The Distribution and Patch Settings are at the core of the patching process. These settings are stored on the core server and are updated automatically when vulscan runs. That means if you change the Distribution and Patch Settings that are configured for a device, the next time it runs vulscan it will update and use the new settings.
Each client machine has an "installed" Distribution and Patch Setting. That is the default configuration used by any task that does not have an assigned Distribution and Patch Setting. The currently "installed" settings can be found in the client machine inventory at: Computer - LANDESK Management - Vulnerability Scan - Settings - Distribution and Patch Settings Name. The "installed" settings can be changed using a "Change settings..." task found in the "Create a task" drop-down in the Security and Compliance tool.
Each of the settings and its effects can be found below.
General settings
On the General settings page, enter a name that will be associated with the settings you specify on all of the pages in this dialog. This name will appear in the Agent settings list in the console.
Network settings
Use this page to customize how distribution packages will impact your network traffic. For more information, see About file downloading.
- Attempt peer download: Allow packages to download if they are already on a peer in the same subnet. This will reduce network traffic. For example, if you have several satellite offices, you could select one device at each office to receive the package over the network. Then, the other devices at each office would get the package directly from the first device instead of downloading it from the network.
- Attempt preferred server: Allow automatic redirection to the closest package shares. This will reduce the load on the core server.
- Allow source: Download from the core server if the files aren't found on a peer or preferred server. If the files are not in one of those locations and this option is not selected, the download will fail.
- Use multicast: Uses targeted multicast to send files to multiple devices simultaneously. Enter a value for the amount of time to wait on each subnet before the download begins.
- Bandwidth used from core or preferred server: Specify the percentage of bandwidth to use so you don't overload the network. You can limit bandwidth by adjusting the maximum percentage of network bandwidth to use for the distribution. The slider adjusts the priority of this specific task over other network traffic. The higher the percentage slider is set, the greater the amount of bandwidth being used by this task over any other traffic. WAN connections are usually slower, so it is most often recommended to set this slider at a lower percentage.
- Bandwidth used peer-to-peer: Specify the percentage of bandwidth to use locally. This value is typically higher than the bandwidth used from core or preferred server because of physical proximity.
- Send detailed task status: Click to send information about the task to the core server. This increases network traffic, so if you select this option to help troubleshoot a particular issue, you may want to clear it once you resolve the issue.
Policy sync schedule
Use the Policy sync schedule page to specify when the client will check the core to see if there are any packages available for download.
- Policy sync schedule
  - Event-driven
    - When user logs in: Click to run policy sync once a user has logged in.
    - When IP address changes: Click to run policy sync when the IP address changes.
    - Max random delay: Specify an amount of time to delay the scan in order to avoid downloading the package on all of the devices at the same time, which could flood the network.
  - Schedule-driven
    - Use recurring schedule: Click to only download distribution packages during a specified time frame. The default is to check once a day.
    - Change settings...: Click to open the Local scheduler command dialog, where you can create a different schedule.
Notification
Use the Notification page to specify what information to display to the user and what actions the user can take.
- Notification options before installing/removing
  - Automatically begin downloading: Begins the download of the distribution package without notifying the user.
  - Notify user before downloading: Notifies the user before a managed device initiates download of the package. This option is particularly useful for mobile users if used with deferral options to prevent a user from being forced to download a large application over a slow connection.
  - Automatically begin installing/removing: Begins the installation of the distribution package without notifying the user.
  - Notify user before installing/removing: Displays the installation or removal dialog before a managed device initiates installation or removal of the package.
  - Only notify user if processes must be stopped: Only displays a dialog if a process must be stopped before the managed device initiates the installation or removal of the package.
  - Kill processes that need to be stopped before starting the update: Click to shut down any processes that must be stopped before installing the package.
  - Prevent those same processes from running during the update: Click to ensure the processes are not allowed to restart until after the package has finished installing.
  - If deferring until lock/logoff: Specify how long to wait before the package will install.
- Progress options
  - Show progress: Select whether to never show the installation progress, to only show it when installing or removing files, or to show it when installing or removing and when scanning files.
  - Allow user to cancel scan: If you choose to always show the progress to the user, this option will be enabled. Click to give the user the ability to cancel the scan.
- No response timeout options: These options are enabled if you allow the user to defer or cancel.
  - Wait for user response before repair, install or uninstall: If you allow the user to defer or cancel, this option will be enabled. Click to force the agent to wait for a user response before continuing. This may cause the task to time out.
  - After timeout, automatically: Click to automatically start, defer, or cancel the task after the amount of time you specify.
User message
Use this page to create a custom message that the user will see if you select Notify user before downloading or Notify user before installing/removing on the Notification page. When you schedule a task, there is an option to override this message.
Distribution-only settings
Use the Distribution-only settings page to select the download location, deferral and installation feedback options when dealing with SWD packages.
- Feedback
  - Display full package interface: Select this option to let the user handle the whole installation process manually.
  - Show successful or failed status to end user: Select this option to only let the user know whether an unattended installation that took place in the background failed or succeeded.
  - Defer until next logon: Select to have the installation start only once the currently connected user logs off and back on again (or simply logs on if nobody was connected). (I'll clarify how exactly this works on servers, where multiple people are connected at once.)
- When the user chooses to defer package installation: You need to allow the user to defer the SWD task in the Notification settings section to enable this section.
  - Defer for a specific amount of time
  - Limit number of user deferrals
  - Maximum deferrals allowed
- Select the location to store Ivanti virtualized applications
- Enable LDAP group targeting
Offline
Use this page to specify what the agent does when a managed device cannot contact the core server while installing a package.
- If a managed device cannot contact the core server when installing a package
  - Wait until the device can contact the core server
  - Install package(s) offline
Logged off user options
Use this page to specify what the agent does with an installation when no user is logged on to the device.
- Logged off user behavior
  - Continue installation
  - Fail installation
  - Run at next logon
Download options
Use this page to specify whether the package is executed directly from its source share or downloaded to the device before it is executed.
- Run from source (execute on share)
- Download and execute
Patch-only settings
Use the Patch-only settings page to select reboot and alternate core options when scanning, repairing, and downloading files.
- When no reboot is required
  - Require end-user input before closing: Select this option for the notification dialog to remain visible until the user responds to it.
  - Close after timeout: Select this option to close the notification dialog after a specified countdown.
- Alternate core
  - Communicate with alternate core server: Click to select a server to use if the default core server is unavailable.
- When installing via CSA: Click an option in the drop-down list to specify how the scanner will install via the Cloud Service Appliance (formerly known as Gateway). This is helpful if you have people who are outside the network, such as employees who are on the road, who need to communicate with the core.
  - Download patches from core as usual: This will require an extra step and may cause delays or network issues.
  - Do not download patches. Fail the request: This will reschedule the download. Select this option if bandwidth is an issue.
  - Download patches from manufacturer. Fall back to core on failure: This will attempt to download the patch directly from the manufacturer, such as Microsoft, before going through the core server. This will use less bandwidth on your own network.
  - Download patches from manufacturer. Do not fall back on failure: This will attempt to download the patch directly from the manufacturer, such as Microsoft. If it is unable to download the patch, it will reschedule the download.
- CPU utilization when scanning: Set the slider to specify whether to allow low or high CPU utilization during a scan.
- Scheduled task log: Specify which information the scanner sends to the core. For example, if you are experiencing an issue, you may wish to send debug information to try to troubleshoot the problem.
Do not disturb
Use this page to specify mission-critical processes so that a scan will not occur if those processes are running. For example, to ensure that the scanner will not run during a presentation, you could apply the filter so that a reboot could occur with PowerPoint open but not if PowerPoint was running full screen.
- Add defaults: Populates the list with the default processes.
- Add...: Opens the Specify process filter dialog box, where you can enter the name of the process and specify whether to apply the filter any time the process is running or only when the process is running full screen.
- Edit...: Opens the Specify process filter dialog box, where you can change the filter for a process that is already in the list.
- Delete...: Removes a process from the list.
- Legacy Mac agent user interruption settings: If you have upgraded your Mac client, all of the settings on the Do not disturb page are supported. However, if you have not upgraded your Mac client, you can use the following options:
  - Hide scan progress dialog when a presentation is running: Click to keep the scan progress dialog in the background so that it does not interrupt a presentation.
  - Defer repairing when a presentation is running: Click to postpone any repairs until the presentation is over.
Scan options
Use this page to specify whether the security scanner will scan by group or by type of vulnerability.
- Scan for
  - Group: Select a custom, preconfigured group from the drop-down list.
    - Immediately repair all detected items: Indicates that any security risk identified by this particular group scan will be automatically remediated.
  - Type: Specifies which content types you want to scan for with this scan task. You can select only those content types for which you have an Ivanti EPM Security Suite content subscription. Also, the actual security definitions that are scanned for depend on the contents of the Scan group in the Patch and Compliance window. In other words, if you select vulnerabilities and security threats in this dialog box, only those vulnerabilities and security threats currently residing in their respective Scan groups will be scanned for.
- Enable autofix: Indicates that the security scanner will automatically deploy and install the necessary associated patch files for any vulnerabilities or custom definitions it detects on scanned devices. This option applies to security scan tasks only. In order for autofix to work, the definition must also have autofix enabled.
Schedule
Use this page to specify the time frame during which the security scanner will run as a scheduled task. After you select the settings, this page displays a summary of the schedule.
- Event-driven
  - When user logs in: Click to scan and repair definitions once a user has logged in.
  - Max random delay: Specify an amount of time to delay the scan in order to avoid simultaneously scanning all of the devices, which could flood the network.
- Schedule-driven
  - Use recurring schedule: Click to only scan and repair definitions during a specified time frame.
  - Change settings...: Opens the Local scheduler command dialog box where you can define the parameters for the security scan. This dialog box is shared by several Ivanti EPM management tasks. Click the Help button for details.
Frequent scan
Use this page to enable the agent to check definitions in a specific group more frequently than usual. This is helpful when you have a virus outbreak or other time-sensitive patch that needs to be distributed as soon as possible. For example, you may want a client to scan every 30 minutes and at every login for a specific group that may contain critical vulnerabilities. The frequent scan is optional.
- Enable high frequency scan and repair definitions for the following group: Enables the frequent security scan features. Once you've checked this option, you need to select a custom group from the drop-down list.
- Immediately install (repair) all applicable items: Click to enable the agent to install a patch if it locates one in the folder that you specify.
- Schedule
  - Event-driven
    - When user logs in: Click to scan and repair definitions once a user has logged in.
    - Max random delay: Specify an amount of time to delay the scan in order to avoid simultaneously scanning all of the devices, which could flood the network.
  - Schedule-driven
    - Use recurring schedule: Click to only scan and repair definitions during a specified time frame.
    - Change settings...: Opens the Local scheduler command dialog box where you can define the parameters for the security scan. This dialog box is shared by several Ivanti EPM management tasks. Click the Help button for details.
- Override settings: From the drop-down box, select the settings that you wish to override with the settings that you specify in the Distribution and Patch dialog.
- Edit...: Click to open the Distribution and Patch settings dialog for that particular setting.
- Configure: Click to open the Configure distribution and patch settings dialog. For more information, click Help.
Pilot configuration
Use the Pilot configuration page to test security definitions on a small group before performing a wider deployment on your entire network. For example, you may wish to install a new Microsoft patch on the devices in only the IT group to make sure that it doesn't cause any issues before it goes out to everyone in the organization. Using a pilot group is optional.
- Periodically scan and repair definitions in the following group: Enables the pilot security scan features. Once you've checked this option, you need to select a custom group from the drop-down list.
- Schedule
  - Event-driven
    - When user logs in: Click to scan and repair definitions once a user has logged in.
    - Max random delay: Specify an amount of time to delay the scan in order to avoid simultaneously scanning all of the devices, which could flood the network.
  - Schedule-driven
    - Use recurring schedule: Click to only scan and repair definitions during a specified time frame.
    - Change settings...: Opens the Local scheduler command dialog box where you can define the parameters for the security scan. This dialog box is shared by several Ivanti EPM management tasks. Click the Help button for details.
Spyware scanning
Use this page to replace or override spyware settings from a device's agent configuration. Real-time spyware detection monitors devices for newly launched processes that attempt to modify the local registry. If spyware is detected, the security scanner on the device prompts the end user to remove the spyware.
- Override settings from client configuration: Replaces existing spyware settings on devices initially configured via an agent configuration. Use the options below to specify the new spyware settings you want to deploy to target devices.
- Settings
  - Enable real-time spyware blocking: Turns on real-time spyware monitoring and blocking on devices with this agent configuration.
    NOTE: In order for real-time spyware scanning and detection to work, you must manually enable the autofix feature for any downloaded spyware definitions you want to be included in a security scan. Downloaded spyware definitions don't have autofix turned on by default.
  - Notify user when spyware has been blocked: Displays a message that informs the end user a spyware program has been detected and remediated.
  - If an application is not recognized as spyware, require user's approval before it can be installed: Even if the detected process is not recognized as spyware according to the device's current list of spyware definitions, the end user will be prompted before the software is installed on their machine.
Install/remove options
Use the Install/remove options to specify what the agent should do once it determines the need for a patch.
- Reboot is already pending: Click this option if you want to start a patch installation regardless of whether the device has requested a reboot.
Continuation
Use the continuation page to enable the agent to immediately install or remove patches as soon as it meets the specified criteria. For example, if you need to install ten patches to remove a single vulnerability, continuation provides a way to install them one after another.
- Automatically continue install/remove actions after prerequisites are met: Click to allow the agent to automatically install or remove patches once it meets any prerequisites.
- Additional automatic repair count: The default is to allow 5 automatic repairs, which balances the urgency of getting the patch installed with allowing users to complete their work.
Maintenance window
Use this page to specify the parameters for when the agent can perform any install, repair, or remove actions.
- Machine must be in this state: Click to specify whether the user must be logged off or the device must be locked for the specified amount of time.
- Delay: Use this option if you want to delay the action for several minutes to ensure that the user is not returning to the device.
- Machine must be in this time window: Click to configure the maintenance window by setting a detailed schedule. Specify the time of day, days of the week, and days of the month. The agent will only run when it meets all criteria.
Pre-repair script
Use the Pre-repair script page to execute a custom command before installing a patch. For example, if you want to get the environment ready for the patch by turning off a particular service, you can use a script.
- Abort patch install or uninstall if this script fails: Specify whether to cancel the patch installation if the script does not run.
- Insert sample script...: Click to select a VBScript, PowerShell script, or batch file to include in the pre-repair script.
- Insert method call...: Click to open a list of method calls that you can add to the pre-repair script. Click a method call in the list to move it to the Script Content box.
- Use editor...: Click to open Notepad, where you can write your custom script.
Post-repair script
Use the Post-repair script page to execute a custom command after installing a patch. For example, if you used a script to shut off the AV service before installing a patch, you can use the post-repair script to turn it back on.
- Run this script even if pre-repair fails: Click to run the post-repair script even when the pre-repair script did not complete successfully, so that anything the pre-repair step changed is still put back.
- Insert sample script...: Click to select a VBScript, PowerShell script, or batch file to include in the post-repair script.
- Insert method call...: Click to open a list of method calls that you can add to the post-repair script. Click a method call in the list to move it to the Script Content box.
- Use editor...: Click to open Notepad, where you can write your custom script.
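As an added example (not code from this page or from Ivanti), here is a pre-repair and post-repair script pair for the two pages above: the pre-repair function records the service's state and stops it, the post-repair function restores it only if it was running before, and both return a non-zero code on failure so the abort option can cancel the patch. The service name, the state and log file paths, and the assumption that the agent treats a non-zero exit code as a script failure are ours, not taken from the page.

```powershell
# Added example, not from the page or from Ivanti. PLACEHOLDER values below
# are assumptions: replace the service name and paths for your environment.
$ServiceName = 'PLACEHOLDER_AV_SERVICE'                                # placeholder
$StateFile   = Join-Path $env:ProgramData 'patch-prerepair-state.txt'  # placeholder path
$LogFile     = Join-Path $env:ProgramData 'patch-repair-script.log'    # placeholder path

function Write-RepairLog {
    param([string]$Message)
    # Timestamped line so the scheduled task log and this file can be correlated.
    Add-Content -Path $LogFile -Value ('{0:u} {1}' -f (Get-Date), $Message)
}

# Pre-repair: remember whether the service was running, then stop it.
# Returns 1 on any failure so "Abort patch install or uninstall if this script
# fails" can cancel the patch instead of installing into a half-prepared system
# (assumption: the agent treats a non-zero exit code as failure).
function Invoke-PreRepair {
    try {
        $svc = Get-Service -Name $ServiceName -ErrorAction Stop
        # Persist the original state so post-repair only undoes what we changed.
        Set-Content -Path $StateFile -Value $svc.Status.ToString()
        if ($svc.Status -eq 'Running') {
            Stop-Service -Name $ServiceName -Force -ErrorAction Stop
            # Throws a TimeoutException (caught below) if the stop hangs.
            $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
            Write-RepairLog "pre-repair: stopped $ServiceName"
        } else {
            Write-RepairLog "pre-repair: $ServiceName already $($svc.Status), nothing to stop"
        }
        return 0
    } catch {
        Write-RepairLog "pre-repair FAILED: $($_.Exception.Message)"
        return 1
    }
}

# Post-repair: bring the service back if it was running before the patch.
# Pair it with "Run this script even if pre-repair fails" so a protective
# service is never left stopped because the pre-repair step aborted part-way.
function Invoke-PostRepair {
    try {
        # No state file means pre-repair never got that far; default to
        # starting the service, which is the safe direction for a protective one.
        $previous = 'Running'
        if (Test-Path $StateFile) { $previous = (Get-Content $StateFile -Raw).Trim() }
        if ($previous -eq 'Running') {
            Start-Service -Name $ServiceName -ErrorAction Stop
            (Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
            Write-RepairLog "post-repair: restarted $ServiceName"
        } else {
            Write-RepairLog "post-repair: $ServiceName was $previous before the patch, left as is"
        }
        Remove-Item -Path $StateFile -ErrorAction SilentlyContinue
        return 0
    } catch {
        Write-RepairLog "post-repair FAILED: $($_.Exception.Message)"
        return 1
    }
}

# Paste the matching call at the end of each page's Script Content box:
#   exit (Invoke-PreRepair)    # Pre-repair script page
#   exit (Invoke-PostRepair)   # Post-repair script page
```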
MSI information
Use this page if a patch file needs to access its originating product installation resource in order to install any necessary supplemental files. For example, you may need to provide this information when you're attempting to apply a patch for Microsoft Office or some other product suite.
- Original package location: Enter the UNC path to the product image.
- Credentials to use when referencing the original package location: Enter a valid user name and password to authenticate to the network share specified above.
- Ignore the /overwriteoem command-line option: Indicates the command to overwrite OEM-specific instructions will be ignored. In other words, the OEM instructions are executed.
- Run as information: Credentials for running patches: Enter a valid user name and password for the account used to run patches.
Branding
The Branding page allows you to customize the status dialog that will notify the user of a scan or other scheduled task. For information on how to hide or display the dialog, see Notification. The Branding dialog box contains the following options:
- Customize window caption: Enter a title for the dialog.
- Preview...: Click to see the dialog box with the custom icon and banner that the user will see.