work. The range is optional for NT domain and LDAP.
4. Enter a Subnet mask.
5. Click the Add button to add the scan you just configured to the task list.
6. In the task list at the bottom of the dialog, select the scans you want to run and click the Scan now button to scan immediately, or the Schedule task button to run the scans later or on a recurring schedule. The Scan now and Schedule task buttons only run scans you've added to the task list and that are selected.
7. Watch the Scan Status dialog for scan status updates. When the scan finishes, click Close in the Scan Status and Scanner Configuration dialog boxes.
8. Click Computers in the UDD tree to view the scan results.

Configuring Windows NT domain discovery

The Windows NT domain discovery option won't work unless you configure the scheduler service to log in to the domain with a domain administrator account.

To configure the Scheduler login account

1. Click Configure > Services and click the Scheduler tab.
2. Click Change login.
3. Enter a domain administrator user name and password.
4. Click OK
5. Restart the scheduler service so the change takes effect. On the Scheduler tab, click Stop, and once the service has stopped click Start.

Using extended device discovery (ARP and WAP)

Extended device discovery (XDD) works outside the normal scan-based UDD discovery methods. The XDD agent can be configured and deployed to managed devices to use the ARP and/or WAP discovery methods. This section describes both discovery methods.

ARP discovery method

Managed devices configured with the XDD discovery agent for ARP discovery listen for ARP (Address Resolution Protocol) broadcasts and maintain a cache (both in memory and in a file on the local drive) of devices that make them. Networked devices use ARP to associate a TCP/IP address with a specific device network hardware MAC address. This communication happens at a very low level and doesn't rely on devices responding to pings or agent communication on specific network ports. Even heavily firewalled devices rely on ARP. Because of this, extended device discovery can help you find devices that normal discovery scans won't find.

When a new ARP broadcast is recognized by a device configured with the extended device discovery agent, the agents that heard the ARP broadcast wait two minutes for the detected device to boot and then each agent waits a random amount of time. The agent with the shortest random wait time pings the new device first, checking for LANDesk agents, and then the agent sends a UDP broadcast to the subnet to let the other agents know that it took care of the ping for that new discovered device. If you have multiple extended device discovery agents installed, this prevents devices from generating excess traffic by all pinging at the same time.

The ARP tables stored by the extended device discovery agent timeout after 48 hours by default. This means that every network device will be pinged once per timeout period. Even devices that generate a lot of ARP traffic are only pinged once per timeout period.

Devices with LANDesk agents on them are assumed to be managed and aren't reported to the core server. Devices without LANDesk agents are reported to the core server as unmanaged devices. These devices appear in the Unmanaged device discovery window's Computers list. ARP-discovered devices show True in the ARP Discovered column. For ARP discovered unmanaged devices, XDD reports back the following information in the list view columns:

• IP Address
• MAC address
• First scanned
• Last scanned
• Times scanned

WAP discovery method

You can also configure managed devices to listen for wireless access point (WAP) devices on your network, and add any discovered WAP devices to the Wireless Access Points group in the Unmanaged device discovery tool.

For discovered WAP devices, XDD reports back the following information in the list view columns:

• Device name
• MAC address
• First scanned
• Last scanned
• Times scanned
• WAP status (Allowed, Rogue, Active exception)
• Signal strength (use to determine the approximate location of the WAP device)
• Encryption level (the encryption scheme used by the WAP device)
• Manufacturer

NOTE: Reporting the MAC address
XDD uses the wireless detection API on devices running Windows Vista to obtain the device MAC address and display it in the list view. However, this capability is not supported on devices running Windows XP/SP2.

Configuring devices to use extended device discovery (ARP and WAP)

You can use the Agent configuration tool to configure some of your managed devices with the extended device discovery (XDD) agent so they can act as discovering devices that listen for ARP and WAP signals on the network.

You don't have to deploy extended device discovery to every managed device, though you can if you want to. Deploying the XDD agent to several devices on each subnet should give enough coverage.

To deploy the extended device discovery agent for ARP and/or WAP discovery

1. Click Tools > Configuration > Agent configuration.
2. Click the New toolbar button.
3. Enter a Configuration name.
4. In the Agent configuration dialog box's Extended device discovery page, select one or both of the discovery methods you want to deploy.
5. Specify a setting for the discovery methods you've selected. You can select an existing setting from the list, or click Configure to edit a setting or create a new one for this agent configuration.
6. Finish specifying options on the agent configuration. For more information about any page, click Help.
7. Click Save.
8. Deploy the agent configuration to desired target devices on each subnet.

You can configure various extended device discovery settings for devices with the extended device discovery agent. This agent periodically synchronizes its settings with the core server.

To configure extended device discovery agent settings for ARP and/or WAP discovery

1. Click Tools > Configuration > Unmanaged device discovery.
2. Click the Configure extended device discovery toolbar button, and select which type of discovery method settings you want to configure (ARP or WAP).
3. Specify the discovery method scan options. For more information, click Help.
4. Click OK when done. The next time extended device discovery agents synchronize with the core server, your changes are applied.

Understanding IP address filtering with XDD

We don't recommend that you install extended device discovery on notebook computers, since they may connect to other networks that you don't want to monitor, such as hotel or airport networks. To help prevent discovery of devices that aren't on your network, the core server ignores IP addresses where the first and second IP address octets are plus or minus 10 from that of the core server. For example, if your core server's IP address is 192.168.20.17, extended device discovery on the core server will ignore addresses above 203.179.0.0 and addresses below 181.157.0.0.

You can disable this feature by adding the following DWORD registry key to the core server and setting its value to 0:

• HKEY_LOCAL_MACHINE\SOFTWARE\LANDesk\ManagementSuite\XDD\Filter

You can set the Filter value to 1 to enable filtering again.

You can adjust the first and second octet monitoring ranges by adding the following DWORD registry keys to the core server and setting their values to the numeric range that you want monitored (the default is 10 for the first and second octets):

• HKEY_LOCAL_MACHINE\SOFTWARE\LANDesk\ManagementSuite\XDD\FilterThreshold1
• HKEY_LOCAL_MACHINE\SOFTWARE\LANDesk\ManagementSuite\XDD\FilterThreshold2

FilterThreshold1 contains the range for the first octet and FilterThreshold2 contains the range for the second octet.

Working with devices found through XDD

Unmanaged devices found through extended device discovery's ARP discovery method appear in the Unmanaged device discovery window's Computers list. WAP Devices found through extended device discovery's WAP discovery method appear in the Unmanaged device discovery window's Wireless Access Points list.

From these lists you can perform the normal UDD options, such as moving them to other groups. Right-click a device to access its shortcut menu and use the available options.

You can also import and export extended device discovery exceptions. An exception is a device on the network that isn't manageable or that the administrator knows about but doesn't want extended device discovery to report on.

These exceptions are in a text CSV file format that consists of comma-separated IP and MAC addresses, in that order, one pair per line. The exceptions export includes all exceptions stored in the database. The exceptions import replaces all exceptions stored in the database with the exceptions you include in the import file.

To export all extended device discovery exceptions

1. Click Tools > Configuration > Unmanaged device discovery.
2. Click the Export extended device discovery exceptions to CSV file toolbar button.
3. Choose a folder and give the file a name.
4. Click Save.

To import all extended device discovery exceptions

1. Create or update a comma-separated CSV file that contains the exceptions you want.
2. Click Tools > Configuration > Unmanaged device discovery.
3. Click the Import extended device discovery exceptions from CSV file toolbar button.
4. Click Open.

Maintaining ARP discovered device records

UDD stores devices found through extended device discovery in the core server's database. If you have a lot of unmanaged devices on your network, this data can grow very quickly. By default, this data is kept for 24 hours. You can customize how long devices found through extended device discovery stay in the database. After the number of days you specify, devices that haven't been rediscovered within that period will be deleted.

To configure the ARP discovery history

1. Click Tools > Configuration > Unmanaged device discovery.
2. Click the Configure ARP discovery history toolbar button.
3. Change the options you want. Click Help for more information.
4. Click OK when done.

Extended device discovery reports

There are several XDD reports in the Reports window (Tools > Reporting / Monitoring, click Reporting > Management Suite > Unmanaged Devices) that you can view.

Extended device discovery reports include:

• ARP discovered device history: History of unauthorized devices.
• Current ARP discovered devices without the agent: Current devices where the LANDesk agent is either disabled or not working.
• History of ARP discovered devices without the agent: History of devices where the LANDesk agent is either disabled or not working.
• Unmanaged devices: Devices on the network that aren't assigned to a core server.
• Wireless devices: History of all wireless devices that have been discovered.

What happens when a device is discovered

When UDD or XDD finds an unmanaged device for the first time, it tries to identify the device type so it can add the device to one of the following groups:

• Computers: Contains devices discovered by UDD scanning methods (and the XDD agent's ARP discovery method)
• Infrastructure: Contains routers and other network hardware.
• Intel vPro: Contains Intel vPro-enabled devices.
• IPMI: Contains servers that have the Intelligent Platform Management Interface.
• Other: Contains unidentified devices.
• Printers: Contains printers.
• Virtual hosts: Contains virtual hosts.
• Wireless Access Points: Lists discovered WAP devices (found by the XDD agent).

These groups help keep the UDD list organized so you can more easily find the devices you're interested in. You can sort the device lists by any column heading when you click on a heading.

NOTE: Moving devices to different groups
UDD may not categorize devices correctly and place them in the appropriate device groups in every instance. If this happens, you can easily drag misidentified devices to the correct group.

UDD tries to discover and report basic information about each device, including the following data that appears in the item list view in the right-hand pane of the tool window:

• Device name: The discovered device name, if available.
• IP address: The discovered IP Address. UDD always shows this. XDD does not.
• Subnet mask: The discovered subnet mask. UDD always shows this.
• OS description: The discovered OS description, if available.
• MAC address: The discovered MAC address, usually returned if the device has the standard LANDesk agent, NetBIOS, or if the device is on the same subnet as the core server or console that's doing the discovery.
• Group: The UDD group the device belongs to.
• Standard LANDesk agent: Shows whether the device has CBA on it. You can deploy other LANDesk agents directly to managed devices with CBA loaded.
• All users: Users logged in at the device being scanned, if available.
• Group/Domain: The group/domain the device is a member of, if available.
• First scanned: The date UDD first scanned this device.
• Last scanned: The date UDD last scanned this device. This column helps you find unmanaged devices that may not be on the network any more or that were recently found.
• Times scanned: The number of times UDD scanned this device.
• Intel vPro: Whether the device supports Intel vPro.
• ARP discovered: Whether the device was discovered via ARP.
• XDD exception: Whether the device is an XDD exception.
• IPMI GUID: The IPMI GUID of the device, if available.

Depending on the device, UDD may not have information for all columns. When UDD finds a device for the first time, it looks in the core database to see if that device's IP address and name are already in the database. If there's a match, UDD ignores the device. If there isn't a match, UDD adds the device to the unmanaged device table. Devices in the unmanaged table don't use a LANDesk license. A device is considered managed once it sends an inventory scan to the core database. You can't drag devices from UDD into the main console network view. Once unmanaged devices submit an inventory scan, they'll be removed from UDD and added to the network view automatically.

You can create custom groups to further categorize unmanaged devices. If you move a device to another group, UDD will leave that device in that group if UDD detects the device again later. By keeping the main Computers group organized and by moving devices you know you won't be managing with LANDesk into subgroups or other categories, you can easily see new devices in the Computers group. If you delete a group that contains devices, UDD moves the devices to the Other group.

You can quickly find devices matching search criteria you specify by using the Find toolbar field. You can search for information in a particular column, or in all columns. Search results appear in the Find results category. For example, use Find to group unmanaged computers that have CBA by searching for "Y" in the Standard LANDesk agent field.

You can also create an alert when UDD finds unmanaged devices. In Alerting (Tools > Configuration > Alerting, click Core alert ruleset) the alert name to configure is Unmanaged Device discovery - unmanaged device found.

Troubleshooting inaccurate OS version results

In some environments, an nmap mapping on an IP address that isn't in use will return a response on specific ports, confusing nmap. The ports that do or don't respond vary in different environments. If nmap isn't returning accurate OS version results, or as a best practice, nmap should be tuned to the customer environment.

To tune nmap

1. Determine several IP addresses that aren't in use in the environment.
2. At a command prompt on the core server, use the following command line to manually scan the IP addresses:
   
   nmap -O -sSU -F -T4 -d -v <targets> -oX test.xml > test.txt
   
   
3. Review the results and see if there are any ports that consistently respond on IP addresses that aren't in use.
4. Open Management Suite's nmap-services document (C:\Program Files\LANDesk\Management Suite\nmap\nmap-services) and comment out the ports with a hash (#) character that consistently respond.

Deploying LANDesk agents to unmanaged devices

After you've discovered unmanaged devices using the scan and discovery methods described above, you can deploy LANDesk agents to those devices using one of the following methods:

• Push-based deployments using scheduled tasks and a domain administrative account you've configured for the scheduler.
• Push-based deployments using the standard LANDesk agent. If the devices have the standard LANDesk agent, you can do a push-based deployment.
• Pull-based deployment using a login script.

For more information on deploying devices, see the LANDesk User Community at http://community.landesk.com.

When organizing devices for agent deployment, you may find it easier to sort the unmanaged device list by the standard LANDesk agent to group for standard LANDesk agent device deployments and to sort by domain for scheduled task deployments.

NOTE: When deploying to Windows devices
The Windows default setting forces network logins that use a local account to log in using the guest account instead. If you aren't using a domain-level administrative account and are using a local account for the scheduler service, scheduled tasks will fail because the scheduler service won't be able to authenticate.

To deploy LANDesk agents to unmanaged devices

1. Click Tools > Configuration > Agent configuration and create a new configuration or use an existing one. From that configuration's shortcut menu, click Schedule.
2. Click Tools > Configuration > Unmanaged device discovery, and select the devices you want to deploy to. Drag the devices onto the Scheduled tasks window. If the Scheduled tasks window is a minimized tab, you can drag devices onto the Scheduled tasks tab, which opens the Scheduled tasks window.
3. If the devices don't have the standard LANDesk agent, click Configure > Services, and click the Scheduler tab. Make sure the scheduler account is one that will have administrative privileges on the devices you're deploying to.
4. Double-click the deployment script and set a start time. Click OK when you're done.
5. Watch the Scheduled tasks window for updates.

Restoring client records

Should you ever reset your core database and need to restore device data, you can use UDD to discover all devices on the network. You can then use the discovery results as the target for the "Restore client records" scheduled task.

If the devices have the standard LANDesk agent on them, this task has the devices send a full inventory scan to the core database that each device is locally configured for. The result of this task is that those devices that have already been configured will be rescanned backed into the database and the devices will still be pointing to their correct managing core server. The task will fail on devices that haven't been managed by a core server.

To restore client records

1. Use UDD to discover unmanaged devices, as described earlier.
2. Click Tools > Distribution > Scheduled tasks.
3. In the Scheduled tasks window, click the Schedule custom script button.
4. Click Restore client records, and from its shortcut menu click Schedule.
5. From the UDD Find results tree, drag the computers you want restored onto the Restore client records task in the Scheduled tasks window.
6. From the Restore client records task's shortcut menu, click Properties and configure the task.
7. Watch the Scheduled tasks window for updates.