KBOX Administrator Guide 3.3

A D M I N G U I D E

Administrator Guide for KBOX 1000 Series

Version 3.3

© 2004-2007 Kace Networks, Inc. All rights reserved. Welcome to KBOX 1000 ownership!

Welcome to version 3.3 of the KBOX 1000 Series appliance. This Administrator Guide is designed to help you install, configure, use, and maintain your KBOX 1000 Series appliance. KACE is dedicated to cus-tomer success with our primary goal being your ability to quickly utilize your KBOX 1000 Series appli-ance to save time and eliminate the tedious task of manual inventory, software, and desktop management.

If at any time you experience a problem, or have a question regarding your KBOX 1000 Series appliance, please contact one of our support representatives for assistance.

Support Contact:

KACE Technical Support(888) 522-3638 for support select option 2http://www.kace.com/support

Company Contact:

Kace Networks, Inc.1616 North Shoreline Blvd.Mountain View, California 94043(888) 522-3638 office for all inquiries(650) 649-1806 fax

mailto:[email protected]

http://www.kace.com/support

Contents

About this guide viiiHow this guide is organized . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix

Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x

Additional resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x

Contacting Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xThe KBOX 1000 Series JumpStart Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiKACE Professional Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

Ch. 1 Getting Started with KBOX 1000 Series . . . . . . . . 1

Introduction to KBOX 1000 Series . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2Solution Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2Organizational Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2Software Deployment Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Setting Up Your New KBOX server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Setting up your first KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Alternative Deployment Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Key Configuration Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10Configuring General settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10Configuring KBOX Network settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Ch. 2 Agent Provisioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Single Machine Provisioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Provisioning Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Provisioning Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

KBOX Agent Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

KBOX Agent Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Ch. 3 Inventory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Overview of the Inventory Feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Using Advanced Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29Creating Search Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29Creating Computer Notifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31Filtering Computers by Organizational Unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Understanding Computer Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Computer Identity Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Help Tickets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Operating System Info . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34User Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Manufacturer and BIOS Info. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Administrator Guide for KBOX 1000 Series, version 3.3 i

Processor and Computer Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Network Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Drive Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35Motherboard and related Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35Process List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35Installed Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35Installed Patches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35Startup Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35Harmful Items (Threat Level 5) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35Printer List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35Uploaded Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35Custom Inventory Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35Customer Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36Asset Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36Asset History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36KBOX Agent Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36Portal Install Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36Scripting Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36OVAL Vulnerability Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36Failed Managed Installs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36Labels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36Failed Patches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36To Install List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Adding computers to inventory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37Adding computers automatically . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37Adding computers manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Software Inventory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Adding Software to Inventory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39Adding Software Automatically. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39Adding Software Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39Creating Software Asset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40Custom Data Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40Attaching a Digital Asset to a Software Title . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Monitoring out-of-reach Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Labels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43Creating Labels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43Viewing Computer Details by Label . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43Deleting labels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Software Metering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45Adding a Software Meter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45Editing Software Meter Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46Deleting a Software Meter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46Configuring the Software Metering Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

Startup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Software Lookup Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52Enabling Software Lookup Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52Viewing Software Lookup Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

Administrator Guide for KBOX 1000 Series, version 3.3 ii

Ch. 4 Asset Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Overview of Asset Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Managing Asset Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58Asset Association . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

Managing Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63Generating Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

Importing Asset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

Ch. 5 IP Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

IP Scan Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Viewing List of Scheduled Scans. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Creating an IP Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

Ch. 6 Distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

Distribution Feature Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Types of Distribution Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73Distributing Packages through KBOX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73Distributing Packages through an Alternate Location . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

Managed Installations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75Creating a Managed Installation for Windows Platform . . . . . . . . . . . . . . . . . . . . . . . . . 75Sharing Managed Software Installation Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Examples of Common Deployments on Windows . . . . . . . . . . . . . . . . . . . . . . . . 79Standard MSI Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79Standard EXE Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82Standard ZIP Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

Examples of Common Deployments on Linux. . . . . . . . . . . . . . . . . . . . . . . . . . . . 83Standard RPM Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83Standard TAR.GZ Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Examples of Common Deployments on Solaris . . . . . . . . . . . . . . . . . . . . . . . . . . 87Standard TAR.GZ Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

Examples of Common Deployments on Macintosh(r) . . . . . . . . . . . . . . . . . . . . 91

File Synchronizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94Creating a file synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96Creating a Replication Share. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96Viewing Replication Share Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Ch. 7 Wake-on-LAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

Wake-on-LAN Feature Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

Issuing a Wake-on-LAN Request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

Troubleshooting Wake-on-LAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

Administrator Guide for KBOX 1000 Series, version 3.3 iii

Ch. 8 Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

Scripting Module Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

Using Scripts that are Installed with KBOX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

Creating and Editing Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105Adding Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106Editing Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108Importing scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109Duplicating scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

Using the Run Now Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111Run Scripts using the Run Now tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111Run Now from the Script Detail page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111Monitoring Run Now status. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112Run Now Detail Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

Searching Scripting Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

Configuration Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115Enforce Registry Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116Remote Desktop Control Troubleshooter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116Enforce Desktop Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117Desktop Shortcuts Wizard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117Event Log Reporter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118MSI Installer Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118UltraVNC Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120Un-Installer Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121Windows Automatic Update Settings policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

Ch. 9 Patching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

Overview of Patching feature. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

Bulletin Management workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126Downloading patch bulletins. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126Reviewing & approving bulletins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126Deploying bulletins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128Reporting patching results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130Creating a Replication Share for patches. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130Create new Windows Update Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

Updating Patch definitions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

Ch. 10 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132

Security Module Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133About OVAL and CVE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

OVAL Tests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134Running OVAL Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135OVAL Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

OVAL Settings and Schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136

OVAL Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

Creating Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139Enforce Internet Explorer Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139Enforce XP SP2 Firewall Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140

Administrator Guide for KBOX 1000 Series, version 3.3 iv

Enforce Disallowed Programs Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141Enforce McAfee AntiVirus Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142McAfee SuperDAT Updater . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143Enforce Symantec AntiVirus Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143Quarantine Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144Lift Quarantine Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145

Ch. 11 User Portal and Help Desk . . . . . . . . . . . . . . . . . . . . . . . . . 146

Overview of the User Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147End user view of the User Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147Administrator view of the User Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

Understanding the Software Library feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149Creating a software library to deploy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

Using the Knowledge Base . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151Adding Knowledge Base articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151Editing and deleting Knowledge Base articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152

Managing Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153Adding users manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153Adding users automatically . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154LDAP Browser Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155Importing users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

Overview of the Help Desk Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159

Configuring basic Help Desk settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160

Customizing Help Desk fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162

Creating and editing Help Desk Tickets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166Submitting Help Desk tickets through email . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167Editing Help Desk tickets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167Searching Help Desk tickets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168

Managing Help Desk tickets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169Understanding the escalation process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169About the satisfaction survey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170

Running Help Desk Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

Ch. 12 Server Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

KBOX 1000 Series maintenance overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174

Backing up KBOX 1000 Series data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174Backing up KBOX 1000 Series manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174Downloading backup files to another location. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

Restoring KBOX 1000 Series Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176Restoring from most recent backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176Uploading files to restore settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176

Updating KBOX 1000 Series software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177Verifying minimum server version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177Updating the license key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177Applying the server update. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178Verifying the update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178Rebooting and shutting down KBOX 1000 Series appliance. . . . . . . . . . . . . . . . . . . . . 178

Administrator Guide for KBOX 1000 Series, version 3.3 v

Updating OVAL definitions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

Troubleshooting the KBOX 1000 Series . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180Accessing KBOX 1000 Series logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180Downloading log files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180Understanding disk log status data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

Ch. 13 Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183

KBOX 1000 Series Reports overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184Types of Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185Running Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190Creating and editing reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190

Alert Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193Creating alert messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193

Email Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194Creating Email Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

KBOX 1000 Series Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195Client Check-In Rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195Distributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196Software Threat Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197License Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197KBOX Network Load . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198Managed Operating Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198Computer statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199Software statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199Software Distribution Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199Alert Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199Patch Bulletin Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200OVAL Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200Network Scan Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200

LDAP Browser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201

Appendix A Adding steps to a Task . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203

Steps for Task sections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204

Appendix B Database tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209

KBOX 1000 Series database tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210

Appendix C Manual Deployment of KBOX Agent . . . . . . . . . . . . . . . . . . . 216

Manual Deployment of KBOX Agent on Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . 217Installing and Configuring the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217Upgrading the KBOX Agent. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217Removing the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217Verifying Deployment of the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217

Manual Deployment of KBOX Agent on Solaris . . . . . . . . . . . . . . . . . . . . . . . . . 219Installing and Configuring the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219Upgrading the KBOX Agent. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219

Administrator Guide for KBOX 1000 Series, version 3.3 vi

Removing the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219Verifying Deployment of the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220

Manual Deployment of KBOX Agent on Macintosh . . . . . . . . . . . . . . . . . . . . . . 221Installing and Configuring the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221Upgrading the KBOX Agent. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221Removing the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222Verifying Deployment of the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222

Appendix D Agent Customization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224

Agent Customization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225

Appendix E Warranty, Licensing, and Support . . . . . . . . . . . . . . . . . . . . . . 227

Warranty and Support Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228

Administrator Guide for KBOX 1000 Series, version 3.3 vii

P R E F A C E

About this guideThis chapter provides an overview of this Administrator Guide and provides links to other resources you might find helpful in administering your KBOX 1000 Series appliance.

“How this guide is organized,” on page ix

“Additional resources,” on page x

“Contacting Support,” on page x

iii

How this guide is organizedThis Administrator Guide is designed to provide all of the information that you’ll need to install configure and deploy the KBOX 1000 Series appliance. This guide is organized into the following top-level section:

Orientation and Setup

Chapter 1,“Getting Started with KBOX 1000 Series,” starting on page 1

Chapter 2,“Agent Provisioning,” starting on page 14

Chapter 3,“Inventory,” starting on page 26

Chapter 4,“Asset Management,” starting on page 56

Chapter 5,“IP Scan,” starting on page 66

Chapter 6,“Distribution,” starting on page 71

Configuration

Chapter 7,“Wake-on-LAN,” starting on page 98

Chapter 9,“Patching,” starting on page 123

Chapter 8,“Scripting,” starting on page 102

Chapter 10,“Security,” starting on page 132

Maintenance and Support

Chapter 11,“User Portal and Help Desk,” starting on page 146

Chapter 12,“Server Maintenance,” starting on page 173

Reference

Chapter 13,“Reporting,” starting on page 183

Appendix A,“Adding steps to a Task,” starting on page 203

Appendix B,“Database tables,” starting on page 209

Appendix C,“Manual Deployment of KBOX Agent,” starting on page 216

Appendix D,“Agent Customization,” starting on page 224

Appendix E,“Warranty, Licensing, and Support,” starting on page 227

In addition, the symbol to the left denotes an item of interest. These include common configuration questions, specific KBOX behavior, or items that deserve particular attention.

Administrator Guide for KBOX 1000 Series, version 3.3 ix

\\kace\corporateshare\setup.exe

ConventionsThis guide uses the following formatting conventions.

Additional resourcesIn addition to this Administrator Guide, KACE also provides the following resources to assist you in installing, configuring, and maintaining the KBOX 1000 Series.

Silent Mode Installation Tips and Tricks - http://www.kace.com/support/customer/doc/SilentInstallationWhitepaper.pdf

Installation and Scripting resources - http://www.kace.com/support/customer/additional_resources.php

Tutorial Videos - http://www.kace.com/support/customer/training.php

Contacting SupportAt KACE, customers are our highest priority, and we structure our support policies and procedures accordingly. Your purchase of the KBOX 1000 Series includes software updates, telephone support, and access to an on-line support portal, which includes:

The most up-to-date software and documentation

Knowledge base of frequently asked questions

Details on the most common software package installation switches

Other IT management information.

The KACE support team is dedicated to helping you make the most efficient use of your KBOX 1000 Series appliance for your organization. KACE and KACE Certified Partners can help you get the most out of your KBOX 1000 Series appliance with the KBOX™ JumpStart Program and KACE Professional Services.

Format Description

Bold Represents buttons, tab labels, and menu selec-tions.

| (pipe) Separates multiple selections. For example, Inventory | Software.

Table 1-1: Formatting Conventions

A user name and password may be required to access these resources.

Administrator Guide for KBOX 1000 Series, version 3.3 x

http://www.kace.com/support/customer/doc/SilentInstallationWhitepaper.pdf

http://www.kace.com/support/customer/doc/SilentInstallationWhitepaper.pdf

http://www.kace.com/support/customer/additional_resources.php

http://www.kace.com/support/customer/additional_resources.php

http://www.kace.com/support/customer/training.php

[email protected]

The KBOX 1000 Series JumpStart ProgramThe KBOX 1000 Series JumpStart Program guarantees that your KBOX 1000 Series appliance will be properly installed and configured for your environment. With the JumpStart Program, you and your team will get custom-tailored, hands-on training to immediately get the maximum value from your investment, with the least amount of time committed from your team.

The KBOX 1000 Series JumpStart Program includes:

Installation Assistance - Install and configure your KBOX™ 1000 Series appliance; Network scan; learn best practices for use of the KBOX 1000 Series appliance in your environment.

Deployment Assistance - Your custom rollout plan includes deployment up to 150 KBOX Agent agents on your network.

SW Distribution & Patch Management Assistance - Customized training and one managed installation created.

Advanced topics - LDAP or Active Directory integration; ODBC integration with your standard reporting tools.

Additional Module training - additional set-up and training is provided for each KBOX 1000 Series module you purchase.

To learn more about support services, contact KACE customer support.

KACE Professional ServicesDelivered by a KACE Partner or KACE engineers, professional services can help you improve your organization's IT efficiency, compliance and security. Professional services are custom tailored to meet your needs. Some common KBOX 1000 Series services include but are not limited to:

Custom script development

Custom software packaging

Application integration

Advanced training

Security audit analysis

Advanced installation and KBOX Agent deployment

Managed services.

To learn more about professional services, contact your Kace account manager.

Administrator Guide for KBOX 1000 Series, version 3.3 xi

http://www.kace.com/partners/list.php

1

C H A P T E R 1

The KBOX 1000 Series appliances are easy-to-deploy Systems Management Appliances that deliver all of the powerful features you would expect from a distribution management system and more. This chapter provides guidance on installing and setting up the KBOX 1000 Series appliance to work in your environment.

“Introduction to KBOX 1000 Series,” on page 2

“Setting Up Your New KBOX server,” on page 4

“Setting up your first KBOX Agent,” on page 6

“Alternative Deployment Options,” on page 9

“Key Configuration Settings,” on page 10

Getting Started with KBOX 1000 Series

Introduction to KBOX 1000 SeriesIn general, the administrative operation of the KBOX 1000 Series system management appliance is intuitive and user friendly; however, a review of the basic procedures will likely help new users avoid common pitfalls and internalize KBOX 1000 Series best practices for software management. This section provides an introduction to the components and concepts of your KBOX 1000 Series appliance, and provides an overview of the KBOX 1000 Series workflow for total software management.

Solution ComponentsThe KBOX 1000 Series solution is comprised of four primary points of human interface:

The Box - The KBOX 1000 Series Systems Management Appliance itself is a high-performance server including (depending on configuration) dual on-board Xeon processors, dual NIC controllers, 1 GB of memory (or more), 3 X 150 GB hard drives (or more) with on-board RAID I support and on-board nightly back up.

Administrator Console - The administrator console is a web-based interface that systems administrators use to access and direct the functionality and capabilities within the KBOX 1000 Series. The administrator console supports five primary tasks: Inventory Management, Software Distribution, User Portal, Reporting and, KBOX Settings. Depending on your KBOX 1000 Series configuration you may also have Asset, Scripting, Security, and Help Desk tabs. These are add-on modules. For more information contact the KACE sales team at [email protected] or via phone at 1-888-522-3638.

User Portal - The User Portal provides an innovative method for administrators to make software titles available to users on a self-service basis. The end-user portal is not intended to replace traditional push software distribution (as is handled by the Administrator Console and the KBOX Agent). However, the User Portal provides an elegant repository for software titles that are not required by all users. If you have installed the optional Help Desk module, the User Portal also provides a way for users to submit and track help desk tickets.

KBOX Agent - The KBOX Agent is the KBOX 1000 Series technology that sits on each desktop that the KBOX 1000 Series manages. The KBOX Agent includes an application component that manages downloads, installations, and desktop inventory. The KBOX Agent also includes the KBOX Agent Management Service that initiates scheduled tasks such as inventory or software update tasks.

Organizational ComponentsKACE Networks recognizes that a large part of IT management is tied into data management. As such, KBOX 1000 Series supports a flexible data model for managing computers, software, users and license keys:

LDAP Support - The KBOX 1000 Series includes the ability to auto-discover information via the KBOX Agent or to interface with Active Directory or LDAP organizational units.

Filters - Filters enable administrators to manage computers and users based on specified filter criteria.

Labels - The KBOX 1000 Series offers advanced labeling capability that puts ad-hoc organizational capabilities in the hands of the software administrator.

Administrator Guide for KBOX 1000 Series, version 3.3 2



Software Deployment ComponentsThe KBOX 1000 Series supports several types of distribution packages including:

Managed Installations can be configured by the administrator to run silently or in the forefront of the user’s desktop view. Within a “Managed Installation Definition” the administrator can define install, uninstall, or command-line parameters. See “Managed Installations,” on page 74 for detailed information on Managed Installations.

File Synchronization is a different way to distribute content to computers with the KBOX agent software. Unlike Managed Installations, File Synchronization is used to distribute files that needs to be placed on a users’ machine without running an installer.See “File Synchronizations,” on page 89 for detailed information on File Synchronization.

User Portal Packages are earmarked by administrators for user self-service. Many KACE customers use the portal for handling occasional use applications, print drivers and so on. You also can use the User Portal to resolve Help Desk issues by allowing users to download and install fixes. See “Overview of the User Portal,” on page 147 for detailed information on User Portal Packages.

KBOX Agent is a special tab in the interface for managing the KBOX Agent. See the Chapter 2,“Agent Provisioning,” starting on page 14 for details on how to configure and carry out these tasks.

The sections that follow describe how to configure the KBOX 1000 Series to meet the needs of your organization.


Setting Up Your New KBOX serverWhile setting up your new KBOX server, perform the following steps.

1. Unpacking the Appliance

Make sure that the box in which the appliance was shipped is unpacked and is undamaged in any way. The box should include one set of inner and outer rail assemblies and the mounting screws that you need to install the system into the rack.

2. Updating DNS

The KBOX requires its own static IP address. By default, the KBOX will have a hostname of “kbox.” It is highly recommended that you create a record for kbox in your domain corresponding to its static IP before starting the server and client configuration.

3. Setup Location

Determine the placement of the appliance in the rack before you install the rails. The appliance should be situated in a clean, dust-free, and well ventilated area. Avoid areas where heat, electrical noise, and electromagnetic fields are generated. Place the appliance near a grounded power outlet. Use a regulating uninterruptible power supply (UPS) to protect the server from power surges, voltage spikes and to keep your system operational in power failures. Leave approximately 30 inches of clearance in the back of the rack for sufficient airflow and ease in servicing.

4. Server Network Configuration

Attach a power cord, keyboard, and monitor, but do not connect a network cable at this time. Turn on the KBOX. The first time boot may require 5 to 10 minutes. At the login prompt enter:

Login: konfig

Password: konfig

Using UP and DOWN arrows, modify the static IP address, subnet mask, default gateway, and DNS settings to match your network.

Field Suggested Value Notes

KBOX Server (DNS) Hostname

Web Server Name

Defaults to kbox

Defaults to kbox

It is recommended that you add a static IP entry for “kbox” to your DNS, and use the default Hostname and Web Server Name. The fully-qualified domain name of the KBOX on your network is the value of Hostname concatenated with Domain (for example, kbox.kace.com). Clients will connect to KBOX using the Web Server Name, which can be the hostname, fully-qualified domain name, or IP address (for example, kbox).

Static IP Address The IP address of the KBOX server

lDomain The domain that the KBOX is on

Defaults to corp.kace.com

Subnet mask Your subnet mask Defaults to 255.255.255.0

Default gateway The network gate-way for the KBOX server


5. After entering all values, click Apply. Then reboot the KBOX.

Log in to confirm web access to the KBOX

While the KBOX reboots, plug the Ethernet cable into the port closest to the KBOX power supply, and connect it to a router or hub on your network. Verify the KBOX is now online by browsing to http://kbox/admin on another computer. If this URL doesn’t open KBOX, try http://defaultip/admin, where default ip is the static IP address that you have assigned to the KBOX.

After accepting the EULA (End User License Agreement), log in using the credentials admin/admin. If you can access the KBOX Management Center successfully, it indicates that the KBOX network settings are entered correctly.

Primary DNS The primary DNS server the KBOX should use to resolve hostnames


Setting up your first KBOX AgentIn order for workstations of servers in your environment to connect to the KBOX, they must have the KBOX agent software installed. In this section, you’ll learn how to use the KBOX to install the agent software on a machine in your environment through the KBOX interface.

1. To enable Agent Provisioning functionality:

a To go to the KBOX Management Center Web page, go to http://kbox/admin in your web browser. On the KBOX Management Center Web page, click Settings | Network.

b The KBOX Settings: Network page appears. Fields are grayed out. Click Edit Mode to edit the field values.

c Under Optional File Share Settings at the bottom of the Web page, select the File Share Enabled check box for Agent Provisioning to work from the KBOX.

d Click Apply. On clicking Apply, the KBOX will be restarted and you will lose connection to the KBOX.

2. To set up a Provisioning Configuration for a Windows PC:

a To go to the KBOX Management Center Web page, go to http://kbox/admin in your web browser. On the KBOX Management Center Web page, click Distribution | KBOX Agent.

b Click Provisioning Setup. The Provisioning Setup page appears.

c In the Choose action box, select Add New Item.

d Under Windows Platform Provisioning Settings, select the Provision this platform check box.

e Enter the suggested values in the corresponding fields, as shown in the following table. For more detailed information on all of the options available and detailed instructions, refer to the chapter Agent Provisioning.


Config Friendly Name

My First KBOX agent installation

This is the identifying name that you will see in lists of available configurations.

Provision IP Range Enter the IP of a Windows PC that you have access to

Your own PC would be a great example, but you can choose any machine that is accessible on the network and for which you have administrative credentials.

Under “Windows Network Administrative Credentials”

Domain (or work-group)

The domain or work-group associated with the credentials you are using

User name An administrative account with access to the target machine

The installation requires an account with administrative privileges to work. Generally, this will be a domain administrator but it could also be a local administrator account.


f Click Save to save the new configuration.

3. To set up a Provisioning Configuration for a Linux, Macintosh, or Solaris PC:

a To go to the KBOX Management Center Web page, go to http://kbox/admin in your web browser. On the KBOX Management Center Web page, click Distribution | KBOX Agent.

b Click Provisioning Setup. The Provisioning Setup page appears.

c In the Choose action box, select Add New Item.

d Under Unix (Linux, MacOSX, Solaris) Platform Provisioning Settings, select the Provision this platform check box.

e Enter the suggested values in the corresponding fields, as shown in the following table. For more detailed information on all of the options available and detailed instructions, refer to the chapter Agent Provisioning.

f Click Save to save the new configuration.

4. To Provision your machine:

a On the resulting page, you can see the name of the Provisioning Configuration you just created and saved. Select the check box next to your Provisioning Configuration, and then select Run Select Configurations Now in the Choose action box.

b The resulting page displays the machine that you have selected to receive the agent. On clicking the Refresh button at the bottom of the page, you can see the column under DNS Lookup update from (unknown) to In progress… to the IP or hostname when it has completed installing.

5. To verify your agent has checked in to the KBOX:

a After the installation is completed, the new KBOX agent checks into the KBOX within two minutes, at which time it will provide inventory information about the machine and its software to the KBOX.

Password The password for the account entered above


Config Friendly Name

My First KBOX agent installation

This is the identifying name that you will see in lists of available configurations.

Provision IP Range Enter the IP of a Linux, Macintosh, or Solaris PC that you have access to

Your own PC would be a great example, but you can choose any machine that is accessible on the network and for which you have administrative credentials.

Under “Network Root Credentials”

User name An administrative account with access to the target machine

The installation requires an account with administrative privileges to work. Generally, this will be a domain administrator but it could also be a local administrator account.

Password The password for the account entered above


b Click Inventory at the top of KBOX Management Center Web page to see a list of machines that have checked in to the KBOX. The most recent machine that has checked in will be at the top of the list, so you should see the hostname of your installed agent.

6. After following the steps above, you should now have one KBOX agent installed and checking in to the KBOX successfully. You could deploy multiple machines simultaneously by creating a configuration that identifies an IP range rather than a single IP.

For more detailed information on different options and other platforms, refer to the Chapter 2,“Agent Provisioning,” starting on page 14.


Alternative Deployment OptionsKBOX 1000 Series customers have successfully deployed the KBOX Agent using many different approaches. In addition to installing clients through KBOX Agent Provisioning as outlined above, other approaches are outlined below. For these options or to install manually on the local machine, you can find the installer files for all supported platforms on the KBOX (if you have enabled the file share) at \\kbox\client\agent_provisioning\.

Email:An email notification may be sent to your users either containing the install file itself or pointing to the KBOX 1000 Series or other Web location to retrieve the required installation file. Users can click on the link and install the appropriate file.

Log-in Script:Some companies use log-in scripts that provide a great mechanism for deploying the KBOX Agent at login time. If you use log-in scripts, simply post the appropriate file in an accessible directory and create the appropriate script for KBOX Agents to retrieve the file at log-in time.

Below is a sample Windows login script which checks for the presence of Microsoft’s .NET framework on the client machine, and installs the appropriate components in order to deploy the KBOX Agent:

----------------------------------------------------------------------------------------------------@echo offif not exist "%windir%\microsoft.net" goto neednetecho .NET already installed.goto end :neednet start /wait \\location\ dotnetfx.exe /q:a /c:"install /l /q" :end if not exist "C:\Program Files\KACE\KBOX" goto needkbox echo KBOX Agent already installed. goto end :needkbox MsiExec.exe /qn /l* kbmsi.log /I \\location\KInstallerSetupSilent.msiALLUSERS=2 :end-----------------------------------------------------------------------------------------------


Key Configuration SettingsBefore you begin inventorying and actively managing the software on your network, it is important to properly configure the server. You may also want to look at the Agent Provisioning chapter for details on agent connection settings.

Configuring General settingsThis section covers the general server configuration settings you should modify before you begin using your KBOX 1000 Series appliance on your network.

To configure General Server settings:

1. Select Settings | General.

The KBOX Settings: General page appears. If fields are grayed out, you may need to click [Edit Mode] before you can edit the field values.

2. In the General Options area, specify the following settings:

3. Click Set Options, to save your changes.

4. In the Clock Settings area, verify that the clock is set to the correct time, then click Set Date and Time.

It is very important to keep the time of the KBOX 1000 Series accurate, as most time calculations are made on the server and is used in the Inventory tab to reflect when computers have checked into the KBOX 1000 Series. For more information, see Chapter 3,“Inventory,” starting on page 26. Note that changing the server time will require the Web server to re-initialize. This may disrupt KBOX 1000 Series operation for 10 to 15 seconds.

Company-Institution Name

Enter the name of your com-pany.

This name appears in any pop-up windows or alerts displayed to your users.

Organization Name Enter the name of your divi-sion or organization.

User Email Suffix Enter the domain to which your users send email.

For example, kace.com.

Administrator Email Enter the email address of the KBOX 1000 Series administra-tor.

This address will receive system-related alerts, including any critical messages.

Send crash report to KACE

Select this check box to send a report to KACE in the event of a KBOX 1000 Series crash.

This option is recommended, since it pro-vides additional information to the Kace technical support team in case you need assistance.

Enable KACE Soft-ware Lookup Service (SLS)

Select this check box to be able to access online data about common software appli-cations and how to deploy/remove them and share anon-ymous information about the software on machines in your environment.


5. Select the appropriate time zone from the drop-down list, then click Adjust Time Zone.

6. In the Logo Overrides area, specify the images to display in the following areas, then click Upload Logos:

7. Machine Actions allow you to define one-click actions to carry out against KBOX Agent machines. To customize which action will be carried out, choose an action next to either Action #1 or Action #2, then click Set Actions to save the changes.

You can run these Machine Actions by clicking either (Machine Action 1) or (Machine Action 2) next to the computer record on the Inventory | Computers tab. For more information, see “Overview of the Inventory Feature,” on page 27.

8. In the Network Scan Options, select the Show unreachable devices in scan inventory check box if desired, then click Set Scan Options.

9. In the Optional Ignore Client IP Setting, enter any IP addresses you would like ignored as the client IP and then click Save List. This might be appropriate in cases where multiple machines could report themselves with the same IP address, like a proxy address.

Configuring KBOX Network settingsThe key KBOX network settings were mostly configured when you first logged into the KBOX using the konfig/konfig credentials, but an administrator can verify or change the settings at any time on the KBOX 1000 Series.

When updating the time zone, the KBOX 1000 Series Web Server will be restarted in order for it to reflect the new zone information. Active connections may be dropped during the restart of the Web server. You may need to manually refresh this page in the browser in order to display the new zone settings.

User Portal Appears at the top of the User Portal page.

Report Appears at the top of reports generated by the KBOX 1000 Series.

KBOXClient Appears in the KBOX Agent.

Any changes made to the Network settings on this page will force the KBOX to reboot after saving. Total reboot downtime should be 1 to 2 minutes provided that the changes result in a valid configuration.


To configure KBOX network settings:

1. Select Settings | Network.

The KBOX Settings: Network page appears. Fields are grayed out. Click [Edit Mode] to edit the field values.

2. Under the Optional Network Time settings, indicate whether the KBOX should consult a Network Time Server and what the server’s hostname is.

3. In the Optional Proxy Settings area, specify the following proxy settings, if necessary:

Specify the proxy type, either HTTP or SOCKS5 in the Proxy Type list.

Specify the name of the proxy server in the Proxy Server field.

Specify the port for the proxy server, the default port is 8080 in the Proxy Port field.

Select the Proxy (Basic) Auth check box to use the local credentials for accessing the proxy server.


KBOX Server (DNS) Hostname

kbox As noted above, we recommend adding a static IP entry for “kbox” to your DNS, and using the default Hostname and Web Server Name. The fully-qualified domain name of the KBOX on your network is the value of Hostname concat-enated with Domain (for example, kbox.kace.com). Clients will connect to KBOX using the Web Server Name, which can be the hostname, fully-qualified domain name, or IP address (for example, kbox).

KBOX Web Server Name

Static IP Address The IP address of the KBOX server

Be extremely careful when changing this set-ting. If the IP is entered wrongly, the KBOX could become difficult to locate on the net-work.

Domain The domain that the KBOX is on

Defaults to corp.kace.com

Subnet mask Your subnet mask Defaults to 255.255.255.0

Default gateway Your default gateway

Primary DNS The primary DNS server the KBOX should use to resolve hostnames

Secondary DNS The secondary DNS server the KBOX should use to resolve hostnames

The secondary DNS server is optional.

Network Speed Your network speed

SMTP Server To enable email notifica-tions through an external SMTP server, set the server name here.

The server named here must allow anonymous (non-authenticated) outbound mail transport.

SSH enabled Unchecked It is more secure to leave this option turned off unless Kace technical support needs remote access to the KBOX.


Specify the user name for accessing the proxy server in the Proxy Username field.

Specify the password for accessing the proxy server in the Proxy Password field.

4. In the Optional SSL Settings area, specify the following SSL settings, if desired:

a Select the SSL Enabled on port 443 check box to have clients check in to the KBOX server using https.

A properly signed SSL Certificate is required to enable SSL. Certificates should be supported by a valid Certificate Authority. SSL settings should only be adjusted after you have properly deployed the KBOX 1000 Series on your LAN in non-SSL mode. If you are enabling SSL, you will need to identify the correct SSL Private Key File and SSL Certificate File.The files must be in Privacy Enhance Mail (PEM) format, similar to those used by Apache-based Web servers and not in the PCKS-12 format used by some Web servers. It is possible to convert a PCKS-12 certificate into a PEM format using software like the OpenSSL toolkit. Please contact KACE Technical Support if you wish to enable SSL on you KBOX.

b Clear the Enable port 80 access check box.When you activate SSL, port 80 will continue to be active, unless you uncheck this option. By default, the standard KBOX Agent installers will attempt to contact the KBOX via port 80, then switch to SSL over port 443, after getting the server configuration. If you disable port 80, you will need to contact KACE support to adjust the agent deployment scripts to handle SSL. For ease of agent deployment, leaving port 80 active is suggested.

c In the Set SSL Private Key File field, browse for the SSL Private Key file. To enable SSL, you need to identify the correct SSL Private Key file.

d In the Set SSL Certificate File field, browse for the signed SSL Certificate. To enable SSL, a signed SSL Certificate is required.

5. In the Optional File Sharing Settings area, turn on the server’s File Share by selecting the File Share Enabled check-box. The default password for this share is admin. Files in this share are available at \\kbox\client\. Typically, this is used to access agent provisioning files. If you are not provisioning clients, it is recommended that you leave this option disabled.

6. In the Optional Security Settings area, specify the following security settings:

a Clear the Enable backup via ftp check box.Nightly the KBOX creates a backup of the database and the files stored on it. By default, the KBOX allows you to access these files via a read-only ftp server. This would allow you to create a process on another server that pulls this information off the physical KBOX. If you do not need this feature and would prefer to disable the FTP server, you can turn off this option.

b Clear the Enable SNMP monitoring check box.SNMP is a network / appliance monitoring protocol that supported by many third party products. If you do not want to expose the KBOX SNMP data, turn off this option.

c Clear the Enable database access check box.The KBOX database is accessible via port 3306, to allow you to run reports via an off board tool like Access or Excel. If you do not need to expose the database in this way, you can uncheck this option.

7. In the Network Utilities area, select the desired network utility option from the drop-down list, and then click Test.

8. Click Apply to save any settings on this page, at which time the KBOX will reboot.


14

C H A P T E R 2

The Agent Provisioning feature enables you to install the KBOX agent on machines in your environment directly from the KBOX. You could deploy multiple machines si-multaneously by creating a configuration that identifies an IP range rather than a single IP. The procedure for Agent Provisioning varies for Windows and non-Windows oper-ating systems.

This chapter contains the following sections:

“Single Machine Provisioning,” on page 15

“Provisioning Setup,” on page 16

“Provisioning Results,” on page 21

“KBOX Agent Settings,” on page 22

“KBOX Agent Update,” on page 24

Agent Provisioning

Single Machine ProvisioningSingle Machine Provisioning provides an easy way for first time deployment of KBOX Agent Technologies to target managed computers.

It assumes some default values for settings such as TCP ports, Time outs, KBOX sever name, etc.

To quickly deploy KBOX Agent Technologies on a single machine:

1. Select Distribution | KBOX Agent. The KBOX Agent Distribution & Management page appears.

2. Click Single Machine Provisioning. The Single Machine Provisioning page appears.

3. Enter the details as shown in the following table.

4. Click Run Now to first save the current configuration with a default name as Simple configuration - IP Address and immediately run the configuration against the targeted IP.

Target IP Enter the IP address of the target machine.

Action Click Install Agent to install the Agent or click Remove Agent to remove the Agent.

Platform Click the appropriate platform.

KBOX Agent Version This field displays the KBOX Agent version number.

Domain (or Workgroup) Enter the domain or workgroup name associated with the cre-dentials you enter below.Note: This field is available only if the platform selected is Win-dows.

User Name (admin level) Enter a username that will have the necessary privileges to install on the targeted machines.

Password Enter the password for the account listed above.


Provisioning SetupKBOX Agent Provisioning provides a method for the first time deployment of KBOX Agent software to targeted computers. A provisioning configuration identifies one or more IP addresses for the first time deployment or removal of the KBOX Agent. The target IP address is tested for the existence of an agent and if none, will execute a remote install of the agent directly from the KBOX.

The provisioning installers are located on the KBOX in the following network share:

\\KBOX\client\agent_provisioning

where "KBOX" is defined as the hostname of your KBOX (e.g. "kbox" by default);

The provisioning files are located in their respective "platform" subdirectories (e.g. Windows files located in the "windows_platform" directory).

IMPORTANT: To activate provisioning functionality you must enable the KBOX's file share via the Network Settings Page. Additionally, for the Windows target platform the following must be configured:

On Windows XP, "Simple File Sharing" must be turned off. KBOX Provisioning requires standard file sharing with its associated security model. Having "Simple File Sharing" enabled could cause a "LOGON FAILURE" as simple file sharing does not support administrative file shares and associated access security.

If Windows Firewall is turned ON, "File and Print Sharing" must be enabled in the Exceptions list of the Firewall Configuration.

By default the KBOX will verify the availability of ports 139 and 445 on each target machine before attempting to execute any remote installation procedures.

You can choose either Auto Provisioning or Manual Provisioning. Auto Provisioning allows you to provide target IP Range for Provisioning. Manual Provisioning allows you to enter IPs manually and also pick up machines from IP Scan and Inventory.

To Add a New Item to Provisioning Setup using Auto Provisioning:


2. Click Provisioning Setup. The Provisioning Setup page appears.

3. In the Choose action box, select Add New Item. The Provisioning Configuration page appears.

4. Under the General Settings area, select the Auto Provisioning option.

5. Enter the general settings details as shown in the following table.

Config Friendly Name Enter a name for your agent provisioning configuration. Make sure that your configuration names are very specific so that you can differentiate between different configurations.

Provisioning IP Range Enter IP or IP range. Use hyphens to specify individual IP class ranges, for example, 192 168 2-5 1-200.

Configuration Enabled Select this check box to enable the configuration.

KBOX Server Name By default, this is the name of the KBOX you are provisioning agents from. Under normal circumstances, there would be no reason to change this value. If you have multiple KBOX servers, then you could enter another KBOX server name here.

DNS Lookup Enabled Select this check box to enable DNS lookup.


6. If the targeted machine(s) are operating on the Windows platform, then enter details as shown in the following table.

If the targeted machines are operating on the Linux, Macintosh, or Solaris platform, then enter details as shown in the following table.

Name Server for Lookup This field will default to the DNS server that the KBOX has entered as its primary DNS server under Network settings. Enter the name of another DNS server here, if needed.

Lookup Time Out Enter the time period after which a DNS lookup will time out

Provision this platform Select this check box.


Agent Identification Port The agent identification port is a port that installed agents would already have open and in use, indicating that we should not try to install the agent again. By default that port number is 52230. If you are using a different port number for this, you can change the port number listed here.

Required open TCP Ports Enter the list of required open TCP ports. These are the ports the KBOX will use to access the target machine for installation of the KBOX Agent.

Port Scan Time Out Enter a time period in seconds.

Bypass Port checks Select this check box to avoid port checks. Selecting this indi-cates that the KBOX should simply try to install, without check-ing ports listed above.

Enable Debug Info Select this check box to enable debug info. By enabling this check box more debug info will be displayed in the machine’s provisioning results.

Remove KBOX Agent Selecting this check box reverses the logic of this provisioning config, indicating you will use it to remove the KBOX agent from machines rather than installing those agents.

Remove Config.xml file Select this check box to remove the Config.xml file while remov-ing the Agent.

Domain (or Workgroup) Enter the domain or workgroup name associated with the credentials you enter below.

User Name (Admin level) Enter a username that will have the necessary privileges to install on the targeted machines.






7. Under Scheduling, select the appropriate check box and schedule to run the configuration. By choosing a regular schedule, the KBOX will periodically check machines in this IP range to make sure that they have the KBOX agent and install/reinstall as appropriate.

8. To save the Provisioning Configuration, click Save. On clicking Save, the Provisioning Results page appears. You can also click Run Now to save the current configuration and immediately run the configuration against the defined IP range. To cancel the configuration, click Cancel.

You can also deploy the KBOX agent manually. For more information on the manual deployment of the KBOX agent on Linux, Solaris, and Macintosh, see Appendix C,“Manual Deployment of KBOX Agent,” starting on page 216.

To Add a New Item to Provisioning Setup using Manual Provisioning:


2. Click Provisioning Setup. The Provisioning Setup page appears.

3. In the Choose action box, select Add New Item. The Provisioning Configuration page appears.

4. Under the General Settings area, select the Manual Provisioning option.

5. Enter the general settings details as shown in the following table.

Bypass Port Checks Select this check box to avoid port checks. Selecting this indi-cates that the KBOX should simply try to install, without check-ing ports listed above.


User Name (admin level) Enter a user name that will have the necessary privileges to install on the targeted machines.


Deleting a configuration will delete all associated target machines in the provisioning inventory list. Altering or updating a configuration will reset the data in the associated target machine list to the default settings until the subsequent provisioning run.

Config Friendly Name Enter a name for your agent provisioning configuration. Make sure that your configuration names are very specific so that you can differentiate between different configurations.

Target IPs Enter the IP address of the target machine or click Help me pick machines.

Provisioning IP Range Enter IP or IP range. Use hyphens to specify individual IP class ranges, for example, 192 168 2-5 1-200.Click Add All to add all machines in the specified range.

IP Scan Computers From the IP Scan Computers drop-down list, select a machine to add to the Target IPs list. This drop-down list is populated from the Network Scan Results. You can filter the list by entering any filter options. Click Add All to add all machines displayed in the list.


6. If the targeted machine(s) are operating on the Windows platform, then enter details as shown in the following table.

Inventory Computers From the Inventory Computers drop-down list, select a machine to add to the Target IPs list. This drop-down list contains all the computers in the inventory. You can filter the list by entering any filter options. Click Add All to add all machines displayed in the list.

Configuration Enabled Select this check box to enable the configuration.

KBOX Server Name By default, this is the name of the KBOX you are provisioning agents from. Under normal circumstances, there would be no reason to change this value. If you have multiple KBOX servers, then you could enter another KBOX server name here.

DNS Lookup Enabled Select this check box to enable DNS lookup.

Name Server for Lookup This field will default to the DNS server that the KBOX has entered as its primary DNS server under Network settings. Enter the name of another DNS server here, if needed.

Lookup Time Out Enter the time period after which a DNS lookup will time out.



Agent Identification Port The agent identification port is a port that installed agents would already have open and in use, indicating that we should not try to install the agent again. By default that port number is 52230. If you are using a different port number for this, you can change the port number listed here.




Enable Debug Info Select this check box to enable debug info. By enabling this check box more debug info will be displayed in the machine’s provisioning results.


Remove Config.xml file Select this check box to remove the Config.xml file while removing the Agent.

Domain (or Workgroup) Enter the domain or workgroup name associated with the credentials you enter below.

User Name (admin level) Enter a username that will have the necessary privileges to install on the targeted machines.



7. If the targeted machines are operating on the Linux, Macintosh, or Solaris platform, then enter details as shown in the following table.

8. Under Scheduling, select the appropriate check box and schedule to run the configuration. By choosing a regular schedule, the KBOX will periodically check machines in this IP range to make sure that they have the KBOX agent and install/reinstall as appropriate.

9. To save the provisioning configuration, click Save. On clicking Save, the Provisioning Results page appears. You can also click Run Now to save the current configuration and immediately run the configuration against the defined IP range. To cancel the configuration, click Cancel.






User Name (admin level) Enter a user name that will have the necessary privileges to install on the targeted machines.


Deleting a configuration will delete all associated target machines in the provisioning inventory list. Altering or updating a configuration will reset the data in the associated target machine list to the default settings until the subsequent provisioning run.


Provisioning ResultsProvisioning Results shows you a list of computers which match Agent Provisioning Configurations that you currently have. This list could include machines that have had the Agent installed or which have been discovered by the Configuration. You can view target provisioning and configuration information.

Target info results from the most recent provisioning configuration run or execution. Provisioning execution targets the various IP addresses and for each target (node) the execution evaluates the IP addresses availability, agent status, port configuration, etc. The results and logs of each provisioning step are displayed.

To View Provisioning Results:


2. Click Provisioning Results. The Provisioning Results page appears.

3. To view provisioning target information and provisioning configuration information, click the IP Address of the required machine. The KBOX Agent Provisioning page appears.

4. You can view computer inventory by clicking computer inventory under Provisioning Target Info. For more information on computer inventory, see “Adding computers to inventory,” on page 37.

5. To view the DNS lookup details, click the required DNS Lookup on the List Page. If selected, live addresses will be checked against the DNS server to see if they have agent provisioning configured.

You can take print outs of this page. Click Printer Friendly Version to see a print view of the page.


KBOX Agent SettingsThe KBOX Agent Settings options configure the KBOX to properly operate in your computing environment. These options specify how often the client runs on the user desktop and within that run how often a full desktop computer inventory is performed.

The "KBOX Agent" options specify how often a KBOX Agent will check in to the KBOX and how often that agent will perform a full computer inventory. For example, a default Run Interval of 30 minutes means that those computers with KBOX Agents installed will check in to the KBOX 1000 Series appliance every 30 minutes.

To Configure KBOX Agent:


2. Click KBOX Agent Settings. The KBOX Agent Settings page appears showing your current agent setting details. These settings are what control the schedule and frequency of your KBOX agents checking in.

3. To edit agent settings, click [Edit Mode]. The KBOX Agent Settings page appears in edit mode.

4. Specify the following agent options

Field Suggested Setting Notes

Communications Window

12:00 am to 12:00 am

The interval during which the KBOX Agent is allowed to communicate with the KBOX 1000 Series appliance. For example, to allow the KBOX Agent to connect between 1 AM and 6 AM only, select 1:00am from the first drop-down list, and 6:00am from the second.

Agent “Run interval” 1 hours The interval that the KBOX Agent will check in to the KBOX 1000 Series. Each time a KBOX Agent connects, it will reset its connect interval based on this setting. The default setting is once per hour.

Agent “Inventory Interval”

0 The interval (in hours) that the client KBOX 1000 Series appliance will inventory the computers on your network. If set to zero, the KBOX 1000 Series will inventory clients at every Run Interval.

Agent “Download Throttle”

100 The maximum number of desktop clients that can be downloading packages at one point in time. Packages will not be deployed on machines after the Package Download Throttle has been reached. For example, if the throttle is set to 100 and 100 clients are connected and receiving a deployment, the 101st client will be deferred until another connection point.

Agent “Splash Page Text”

KBOX is verifying your PC Configu-ration and man-aging software updates. Please Wait...

The message that appears to users when communicating with the KBOX 1000 Series.


5. Click Save to save the KBOX agent settings configuration. On clicking Save, the KBOX Agent Settings page appears in read only mode. These changes will be reflected by agents as of the next time they check into the KBOX.

Scripting Update Interval

15 minutes How often the KBOX Agent should download new script definitions. The default interval is 15 minutes.

Scripting Ping Inter-val

600 seconds How often the KBOX Agent should test the connection to the KBOX 1000 Series appliance. The default interval is 600 seconds.

Agent Log Retention Agent Log Retention disallows the server to store the scripting result information that comes up from the agents. The default is to store all the results. This can have a performance impact on the KBOX. Turning this off, gives you less information about what each client is doing, but will allow the agent checkins to process faster.


KBOX Agent UpdateThe KBOX Agent Update feature allows you to automatically update the KBOX Agent software for some or all machines that are checking in your KBOX. KBOX Agent deployments are automatically updated as new agent updates are posted to this area. The KBOX Agent package that you post to the server from this page should be an official KBOX Agent Release received from KACE directly.

Before updating KBOX Agent, make sure that you have downloaded and saved locally the following files:

update_3.1.XXXX.bin for WINDOWS, where XXXX is the build number.

update_mac_3.1.XXXX.bin for Macintosh, where XXXX is the build number.

update_linux_3.1.XXXX.bin for Linux, where XXXX is the build number.

update_solaris_3.1.XXXX.bin for Solaris, where XXXX is the build number.

To Update KBOX Agent Automatically:


2. Click KBOX Agent Update. The KBOX Agent Automatic Update page appears.

3. Specify the agent updates as shown in the following table.

4. To save the new agent updates, click Save.

You can update agents on all platforms at once using a client bundle.

To update agents using a client bundle:

1. Download the kbox_patch_agents_xxx.bin file and save it locally.

2. Select Settings | Server Maintenance.

3. Scroll down and click the [Edit Mode] link.

4. Under Update KBOX, click Browse, and locate the update file you just downloaded.

5. Click Update KBOX.

Notes & Version Info Enter any release notices or version information about the agent.

Enabled Select this check box to upgrade the Agent the next time the machines check in to KBOX.

Update broken clients Select this check box to update those machines that are running checking in with the KBOX for new agent versions, but are unable to successfully report inventory information to KBOX. This setting overrides the Limit Update to: settings. From a broken client like this, you could force it to check for a new version of the Agent software by running kupdater.exe manually.

Limit Updates to Specify a label for automatic upgrades. The upgrades will only be distrib-uted to machines assigned to those labels, except if they are identified as a “broken client” above.

Microsoft Windows/Apple Mac/Linux/Solaris

Click Browse to upload the KBOX Client Patch. This file name should be something like update_3.3.8872.bin, although the exact name will depend on which operating system you are updating. Anything other than an offi-cial update bin file will fail to properly deploy. The Update Version ID appears on uploading the file.


Do not install the client bundle in the KBOX Agent Update link of the KBOX Agent tab. The client bundle must be installed in the Settings | Server Maintenance | Update KBOX section of the Administrator console.


26

C H A P T E R 3

The KBOX 1000 Series Inventory feature lets you identify machines and software on your network and organize computers by using labels and filters.

“Overview of the Inventory Feature,” on page 27

“Using Advanced Search,” on page 29

“Understanding Computer Details,” on page 34

“Adding computers to inventory,” on page 37

“Software Inventory,” on page 38

“Monitoring out-of-reach Computers,” on page 42

“Labels,” on page 43

“Software Metering,” on page 45

“Processes,” on page 48,”

“Startup,” on page 50,”

“Service,” on page 51”

“Software Lookup Services,” on page 52

Inventory

Overview of the Inventory FeatureInventory is collected by the KBOX Agent and reported when computers check in with the KBOX 1000 Series. The data is then listed on one of the Inventory tabs: Computers, Software, or MIA. The inventory data is collected automatically according to the schedule specified under the Distribution |KBOX Agent | Provisioning Results.

Although it is presented under the Inventory tab, the IP Scan feature is discussed in its own chapter. For information about this feature, see Chapter 5,“IP Scan,” starting on page 66.

Figure 3-1: Inventory - Computers tab

The Computer Search & Filter page displays the computer’s IP address and the user connected to it. Clicking the blue icon beside the IP address invokes a remote desktop connection if the computer is online and if remote desktop is configured.

From the Computers tab you can:

Search by keyword or invoke an Advanced Search

Create a Filter to apply labels to computers automatically

Create Notifications based on computer attributes

Add/delete new computers manually

Filter the Computer Listing by label

Click to create notification filter

Click to run Machine Action

The computer’s machine name and labels to which the computer

The last time the machine checked in

Use drop-down to filter view by label

Click to create search filter


Apply or remove labels

Show or hide labels

To view details about a computer click the machine name.


Using Advanced SearchAlthough you can search computer inventory using keywords like Windows XP, or Acrobat, those types of searches might not give you the level of specificity you need. Advanced search, on the other hand, allows you to specify values for each field present in the inventory record and search the entire inventory listing for that value. This is useful, for example, if you needed to know which computers had a particular version of BIOS installed in order to upgrade only those affected machines.

To specify advanced search criteria:

1. Click the Advanced Search tab.

2. Select a field from the drop-down list.

3. Specify the search parameters, then enter the value to search for.

4. Click Search.

Creating Search FiltersFiltering provides a way to dynamically apply a label based on search criteria. It is often helpful to define filters by inventory attribute. For example, you could create a label called “San Francisco Office” and create a filter based on the IP range or subnet for machines in San Francisco. Whenever machines check in that meet that attribute, they would receive the San Francisco label. This is particularly useful if your network includes laptops that often travel to remote locations.

The table below lists some examples of useful filters that could be applied to a machine based on its inventory attributes:

This feature assumes that you have already created labels to associate with a filter. For information about creating labels, see “Labels,” on page 43.

Filter Examples

Sample Label Name Sample Condition

XP_Low_Disk Windows XP Machine with less than 1 GB of free hard disk at last connection

XP_No_HF182374 Windows XP Machine without Hotfix 18237 installed at last connection

Building 3 Machine connecting to the KBOX 1000 Series is detected in a specified IP range known to originate in building 3.

CN_sales Computers connecting where computer name contains the letters “sales”.

Table 3-2: Filter Examples


To create a filter:

1. Select Inventory | Computers, then click the Create Filter tab.

The Filter criteria fields appear.

2. Specify the search criteria.

3. Choose the label to associate with the filter.

4. To see whether the filter produces the desired results, click Test Filter.

5. Click Create Filter to create the filter.

Now, whenever machines that meet the specified filter criteria check into the KBOX 1000 Series, they will automatically be assigned to the associated label. You can modify or delete a filter after it has been created on the Reporting | Filters tab.


Creating Computer NotificationsYou can also use the Notification feature to search the inventory for computers that meet certain criteria, such as disk capacity or OS version, and then send an E-mail automatically to an administrator. For example, if you wanted to know when computers had a critically low amount of disk space left, you could specify the search criteria to look for a value of 5MB or smaller in the Disk Free field, and then notify an administrator who can take appropriate action.

To create a notification:

1. Select Inventory | Computers, and then click the Create Notification tab.

2. Specify the search criteria.

3. Specify a title for the search.

4. Enter the mail address of the recipient of the notification.

5. To see whether the filter produces the desired results, click Test Notification.

6. Click Create Notification to create the notification.

Now, whenever machines that meet the specified notification criteria check into the KBOX 1000 Series, an mail will automatically be sent to the specified recipient. You can modify or delete a notification after it has been created on the Reporting | Email Alerts tab.

Filtering Computers by Organizational Unit If you want to filter computers based on an Organizational Unit found in LDAP or AD, you can create LDAP Filters to do this from the Reporting | LDAP Filters tab.

LDAP Filters allow the automatic labeling of machine records based on LDAP or Active Directory interaction. The search filter will be applied to the external server and should any entries be returned then automatic labeling results.

Figure 3-3: LDAP Filters tab

You may bind to an LDAP query based on the following KBOX 1000 Series variables:

Computer Name

Computer Description

Computer MAC

IP Address

User Name

User Domain

Domain User.

If the external server requires credentials for administrative login (aka non-anonymous login), supply those credentials. If no LDAP user name is given, then an anonymous bind will be attempted. Each LDAP filter may connect to a different LDAP/AD server.


To create an LDAP Filter:

1. Select Reporting |LDAP Filters.

2. Select Add New Item from the Choose action drop-down list.

The LDAP Filter: Edit Detail page appears.

3. Enter the following information:

If you are unable to fill in the information for Search Base DN and Search Filter, you can use the LDAP Browser Wizard. For more information on how to use the LDAP Browser Wizard, refer to “LDAP Browser Wizard,” on page 155.

4. Click Save.

Each time a machine checks into the KBOX 1000 Series, this query will run against the LDAP server. The admin value in the 'Search Filter' will be replaced with the name of the user that is logged onto this machine. If a result is returned, then the machine gets the label specified in the Associated Label field.

Enabled Select this check box to enable.

Filter Type Select the filter type.

Associated Label Name Select the label to associate with this filter.

Associated Label Notes If any notes were entered in the label definition, those would appear here under Associated Label Notes.

Server Host Name Specify the IP or the Host Name of the LDAP Server.Note: For LDAPS, use the IP or the Host Name, as ldaps://HOSTNAME

LDAP Port Number Specify the LDAP Port number which could be either 389 / 636 (LDAPS).

Search Base DN Specify the Search Base DN.

For example:

CN=Users,DC=kace,DC=com

Search Filter Specify the Search Filter.

For example: (&(sAMAccountName=admin)(memberOf=CN=financial,DC=kace,DC=com))

LDAP Login Specify the LDAP login.

For example:

LDAP Login: CN=Administrator, CN=Users,DC=kace=com

LDAP Password Specify the password for the LDAP login.

NOTE: To test your Filter, click the Test button and review the results.


You can also create an LDAP Filter using the LDAP Browser.

To create an LDAP Filter using the LDAP Browser:

1. Select Reporting |LDAP Filters.

2. Select Add New Item Using LDAP Browser from the Choose action drop-down list. The LDAP Filter: Edit Detail page appears.


4. Click Next to configure the LDAP settings. The LDAP Browser Wizard is displayed. For more information on how to use the LDAP Browser Wizard, refer to “LDAP Browser Wizard,” on page 155.

Enabled Select this check box to enable.

Filter Type Select the filter type.

Associated Label Name Select the label to associate with this filter. This field is manda-tory.


Understanding Computer DetailsFrom the Computers tab, you can select a computer in inventory and view its details. The Computer Detail page provides details about a computer’s hardware, software, install, patch, help desk, and OVAL vulnerability history, among other attributes.

The following sections describe each of the detail areas on this page. To expand or collapse the sections, click the + sign next to the section headers.

Computer Identity InformationThis section provides information to help identify the computer on your network, including its name, description, IP address and KACE ID, among other attributes. You also can see the last time this computer checked in to the KBOX 1000 Series, and the last time the computer record was changed.

Help TicketsThis section provides a list of the Help Desk Tickets associated with this machine. These can either be Tickets assigned to the machine owner or Tickets submitted by the machine owner. To view a Help Desk Ticket’s details, click the Ticket ID (for example, TICK:0032).

Operating System InfoThis section provides details about the computer’s operating system including installed OS and service packs, OS version number and build, and the date and time of OS installation. The Current Uptime and Last System Reboot fields tell you at a glance, whether the machine has been rebooted recently, which could indicate whether or not OS updates have been applied.

User InformationBecause many computers can be used by more than one individual, the User Information section provides details about the most recent user of this computer, including his or her user name and domain.

Manufacturer and BIOS InfoThis section displays the computer’s make and model, as well as its BIOS details, such as name, version, and serial number. If the computer is manufactured by Dell, there also is a hot button link directly to the Dell Web site where you can view the support record for this computer, including the days left on the support agreement, and also compare the original and current system configurations.

Processor and Computer MemoryThis section displays the processor type and speed, total and used RAM, and current and maximum registry size.

Network InterfacesThis section displays the type and version of NIC card installed in the computer, as well as the computer’s MAC and IP addresses, and indicates whether or not DHCP is enabled.


Drive InformationThis section specifies the configuration of drives installed on the computer (e.g., CD/DVD-ROM drive), and displays the total and used disk space amounts for each hard disk installed.

Motherboard and related HardwareThis section displays information about the computer’s motherboard, as well as other hardware details like sound card and video controller(s).

Process ListThis section lists all of the processes that are currently running on this computer. This list is the same as would be displayed on the computer’s Task Manager | Processes tab.

Installed ProgramsThis section displays the titles and versions of software programs installed on this computer. The programs listed here are the same as would be listed on the computer’s Add/Remove Programs List.

Installed PatchesThis section lists all of the Microsoft patches that have been installed on this computer.

Startup ProgramsThis section displays all of the programs that are configured to launch when this computer starts up. These are the same programs listed in the computer’s Start | All Programs | Startup menu.

ServicesThis section displays all of the services that are running on this machine. On clicking any of the services the service: edit service detail page is displayed. The fields on this page represent the service detail information that is automatically discovered and communicated from the KBOX Agent.

Harmful Items (Threat Level 5)This section displays the items that have threat level 5. Whenever you set threat level 5 – harmful to any software, process, startup item and service associated with this machine, it is displayed in this list.

Printer ListThis section displays all of the printers that this computer is configured to use. This is the same information that is located in the computer’s Start | Printers and Faxes window.

Uploaded FilesThis section displays a list of the files that have been uploaded to the KBOX 1000 Series from this machine using the “upload a file” script action.

Custom Inventory FieldsThis section lists any Custom Inventory fields that were created for this machine, along with the field name and value.


Customer InformationThis section contains notes entered during the creation of the computer’s inventory record, and is the only editable section on this page. You can append or delete any notes in this field. Click Save after editing this field.

Asset InformationThis section displays the details of the Asset that is associated with that machine. Details such as the date and time when the Asset record was created, the date and time when it was last modified, type of the asset and name of the asset are displayed.

Asset HistoryThis section displays the changes done to the Asset of that machine. It lists all the changes along with the date and time when each change was done.

KBOX Agent LogsThis section displays the logs for the KBOX Agent application, updates to scripts run on this machine, and the current status, if available, of any activity currently in progress. A question mark (?) in the status column indicates that the KBOX Agent hasn’t checked in yet, therefore its status is unknown.

Portal Install LogsThis section provides details about User Portal packages installed on this machine.

Scripting LogsThis section lists the Configuration Policy scripts that have been run on this computer, along with the status, if available, of any scripts in progress.

OVAL Vulnerability ResultsThis section displays the results of OVAL Vulnerability tests run on this machine. Only tests which failed on this computer are listed by the OVAL ID and marked as Vulnerable. Tests which passed are grouped together and marked as Safe.

Failed Managed InstallsThis section displays a list of Managed Installations that failed to install on this machine. To access details about the Managed Installation, click the link to view the Managed Software Installation detail page.

LabelsThis section displays the label assigned to that machine. Labels are used to organize and categorize machines

Failed PatchesThis section displays a list of any patch bulletins that failed to install on this machine. To access more details about the patches click the link to view the bulletin detail page.

To Install ListThis section lists the Managed Installations that will be sent to the machine the next time it connects.


Adding computers to inventory The KBOX 1000 Series provides the convenience of adding computers to inventory automatically, which is especially useful when you maintain a large number of computers on your network. However, the KBOX 1000 Series also provides the flexibility to add computers to inventory manually should you need to. For example, you can track computers that do not currently have KBOX Agent support or computers that are not available on your LAN.

Adding computers automaticallyTo add computers automatically, you can perform a IP scan, which will gather data about all of the computers on your network, including software installed on them, and create inventory records for them. In addition, installing the KBOX Agent on the computers on your network will cause them to check in to the KBOX 1000 Series and upload all of the available inventory data. For more information about IP Scans, see Chapter 5,“IP Scan,” starting on page 66.

Adding computers manuallyIf you have machines on your network that are not connected to your LAN, but you still want to be able to maintain inventory data in one central place, you can add those computers to the KBOX 1000 Series manually from the Inventory | Computer tab.

To add a computer to inventory manually:

1. Select Inventory | Computers tab.


The Computer: Edit Computer Detail page appears.

3. Specify the requested computer details.

For an example of the requested information, view the computer record of a machine that is already listed in inventory.

4. If you prefer, you can import the machine.xml file for this computer.

The KBOXClient.exe can take an optional command line parameter -inventory. To configure this, type:

KBOX Agent/exe-inventory

The KBOX Agent collects the inventory data and generates a file called machine.xml, which you can upload here. If you choose this option, the KBOX 1000 Series ignores all other field values on this screen.


Software InventoryIn addition to the computers on your network, the KBOX 1000 Series Inventory feature also keeps an inventory of the software titles installed on each of the computers in inventory. From the Inventory | Software tab you can see at a glance all of the software installed across your network.

By default, the Software List shows only the first 100 (in alphabetical order) software titles detected. To view all software installed, click the Show All link.

From the Software List page you can:

Add or delete software

Add or remove labels

Sort the view by label.

To view the details of a software title, click the linked name.


Adding Software to InventoryAs with computers, you can add software to inventory either automatically or manually. The KBOX 1000 Series provides the convenience of adding software titles to inventory automatically, which is especially useful when you maintain determine all of the titles installed on all of the machines in your network. However, the KBOX 1000 Series also provides the flexibility to add software titles to inventory manually should you need to. For example, you can add a title that is not yet installed on your network so that you can create a managed installation from it and deploy it to the computers on your network at one time.

Adding Software AutomaticallyTo add software automatically, you can perform a IP scan that gathers data about all of the software titles on your network and creates inventory records for them. In addition, installing the KBOX Agent on the computers on your network will cause them to check in to the KBOX 1000 Series appliance and upload all of the available software inventory data. For more information about IP Scans, see Chapter 5,“IP Scan,” starting on page 66.

Adding Software ManuallyAlthough the KBOX creates inventory records for the software titles found on your network, there might be

applications you want to add to inventory manually.

To add software to inventory manually:

1. Select Inventory | Software.

2. Select Add New Item in the Choose Action drop-down list. The Software : Edit Software Details page appears.

3. Enter the general software details.

Be sure to create the Display Version, Vendor, and Software Title information consistently across software inventory in order to assure proper downstream reporting.

4. Upload or specify links to available information files associated with the software.

5. In the Assign To Label field, select the labels to assign.

6. Enter any other details in the Notes field.

Specify the Custom Inventory ID (rule), for example, C:\RegistryValueGreaterThan(SOFTWARE\Network Associates\TVD\Shared Components\VirusScan Engine\4.0.xx,szDatVersion,4.0.44).

Before sending any software to a remote client, KBOX verifies whether or not that file is present on the target machine. If it is detected, then it is not sent to the machine a second time. In some instances, installed programs do not register in add/remove programs or in standard areas of the registry. In such cases, KBOX may not be able to detect the presence of the application without additional information from the administrator and, therefore, KBOX may repeat the install each time the client connects.

The Custom Inventory ID rule must have three values separated by commas, not

include neither single nor double quotes, contain a key that exists under LocalMachine.

Failure to follow these specifications will result in a FALSE test result, and the install

would proceed. For more information, see “Custom Data Fields,” on page 38.


7. Select the supported operating systems in the Supported Operating Systems field.

8. In the Custom Inventory ID (rule) field, enter the Custom Inventory ID.

9. Beside the Upload & Associate File, click Browse, and then click Open.

10. Under Metadata, specify the following information:

11. Click Save

Creating Software AssetYou can create a software asset using the Inventory | Software tab.

To create a software asset:


2. Select the appropriate software and then select Create Asset from the Choose Action drop-down list. The Assets page appears.

Custom Data FieldsYou can create custom data fields in order to read information from a target machine and report it in the Computer Inventory manifest. This is useful for reading and reporting on information in the registry and elsewhere on the target machine. For example, DAT file version number from the registry, file created date, file publisher, or other data.

To create a custom data field:



3. Specify a Display Name for the field.

4. In the Custom Inventory (ID) rule area, enter the appropriate syntax according to the information you want to return:

To return a Registry Value, enter RegistryValueReturn(string absPathToKey, string valueName, string valueType), replacing valueType with either “TEXT”, “NUMBER”, or “DATE”. Note that NUMBER is specifically an integer value.

Example: RegistryValueReturn(HKEY_LOCAL_MACHINE\SOFTWARE\McAfee.com\Virusscan Online,SourceDisk, TEXT)

To return File Information, enter FileInfoReturn(string fullPath, string attributeToRetrieve, string valueType)

Example: FileInfoReturn(C:\Program Files\Internet Explorer\iexplore.exe, Comments,TEXT)

Category Select the desired category.

Threat Level Select the threat level.

Hide from Software Lookup Service

Select this check box if you want to hide this infor-mation from the Software Lookup Services.

The software detail page displays license information for the software. You can also view the license asset detail by clicking on the license link.


You can retrieve the following attributes from the FileInfoReport() function:

Attaching a Digital Asset to a Software TitleWhether you add the software to inventory automatically or manually, after a particular software title is in inventory, you will need to associate the files required to install the software before distributing a package to users for installation. To associate multiple files, create a .zip file and associate the resulting archive file.

To attach digital asset to a software title:


2. Click the linked name of the software title.

The Software: Edit Software Detail page appears.

3. Beside Upload & Associate File, click Browse.

4. Locate the file to upload, then click Open.

5. Modify other details as necessary, then click Save.

Comments LanguageCompanyName LegalCopyrightFileBuildPart LegalTrademarksFileDescription OriginalFilenameFileMajorPart PrivateBuildFileMinorPart ProductBuildPartFileName ProductMajorPartFilePrivatePart ProductMinorPartFileVersion ProductNameInternalName ProductPrivatePartIsDebug ProductVersionIsPatclhed SpecialBuildIsPreRelease CreatedDateIsPrivateBuild ModifiedDateIsSpecialBuild AccessedDate.

5. Click Save.

The Software-To-Computer Deployment Detail table at the bottom of the Software | Edit Software Detail page shows which computers have the software title installed.


Monitoring out-of-reach ComputersThe KBOX 1000 Series MIA tab, gives you a way to view the machines that haven’t checked in to KBOX 1000 Series in some time. You can filter the MIA view by machines that have missed the last 1, 5, or 10 syncs, or which have not communicated with KBOX 1000 Series in the last 1-90 days. The MIA tab also displays the IP and MAC Addresses of the computers.

From the MIA tab you can remove the computers from the KBOX 1000 Series inventory, as well as assign them to labels to group them for management action.


LabelsIn many areas of the KBOX 1000 Series you will see a labels select list, which allows you to constrain the action to a specific label or group of labels. There are several ways to group machines with the KBOX 1000 Series. Once grouped by a label, software, scripts, reports, or software deployments can all be managed on a per label basis.

The label functionality can be manually applied from the Inventory | Labels tab, or automatically, via LDAP or Active Directory, (Reporting | LDAP Filters tab), or even applied by machine attribute, as we saw earlier from the Computers | Create Filter functionality.

On the Label Management page you can add or delete labels, search labels, as well as see how many computers belong to a particular label.

Creating LabelsLabels can be used to organize and categorize software, people, and machines. Labels are intended to be used in a flexible manner and how you use labels is completely customizable. For example, Labels can reflect corporate structures, organizations, processes, or geographical locations like "Engineering", "Staging", "Building A", etc. Labels can be used to identify deployment groups and target machines for distribution packages. All items that support "labeling" can have none, one, or multiple labels.

To create a label:

1. Select Inventory | Labels.


The Labels : Edit Detail page appears.

3. Enter a name for the label in the Label Name field.

4. Enter any relevant notes about the label in the Notes field.

5. If necessary, enter a value for KACE_ALT_LOCATION.

This allows you to define what should replace the string in the KACE_ALT_LOCATION in the Alternate Download Location value in Managed Installs and File Synchronizations. You should not have a machine in two labels that both specify an alternate location value.

6. Specify the Username and Password for the KACE_ALT_LOCATION.

7. Click Save.

Viewing Computer Details by LabelAfter you’ve created a label, you can view details about the computers on your network that belong to that label. From the Label Detail view you can see:

The IP addresses and machine names of the computers in the label

The number of Managed Installations and File Synchronizations deployed to the label

The number of network scans and scripts run on the machines in the label

The number of alerts, portal packages, and users associated with the label.

Deleting labels will remove any existing association of that label with any machine, login, or software.


To view label details:

1. Select Inventory | Labels.

2. Click the linked name of the label.

The Labels: Edit Detail page appears.

3. Click the + sign beside the section headers to expand or collapse the view.

Deleting labelsDeleting labels will remove any existing association of that label with any machine, login, or software. You can delete labels two ways: from the Label List view, or from the Label: Edit Detail page.

To delete a label:

1. To delete labels, do one of the following:

From the Labels List view, select the check box beside the label, then select Delete Selected Item(s) from the Choose action drop-down list.

From the Labels: Edit detail page, click Delete.

2. Click OK to confirm deleting the selected label.


Software MeteringThe KBOX 1000 Series Metering feature allows you to keep track of software use across your enterprise.

The Metering feature records and reports the details on software use that can help you manage license compliance and better negotiate license renewals and upgrades.You can record and view software usage for the last 1, 2, 3, 6, or 12 months. Detail pages provide information on individual software processes, including the name of the computer that is using the software, the number of times the software was launched, the total minutes the software was used, and when the software was last used.

Adding a Software MeterYou can add a software meter to monitor the specified process name on the agent machine.

To add a Software Meter:

1. Select Inventory | Metering. The Software Metering page appears.

2. Select Add New Item in the Choose action drop-down list. The Software Metering: Edit Detail page appears.

3. Enter Software Meter details as follows:

4. Click Save to save your changes or click Cancel to return to the Software Metering Listing page. Your Software Meter now appears in the Software Metering Listing page.

The results of the software metering can be seen at two places:

On the Software Metering page

On the Software Metering: Edit Detail page

To view Software Metering results:


The software metering page displays useful information such as the Process Name, Enabled, Installed, Licensed, In Use, etc.

2. Click the process name. The Software Metering: Edit Detail page appears.

The Month-to-date usage Detail table displays information such as Computer Name, Times Launched, Minutes Used and Last Used.

Enabled Select this check box to enable software metering for this software.

Process Name The specified process name will be monitored on the KBOX Agent machine.

Associated Software To track usage only on machines with a specific software version deployed, choose the related software inventory item.

Notes Enter any notes that further describe or explain this software meter.

Licenses Displays license information for the software. To view the license asset details, click on the license link.


Editing Software Meter DetailsYou can edit a software meter to monitor the specified process name on the agent machine.

To edit Software Meter details:


2. Click the process name. The Software Metering: Edit Detail page appears.

3. Edit Software Meter details as shown in the following table:

4. Click Save to save your changes or click Cancel to return to the Software Metering page.

Deleting a Software MeterYou can delete a software meter.

To delete a Software Meter:

1. Select Inventory | Metering. The Software Metering page is appears.

2. Select the processes of which software meter or meters you want to delete.3. Select Delete Selected Item(s) from the Choose action drop-down list.4. Click Yes to confirm deleting the software meter(s). Else, click Cancel to cancel deleting the software

meter(s).

Configuring the Software Metering SettingsYou can configure the software metering settings.

To configure Software Metering settings:


2. Select the process name.

3. Select Configure Settings in the Choose action drop-down list. The Software Metering Settings page appears.

4. Edit configuration settings as shown in the following table:

Enabled Select this check box to enable software metering for a software process.

Process Name The specified process name will be monitored on the KBOX Agent machine.

Associated Software To track usage only on machines with a specific software version deployed, choose the related software inventory item.

Notes Enter any notes that further describe or explain this software meter.

Enabled Select this check box for metering to run on the target machines.

Allow Run While Dis-connected

Select this check box for metering to run even if the machine cannot con-tact the KBOX to report results. The results will be stored on the machine and will be uploaded once contact with the KBOX is established.

Allow Run While Logged Off

Select this check box for metering to run even if a user is not logged in. If you clear this check box, the script will run only when a user is logged into the machine.


5. Edit deployment settings as shown in the following table:

6. Click Save to save your changes or click Cancel to return to the Software Metering page.

Deploy to All Machines

Select this check box if you want to deploy to all the Machines. Click OK in the confirmation dialog box.

Limit Deploy To

You can limit deployment to one or more labels. Press CTRL and clickto select more than one label.

Supported OperatingSystems

Select the operating system to which you want to limit deployment. Press CTRL and click to select more than one operating system.Note: Leave blank to deploy to all operating systems.


ProcessesThe KBOX 1000 Series Processes feature allows you to keep track of processes that are running on all agent machines across your enterprise.

The Processes feature records and reports the processes details information.You can record and view software usage for the last 1, 2, 3, 6, or 12 months. Detail pages provide information on individual processes, including the name of the computer running those processes, system description, and the last user.

Using Processes feature, you can:

View Process details

Delete selected processes

Disallow selected processes

Meter selected processes

Apply labels

Remove labelsThe processes are categorized in: Audio / Video, Business, Desktop, Development, Driver, Games, Internet, Malware, Security, and System Tool.

To View Process Details

1. Select Inventory | Processes. The Processes page appears.

2. Click on the process name to view details. The Process Details page appears.

3. Select labels to assign to process in the Assign To Label box.

4. Enter any notes that further describe this process in the Special Notes box.

5. Select the category of the process in the Category drop-down list.

6. Select the threat level of the process in the Threat Level drop-down list.

7. Click Save to save the processes details.

You can also see computers with running the selected process. You can view a printer friendly version of this page and take print outs of the report.

To delete process:


2. Select the processes to delete.

3. Select Delete Selected Item(s) in the Choose Action drop-down list. A confirmation message appears.

4. Click OK to confirm deleting the selected processes. Else, click Cancel to cancel the deletion operation.

You can read comments on the process submitted by other users by clicking [Read Comments] on the Process Details page. You can also ask for help from Kace about the processes by clicking [Ask For Help.] You need kace username and password to log in to the Kace database.


To disallow processes:


2. Select the processes to disallow.

3. Select Disallow Selected Item(s) in the Choose Action drop-down list. The Script : Edit Detail page appears.

4. Enter the script configuration details, and then click Run Now to run Disallowed Programs Policy.

For more detailed information on scripting and Disallowed Programs Policy, refer to Chapter 8,“Scripting,” starting on page 102


StartupThe KBOX 1000 Series Startup feature allows you to keep track of startup programs on all agent machines across your enterprise.

The Startup feature records and reports the startup program detail information. Detail pages provide information on startup programs, including the name of the computer running those startup programs, system description, and the last user.

Using Startup feature, you can:

View startup program details

Delete selected startup programs

Apply or remove labels

The startup programs are categorized in: Audio / Video, Business, Desktop, Development, Driver, Games, Internet, Malware, Security, and System Tool.

To View Startup detail information:

1. Select Inventory | Startup. The Startup Programs page appears.

2. Click on the startup program name to view details. The Startup Programs : Edit Startup Programs Detail page appears.

3. Select labels to assign to startup program in the Assign To Label box.

4. Enter any notes that further describe this startup program in the Notes box.

5. Select the category of the startup program in the Category drop-down list.

6. Select the threat level of the startup program in the Threat Level drop-down list.

7. Click Save to save the startup program details.

You can also see computers with running the selected startup program. You can view a printer friendly version of this page and take print outs of the report.

To delete startup program details:

1. Select Inventory | Startup. The Startup Programs page appears.

2. Select the startup program to delete.


4. Click OK to confirm deleting the selected startup programs. Else, click Cancel to cancel the deletion operation.

You can read comments on the startup program submitted by other users by clicking [Read Comments]. You can also ask for help from Kace about the startup programs by clicking [Ask For Help.] You need kace username and password to log in to the Kace database.


ServiceThe KBOX 1000 Series Service feature allows you to keep track of services running on all agent machines across your enterprise.

The Service feature records and reports the services detail information. Detail pages provide information on services, including the name of the computer running those services, system description, and the last user.

Using Services feature, you can:

View services details

Delete selected services

Apply or delete labels

The services are categorized in: Audio / Video, Business, Desktop, Development, Driver, Games, Internet, Malware, Security, and System Tool.

To view service detail information:

1. Select Inventory | Service. The Services page appears.

2. Click the service name to view details. The Service : Edit Service Detail page appears.

3. Select labels to assign to service in the Assign To Label box.

4. Enter any notes that further describe this service in the Notes box.

5. Select the category of the service in the Category drop-down list.

6. Select the threat level of the service in the Threat Level drop-down list.

7. Click Save to save the service details.

You can also see computers with running the selected startup program. You can view a printer friendly version of this page and take print outs of the report.

To delete services detail information:

1. Select Inventory | Service. The Services page appears.

2. Select the services to delete.


4. Click OK to confirm deleting the selected services. Else, click Cancel to cancel the deletion operation.

You can read comments on the service submitted by other users by clicking [Read Comments]. You can also ask for help from Kace about the service by clicking [Ask For Help.] You need kace username and password to log in to the Kace database.


Software Lookup ServicesThe KBOX Software Lookup Services (SLS) automatically discovers and publishes information on software programs and processes. KBOX SLS provides information on software and process as they appear on KBOX management appliances systems across the globe. KBOX SLS is available for all major platforms including Windows, Mac, Red Hat Linux, and Solaris. KBOX SLS also includes software command line arguments, uninstall commands, and installation advice. To add/view any information on the SLS website, you need to establish a unique account for the SLS site. You would need to use these credentials to add any new comments.

Enabling Software Lookup ServiceYou need to select the 'Enable KACE Software Lookup Service' check box in the General Settings tab to be able to access the data available with Kace about common software applications and how to deploy/ remove them and share anonymous information about the software on machines in your environment. You can integrate KACE and user submitted information directly from the Software Lookup Service. If the 'Enable KACE Software Lookup Service' check box in the General Settings tab is selected, you can share the information of the software in your KBOX with the SLS website.

For more information on how to enable Software Lookup Service in your KBOX appliance, see “Configuring General settings,” on page 10.

To Enable Software Lookup Service:

1. Select Settings | General. The KBOX Settings: General page appears.

2. Under General Options, click the Edit Mode link next to Set Options tab.

3. Select the Enable KACE Software Lookup Service check box to enable the Software Lookup Service. A confirmation message appears.

4. Click OK.

5. Click Set Options to set the options. The KBOX information will now be shared with the Kace SLS site.

Viewing Software Lookup ServicesYou can view Software Lookup Services contents of your KBOX. From the Inventory tab, you can view SLS information on software, processes, startup programs, and services. Software Lookup Services can also be viewed from the Distribution | Managed Installations and Distribution | File Synchronization.

To View Software Lookup Services information:

1. Select Inventory | Software. The Software page appears, which lists the software installed on client machines.

2. Select the software title in order to see the associated information from the Software Lookup Service. The Software:Edit Software Detail page appears.


Figure 3-4: Software: Edit Software Detail page

3. To Update the software information on Kace SLS site, perform the following steps:

a Under Metadata, select the software category in the Category list.

b In the Threat Level list, select the threat level.

If you have not enabled Software Lookup Services at the Settings | General page, you will not be able to view SLS information and a note will appear asking you to enable the Software Lookup Services. Refer to “To Enable Software Lookup Service:,” on page 52.

You can see more information of the application on the Kace SLS site.

Click Read Comments to view the comments and to add comments on the Kace SLS site.


c If you would prefer not to share information about this particular item, select the Hide from Software Lookup Service check box.

d Click Save to save the edited information.

4. You can view following SLS information on the Software:Edit Software Detail page.

In order to provide the best information to your fellow SLS users, we recommend not hiding items from the Software Lookup Service.The information shared doesn't include any personally identifiable information about your company or users.

Field Description

Average Threat Level This value is an average of the threat levels assigned by SLS users who have assigned a threat level. This is intended as a guide for software you may not be familiar with. A threat level of 1 would be interpreted as safest.

User Submitted Comments The information displayed on this page and the information presented on the Kace website is related to the particular soft-ware title you have selected from the KBOX. Click Read Com-ments to view the comments on the SLS site. You need to login on the Kace SLS site using login credentials to add com-ments.

Categories Displays the software categories that have been assigned to this software title by SLS users and the percentage of those users who have assigned each.

Quiet Installation Switches Displays known Quiet Installation Switches for the item you have selected.

Description It displays information on product description, product URL, links to support and help, and lockdown information.

Install Command Line Help It displays information on Standard MSI Commands, Standard Install Commands, and Uninstall Help.



C H A P T E R 4

56

Asset Management

The KBOX 1000 Series allows you to manage and track as-sets in your environment in a flexible and customizable way.

“Overview of Asset Management,” on page 57

“Managing Asset Types,” on page 58

“Managing Assets,” on page 61

“Licensing,” on page 63

“Importing Asset,” on page 65

Overview of Asset ManagementThe KBOX 1000 Series allows you to manage and track assets in your environment in a flexible and customizable way. By establishing asset types and relationships to other asset types and other objects in the KBOX, you will be able to report on existing assets as well as track licensing and cost information in a way that works for you in your environment.

In looking at asset management in the KBOX, it is important to understand that there are two types of assets, organizational assets (like Department, Location or Cost Center) and physical assets (like Computers, Users, Phones or Projectors). Commonly, the organizational assets are used as a way to collect similar sets of physical assets. Before you begin to use assets, you should establish the asset types that will make sense for you, both in terms of the organization elements you want to use as well as what physical asset types you are hoping to track.

You can view the list of available assets from the Asset | Assets tab.

With the Assets tab you can:

Add or delete assets

Configure Asset types

Add or delete software licenses

Import data


Managing Asset TypesThere are two types of asset types:

Organizational information (Cost Center, Department, Location)the organizational assets are used as a way to collect similar sets of physical assets.

Actual physical assets (computers, users, phones, projectors)where the organizational ones are pointed to by the physical ones mainly

There are several built-in Asset Types — Computer, Cost Center, Department, Location, Owner, Vendor. Built-in assets can not be deleted. If you delete an asset type, then all the assets using that asset type will get deleted.

You can add an unlimited number of asset types and these types have a default attribute 'Name'. You can not create an asset type with the same name as the built-in asset type name. Asset types can be organized into logical groups or hierarchies to allow for roll up reporting. Asset types can have any number of attributes.

Assets can point to other Assets and to Inventory records like Machine, User, and Software. Relationships can be either one - to - one or one - to - many. Asset fields have a default value that should be used when filling in a new asset. Changing the default value in the asset type does not change any existing records, but only affects newly created records.

Asset AssociationYou can create an assets field and associate it to another asset using the field type. Associations are defined in asset types and are used in assets.

Assets associations are of following types:

User

Parent

Asset Computer

Asset Cost Center

Asset Department

Asset License

Asset Location

Computer AssetWhen a machine checks into the KBOX, an asset of type computer is automatically created.

The Computer Asset is mapped to a machine automatically using following two fields:

1. Mapped Inventory field

2. Mapped Asset field

The mapped inventory field enables you select a field that is checked against the inventory to verify if the machine just checked in is already an asset. For example:

if the

machine inventory field = IP address


Matching asset field = Name

and a machine with an IP address shows up, the IP is checked against IP of machines that are already assets. If no such asset, then a new asset with Name = IP address is created.

If the mapped inventory field is by IP and the matching asset field is different, perhaps an asset field called IP, then an asset is created with the Name as system name, and the IP as IP.

The matching asset field has to be of type text.

To add new asset type:

1. Select Asset | Asset Types. The Asset Types page appears.

2. Select Add New Item from the Choose action drop-down list. The Asset Type Detail page appears.

3. Enter a name for the asset type in the Name field.

4. You can add associations by adding an asset field. To add asset fields, click the button in the Asset Fields table.

5. Enter following details depending on the asset type selected.

You can not create a new asset type with the same name as a built-in asset type name.

Field Value

Name Type a relevant name for the custom asset field, such as Asset Code, Pur-chase Date, or Building Address Line 1. This name appears on the data entry page for the asset.

Select Values This field is enabled when you select Single Select or Multiple Select from the Field Type list. Type the values that should appear in the custom asset field. You must type at least one value in this field. If you want to type multiple values, you must separate each value with a comma.

Default Type the default value for this field. If you select Single Select or Multiple Select from the Field Type list, you must type one of the values given in the Select Values field.

Required Select this check box to make this custom asset field a mandatory field. If you select this check box, you need to enter a value for this custom asset field before saving the Asset detail page.


6. Click Save to save the entries in the Asset Fields table.

7. Click Save to save the added asset type.

Field Type Select the appropriate field type. Single select (single value length 255, list length 65k).

Multiple select (single value length 255, list length 65k)

Text field (length 255)

Attachment (This field allows you to attach a file to the asset.) Note: You can create multiple fields of attachment type per asset type.

Notes (length 65K)

Date ('1000-01-01' to '9999-12-31')

Number (-9223372036854775808 to 9223372036854775807)

Parent. This field type allows this asset to point to the same type of asset in a parent-child relationship. For example, you might allow Location types to have a Parent connection, allowing 'New York' to point to a 'North America' Location. This can then be used in the reporting system to show all Assets in North America. This report will contain all the assets in New York and in North America.

User. This field type allows you to associate an asset record with one of the User records from the Inventory system.

Asset ASSET_TYPE. This field type is similar to the single select field type and the multiple select field type. However, you cannot specify the values for this custom field type. The values are retrieved from the current list of Assets in the system.

Allow Multiple This check box is enabled when you select Asset ASSET_TYPE from the Field Type list. Select this check box to allow this custom field to point to multiple records. For example, the License Asset type can point to many computers that are approved for a particular License. A single relationship might have a printer pointing to a single Department record, indicating that this printer is used by only one department.

When you rename a custom asset field, the values for that custom field are retained. However, when you remove the custom asset field, values for that custom field are removed from all assets. When you change the Field Type of a custom asset field, the system tries to retain the previous values, but you may also lose some data. For instance, if you had a custom asset field named Model Number that is of type Text. Model Number has a value of 'A123'. If you were to change the Field Type from Text to Number, the system might not be able to convert that 'A123' to a valid number. In this case, the value for Model Number is set to zero.

If you click Delete, the Asset Type definition and the assets of this type are removed from the system. If there are assets that point to the Asset Type definition that you deleted, the asset association is removed.


Managing AssetsYou can add a new asset, delete an existing asset, or view assets by using the Asset | Assets tab.

You can not delete parent asset if that parent asset has child assets. Assets can be viewed by asset type or by the associations. You can view the related assets that are not part of any particular asset and can clone any existing asset.

Changes done to the asset are recorded as part History. Asset History is displayed on the Asset Detail page.

To add an asset:

1. Select Asset | Assets. The Assets page appears.

2. Select the asset type you want to add from the Choose action drop-down list. The Asset Detail page appears.

3. Enter the name of the selected asset type in the Name field, and then click Save. All the asset types have a standard field as Name. If you are adding asset of computer type, then you need to enter following information:

a Select the machine from the Machine list, and then enter the filter criteria in the Filter box.Machine is a default field that comes with the asset type.

b Enter the date of asset creation in the Date Created box.

c Enter additional information on the asset in the notes box.

d Enter the asset id in the id box.

4. If you want to add another asset, then click Save and New. Otherwise, click Save to save the asset.

To view assets:


2. To view assets by asset types or association, select the asset type or association from the View by asset type drop-down list. A list of filtered assets appears.

3. Select the asset title to see detailed information of that asset. The Asset Detail page appears.

4. If you want to clone the asset details, click Clone, and then click Save.

5. After editing the asset information, click Save.

Date created, notes, and id are the asset fields created for asset of computer type.

The Assets page also shows the associated assets.


6. In the Related Assets table, you can view the related assets that are not parent of this asset.Click the asset name to view asset details of this related asset.

For example, if computer A's Location is associated to computer X, then computer A will be listed as a related asset on computer X's page, but on computer A's page, you can not see computer X. Child assets are shown on the related assets list.

7. In the History table, you can view changes done to the asset.

If the asset you are viewing is associated to a software or machine, then on clicking that asset name will take you to the Inventory page.


LicensingWith KBOX, you can create, edit, and delete license assets. You can assign licenses to software and computers, specify or view the number of licenses available, and keep track of the expiry date for each license.

When you assign a license to a software, the license is linked with the software. You can view this license information in the software detail page, the metering page, and the software library admin and user pages. You can also navigate to the license asset detail page by clicking on the license link in the software detail page, the metering page, and the software library admin and user pages.

To add new license:


2. Select License from the Choose action drop-down list. The Asset Detail page appears.


4. Click Save. To save and add another license asset, click Save and New.

Name Enter the name for this license.

Seats Licensed Enter the number of licenses available.

Applies to Software Select the software to which you want to assign this license.

Approved for Computer Select the computer to which you want to assign this license.

License Mode Select the appropriate license mode.

Product Key Enter the license key for the product.

Unit Cost Enter the cost of each license.

Expiration Date Enter the expiration date for this license.

Vendor Select the vendor name for this license.

Filter Enter the filter criteria for the Vendor list.

Purchase Order # Enter the purchase order number for this license.

Purchase Date Enter the date when you purchased this license.

Notes Enter notes about this license.

License Text Enter license text, such as the end-user license agreement.


Generating ReportsYou can run various reports to display information about the licenses assigned to software and computers. Description of these reports is provided below.

Category Report Description

Compliance Software Compliance Simple Lists the licenses and counts like the License list page with details such as vendor, PO#, and Notes.

Compliance Software License Compliance Complete Lists software and comput-ers that are impacted by each license record.

Compliance Unapproved Software Installation Lists software found on computers that do not have approved licenses.

Table 4-1: License Reports


Importing AssetThe Asset Import feature allows you to import assets data from CSV file into the desired asset type.

To import assets data:

1. Select Asset | Asset Import. The Kace Asset Import Wizard - Uploadfile page appears.

2. In the Select File box, specify CSV file path or click Browse to select CSV file.

3. Select Is header name in the file check box if the CSV file contains header.

4. Click Next. It will take you to Asset Type Selection page.

5. Select the asset type from the Asset Type list, to which data need to be imported from CSV file.

6. Click Next. It will take you to mapping page, which displays mapping of CSV fields against fields of selected Asset Type.

7. Under Standard Fields, perform the following steps:

a Select the CSV field from the drop-down list box to match the corresponding standard field.

b Select the PK check box to choose this field as the primary key.

8. Under Asset Fields, perform the following steps:

a Select the CSV field from the drop-down list box to match the corresponding Asset field.

b Select the PK check box to choose this field as the primary key.You can select one or more fields as composite primary key.

9. Click Preview. It will take you to the confirmation page.

10. Click Import Data. The Kace Asset Import Wizard - Result page appears.

11. To import more assets data, click More Import. Otherwise, click Done.

Mapping of Standard fields is Mandatory.

If none of records for Asset Type match with value of CSV field chosen as primary key then record will be inserted. If only one records for Asset Type match with value of CSV field chosen as primary key then record will be updated. If more than one records for Asset Type match with value of CSV field chosen as primary key then record will be flagged as duplicate.


66

C H A P T E R 5

IP scan is an appliance-side KBOX 1000 Series technology that allows you to scan a range of IP addresses to detect the existence and attributes of various devices on a network.

“IP Scan Overview,” on page 67

“Viewing List of Scheduled Scans,” on page 68

“Creating an IP Scan,” on page 69

IP Scan

IP Scan OverviewThe KBOX 1000 Series can scan a range of IP addresses for SNMP enabled machines, allowing you to retrieve information about machines connected to your network. Although IP Scans have their own server-side scheduling, you can invoke a scan on-demand, or schedule a IP scan to run at a specific time.

IP scan reports a variety of inventory data that lets you monitor the availability and service level of a target machine. And because IP scan scans ports in addition to IP addresses, you can collect data even without knowing the IP addresses of the target machines.

IP scan will scan any type of device (as long as it has an IP address on the network) including computers, printers, network devices, servers, wireless access points, routers and switches. You can create and view IP scans from the Inventory | IP Scan tab.

From the Network Scan Results page you can:

View scan schedules

Schedule new scan

Delete selected items

Apply a label/delete a label

Create a remote connection to the machine, if configured under Machine Action.


Viewing List of Scheduled ScansBy default, the IP Scan tab displays the results of configured Network Scans that have been run. You can modify this view to show the scans that are schedule to occur in the future.

To view scheduled scans:

1. Select Inventory | IP Scan.

2. Select View Scan Schedules in the Choose action drop-down list.


Creating an IP ScanYou can create a network scan that will look for DNS, Socket, and SNMP across a subnet or subnets. You also define a network scan to look for devices listening on a particular port (for example, Port 80). This allows you to see devices that are connected to your network even when the KBOX Agent isn’t installed on those devices.

When defining a network scan, it’s important to balance scope of the scan (number of IP addresses you’re scanning) with the depth of the probe (number of attributes you’re scanning for) so that you do not overwhelm your network or KBOX 1000 Series appliance itself. For example, if you needed to scan a large number of IP addresses frequently, you would want to keep the number of ports, TCPIP connections, etc., relatively small. As a general rule, KACE recommends scanning a particular subnet no more than once every few hours.

To create an IP scan:

1. Select Inventory | IP Scan. The Network Scan Result page appears.

2. Select Schedule New Scan in the Choose action drop-down list.

The Network Scan Setting page appears.

3. Enter a name for the scan in the Network Friendly Scan Name field.

4. Enter the IP range to scan in the Network Scan IP Range field.

5. Specify the DNS lookup test details:

6. Select the Ping Test Enabled check box.

The Ping test must be enabled in order to run other tests. The Ping or Socket tests determine if the address is alive. If it is, then a SNMP or a Port Scan can be run against it. If the Ping and Socket tests are disabled, then the other tests will not be run.

7. Specify the Connection test details:

The KBOX Agent listens to port 52230. To determine which machines on your network are running KBOX Agent, you could define a network scan to report which machines were listening on that port.

DNS Lookup Enabled If selected, live addresses will be checked against the DNS server to see if they have a name associated with them. This can help you iden-tify known nodes on your network.

Name Server for lookup Specify hostname or IP address.

Lookup time out Specify the time out interval (in seconds).

Connection Test Enabled Select to allow Network scan do perform connection testing.

Connection Test Protocol Specify the protocol to use.

Connection Test Port Specify the port to use for testing the connection.

Connection Time Out Specify the time out interval (in seconds).


8. Specify SNMP test details:

9. Specify Port scan test details:

10. Specify scan schedule:

11. Click Save or Scan Now to run scan immediately.

SNMP Enabled Select to enable SNMP scanning.

SNMP Public String Enter Public string.

Device Port Scan Enabled Select to enable port scanning of device ports.

TCP Port List A comma-separated list of TCP ports to scan.

UDP Port List A comma-separated list of UDP ports to scan.

Port Scan Time Out Specify the time out interval (in seconds).

Don’t Run on a Schedule Tests will run in combination with an event rather than on a spe-cific date or at a specific time. Use this option in combination with one or more of the “Also” choices below. For example, use this option in conjunction with “Also Run at User Login” to run when-ever the user logs in.

Run Every n minutes/hours Runs at the specified time.

Run Every day/specific day at HH:MM AM/PM

Runs on specified day at the specified time.

Run on the nst of every month/specific month at HH:MM AM/PM

Runs on the specified time on the 1st, or 2nd, etc. of every month or only the selected month.

Deleting a Scan Configuration will also delete all associated scan inventory items. If you wish to maintain the scan inventory but not "rescan" just set the schedule of the scan configuration to not run.


71

C H A P T E R 6

The KBOX 1000 Series Distribution feature provides various methods for deploying software, updates, and files to computers on your network.

“Distribution Feature Overview,” on page 72

“Types of Distribution Packages,” on page 73

“Managed Installations,” on page 75

“Examples of Common Deployments on Windows,” on page 79

“Examples of Common Deployments on Linux,” on page 83

“Examples of Common Deployments on Solaris,” on page 87

“Examples of Common Deployments on Macintosh(r),” on page 91

“File Synchronizations,” on page 94

“Replication,” on page 96

Distribution

Distribution Feature OverviewKACE recommends that customers follow a predefined set of procedures before deploying any software on their network. The following flow diagram represents a high-level example of common distribution procedures. You can modify this process to meet the needs of your organization. However, to avoid distribution problems, it is important to test various deployment scenarios prior to deployment.

Figure 6-1: Basic Deployment Procedure

Perhaps the most important concept in the deployment procedure is to test each deployment before rolling it out to a large number of users. The KBOX 1000 Series verifies that a package is designated for a particular system, machine, or operating system; however, it cannot assess the likelihood that a particular package will behave well with existing applications on the target machine. Therefore, we strongly suggest that you establish procedures for testing each piece of software before deploying it on your network.

One way to do this is to develop a test group of target machines. You can then deploy – via the KBOX 1000 Series – to the test group and verify compatibility with the operating system and other applications within your test group. You can do this by creating a test label and perform a test distribution before you go live in your environment. You can create a test label from the Inventory | Labels tab. For more information about creating labels, see “Labels,” on page 43.

This chapter will focus primarily on the Test, Target, Deploy portions of this flow diagram. For more details on creating an inventory of computers and software packages in use on your network, see Chapter 3,“Inventory,” starting on page 26.

Inventory &Assess

Test

Target

Report

Deploy

p y


Types of Distribution PackagesThere are three primary types of distribution packages you can deploy to the computers on your network: managed installations, file synchronizations, and KBOX Agent.

Distribution packages (whether for managed installation, file synchronization, or user portal packages) CANNOT be created until a digital file is associated with an Inventory Item. This rule applies even if you are:

Sending a command, rather than an installation or a digital file, to target machines.

Redirecting the KBOX Agent to retrieve the digital asset (for example,.exe,.msi) from an alternate download location.

To create a distribution:

1. Install the package manually on a machine.

2. Take an inventory of that machine. For more information on how to take an inventory, see “Software Inventory,” on page 38.

3. Use the item listed in the Software Inventory list for the Managed Installation.

If you need to create packages with different settings, such as parameters, labels, or deployment definitions, you can create multiple distribution packages for a single Inventory item. However, the MI cannot be verified against more than one inventory item because the MI checks for the existence of one and only one inventory item.

Distributing Packages through KBOXPackages distributed through KBOX are only deployed to target desktops if the Inventory Item is designated to run on the target operating system. For example, if the Inventory Item is defined for Windows XP Professional only, the Inventory Item will not deploy on Windows 2000. Similarly, the package will not deploy if it is designated for a target label for which the target machine is not a member. For example, if the Deployment Package is set to deploy to a Label called Office A, it will not deploy to machines that are not in Office A. When KBOX creates a software inventory item, it will only record the operating systems on which the item was installed, in the Inventory detail record.

Distributing Packages through an Alternate LocationKBOX supports software distribution from remote file stores. The KBOX Agent can retrieve digital installation files from remote file stores, as opposed to KBOX, including a UNC address, a DFS source, or an HTTP location. The CIFS and SMB protocols are supported. KBOX also supports SAMBA servers and fileserver appliances.

In order to activate this capability, you must enter an Alternate Checksum (MD5) that matches the MD5 checksum on the remote file share (for security purposes). You may use any tool to establish your checksum. For creating your MD5 hash, you can use the KBOX Admin Utilities tool, which is available on the KBOX Agent CD. There are other utilities that will work equally well.

Although the KBOX Agent tab is listed under the Distribution tab, “Deploying KBOX Agent” is discussed as part of the installation and setup process in Chapter 1,“Getting Started with KBOX 1000 Series,” starting on page 1. For information about updating an existing version of KBOX Agent, please see Chapter 12,“Server Maintenance,” starting on page 173.


If no checksum is entered, then the digital asset on the file share must exactly match the digital asset associated with the Deployment Package on the KBOX 1000 appliance. Also, the target path must include the complete filename (for example, \\fileserver_one\software\adobe.exe).

When KBOX is fetching files, the priority for fetching files is as follows:

1. Alternate download location

2. Replication point

3. KBOX

If there is no replication point, the KBOX agent fails over to KBOX.


Managed InstallationsManaged Installations enable you to deploy software to the computers on your network that require an installation file to run. You can create a Managed Installation package from the Distribution | Managed Installation page.

From the Managed Installations tab you can:

Create or delete Managed Installations

Execute or disable Managed Installations

Specify a Managed Action

Apply or remove a label

Search Managed Installations by keyword

Creating a Managed Installation for Windows PlatformWhen creating a Managed Installation, you can specify whether you want to interact with users by showing a message before or after installation, indicate whether the package should be when the user is logged in or not, and limit deployment to a specific label. The following section provides general steps for creating a managed installation. For specific details on creating a managed installation for an .MSI, .EXE, or .ZIP file, please refer to the subsequent sections.

To create a managed installation for Windows platform:

4. Click Distribution | Managed Installations.

5. Select Add New Item in the Choose action drop-down list.

The Managed Software Installation: Edit Detail Page appears.

6. Select the software from the drop-down list. You can filter the list by entering any filter options.


Run Parameters Specify the installation behavior.

The maximum field length is 256 characters. If your path exceeds this limit, on the command line, point to a BAT file that contains the path and the command.

If your Parameters file path includes spaces (for example, \\kace_share\demo files\share these files\setup.bat), place quotes around the path (for example, “\\kace_share\demo files\share these files\setup.bat”.

Full Command Line If desired, specify full command-line parameters. Please refer to the MSI Command Line documentation for available runtime options.

Un-Install using Full Com-mand Line

Select this check box to uninstall software.

Run Command Only Select this check box to run the command line only.


http://msdn.microsoft.com/library/default.asp?url=/library/en-us/msi/setup/command_line_options.asp

8. Specify the deployment details:

9. Set user interaction details:

Managed Actions Managed Action allows you to select the most appropriate time for this package to be deployed.Available options are:

Disabled

Execute anytime (next available)

Execute before logon (before machine boot)

Execute after logon (before desktop loads)

Execute while user logged on

Execute while user is logged off

Deploy to All Machines Select this check box if you want to deploy to all machines.

Limit Deployment To Selected Labels

Select a label to limit deployment only to machines grouped by that label. Press CTRL and click labels to select more than one label.

Limit Deployment To Listed Machines

You can limit deployment to one or more machines. From the drop-down list, select a machine to add to the list. You can add more than one machine. You can filter the list by entering filter options.

Deploy Order The order in which software should be installed. Lower deploy order will deploy first.

Max Attempts Specify the maximum number of attempts, between 0 and 99, to indicate the number of times the KBOX 1000 Series appliance will try to install the package. If you specify 0, KBOX will enforce the installation forever.

Deployment Window(24H clock)

Specify the time (using a 24 hr. clock) to deploy the package. Deployment Window times will affect any of the Managed Action options. Also, the run intervals defined under the Server Settings->Options page will override and/or interact with the deployment window of a specific package.

Allow Snooze Select this check box to allow snooze. When you select this check box, the following additional fields appear:

Snooze Message: Enter a snooze message.

Snooze Timeout: Specify a timeout, in minutes, for which the message will be displayed.

Snooze Timeout Action: Select a timeout action that will take place at the end of the timeout period. For example, you might select Install now because you are installing at a time when you know that the users are away from their desktops. You might select Install later because the installer needs some user interaction and it would not work if the users were not at their desktops.


10. Click Save.

Sharing Managed Software Installation InformationThe Distribution | Managed Installation tab enables to share the managed software installation information on the Kace SLS site.

To Share Managed Software Installation Information on Kace SLS:

1. Select Distribution | Managed Installation. The Managed Installations page appears.

2. Select the managed installation you want to share with Software Lookup Services. The Managed Software Installation : Edit Detail page appears.

Custom Pre-Install Mes-sage

Select this check box to display a message to users prior to installation. When you select this check box, additional fields appear:

Pre-Install User Message: Enter a pre-install message.

Pre-Install Message Timeout: Specify a timeout, in minutes, for which the message will be displayed.

Pre-Install Timeout Action: Select a timeout action that will take place at the end of the timeout period from the drop-down list. Options include Install later or Install now. For example, you might select Install now because you may be installing at a time when you know that the user is away from his or her desktop, making it a good time to install. Or, you might select Install later if the installer needs some user interaction and it would not work if the user was not at his or her desktop.

Custom Post-Install Mes-sage

Select this check box to display a message to users after the installation completes. When you select this check box, message field and timeout options appear. Enter a message and a timeout value in minutes.

Delete Downloaded Files Select this check box to delete the package files after installation.

Use Alternate Download Select this check box to specify details for alternate download. When you select this check box, the following fields appear:

Alternate Download Location: Specify the location where the KBOX Agent can retrieve digital installation files.

Alternate Checksum: Specify an Alternate Checksum (MD5) that matches the MD5 checksum on the remote file share (for security purposes).

Alternate Download User: Specify a user name that will have the necessary privileges to access the alternate download location.

Alternate Download Password: Specify the password for the user name.

Note: If the target machine is part of a replication label, then the KBOX will not fetch software from the alternate download loca-tion.


3. After editing managed installation information, click Share with Software Lookup Service to share managed installation information with SLS.

4. Click Save.

You can view the SLS information on this page. For more information on Software Lookup Services, see “Software Lookup Services,” on page 52.


Examples of Common Deployments on WindowsThree of the most common package deployments contain .msi, .exe, and .zip files. This section provides examples for each type of deployment. For each of these examples, you must have already uploaded the file to KBOX prior to creating the Managed Installation package. We recommend installing the software on a QA machine, waiting a sufficient amount of time for the KBOX Agent to connect to the KBOX 1000 series appliance and create an inventory item for the software, and then creating the Managed Installation package.

Standard MSI ExampleUsing .MSI files is an easy, self-contained way to deploy software on Windows-based machines. If you have a .MSI that requires no special transformation or customization, the deployment is simple.

To create a managed installation for a .MSI file:

1. Select Distribution | Managed Installations. The Managed Installations page appears.


The Managed Installation: Edit Detail Page appears.


4. Set the following installation details:

You also can run the file KBScriptRunner tool located in Program Files\KACE\KBOX to force the KBOX Agent to check in with the KBOX 1000 appliance.

If you are not sure about the installation parameters for your MSI installation, you can open the command prompt, and then type msiexec to view available options.

Run Parameters Specify the installation behavior.

The maximum field length is 256 characters. If your path exceeds this limit, please point to a BAT file on the command line that contains the path and the command.

If your Parameters file path includes spaces (for example, \\kace_share\demo files\share these files\setup.bat), place quotes around the path. For example, “\\kace_share\demo files\share these files\setup.bat”.

Full Command Line If desired, specify full command-line parameters. Please refer to the MSI Command Line documentation for available runtime options.


Select this check box to uninstall software.

Run Command Only Select this check box to run the command line only.


http://msdn.microsoft.com/library/default.asp?url=/library/en-us/msi/setup/command_line_options.asp



Managed Actions Managed Actions allow you to select the most appropriate time for this package to be deployed.Available options are:

Disabled


Execute before logon (before machine boot)



Execute while user logged off

Deploy to All Machines Select this check box if you want to deploy to all the Machines.






Max Attempts Specify the maximum number of attempts, between 0 and 99, to indi-cate the number of times the KBOX 1000 Series appliance will try to install the package. If you specify 0, KBOX will enforce the installation forever.


Specify the time (using a 24 hr. clock) to deploy the package. Deploy-ment Window times will affect any of the Managed Action options. Also, the run intervals defined under the Server Settings->Options page will override and/or interact with the deployment window of a specific package.

Allow Snooze Select this check box to allow snooze. When you select this check box, the following additional fields appear:

Snooze Message: Enter a snooze message.

Snooze Timeout: Specify a timeout, in minutes, for which the message will be displayed.

Snooze Timeout Action: Select a timeout action that will take place at the end of the timeout period. For example, you might select Install now because you are installing at a time when you know that the users are away from their desktops. You might select Install later because the installer needs some user interaction and it would not work if the users were not at their desktops.


7. Click Save.

Custom Pre-Install Message Select this check box to display a message to users prior to installa-tion. When you select this check box, additional fields appear:

Pre-Install User Message - Enter a pre-install message.

Pre-Install Message Timeout - Specify a timeout in minutes for which the message will be displayed.

Pre-Install Timeout Action - Select a timeout action that will take place at the end of the timeout period from the drop-down list. Options include Install later or Install now. For example, you might select Install now because you may be installing at a time when you know that the user is away from his or her desktop, making it a good time to install. Or, you might select Install later if the installer needs some user interaction and it would not work if the user was not at his or her desktop.

Custom Post-Install Message Select this check box to display a message to users after the installa-tion completes. When you select this check box, message field and timeout options appear. Enter a message and a timeout value in min-utes.


User Alternate Download Select this check box to specify details for alternate download. When you select this check box, the following fields appear:

Alternate Download Location - Specify the location from where the KBOX Agent can retrieve digital installation files.

Alternate Checksum - Specify an Alternate Checksum (MD5) that matches the MD5 checksum on the remote file share (for security purposes).

Alternate Download User - Specify a username that will have the necessary privileges to access the Alternate Download Location.

Alternate Download Password - Specify the password for the username specified above.

Note: If the target machine is part of a replication label, then the KBOX will not fetch software from the alternate download location.


Standard EXE ExampleThe standard EXE example is identical to the MSI example above with one exception: /I is not required in the “run parameters” line when using a .exe.

When using an EXE it is often helpful to identify switch parameters for a quiet or silent installation. To do this, specify /? in the run parameters field.

Standard ZIP ExampleDeploying software using a .zip file, is a convenient way to package software when more than one file is required to deploy a particular software title (for example, setup.exe plus required configuration and data files). For example, if you have a CD-ROM containing a group of files required to install a particular application, you can package them together in a .zip file, and upload them to KBOX for deployment.

To create a managed installation for a .zip file:

1. Browse to the location that contains the necessary installation files.

2. Select all files, and create a .zip file using WinZip or other utility.

3. Create an inventory item for the target deployment.

You can do this manually from the Inventory | Software tab, or by installing the package on a KBOX Agent machine that regularly connects to the KBOX 1000 Series appliance.

4. Associate the .zip file with the inventory item and upload it to the KBOX 1000 Series.


6. Select Add New Item in the Choose action drop-down list. The Managed Software Installation : Edit Detail page appears.

7. Select the software title with which the .zip file is associated from the software drop-down list.

8. In the Full Command Line field, please specify the complete command with arguments.

Example: setup.exe /qn

9. Enter other package details as described in the Creating a Managed Installation procedures.

10. Click Save.

The KBOX Agent will automatically run deployment packages with .MSI and .EXE extensions. However, KBOX 1000 Series also provides a capability for administrators to Zip many files together and direct the KBOX 1000 Series to unpack the Zip and run a specific file within. If you intend to deploy a .ZIP file, you must place the name of the file within the .zip that you would like to run in the Command (Executable) field within the Deployment Package (for example, runthis.exe).


Examples of Common Deployments on LinuxThe supported package deployments are .rpm, .zip, .bin, .tgz and tar.gz files. This section provides examples for each type of deployment. For each of these examples, you must have already uploaded the file to KBOX prior to creating the Managed Installation package. We recommend installing the software on a QA machine, waiting a sufficient amount of time for the KBOX Agent to connect to the KBOX 1000 series appliance and create an inventory item for the software, and then creating the Managed Installation package.

Standard RPM ExampleYou can deploy software on Linux-based machines using .rpm files.

To create a managed installation for a .rpm file:


2. Select Add New Item in the Choose action drop-down list. The Managed Installation: Edit Detail Page appears.


4. By default the kbox agent will attempt to install the .rpm file via the following command. In general, this should be sufficient to install a new package or update an existing one to a new version:

rpm -U packagename.rpm

5. If you have selected a zip/tgz/tar.gz file, then the content will be unpacked and the root directory searched for all .rpm files. The installation command will be run against each of them. KBOX will find all rpm files at the top level of an archive automatically, so you can install more than one package at a time. You can also create an archive containing a shell script and then specify that script name as the full command. KBOX will run that command if it is found and log an error if is not.

If you want to change the default parameters, you have to specify the Full Command Line. You may specify wildcards in the filenames you use. Enclose the filename in single or double quotation marks if it contains spaces. The files will the unarchived into a directory in "/tmp" and that will become the current working directory of the command.

If the PATH environment variable of your root account does not include the current working directory and you wish to execute a shell script or other executable that you've included inside an archive, specify the relative path to the executable in the Full Command Line field. The command will be executed inside a directory alongside the files which have been unarchived. For example, if you want to run a file called "installThis.sh", you would package it up alongside a .rpm file and then put the

You can also run the file runallkbots located in \KACE\KBOX to force the KBOX Agent to check in with the KBOX 1000 appliance.

On Red Hat Linux, you do not need to include any other files in your archive other than your script if that's all you wish to execute.


command "./installThis.sh" in the Full Command Line field. If you archived it inside another directory, like "foo", the Full Command Line field should be "./foo/installThis.sh".

Both these examples, as well as some other KBOX functions, assume that "sh" is in root's PATH. If you're using another scripting language, you may need to specify the full path to the command processor you wish to run in the Full Command Line, like "/bin/sh ./installThis.sh". Include appropriate arguments for an unattended, batch script.

If you select the uninstall check box in the MI detail, the KBOX agent will run the command

//usr/sbin/rpm -e packagename.rpm on either your standalone rpm file or each rpm file it finds in the archive, removing the package(s) automatically. Uninstallation in this way will be performed only if the archive or package is downloaded to the client. If you select the check box for "Run Command Only", you should specify a Full Command Line to ensure the correct removal command is run on the correct package. Since no package is downloaded in this case, you should specify the path in the installation database where the package receipt is stored.

6. If your package requires additional options, you can enter the following installation details:


Run Parameters You don’t need to specify any parameters if you have a .rpm file. If no Run Parameters are filled in, -U will be used by default.Setting a value here will override the default “-U” option. For instance, if you set Run Parameters to: “–ivh --replacepkgs”, then the command that would run on the computer would be:rpm -ivh –replacepkgs package.rpm

Full Command Line You don’t need to specify a full command line if you have a .rpm file. The server executes the installation command by itself. The Linux client will try to install this via: rpm [-U | Run Parameters] "packagename.tgz”If you don’t want to use the default command at all, you can replace it completely by specifying the complete command line here. Remember that if you have specified an archive file, this command will run against all of the .rpm files it can find.

Un-Install using Full Command Line

Select this check box to uninstall software. If the Full Command Line above is filled in, it will be run. Otherwise, by default the agent will attempt the command, which is generally expected to remove the pack-age.

Run Command Only Select this check box to run the command line only. This will not down-load the actual digital asset.

Managed Action Managed Action allows you to select the most appropriate time for this package to be deployed. Execute anytime (next available) and Dis-abled are the only options available for Linux platform.

Deploy to All Machines Select this check box if you want to deploy to all the machines.







9. Click Save.


Max Attempts Specify the maximum number of attempts, between 0 and 99, to indicate the number of times the KBOX 1000 Series appliance will try to install the package. If you specify 0, KBOX will enforce the installation forever.

Deployment Win-dow(24H clock)

Specify the time (using a 24 hr. clock) to deploy the package. Deployment Window times will affect any of the Managed Action options. Also, the run intervals defined under the Server Settings->Options page will override and/or interact with the deployment window of a specific package.

Allow Snooze This option is not available for Linux platform.

Custom Pre-Install Message This option is not available for Linux platform.

Custom Post-Install Message This option is not available for Linux platform.









Standard TAR.GZ ExampleDeploying software using a tar.gz file is a convenient way to package software when more than one file is required to deploy a particular software title (for example, packagename.rpm plus required configuration and data files). For example, if you have a CD-ROM containing a group of files required to install a particular application, you can package them together in a tar.gz file, and upload them to KBOX for deployment.

To create a managed installation for a tar.gz file:

1. Use the following two commands to create tar.gz file:

tar –cvf filename.tar packagename.rpm

gzip filename.tar

This will create filename.tar.gz



3. Associate the tar.gz file with the inventory item and upload it to the KBOX 1000 Series.


5. Select Add New Item in the Choose action drop-down list. The Managed Software Installation: Edit Detail page appears.

6. Select the software title with which the tar.gz file is associated from the software drop-down list.

7. This file will be uncompressed and searched for all .rpm files. The installation command will be run against each of them.

8. If no Run Parameters are filled in, -U will be used by default.

9. You don’t need to specify a full command line. The server executes the installation command by itself. The Linux client will try to install this via:

rpm [-U | Run Parameters] "packagename.tgz”

10. Enter other package details as described in the Creating a Managed Installation procedures for .rpm file above.

11. Click Save.

The KBOX Agent will automatically run deployment packages with .rpm extensions. However, KBOX 1000 Series also provides a capability for administrators to Zip many files together and direct the KBOX 1000 Series to unpack the Zip and run a specific file within.


Examples of Common Deployments on SolarisThe supported package deployments are .pkg, pkg.gz, .zip, .bin and tar.gz. This section provides examples for each type of deployment. For each of these examples, you must have already uploaded the file to KBOX prior to creating the Managed Installation package. We recommend installing the software on a QA machine, waiting a sufficient amount of time for the KBOX Agent to connect to the KBOX 1000 series appliance and create an inventory item for the software, and then creating the Managed Installation package.

To create a managed installation for a .pkg file:




4. By default the kbox agent will attempt to install the .pkg file via the following command. In general, this should be sufficient to install a new package or update an existing one to a new version:

pkgadd -n -d "packagename.pkg" [Run Parameters]

5. If you have selected a zip/pkg.gz/tar.gz file, then the contents will be unpacked and the root directory searched for all .pkg files. The installation command will be run against each of them. KBOX will find all pkg files at the top level of an archive automatically, so you can install more than one package at a time. You can also create an archive containing a shell script and then specify that script name as the full command. KBOX will run that command if it is found and log an error if is not.

If you want to change the default parameters, you have to specify the Full Command Line. You may specify wildcards in the filenames you use. Enclose the filename in single or double quotation marks if it contains spaces. The files will the unarchived into a directory in "/tmp" and that will become the current working directory of the command.

If the PATH environment variable of your root account does not include the current working directory and you wish to execute a shell script or other executable that you've included inside an archive, specify the relative path to the executable in the Full Command Line field. The command will be executed inside a directory alongside the files which have been unarchived. For example, if you want to run a file called "installThis.sh", you would package it up alongside a .pkg file and then put the command "./installThis.sh" in the Full Command Line field. If you archived it inside another directory, like "foo", the Full Command Line field should be "./foo/installThis.sh".

Both these examples, as well as some other KBOX functions, assume that "sh" is in root's PATH. If you're using another scripting language, you may need to specify the full path to the command

You can also run the file runallkbots located in \KACE\KBOX to force the KBOX Agent to check in with the KBOX 1000 appliance.

You can put a zero-byte .pkg file in your archive if all you want to do is execute a shell command or some other executable.


processor you wish to run in the Full Command Line, like "/bin/sh ./installThis.sh". Include appropriate arguments for an unattended, batch script.

If you select the uninstall check box in the MI detail, the KBOX agent will run the command:

/usr/sbin/pkgrm -n packagename.pkg on either your standalone rpm file or each rpm file it finds in the archive, removing the package(s) automatically. Uninstallation in this way will be performed only if the archive or package is downloaded to the Agent. If you select the check box for "Run Command Only", you should specify a full command line to ensure the correct removal command is run on the correct package. Since no package is downloaded in this case, you should specify the path in the installation database where the package receipt is stored.



Run Parameters You don’t need to specify any parameters if you have a .pkg file. If no Run Parameters are filled in, all will be used by default to install all pack-ages in the .pkg file. Setting a value here will override the default option.

Full Command Line You don’t need to specify a full command line if you have a .pkg file. The server executes the installation command by itself. The Solaris client will try to install this via: pkgadd -n -d "packagename.pkg" [Run Parameters]If you don’t want to use the default command at all, you can replace it completely by specifying the complete command line here. Remember that if you have specified an archive file, this command will run against all of the .pkg files it can find.

Un-Install using Full Command Line

Select this check box to uninstall software. If the Full Command Line above is filled in, it will be run. Otherwise, by default the agent will attempt the command, which is generally expected to remove the pack-age.

Run Command Only Select this check box to run the command line only. This will not down-load the actual digital asset.

Managed Action Managed Action allows you to select the most appropriate time for this package to be deployed. Execute anytime (next available) and Dis-abled are the only options available for Solaris platform.







Max Attempts Specify the maximum number of attempts, between 0 and 99, to indicate the number of times the KBOX 1000 Series appliance will try to install the package. If you specify 0, KBOX will enforce the installation forever..



9. Click Save.

Standard TAR.GZ ExampleDeploying software using a tar.gz file is a convenient way to package software when more than one file is required to deploy a particular software title (for example, packagename.pkg plus required configuration and data files). For example, if you have a CD-ROM containing a group of files required to install a particular application, you can package them together in a tar.gz file, and upload them to KBOX for deployment.

To create a managed installation for a tar.gz file:

1. Use the following two commands to create tar.gz file:

tar –cvf filename.tar packagename.pkg

gzip filename.tar

This will create filename.tar.gz.



3. Associate the tar.gz file with the inventory item and upload it to the KBOX 1000 Series.


Deployment Win-dow(24H clock)

Specify the time (using a 24 hr. clock) to deploy the package. Deployment Window times will affect any of the Managed Action options. Also, the run intervals defined under the Server Settings > Options page will override and/or interact with the deployment window of a specific package.

Allow Snooze This option is not available for Solaris platform.

Custom Pre-Install Message This option is not available for Solaris platform.

Custom Post-Install Message This option is not available for Solaris platform.









5. Select Add New Item in the Choose action drop-down list. The Managed Software Installation: Edit Detail page appears.

6. Select the software title with which the tar.gz file is associated from the software drop-down list.

7. This file will be uncompressed and searched for .pkg files. The installation command will be run against each of them.

8. If no Run Parameters are filled in, all will be used by default to install all packages in the .pkg file.

9. You don’t need to specify a full command line. The server executes the installation command by itself. The Solaris client will try to install this via:

pkgadd -n -d "packagename.pkg" [Run Parameters]

If extension is tar.gz:

tar xzpf “packagename”If extension is .zip:

unzip “packagename.zip”If extension is .gz:

gunzip “packagename.gz”

10. Enter other package details as described in the Creating a Managed Installation procedures for .pkg file above.

11. Click Save.

The KBOX Agent will automatically run deployment packages with .pkg extensions. However, KBOX 1000 Series also provides a capability for administrators to Zip many files together and direct the KBOX 1000 Series to unpack the Zip and run a specific file within.


Examples of Common Deployments on Macintosh(r)On the Apple MacOS X platform, there is a universal installer with the usual file extension of .pkg. (This format is different from the Solaris .pkg files.) You cannot upload a .pkg file directly, because .pkg files are actually directories at a low level and web browsers can't handle uploading entire directories.

You do not need to use an installer for KBOX to install plain packages. These are the ".app" packages you might normally drag to your Applications folder. These must be archived as well, since they are also directories at a very low level, just like installer packages.

You can even archive installers alongside plain applications. KBOX will run the installers first and then copy the applications into the Applications folder.

The supported package deployments are .pkg, .app, .dmg, .zip, .tgz and tar.gz. If you package the file as a disk image, KBOX will mount and unmount it quietly. This section provides examples for each type of deployment. For each of these examples, you must have already uploaded the file to KBOX prior to creating the Managed Installation package. We recommend installing the software on a test machine, waiting a sufficient amount of time for the KBOX Agent to connect to the KBOX 1000 series appliance and create an inventory item for the software, and then creating the Managed Installation package.

To create a managed installation:




4. By default the kbox agent will attempt to install the .pkg file via the following command. In general, this should be sufficient to install a new package or update an existing one to a new version:

installer -pkg packagename.pkg -target / [Run Parameters]

5. If you have selected a zip/tgz/tar.gz file, then the contents will be unpacked and the root directory searched for all .pkg files. The installation command will be run against each of them. KBOX will search for all the .pkg files on the top level of an archive and execute that same installer command on all of them in alphabetical order. After that, KBOX will search for all plain applications (.app) on the top level of the archive and copy them to /Applications with this command:

ditto -rscs Application.app /Applications/Application.app

If you wish to execute a script or change any of these command lines more fully, you may specify the appropriate script invocation as the Full Command Line. You may specify wildcard in the filenames you use. Enclose the filename in single or double quotation marks if it contains spaces. The files will the

You can also run the file runallkbots located in /Library/KBOXAgent/Home/bin to force the KBOX Agent to check in with the KBOX 1000 appliance.


unarchived into a directory in "/tmp" and that will become the current working directory of the command.

If the PATH environment variable of your root account does not include the current working directory and you wish to execute a shell script or other executable that you've included inside an archive, be sure to specify the relative path to the executable in the Full Command Line field. Remember, you'll be executing your command inside a directory alongside the files which have been unarchived. For example, if you want to run a file called "installThis.sh", you would package it up alongside a .pkg file and then put the command "./installThis.sh" in the Full Command Line field. If you archived it inside another directory, like "foo", the Full Command Line field should be "./foo/installThis.sh".

Both these examples, as well as some other KBOX functions, assume that "sh" is in root's PATH. If you're using another scripting language, you may need to specify the full path to the command processor you wish to run in the Full Command Line, like "/bin/sh ./installThis.sh". Be sure to include appropriate arguments for an unattended, batch script.

If you select the uninstall check box in the MI detail, KBOX will remove each .app it finds in the top level of your archive from the Applications folder. Thus, if you include two files in your archive named "MyApp.app" and "MyOtherApp.app", those two applications will disappear from your Applications folder if they exist there.

Uninstallation in this way will be performed only if the archive or package is downloaded to the client. If you select the check box for "Run Command Only", you should specify a full command line to ensure the correct removal command is run on the correct package. Since no package is downloaded in this case, you should specify the path in the installation database where the package receipt is stored or run the correct file removal command to delete the files from the Applications folder. In that case, you can download a script inside an archive and run the script on the Full Command Line.


On MacOS, you do not need to include any other files in your archive other than your script if that's all you wish to execute.

Run Parameters You cannot apply "Run Parameters" to the above mentioned com-mands.

Full Command Line You don’t need to specify a full command line. The server executes the installation command by itself. The Macintosh(r) client will try to install this via:installer -pkg packagename.pkg -target / [Run Parameters]or ditto -rsrc packagename.app /Applications/theappIf you don’t want to use the default command at all, you can replace it completely by specifying the complete command line here. Remember that if you have specified an archive file, this command will run against all of the .pkg files or .app files it can find.


Select this check box to uninstall software. If the Full Command Line above is filled in, it will be run. Otherwise, by default the agent will attempt the command, which is generally expected to remove the package.

Run Command Only Select this check box to run the command line only.This will not down-load the actual digital asset.




9. Click Save.

Managed Action Managed Action allows you to select the most appropriate time for this package to be deployed. Execute anytime (next available) and Dis-abled are the only options available for Macintosh(r) platform.






Deploy Order The order in which software should be installed.Lower deploy order will deploy first.

Max Attempts Specify the maximum number of attempts, between 0 and 99, to indi-cate the number of times the KBOX 1000 Series appliance will try to install the package. If you specify 0, KBOX will enforce the installation forever.


Specify the time (using a 24 hr. clock) to deploy the package. Deploy-ment Window times will affect any of the Managed Action options. Also, the run intervals defined under the Server Settings->Options page will override and/or interact with the deployment window of a specific package.

Allow Snooze This option is not available for Macintosh(r) platform.

Custom Pre-Install Message This option is not available for Macintosh(r) platform.

Custom Post-Install Message This option is not available for Macintosh(r) platform.









File SynchronizationsFile synchronizations enable you to distribute software files to the computers on your network. These can be any type of file, such as PDF, ZIP files, or EXE files, which are simply downloaded to the user’s machine, but not installed.

Creating a file synchronizationUsing file synchronizations, you can push out any type of file to the computers on your network. You can choose to install the files from the KBOX 1000 Series, or you can specify an alternate location where users will download the file. The string KACE_ALT_Download in the Alternate Download Location field will be replaced with the value assigned by the corresponding LABEL. You should not have a machine in more than one LABEL with an Alternate Download Location specified.

To create a file synchronization:

1. Select Distribution | File Synchronization. The File Synchronizations page appears.


The File Synchronization: Edit Detail page appears.

3. Select the software title to install in the Software Title to Install drop-down list.

4. Set or modify the following installation details:

Notes Enter any information related to the software title selected.

Location (full directory path) Specify the location on the users machine where you want to upload this file.

Location User If the Location specified above is a shared location, specify the User login name.

Location Password If the Location specified above is a shared location, specify the login password.

Enabled Select this check box to download the file the next time the KBOX Agent checks in to the KBOX 1000 Series appliance.

Create Location (if doesn’t exists)

Creates the installation location if not already there.

Replace existing files Select this check box to overwrite existing files of the same name on the target machines.

Do Not Uncompress Distribu-tion

Select this check box if you are distributing a compressed file and do not want the file uncompressed.

Persistent Select this check box if you want the KBOX 1000 Series to con-firm every time that this package does not already exist on the target machine before attempting to deploy it.

Create shortcut (to location) Select this check box if you want to create a desktop shortcut to the file location.

Shortcut name Type a display name for the shortcut.

Delete Temp Files Select this check box to delete temporary installation files.




7. Click Save.

Limit Deployment to Specify a label for the package. The file will be distributed to the users assigned to the label, such as operating system affected by the syn-chronization.

Pre-Install User Message Select this check box to display a message to users prior to installation. When you select this check box, additional fields appear:

Pre-Install User Message - Enter a pre-install message.

Pre-Install Message Timeout - Specify a timeout in minutes for which the message will be displayed.

Pre-Install Timeout Action - Select a timeout action that will take place at the end of the timeout period from the drop-down list. Options include Install later or Install now. For example, you might select Install now because you may be installing at a time when you know that the user is away from his or her desktop, making it a good time to install. Or, you might select Install later if the installer needs some user interaction and it would not work if the user was not at his or her desktop.

Post-Install User Message Select this check box to display a message to users after the installation completes. When you select this check box, message field and timeout options appear. Enter a message and a timeout value in minutes.

Deployment Window Specify the time (using a 24 hr. clock) to deploy the package. Deploy-ment Window times will affect any of the Managed Action options. Also, the run intervals defined under the Server Settings | Options page will override and/or interact with the deployment window of a specific package.







To distribute files previously deployed after the deployment window has closed, click the Resend Files button.


ReplicationA Replication Share allows a KBOX Agent to replicate software installers to a share for use by other KBOX Agents. This allows users to download software from the share instead of directly from the KBOX 1000 Series. This is useful if you have machines in a remote office where downloading the software once for each machine would impact the network.

From the Replication tab, users can:

Add or delete replication shares

Enable or disable replication shares

Creating a Replication ShareReplication shares can only be created on one of the machines listed in the KBOX Inventory | Computers tab. If you want to create a share on a machine not listed there, you will need to create an inventory record for the machine before continuing. For more information, see Chapter 3,“Inventory,” starting on page 26. The Replication Machine will need write permissions to the Destination Path to write the software files.

To create a replication share:

1. Select Distribution | Replication. The Replication Shares page appears.

2. Select Add New Item in the Choose Action drop-down list.

The Replication Share: Edit Detail page appears.

3. Select the machine on which the share will reside in the Replication Machine drop-down list.

4. Specify the Replication Share destination details:

5. Select a label for the Replication Share.

Make sure that the label does not have ALT_KACE_LOCATION specified on it.

6. Specify the replication share download details:

7. Enter comments in the Notes field as necessary.

Destination Path Specify the destination path where the replication machine should copy all the software from the KBOX 1000 Series. All software items with digital assets are copied, including patches. The Replication Machine will need write permissions to the Destination Path to write the software files.

Destination Path User Specify the login name for the share.

Destination Path Password Specify the password for the share.

Download Path Specify the download path from where machines in the replication label will copy these assets instead of downloading them directly from KBOX. The Clients will need read permission to this share.

Download Path User Specify the login name the users in the replication share label will enter to access the assets on the replication share.

Download Path Password Specify the password for the share. The password the users in the replication share label will enter to access the assets on the replica-tion share.


8. Click Save.

9. After creating a replication share, select the Enabled check box to allow users to begin using the share to download digital assets.

Viewing Replication Share DetailsAfter clicking Save, the Replication Shares list will be displayed showing the new replication share. You can view the list of digital assets that will be copied to this share by clicking the linked name of the Replication Share and scrolling down to the table at the bottom.

You can also click the Details link beside the Replication Machine field to view the computer inventory record for the Replication Share. Click the Details link beside the Labels field to view the computers and users assigned to that label.


98

C H A P T E R 7

The KBOX 1000 Series Wake-on-LAN feature provides the ability to “wake up” computers equipped with network cards that are Wake-on-LAN compliant.

“Wake-on-LAN Feature Overview,” on page 99

“Issuing a Wake-on-LAN Request,” on page 100

“Troubleshooting Wake-on-LAN,” on page 101

Wake-on-LAN

Wake-on-LAN Feature OverviewThe KBOX 1000 Series Wake-on-LAN feature enables you to remotely power-on device on your network, even if those machines don’t have the KBOX Agent installed. Wake-on-LAN can target a label, or specific MAC-addressed machine.

Wake-on-LAN is often used to power on machines prior to some IT activity, such a distributing a package from the KBOX 1000 Series to a subnet, to ensure that the distribution or update reaches as many of the target machines as possible. Because many of the updates are performed during off-hours to minimize the impact on your network, some of the machines targeted for updating might be turned off at the time you are performing the updates. In such cases, you could issue a Wake-on-LAN call to turn computers on prior to performing updates, running scripts, or distributing packages.

Using the Wake-on-LAN feature on the KBOX 1000 Series will cause broadcast UDP traffic on your network on port 7. This traffic should be ignored by most computers on the network. The KBOX 1000 Series sends 16 packets per Wake-on-LAN request because it must guess the broadcast address that is required to get the "Magic Packet" to the target computer. This amount of traffic should not have a noticeable impact on the network.

This feature only supports machines that are equipped with a Wake-On-LAN-enabled network interface card (NIC) and BIOS.


Issuing a Wake-on-LAN RequestYou can wake multiple devices at once by specifying a label to which those devices belong, or you can wake computers or network devices individually. If you need to wake devices on a regular basis, for example to perform monthly maintenance, you could schedule a Wake-on-LAN to go out a specific time.

If the device you want to wake is not inventoried by the KBOX 1000 Series but you still know the MAC (Hardware) address and its last-known IP address, you can manually enter the information to wake the device.

To issue a Wake-on-LAN request:

1. Click Distribution | Wake-on-LAN. The Wake-on-LAN page appears.

2. To wake multiple devices, select a label from the Labels drop-down list.

3. To wake computers individually, select them from the Wake a Computer list.

Press CTRL, and then click to select multiple computers.

4. To wake a network device, specify the device’s IP address in the Devices field.

5. Enter the filter criteria in the Filter field.

6. Specify the MAC address of the device in the MAC Address field.

7. Specify the IP address of the device in the IP Address field.

8. Click Send Wake-on-LAN.

After sending the Wake-on-LAN request, you will see the results at the top of the page indicating the number of machines that received the request and to which label, if any, those machines belong.

To schedule a Wake-On-LAN request:

1. Click Distribution | Wake-on-LAN.

2. Click the Schedule a routine Wake-on-LAN event link. The Wake-on-LAN page appears.

3. Select Add New Item in the Choose action drop-down list. The Wake-on-LAN Settings page appears.

4. In the Labels to Wake-on-LAN box, select the labels to include in the request.

Press CTRL, then click to select multiple labels.

5. In the Limit by Operating Systems box, select the operating systems to include in the request.

6. Specify the Wake-on-LAN schedule in the Scheduling area:

7. Click Save.

On clicking Save, you will see the Wake-on-LAN tab with the scheduled request listed. From this view you can edit or delete any scheduled requests.

Don’t Run on a Schedule Tests will run in combination with an event rather than on a specific date or at a specific time.


Runs every day or only the selected day at the specified time.

Run on the nst of every month/specific month at HH:MM AM/PM

Runs on the 1st, or 2nd, etc. of every month or only the selected month at the specified time.


Troubleshooting Wake-on-LANIf a Wake-on-LAN request fails to wake devices, your network devices could be configured in a way that is causing Wake-on-LAN to fail:

The device does not have a WOL-capable network card or is not configured properly.

The KBOX 1000 Series has incorrect information about the subnet to which the device is attached.

UDP traffic is not routed between subnets or is being filtered by a network device.

Broadcast traffic is not routed between subnets or is being filtered by a network device.

Traffic on Port 7 is being filtered by a network device.

For more assistance with troubleshooting Wake-on-LAN, see http://support.intel.com/support/network/sb/cs-008459.htm


http://support.intel.com/support/network/sb/cs-008459.htm

http://support.intel.com/support/network/sb/cs-008459.htm

102

C H A P T E R 8

The optional Policy and Scripting Module provides a point-and-click interface for performing many tasks that would typically require a manual process or advanced programming. This feature is available only for computers that run on the Windows operating system.

“Scripting Module Overview,” on page 103

“Creating and Editing Scripts,” on page 105

“Using the Run Now Function,” on page 111

“Searching Scripting Log Files,” on page 114

“Configuration Policies,” on page 115

Scripting

Scripting Module OverviewIf you purchased the optional KBOX 1000 Series Policy and Scripting Module, you now have a way to easily and automatically perform a variety of tasks across your network through customized scripts that run when and where you want them to. You can automate tasks like installing software, checking antivirus status, changing registry settings, or configuring browser settings by creating a custom script and then scheduling deployment to the endpoints on your network. Each script consists of metadata, dependencies (where necessary), rules, tasks, and deployment and schedule settings.

Dependencies are supporting files that are needed for the script to run, such as executable, .zip files, etc. When creating your script, you will be prompted to upload any required dependencies.

Rules are tasks performed in a specified order on the target machine. Each task determines whether processing should continue or end at the end of each task.

Tasks are the individual steps being carried out by the script. In each script, you can have any number of tasks. Whether or not a task is executed is dependent upon the success or failure of the previous task and any rules for performing subsequent tasks.

There are two types of scripts you can create: policies and jobs. Policies are generally used to perform tasks that will be repeated, such as checking to see whether McAfee Antivirus is installed and working. Jobs are used to perform one-time tasks, such as uninstalling software or moving files.


Using Scripts that are Installed with KBOXKBOX installs the following scripts by default:

Script Name Description

Force Checkin Runs KBScriptRunner on client to force checkin.WARNING: do not run this with more than 50 clients selected as this can overload the server with requests.

Defragment the C: drive Example script to defragment the c:

DOS-DIR DOS-DIR

Inventory Startup Programs Fix On some machines, a missing registry entry causes all of the contents of the system32 directory to be reported as the Star-tup Programs. This script fixes the registry entry if it is missing.

KBOX Remote Control Disabler Disables KBOX Remote Control functionality on Windows XP Professional by configuring Terminal Services properly.

KBOX Remote Control Enabler Enables KBOX Remote Control functionality on Windows XP Professional by configuring Terminal Services properly.

KBOXClient debug logs Disable If the client is checking in and a problem occurs with the inven-tory and deployment, this script will disable the debug switch.

KBOXClient debug logs Enable If the client is checking in and a problem occurs with the inven-tory and deployment, this script will enable the client debug and send the debug back to the server. This only turns on debug for the inventory and deployment part of the client. It does not enable debugging of the scheduling service.

Make Removable Drives Read-Only Removable drives may only be mounted read-only. This pre-vents people from absconding with corporate data, though they may transport data to their PC.

Make Removable Drives Read-Write Removable drives may be mounted read-write.

Message Window Script Example This is an example script to illustrate use of message window. Your script must have properly paired create/destroy message window commands in order to work properly. Message Win-dows remain displayed until user dismisses, until the script fin-ishes executing, or until the timeout is reached, whichever comes first.

Reset KUID Deletes the registry keys that identify a machine. You should also delete the specific machine record from the inventory tab.

Shutdown a Windows system It specifies timeout in seconds while the message in quotes will be displayed to the user. Omit for silent immediate shutdown.

USB Drives Disable USB Drives may not be used at all.

USB Drives Enable USB Drives may be used.

Table 8-1: Default scripts in KBOX


Creating and Editing ScriptsThere are three ways you can create scripts: by importing an existing script (in XML format), by making a copy of an existing script, or by creating a new script from scratch. You can perform these actions from the Scripting | Scripts tab.

The process of creating scripts is an iterative one. After creating a script, it’s a good idea to deploy the script to a limited number of machines (you can create a test label to do this) so that you can verify it is doing what you intend before deploying it to all of the machines on your network. It’s good practice to leave a script disabled until after you have done all of your editing and testing and you are ready to run the script.


Adding ScriptsScripts are made up of one or more Tasks. Within each Task there are Verify and Remediation sections where you can further define the script behavior. If a section is left blank, it defaults to success. For example, if you leave the Verify section blank, it will end in On Success.

To add a script:

1. Select Scripting | Scripts.

2. Select Add New Item from the Choose action drop-down list. The Script: Edit Detail page appears.

3. In the Configuration area, enter the requested details:

4. Specify the deployment options:

Name Provide a meaningful name for the script to make it easier to distinguish from others listed on the Scripts tab.

Description Describe briefly the actions the script will perform. Although this field is optional like the Name field, it will help you to distinguish one script from another on the Scripts tab.

Type Classify the script as either a Job or a Policy. This distinction has no affect on how the script will run, however, it can help to differentiate those scripts that will run regularly (policies) from those that will run only once (jobs).

Status Use this field to indicate whether the script is in development (Draft) or has been rolled out to your network (Production). Use Template if you are building a script that will be used as the basis for future scripts.

Enabled Select this check box to run the script on the target machines. Do not enable until you are finished and want to run it. Enable on a test label before you enable on all machines.

Allow Run While Dis-connected

Select this option if you want to allow the script to run even if the target machine cannot contact the KBOX 1000 Series to report results. In such a case, results will be stored on the machine and uploaded to the KBOX 1000 Series until the next contact.

Allow Run While Logged Off

Select this option if you want to allow the script to run even if a user is not logged in. To run the script only when the user is logged into the machine, clear this option.

Deploy to All Machines

Select this check box if you want to deploy to all the Machines.

Limit Deploy-ment To Selected Labels


Limit Deploy-ment To Listed Machines


Supported Oper-ating Systems

Select an operating system on which the script will run. If you selected a label as well, the script will only run on machines with that label if they are also running the selected operating system.


5. Click Run Now to immediately push the script to all machines. Use this option with caution. For more information about the Run Now button, see “Using the Run Now Function,” on page 111.

6. To browse for and upload files required by the script, click Add new dependency, click Browse, and then click Open to add the new dependency file.

Repeat this step to add additional new dependencies as necessary.

7. Click Add Task Section to add a new task. The process flow of a task in a script is shown below.

Figure 8-2: Example of Task process flow

Scheduling In the Scheduling area, specify when and how often the script will run.

Don’t Run on a Schedule Tests will run in combination with an event rather than on a specific date or at a specific time. Use this option in combination with one or more of the “Also” choices below. For example, use this option in con-junction with “Also Run at User Login” to run when-ever the user logs in.

Run Every n minutes/hours Test will run on every hour and minutes as specified.


Test will run on the specified time on the specified day.

Run on the nst of every month/spe-cific month at HH:MM AM/PM

Test will run on the specified time on the 1st, or 2nd, etc. of every month or only the selected month.

Custom Schedule This option allows you to set an arbitrary schedule using standard cron format. For example, 1,2,3,5,20-25,30-35,59 23 31 12 * * means:On the last day of year, at 23:01, 23:02, 23:03, 23:05, 23:20, 23:21, 23:22, 23:23, 23:24, 23:25, 23:30, 23:31, 23:32, 23:33, 23:34, 23:35, 23:59. The KBOX 1000 Series doesn’t support the extended cron format.

Also Run Once at next Client Checkin

This option runs the script once when new scripts are downloaded from the KBOX 1000 Series. The time interval for downloaded scripts is set in KBOX Settings | Client Options | Scripting Update Interval.

Also Run at Machine Boot Up This option runs the script at machine boot time. Be aware that this will cause the machine to boot up slower than it might normally.

Also Run at User Login This option runs the script after the user has entered their Windows login credentials.

IF Verify THEN

Success

ELSE IF Remediation THEN

Remediation Success

ELSE

Remediation Failure


8. Under Job or Policy Rules, set the following options for Task 1:

9. In the Verify section, click Add to add a step, and then select one or more steps to perform. See Appendix A,“Steps for Task sections,” starting on page 204.

10. In the On Success and Remediation sections, select one or more steps to perform.

See Appendix A,“Adding steps to a Task,” starting on page 203.

11. In the On Remediation Success and On Remediation Failure sections, select one or more steps to perform.

See Appendix A,“Adding steps to a Task,” starting on page 203.

Editing ScriptsYou can edit scripts on the Script: Edit Detail page, or in an XML editor. To use the XML editor, click the View raw XML editor link at the top of the Script: Edit Detail page. Scripts created using one of the wizards can be re-edited using the wizard in addition to these methods.

To edit a script:


2. Click the name of the script you want to edit.

The Script: Edit Detail page appears.

3. Modify the script as desired.

4. Click Save.

To delete a script:


2. Select the check box beside the script you want to delete.

3. Choose Delete Selected Item(s) from the Choose action drop-down list.

4. Click OK to confirm deletion.

Attempts The number of times the script will attempt to run. If the script fails but remediation is successful, you may want to run the task again to confirm the remediation step. To do this, set the number of Attempts to 2 or more. If the Verify section fails, it will be run Attempts number of times.

On Failure Select Break if you want the script to stop running upon failure. Select Continue if you want the script to perform remediation steps upon failure.

To remove a dependency, task, or step, click the trash can icon beside the item. This icon appears when your mouse hovers over an item.


Importing scriptsIf you prefer to create your script in an external XML editor, you can upload your finished script to the KBOX 1000 Series. Be sure that the imported script conforms to the following structure:

The root element <kbots></kbots> includes the URL of the KACE DTD “kbots xmlns=”http://kace.com/Kbots.xsd”>...<kbots>

One or more <kbot> elements.

Exactly one <config> element within each <kbot> element.

Exactly one <execute> element within each <config> element.

One or more <compliance> elements within each <kbot> element.

Figure 8-3: Example of XML structure for KBOX 1000 Series script

In the above example, we see an example of a simple XML script. The <config> element corresponds to the Configuration section on the Script: Edit Detail page and is where you will specify the name of the policy or job (optional), and the script type (policy or job). Within this element you also will indicate whether the script will run when the target machine is disconnected or logged off from the KBOX 1000 Series.

Within the <compliance> element you will specify whether the script is enabled and describe the specific tasks the script is to perform.

Tip: If you are creating a script that will perform some of the same tasks as an existing script, you may want to consider creating a copy of that existing script, then opening the copied script in XML editor view to better understand what is possible in the <compliance> element. For more information, see “Duplicating scripts,” on page 110.

<?xml version=”1.0” encoding=”utf-8” ?>

<kbots xmlns=”http://kace.com/Kbots.xsd”>

<kbot>

<config name=”name=”” type=”policy” id=”0” version=”version=”” description=”description=””>

<execute disconnected=”false” logged_off=”false”>

</execute>

</config>

<compliance>

</compliance>

</kbot>

</kbots>


To import an existing script:

1. Click the Scripting button, then choose the Scripts tab.

2. From the Choose action drop-down list, select Import from XML.


3. Paste the existing script into the space provided, then click Save.

Duplicating scriptsIf you have already created a script that performs many of the tasks required of your new script, the simplest way to begin is to make a copy of the current script, then modify the steps as required, and then upload any new dependency files.

To duplicate an existing script:


2. Click the linked name of the script you want to copy to open it for editing.


3. Click the Duplicate button.

The Scripts list page appears, which includes a new script named “Copy of xxx”, where “xxx” is the name of the copied script.

4. Click the linked name of the copied script to open it for editing.

Continue as you would in “Adding Scripts,” on page 106.


Using the Run Now FunctionThe Run Now function provides a way for you to run scripts on selected machines immediately without setting a schedule. You may want to use this function if you have machines on your network that you suspect are infected with a virus or other vulnerability which could compromise your entire network if not resolved right away. Run Now is also useful for testing and debugging scripts on a specific machine or set of machines during development.

The Run Now function is available in three places:

Run Now tab - Running Scripts from the Scripting | Run Now tab allows you to run one script at a time on the target machines.

Script: Edit Detail Page - Running Scripts from the Script : Edit Detail page allows you to run one script at a time on the target machines.

Scripts List Page - Running scripts from the Scripts List Page using the Run Now option from the Choose action drop-down list allows you to run more than one script at the same time on the target machines.

Run Scripts using the Run Now tabYou can run scrips using the Scripting | Run Now tab.

To run Scripts using the Run Now tab:

1. Select Scripting | Run Now. The Run Now page appears.

2. Select the Script you want to run in the Scripts list. You can use the Filters to filter the Scripts list.

3. Select the machines on which Script needs to run from the Inventory Machines list. Selected machine name appears in the Machine Names field. You can use the Filters to filter the machine names list. You can add all the machines by clicking Add All.

Atleast one machine name should be present in the list to run the script.

4. Click Run Now to run the selected Script.

Run Now from the Script Detail page

To use the Run Now function from the Script Detail page:

1. To minimize the risk of deploying to unintended target machines, KACE recommends that you create a label that represents the machine or machines on which you want to use the Run Now function. See “Creating Labels,” on page 43 for more information.

2. Select the Scripting tab.

CAUTION: Because a script is deployed immediately when you click Run Now, use this feature cautiously, and do not deploy unless you are certain that you want to run the script on the target machines. Be sure to specify a label on which to run the script, otherwise it will deploy to all machines by default.

See “Creating Labels,” on page 43 for more information.


3. Select the script you want to run.


4. Select the label or labels that represent the machine(s) on which you want to run the script. Press CTRL and click to select multiple labels.

5. Scroll to the bottom of the Scheduling section, then click Run Now.

To use the Run Now function from the Scripts Lists Page:

1. To minimize the risk of deploying to unintended target machines, KACE recommends that you create a label that represents the machine or machines on which you want to use the Run Now function. See “Creating Labels,” on page 43 for more information.

2. Select the Scripting tab.

3. Select the script or scripts you want to run.

4. Select Run Now from the Choose action drop-down list.

Monitoring Run Now statusWhen you click Run Now or select Run Now from the Choose action drop-down list, the Run Now Status tab appears where you will see a new line item for the script.

The Pushed column indicates the number of machines on which the script is attempting to run. The Completed column indicates the number of machines that have finished running the script. The numbers in these columns increment accordingly as the script runs on all of the selected machines. The icons above the right-hand column provide further details of the script status.

If there were errors in pushing the scripts to the selected machines, you can search the scripting logs to determine the cause of the error. For more information about searching logs, see “Searching Scripting Log Files,” on page 114.

Icon Description

The script completed successfully.

The script is still being run, therefore its success or failure is unknown.

An error occurred while running the script.

Table 8-4: Run Now Status tab icons

The Run Now function communicates over port 52230. One reason a script might fail to deploy is if firewall settings are blocking the KBOX Agent from listening on that port.


Run Now Detail PageFor more information on a Run Now item, click the linked start time on the Run Now Status page to display the item’s Run Now Detail page.

The Run Now Detail page displays the results of a script that was run manually using the Run Now Function, instead of running it on a schedule.

The Push Failures section lists those machines that the server could not contact, and therefore did not receive the policy. Once pushed, it may take some time for the machine to complete a policy. Machines that have received the policy, but have not reported their results yet are listed in the Scripts Running section. After the policy is run, it will report either success or failure. The results will be sorted under the appropriate section. Each individual computer page also has the results of the Run Now events run on that machine.


Searching Scripting Log FilesThe Search Logs page allows you to search the logs uploaded to the KBOX 1000 Series appliance by the machines on your network.

To search scripting logs:

1. Select Scripting |Search Logs.

2. Enter the keywords to search for in the Search for field. You can use the following operators to change how the logs are searched:

3. To search only in logs uploaded by a particular script, choose the script name.

4. Select the log type to search in from the drop-down list. Options include: Output, Activity, Status, and Debug.

5. In the Historical field, select whether to search in only the most recent logs or in all logs from thedrop-down list.

6. To search only in logs uploaded by KBOX Agents in a particular label group, select the label from the drop-down list.

7. Click Search.

Operator Function

+ A leading plus sign indicates the word must be present in the log.

- A leading minus sign indicates the word must not be present in the log.

* A trailing asterisk can be used to find logs that contain words that begin with the supplied characters.

“ A phrase enclosed in double quotes matches only if the log contains the phrase exactly as typed.

Table 8-5: Available search operators


Configuration PoliciesThe Configuration Policy page displays a list of wizards you can use to create policies that manage various aspects of the computers on your network.

To access the list of available Configuration Policy wizards, click the Scripting button, then select the Configuration Policy tab. This section includes descriptions of the settings for each of the policies you can create.

Available wizards include:

Enforce Registry Settings

Remote Desktop Control Troubleshooter

Enforce Desktop Settings

Desktop Shortcuts Wizard

Event Log Reporter

MSI Installer Wizard

UltraVNC Wizard

Un-Installer Wizard

Windows Automatic Updates Settings.


Enforce Registry SettingsThis wizard allows you to quickly create scripts that enforce particular registry settings.

To enforce registry settings:

1. Use regedit.exe to locate and export the values from the registry that you are interested in.

2. Open the .reg file that contains the registry values you want with notepad.exe and copy the text.

3. Select Scripting |Configuration Policy.

4. Click Enforce Registry Settings. The Configuration Policy : Enforce Registry Settings page appears.

5. Enter a policy name in the Policy Name field.

6. Paste the copied registry values into the Registry File field.

7. Click Save.

After clicking Save you will be taken to the Script: Edit Detail page, where you will need to enable and set a schedule for this policy to take effect.

A new script will be created that will check that the values in registry file match the values found on the target machines. Any values that are missing or incorrect will be replaced.

See “Adding Scripts,” on page 106 for more information.

Remote Desktop Control TroubleshooterThis editor creates a troubleshooting script for the KBOX 1000 Series Remote Control functionality. The script that this page generates will test the following things:

Terminal Services: To access a Windows XP Professional machine using Remote Desktop, Terminal Services must be running. This script will verify that this is the case;

Firewall Configuration: If the Windows XP SP2 Firewall is running on the machine, several different configurations may be affecting whether the Remote Desktop requests are being blocked by the firewall.

To troubleshoot remote behavior:


2. Click Remote Desktop Control Troubleshooter. The Configuration Policy : Remote Control Troubleshooter page appears.

Under Firewall Configuration, specify the desired settings.

3. Click Save.

After clicking Save you will be taken to the Script: Edit Detail page, where you will need to enable and set a schedule for this policy to take effect. See “Adding Scripts,” on page 106 for more information.


Enforce Desktop SettingsThis wizard allows you to build policies that affect the user's desktop wallpaper. The Wallpaper bitmap file is distributed to each machine affected by the policy. This file must be in the Bitmap (.bmp) format.

To create a policy to enforce Desktop Settings:


2. Click Enforce Desktop Settings.

3. Select the Use wallpaper check box to enforce this setting.

4. Click Browse to select and upload the .bmp file to use for the wallpaper.

5. Select a position for the wallpaper image from the Position drop-down list. Select Stretch to stretch the image so that it covers the entire screen. Select Center to display the image in the center of the screen. Select Tile to repeat the image over the entire screen.

6. Click Save.


Desktop Shortcuts WizardThis wizard allows you to quickly create scripts that add shortcuts to users' Desktop, Start Menu, or Quick Launch bar. You can create an Internet shortcut and can put a URL to the target with no parameters and working shortcut.

To create scripts to add shortcuts:


2. Click Desktop Shortcuts Wizard. The Configuration Policy : Enforce Shortcuts page appears.

3. Enter a name for the desktop shortcut policy in the Policy Name field.

4. Click Add Shortcut.

5. Specify the shortcut details.

6. Click Save Changes to save the new shortcut.

7. Click Add Shortcut to add more shortcuts. To edit or delete a shortcut, hover over a shortcut and click the Trash can icon that appears.

8. Click Save.


Name The text label that will appear below or beside the shortcut.

Target The application or file that is launched when the shortcut is clicked, e.g., Program.exe.

Parameters Any command line parameters. For example: /S /IP=123.4

WorkingDir Changes current working directory. For example: C:\Windows\Temp

Location Select the location where the shortcut will appear from the drop-down list. Options include Desktop, Quick Launch, and Start Menu.


Event Log ReporterThis wizard creates a script that queries the Windows Event Log and uploads the results to the KBOX 1000 Series.

To create an Event Log query:


2. Click Event Log Reporter. The Configuration Policy : Event Log Reporter page appears.

3. Specify query details:

4. Click Save.


MSI Installer WizardThis wizard helps you set the basic command line arguments for running MSI based installers. See the MSI Command Line documentation for full details.

To create the MSI Installer policy:


2. Click MSI Installer Wizard. The Configuration Policy : MSI Wizard page appears.


Output filename The name of the log file created by the script.

Log file The type of log you want to query. Options include Application, System, and Security.

Event Type The type of event you want to query. Options include Information, Warn-ing, and Error.

Source Name Use this optional field to restrict the query to events from a specific source.

Action Select a task. Options include Install, Uninstall, Repair missingfiles, and Reinstall all files.

Software Select the application you want to install, uninstall, or modify.

MSI filename Enter a MSI filename.

User Interaction Select an option to specify how the installation should appear to end users. Options include: Default, Silent, Basic UI, Reduced UI, and Full UI. See MSI documentation for a complete description of the available options.

Installation Directory Specify the installation directory.

Additional Switches Include any additional installer switches. Additional Switches will be inserted between the msiexe.exe and the /i foo.msi arguments.


4. Click Save.


Additional Properties Include any additional properties. Additional Properties will be inserted at the end of the command line.

For example: msiexec.exe /s1 /switch2 /i patch123.msi TARGETDIR=C:\patcher PROP=A PROP2=B

Feature List Enter the features to install. Separate features with commas.

Store Config per machine

Select this box to do per-machine installations only.

After install Select the behavior after installation. Options include:

Delete installer file and unzipped filesDelete installer file, leave unzipped filesLeave installer file, delete unzipped filesLeave installer file and unzipped files.

Restart Options Select the restart behavior. Options include:

No restart after installation

Prompts user for restart

Always restart after installation

Default

Logging Select the type(s) of installer messages to log. Press CTRL and click to select multiple message types. Options include:

NoneAll MessagesStatus MessagesNon-fatal warningsAll error messagesStart up actionsAction-specific recordsUser requestsInitial UI parametersOut-of-memory or fatal exit informationOut-of-disk-space messagesTerminal propertiesAppend to existing fileFlush each line to the log

See MSI documentation for a complete description of the available logging options.

Log File Name Specify the name of the log file.


UltraVNC WizardThe UltraVNC Wizard creates a script to distribute UltraVNC to Windows computers on your network.

UltraVNC is a free software solution that allows you to display the screen of a computer (via Internet or network) on another computer. You can use your mouse and keyboard to control the other computer remotely. It means that you can work on a remote computer, as if you were sitting in front of it, right from your current location.This wizard creates a script to deploy UltraVNC to your computers. See UltraVNC documentation for complete details.

To distribute UltraVNC to the computers on your network:

1. Select Scripting | Configuration Policy.

2. Click UltraVNC Wizard. The Configuration Policy : Ultra VNC Wizard page appears.

3. Specify UltraVNC installation and authentication options:

Go to http://www.uvnc.com/ for UltraVNC downloads and documentation.

Install Options Install Mirror Driver Check the Mirror Driver box to if you want to install the optional UltraVNC Mirror Video Driver.

The Mirror Video Driver is a driver that UltraVNC can use to be quickly and efficiently notified with screen changes. Using it on an UltraVNC server results in an excellent accuracy. The video driver also makes a direct link between the video driver framebuffer memory and UltraWinVNC server. Using the framebuffer directly eliminates the use of the CPU for intensive screen blitting, resulting in a big speed boost and very low CPU load. See UltraVNC documentation for complete details.

Install Viewer Check the Mirror Driver box to if you want to install the optional UltraVNC Mirror Video Driver.

Authentication VNC Password Provide a VNC password for authentication.

Require MS Logon If you want to use MS Logon authentication, use MSLogonACL.exe /e acl.txt to export the ACL from your VNC installation. Copy and paste the contents of the text file into the ACL field.

It is advisable to look at the script that is generated by this wizard to make sure it is doing something you expect. You can view the raw script by clicking View raw XML Editor on the Script Detail page.


4. Specify UltraVNC miscellaneous options:

5. Click Save.


Un-Installer WizardThis wizard allows you to quickly build a script to uninstall a software package. The resulting script can perform three actions: Execute an uninstall command;Kill a process; and Delete a directory.

To create an uninstaller script:


2. Click Un-Installer Wizard. The Configuration Policy : Uninstaller page appears.


4. Click Save.


Disable Tray Icon Check this box if you do not want to display the UltraVNC tray icon on the target computers.

Disable client options in tray icon menu

If you did not check Disable Tray Icon, check this box if you do not want to display client options in the tray icon menu on the target computers.

Disable properties panel Check this box to disable the UltraVNC properties panel on the tar-get computers.

Forbid the user to close down WinVNC

Check this box if you do not want to allow computer users to shut down WinVNC.

Job Name Enter a name for the uninstaller script.

Software Item Select the software item to uninstall.

The wizard will attempt to fill in the correct uninstall command. Verify that the values are correct.

Uninstall Command Directory When you select the software item, the wizard will attempt to fill in the uninstall command directory, file, and parameters.

Review the entries to make sure the values are correct.Uninstall Command File

Uninstall Command Parameters

Kill Process To have a process killed before executing the uninstall com-mand, enter the full name of the process in the Kill Process field. (For example: notepad.exe)

Delete Directory. To have a directory deleted after executing the uninstall command, enter the full name of the directory in the Delete Directory field here. (For example: C:\Program Files\An Example App\).


Windows Automatic Update Settings policyThis policy allows you to configure a script to control Windows Automatic Updating system. Detailed information can be found at Microsoft's Knowledge Base Article 328010 (http://support.microsoft.com/kb/328010).

To modify Windows Automatic Update settings:


2. Click Windows Automatic Update Settings. The Windows Automatic Update Policy page appears.

The Windows Automatic Update Policy page appears.


4. Select the interval (in minutes) to wait to reschedule an update if the update fails from the Reschedule Wait Time drop-down list.

5. Specify whether or not to reboot while a user is logged in.

6. Enter the details for the SUS Server and SUS Server Statistics.

7. Click Save.


Automatic (recommended) Select this option to enable automatic downloading of Windows Updates.

Download updates for me, but let me choose when to install them.

Select this option to ensure that you always receive the latest downloads, but retain the flexibility to decide when to install them.

Notify me but don’t automati-cally download or install them.

Select this option provides for the most flexibility. Be aware, how-ever, that this may make your network more vulnerable to attack if you neglect to retrieve and install the updates on a regular basis.

Turn off Automatic Updates Select this option if you are using the KBOX 1000 Series Patching feature to manage Microsoft patch updates.

Remove Admin Policy. User allowed to configure.

Select this option to provide users with control over the update process. Be aware, however, that this may make end-users, and therefore your network, more vulnerable to attack.


C H A P T E R 9

123

Patching

The KBOX 1000 Series Patching feature enables you to quickly and easily deploy Microsoft patches to your network. This feature is available only for computers that run on the Windows operating system.

“Overview of Patching feature,” on page 124

“Bulletin Management workflow,” on page 126

“Updating Patch definitions,” on page 131

Overview of Patching featureThe KBOX 1000 Series patching feature provides access to the latest Microsoft Security bulletin updates for Windows platforms including Microsoft Office programs. Microsoft updates its list of Security bulletins nightly, and new patches are available for download from the KBOX 1000 Series daily beginning at 3 AM. The KBOX 1000 Series automatically downloads patch software and creates managed installations based on the configured patch settings.

You can view the list of available bulletins, see which bulletins require attention, and access other patching functions from the Distribution | Patches tab.

The Bulletin Management view of the Patches tab provides a central interface where you can easily review, approve, or decline patches, as well as access all other patch functions.

From the Distribution | Patches tab you can:

Filter and search patch bulletins

Approve or decline bulletinsConfigure and troubleshoot patch deploymentCreate a new Replication Share Create a new Windows update policySee a list of computers currently patchingRun patch reportsView patch status.

To sort the bulletin list view by status, importance, or bulletin year, click one of the links at the top of the page under Bulletin Lists. The Patch Listing page appears.

The Patch Listing page provides a list of all available bulletins, which you can further sort based on status, bulletin year, importance, bulletin year, or affected operating system. You can also view only those bulletins that encountered errors during deployment.

To view details about a specific patch, click the linked name of the bulletin.

The Patch Listing page uses the following icons to convey the status of a bulletin:

The Patch Listing page also contains the following information:

Importance - The severity rating of the patch: Unrated, Low, Moderate, Important, or Critical

Expected - The number of computers to which the patch will be deployed

Icon Description

No icon Bulletin needs review.

The bulletin is approved for distribution.

The bulletin is under review.

The bulletin is declined and will not be distributed.

Table 9-1: Patch List icons


ToDo - The number of computers still to be patched

Error - The number of errors encountered during the patch process.

To return to the Bulletin Management page from the Patch Listing page, click the Patches tab again.


Bulletin Management workflowThe process for deploying patches on your network follows these basic steps: Downloading, Reviewing/ Approving, Deploying, and Reporting. The sections that follow describe each of these steps in detail along with associated tasks and settings.

The Bulletin Management page provides a dashboard from which you can access all the necessary patch deployment tasks.

The Bulletin Lists offer a filtered view of the bulletins so you can scale the list to specific bulletins by year, importance (critical), or status (approved or declined).

Downloading patch bulletinsAs mentioned previously, the KBOX 1000 Series automatically downloads all new patches available from Microsoft every day. However, you can modify the patch configuration settings to only download bulletins from a certain year, invoke an immediate patch download, or delete all software associated with previously downloaded patches.

To configure patch download settings:

1. Select Distribution |Patches.

2. Under Associated Activities, click the Change Patch Settings link.

The Patch Settings page appears.


4. Under Download Patches from, select the bulletin year.

5. To update patch definitions immediately, click Update Patches Now.

6. To delete all software associated with previously download patches, click Delete Patches ( ).

The number of Managed Installations that will be deleted is in parenthesis.

Reviewing & approving bulletinsWhen new bulletins appear in the KBOX 1000 Series, they appear under the Need Review Bulletins section of the Bulletin Management page so that you can easily see which bulletins need your attention. You should review items listed here and move them to the appropriate category (Approved, Reviewing, or Declined) as soon as possible.

You can review and approve bulletins in several ways: from the Needs Review Bulletin list, from the Patch List page, or from the individual bulletin detail page. Both the Needs Review Bulletin and Patch List offer the option of modifying multiple bulletins at once.

Additionally, you can sort the bulletin view by the most Critical bulletins to ensure that you approve and deploy the most sensitive bulletins as quickly as possible.

To review bulletins from the Needs Review Bulletin list:

1. Select Distribution | Patches.

2. Under the Needs Review Bulletins, select the check box beside the bulletin(s) you want to modify.

3. Select the check box beside the bulletin(s) you want to modify.

4. Select the check box next to the check mark in the header to select all bulletins.


5. Select one of the following options from the Choose action drop-down list:

6. Click Save.

To review patches from the Patch listing:


2. Under To Do Lists, click the Need Review Bulletins link. The Patch Listing page appears.

3. Select the check box beside the bulletin(s) you want to modify.

4. From the Choose action drop-down list, select the desired status. You can change the status of bulletins in batches or individually. There are several ways to change the status of a bulletin:

From the Bulletin Management page

From the Patch List page

From the Bulletin Detail page.

To change the status of all open bulletins at once:

1. From the Bulletin Management Page, under Need Review Bulletins, click the + Bulletins link to expand the list.

2. Scroll down and select the Check All Bulletins check box.

3. Select the desired status:

Reviewing

Approved

Declined.

4. Click Save.

To change bulletin status individually:

1. From the Bulletin Management Page, under Need Review Bulletins, click the + Bulletins link to expand the list.

2. Click the linked bulletin number. The Bulletin: Detail page appears in a new browser window.

3. Select the desired status:

Needs review

Reviewing

Approved

Declined.

Needs review The default option on this page. Bulletin will remain on the Needs Review list. Bulletin will not be distributed.

Reviewing The bulletin is moved out of the Needs Review list, but still requires an Approved status before it will be deployed.

Approved The bulletin will be deployed according to the patch settings you specify.

Declined The bulletin will be removed from the Needs Review list.


4. Click Save.

To see a list of software titles affected by this bulletin, scroll down to the bottom of the page.

Deploying bulletinsWhen you approve a bulletin, you will see the Bulletin: Detail page where you will see the bulletin details, such as the computers to which you want to deploy bulletins be deployed to, operating systems affected, and links to access the Managed Installation details for the bulletin.

By default, approved bulletins are set to execute the next time a machine checks in to the KBOX 1000 Series. You can configure this and other settings, such as installation behavior, user interaction, and deployment window from the Patch Settings page.

To configure bulletin deployment settings:

1. Select Distribution |Patches.

2. Under Associated Activities, click the Change Patch Settings link.

The Patch Settings page appears.

3. Click the [Edit Mode] link to modify settings.

4. Enter Patch Download Maintenance information as follows:

5. Specify the following Default Patch Settings:

If you see the word WARNING on this page, it means that the settings for the various Managed Installations listed are different from each other. Clicking Save under these circumstances will overwrite those different settings with the values you specify on this page.

Download Patches From Select a year from the drop-down list.

Update Patches Now Click Update Patches Now to update your list of patches.

Delete all Patch Software Click Delete Patches to delete all downloaded patches.

Managed Action Select a Managed Action from the drop-down list. This dictates deployment behavior. Options include:


Execute before logon (at machine bootup)



Execute while user logged off.

Quiet Install Select this check box to install the patch without notifying the user.

Suppress Reboot Select this check box to install the patch without requiring the users machine to reboot.

Deployment Window By default, the KBOX 1000 Series will attempt to deploy this patch for 24 hrs. Select a time on a 24-hour clock to open the deployment window and a time to close the deployment window.


6. To apply these changes across all patches, select the Apply changes to existing patches check box.

7. Click Save.

Limit Deployment To

Specify the label(s) to which you want to deploy the patch. KACE recommends deploying patches to a test label with a small number of machines before deploying more widely on your network.

Press CTRL and click to select multiple labels.

Max Attempts Specify the maximum number of times (between 1 and 99) the KBOX 1000 Series will attempt to install the patch before giving up.

Allow Snooze Select this check box to allow users to delay patch installation until a later time.

Pre-Install Message Select this check box to display a message to users before installing the patch. Additional Pre-Install Message fields appear.

Pre-Install User Message Enter the message text that will displayed to users before installing the patch.

Pre-Install Message Timeout Enter a timeout duration for the message in minutes.

Pre-Install Message Timeout Action

Select one of the following options from the drop-down list. This action will be taken if the time duration is reached. Options include:

Install Now

Install Later

Post-Install Message Select this check box to display a message to users after installing the patch. Type message in space provided.

Post-InstallUser Message

Enter the message text that will displayed to users after the patch is installed.

Post-Install Message Time-out

Enter a timeout duration for the message in minutes.

Delete Downloaded Files Select to download all the files after the patch is installed.


Reporting patching results There are several ways you can access patching results. To see which patches were unsuccessful, for example, you could select Bulletins with deployment errors from the To Do Lists section of the Bulletin Management page, or sort the Patch Listing page by Bulletins with Errors.

For more details about patching status and results, you can refer to the Computer Information, Patch Reports, and Patch System Status sections of the Bulletin Management page.

Computer Information includes the Machine name, IP Address, Last Sync, Last User Logged In, and the Number of Patches for each machine to which patches were deployed.

The Patch Reports section provides quick links for viewing reports on:

Critical Bulletin List

For each Machine, what patches are installed

For each Patch, what machines have it installed

How many computers have each Patch installed

Installation Status of each enabled Patch

Needs Review Bulletin List

Patches waiting to be deployed.

The Patch System Status gives an overview of the number of bulletins that have been downloaded from Microsoft, the status of the last update, and the date and time of the last attempted and successful downloads.

Creating a Replication Share for patchesA Replication Share allows a KBOX Agent to replicate software installers to a share for use by other KBOX Agents. This allows KBOX Agent machines to download patch software from the share instead of directly from the KBOX 1000 Series. This is useful if you have machines in a remote office where downloading the software once for each machine would impact the network.

For more information about creating Replication Shares, see Chapter 6,“Replication,” starting on page 91.

Create new Windows Update PolicyThe KBOX 1000 Series provides a way for you to control the behavior of the Windows Update feature. This feature allows you to specify how and when Windows updates are downloaded so that you can control the update process for the computers on your network. Although this functionality is accessible from the Bulletin Management page, the configuration settings reside under the Scripting | Configuration Policy tab. For more information about this policy, see “Windows Automatic Update Settings policy,” on page 111.


Updating Patch definitionsAlthough the definitions for Microsoft patches are updated automatically on a scheduled basis, you can retrieve the latest files manually from the Server Maintenance page.

To update the Patch definitions:


2. To update Microsoft patches, click Change Patch Setting.


C H A P T E R 10

132

Security

The optional KBOX 1000 Series Security Enforcement and Audit Module allows you to run vulnerability tests on your network using Open Vulnerability and Assessment Language (OVAL). This feature is available only for com-puters that run on the Windows operating system.

“Security Module Overview,” on page 133

“OVAL Tests,” on page 134

“OVAL Reports,” on page 138

“Creating Security Policies,” on page 139

Security Module OverviewIf you purchased the optional KBOX 1000 Series Security Enforcement and Audit Module, you can ensure the health of your network by running vulnerability tests on the computers in your network, then, based on testing results, you can determine how to bring the computers back into compliance. You can customize security policies to enforce certain rules, schedule tests to run automatically, and run reports based on testing results.

The KBOX 1000 Series Security Enforcement and Audit Module uses Open Vulnerability and Assessment Language (OVAL), an internationally recognized standard for detecting security vulnerabilities and configuration issues on computer systems. OVAL is compatible with the Common Vulnerabilities and Exposures (CVE) list, which provides common names used to describe known vulnerabilities and exposures.

The ability to describe vulnerabilities and exposures in a common language makes it easier to share security data with other CVE-compatible databases and tools.

About OVAL and CVEOVAL relies on definitions submitted by members of the security community on the Community Forum, by MITRE Corporation, or by the OVAL Board, to detect vulnerabilities on your network. OVAL uses the vulnerabilities on the CVE List as the basis for most of its definitions. CVE content is determined by the CVE Editorial Board, which is composed of experts from the international information security community.

Any new information about a vulnerability that is uncovered as a result of discussions on the Community Forum are sent to the CVE Initiative for possible addition to the list. For more information about CVE visit http://cve.mitre.org.

OVAL definitions pass through a series of phases before being released. Depending on where a definition is in this process, it will likely be assigned a status of DRAFT, INTERIM, or ACCEPTED. Other possible values for status are Initial Submission and Deprecated. For more information about the stages of OVAL definitions, visit http://oval.mitre.org/about/stages.html.

Note that the OVAL tests available with your KBOX 1000 Series when it is first installed might be out of date. After installation, the KBOX 1000 Series will automatically check for updates nightly. You can see the current OVAL version on the KBOX Summary Info page (Reporting | Summary).

Status Description

Draft Definitions with this status have been assigned an OVAL ID number and are under discus-sion on the Community Forum and by the OVAL Board.

Interim Definitions with this status are under review by the OVAL Board and available for discus-sion on the Community Forum. Definitions are generally assigned this status for two weeks, unless further changes or discussion are required.

Accepted Definitions with this status have passed the Interim stage and are posted on the OVAL Definition pages. All history of discussions surrounding Accepted definitions are linked from the OVAL definition.

Table 10-1: OVAL status definition descriptions


http://cve.mitre.org/

http://oval.mitre.org/about/stages.html

OVAL TestsThe KBOX 1000 Series checks nightly for updates to the list of available OVAL definitions. Definitions are displayed on the OVAL Tests tab, along with their associated OVAL ID and CVE Number. Search for a specific OVAL test by operating system, vulnerability, or by OVAL ID or CVE Number.

To view the list of OVAL definitions, click the Security button, then select the OVAL Tests tab.

To view the details of a test, click the linked definition to view the OVAL Test Detail page.

When OVAL tests are enabled, all of the available OVAL tests are run on the target machines.

Figure 10-2: OVAL Test Definition page

OVAL Test details do not indicate the severity of the vulnerability. Use your own judgement when determining whether to test your network for the presence of a particular vulnerability.

Definition status

The steps used to test for the vulnerability

The computers detected to have this vulnera-bility along with the IP address and operating systems of the affected computers

Click the OVAL-ID or CVE-ID for more details about a vulnerability


The table below contains an explanation of the fields found on the OVAL Tests Definition page.

The table at the bottom of the page displays the list of computers in your network that contain this vulnerability. For convenience, a printer-friendly version of this data is available.

Running OVAL TestsThe KBOX 1000 Series runs OVAL tests automatically based on the schedule specified in OVAL Settings. Because OVAL Tests take up a considerable amount of memory and CPU, they will impact the performance of the target machines. OVAL Tests take between 5 and 20 minutes to run. Therefore, to minimize the disruption to your users, it is best to run OVAL Tests once a week, or once a month during off hours when your users are least likely to be inconvenienced. For example, you may want to schedule OVAL to run once a week on a Saturday.

If you are only running OVAL Tests periodically, or if there are only select machines whose OVAL Test results you are concerned about, you could assign a label to those machines and use the Run Now Function to run OVAL Tests on those machines only. For more information about the Run Now Function, see “Using the Run Now Function,” on page 101.

OVAL UpdatesThe KBOX 1000 Series checks www.kace.com for new OVAL definitions nightly, but you should expect new definitions weekly. If you have OVAL tests enabled, the KBOX 1000 Series will download new OVAL definitions to all client machines on the next scripting update interval whenever a new package becomes available, regardless of the OVAL schedule settings. The .zip file that contains the updates could be up to 2MB, so use caution when enabling OVAL Tests for the computers on your network, as the size of the package could impact the performance of users’ machines, particularly those on dialup connections.

For this reason, a good rule to follow is to only enable OVAL Tests when you want to run them. For example, if you wanted to schedule OVAL Tests to run on January 1st, you could disable them on January 2nd, and not enable them again until close to the next time you want them to run. Any OVAL updates that are pulled down while the OVAL Tests are disabled will be stored on the KBOX 1000 Series and only pushed out to the target machines when enabled again.

Field Description

OVAL-ID Click the OVAL-ID to visit an external Web site with more details about the vulnera-bility. The status of the vulnerability follows the OVAL-ID. Possible values are DRAFT, INTERIM, or ACCEPTED.

Class Indicates the nature of the vulnerability. Possible values are: compliance, depre-cated, patch, and vulnerability.

Ref-ID Click the Ref-ID to visit an external Web site for more details about the vulnerability.

Description The common definition of the vulnerability as found on the CVE list.

Definition Specifies the testing steps used to determine whether or not the vulnerability exists.

Table 10-3: OVAL Test Definition page fields


www.kace.com

OVAL Settings and ScheduleBy default, OVAL is set to run on all machines, on all operating systems, and at 3AM.

To specify OVAL settings:

1. Select Security | Oval Settings. The OVAL Settings & Schedule page is displayed.

2. Specify the Configuration settings:

3. Edit deployment settings as shown in the following table:

4. In the Scheduling area, specify the time and frequency for running OVAL:

Enabled Run OVAL on the target machines. Only enabled OVAL Tests will run when you want to run them.

Allow Run While Disconnected Run OVAL on the target machines, but store test results on the target machine until they can be uploaded to the KBOX 1000 Series.

Allow Run While Logged Off Run OVAL even if a user is not logged in. With this turned off, the script will only run when a user is logged into the machine.

Deploy to All Machines Select this check box if you want to deploy to all the Machines. Click OK in the confirmation dialog box.

Limit Deploy To You can limit deployment to one or more labels. Press CTRL and clickto select more than one label.

Supported OperatingSystems

Select the operating system to which you want to limit deployment. Press CTRL and click to select more than one operating system.Note: Leave blank to deploy to all operating systems.

Don’t Run on a schedule Tests will run in combination with an event rather than on a specific date or at a specific time. Use this option in combina-tion with one or more of the “Also” choices below. For example, use this option in conjunction with “Also Run at User Login” to run whenever the user logs in.

Run Every n minutes/hours Test will run on every hour and minutes as specified.

Run Every day/specific day at ... Test will run on the specified time on the specified day.

Run on the nst of every month/specific month at...

Test will run on the specified time on the 1st, or 2nd, etc. of every month or only the selected month.

Custom Schedule This option allows you to set an arbitrary schedule using stan-dard cron format. For example, 1,2,3,5,20-25,30-35,59 23 31 12 * * means:On the last day of year, at 23:01, 23:02, 23:03, 23:05, 23:20, 23:21, 23:22, 23:23, 23:24, 23:25, 23:30, 23:31, 23:32, 23:33, 23:34, 23:35, 23:59. The KBOX 1000 Series doesn’t support the extended cron format.

Also Run Once at next Client Checkin

If this option is selected, test will run once at next client checkin. It is recommended to avoid this option because this option will run tests when the user’s machine is in use. Select-ing this option could impact the machine’s performance.


5. To run the script immediately, click Run Now.

The Run Now button only runs tests on the machines selected in the Deployment area, specified in steps 3 and 4 above. For more information about Run Now, see “Using the Run Now Function,” on page 101.

Also Run at Machine Boot Up If this option is selected, test will run at machine boot up. It is recommended to avoid this option because this option will run tests when the user’s machine is in use. Selecting this option could impact the machine’s performance.

Also Run at User Login If this option is selected, test will run at user login. It is recom-mended to avoid this option because this option will run tests when the user’s machine is in use. Selecting this option could impact the machine’s performance.


OVAL ReportsThe OVAL Reports tab displays a list of all of the OVAL Tests that have been run. At a glance, you can see which OVAL Tests failed and the number of computers that failed each OVAL test.

From the test detail view, you can see all of the computers that failed that OVAL Test and you can assign a label to those machines so that you can patch them at a later time.

In addition, the Computer Reports tab offers a list of machines with OVAL results where you can see a summary of tests run on specific computers. The label under the Machine column is the KBOX 1000 Series inventory ID assigned by the Inventory module.

For more information about any of the computers on the report, click the linked machine name to go to the computer’s Inventory Detail page.


Creating Security PoliciesThe KBOX 1000 Series Security Module includes several wizards that can help you create security policies to manage the computers on your network. To view the list of available security policies you can create, Select Security | Security Policy. This section includes descriptions of the settings for each of the policies you can create.

After you click Save on one of the policy wizard screens, the Scripting tab will appear where you can specify when to run the script and which machines will be targeted. If you want to modify a script that was created using one of these wizards, you can either re-edit it using the wizard or you can edit the script in the KBOX 1000 Series script editor. Opening the script in the regular KBOX 1000 Series script editor is also a useful way to determine exactly what actions the script performs.

Available wizards include:

Enforce Internet Explorer Settings

Enforce XP SP2 Firewall Settings

Enforce Disallowed Programs Settings

Enforce McAfee AntiVirus Settings

McAfee SuperDAT Updater

Enforce Symantec AntiVirus Settings

Quarantine Policy

Lift Quarantine Action.

Enforce Internet Explorer SettingsThis policy allows you to control user’s Internet Explorer preferences. You can choose to control some preferences, while leaving others as user-defined. Policy settings enforced by you will overwrite the users’ corresponding Internet Explorer preferences. Because this script modifies user settings, you will need to schedule it to run when the user is logged in.

To set the Internet Explorer settings policy:

1. Select Security | Security Policy.

2. Click Enforce Internet Explorer Settings.

3. In the User Home Page area, select Enforce User Home Page policy, then specify the URL to use as the home page.

4. In the Security area, select the Enforce Internet Zone settings policy check box, then choose the security level.

5. Select the Enforce Local Intranet Zone settings policy check box, then choose the security level.

6. Set the following options:

Include all local (intranet) sites not listed in other zones

Include all sites that bypass the proxy server

Include all network paths (UNCs)

7. Select the Enforce Trusted Zone settings policy check box, then choose the security level.

8. Select the Enforce Zone Map check box, then specify the IP addresses or ranges for the following zones:


Restricted sites

Locale Intranet sites

Trusted sites

9. Select the Enforce Privacy settings policy check box, then set the Cookie policy.

10. Select the Enforce pop-up settings policy check box, then set the following options:

Pop-up filter level

Web sites to allow

11. Click Save.

After clicking Save you will be taken to the Script: Edit Detail page where you must enable and set a schedule for this policy to take effect.

Enforce XP SP2 Firewall SettingsThis policy enables you to enforce firewall settings on endpoint computers running Windows XP with Service Pack 2. You can enforce different policies based on whether the endpoint computer has authenticated with a domain controller, or is accessing the network remotely, from home or through a wireless hotspot. If your endpoint computer has authenticated with a domain controller, it uses the Domain Policy; otherwise, it uses the Standard Policy, so you might want to configure it to impose tighter restrictions.

To set the XP SP2 Firewall settings policy:


2. Click Enforce XP SP2 Firewall settings.

3. In either the Domain Policy or Standard Policy areas, indicate whether Firewall is Enabled, Disabled, or if No Policy is in effect.

4. Select or clear the Enable logging check box, then specify a location and name for the log file.

By default, the log is stored here: C:\Program Files\KACE\firewall.log.

5. Select or clear the check boxes for the following settings:

Allow WMI traffic Enables inbound TCP traffic on ports 135 and 445 to traverse the firewall. These ports are necessary for using remote administra-tion tools such as the Microsoft Management Console (MMC) and Windows Management Instrumentation (WMI).

Allow Remote Desktop Enables inbound TCP traffic on port 3389 to traverse the firewall. This port is required for the computer to receive Remote Desktop requests.

Allow file and printer sharing Enables inbound TCP traffic on ports 139 and 445, and inbound UDP traffic on ports 137 and 138. These ports are required for the machine to act as a file or printer sharing server.

Allow Universal Plug-and-Play (UPnP)

Enables inbound TCP traffic on port 2869 and inbound UDP traffic on port 1900. These ports are required for the computer to receive messages from Plug-and-Play network devices, such as routers with built-in firewalls.


6. To specify Inbound Port Exceptions, click Add Port Exception.

Inbound Port Exceptions enables additional ports to be opened in the firewall. These may be required for the computer to run other network services. An Inbound port exception is automatically added for port 52230 for the KACE Client Listener, which is required to use the Run Now functionality.

7. Specify a Name, Port, Protocol, and source for the exception.

8. Click Save.

After clicking Save you will be taken to the Script: Edit Detail page, where you must enable and set a schedule for this policy to take effect.

Enforce Disallowed Programs SettingsThis policy allows you to quickly create a script that prevents certain programs from running on the endpoint machines. After the resulting script is executed on a target machine, these policies take effect only after the next reboot of that machine. On Windows XP or 2000, you can add a shutdown command as the last step of the script to force a reboot, which will enable the policy to take effect right away.

To set the Disallowed Programs settings policy:


2. Click Enforce Disallowed Programs Settings.

3. Specify a name for the policy.

4. Select or clear the Disallow programs check box.

When checked, all disallowed programs will be prevented from running. When unchecked, all programs will be allowed to run.

5. Add disallowed programs.

To prevent Notepad from running, for example, enter notepad.exe.

6. Click Save.

After clicking Save you will be taken to the Script: Edit Detail page, where you must enable and set a schedule for this policy to take effect.

The script created as a result of this wizard will overwrite any disallowed program settings on the target machines.


Enforce McAfee AntiVirus SettingsThis policy allows you to configure which McAfee VirusScan features are installed. This policy works with McAfee VirusScan version 8.0i and verifies that the software is installed with the configuration you specify here. It also confirms that the OnAccessScan (McShield) is running.

You will need to zip the McAfee VirusScan installation directory and upload it here. A Software Inventory item will be created automatically if it does not already exist.

To set the McAfee AntiVirus settings policy:

1. Zip the McAfee VirusScan installation directory.


3. Click Enforce McAfee AntiVirus Setting.

4. Click Browse to search for the McAfee zip file.

5. Use the User Interaction drop-down list to specify how the installation should appear to your users.

For a description of the available options, refer to the McAfee documentation.

6. Select the McAfee AntiVirus features to install.

Press CTRL and click to select multiple features. To install the Alert Manager, use the McAfee tools to include the Alert Manager installation files in the deployment package. Please consult the McAfee documentation for specific information about the features available here.

7. Select or clear the following check boxes:

Enable On Access Scanner

Lockdown VirusScan Shortcuts

Preserve earlier version settings

Remove other anti-virus software.

8. Specify the location on the target machine where the following files will be installed:

McAfee installation

Alert Manager

SITELIST.XML

Desktop Firewall

EXTRA.DAT.

9. Select the information you want to log. Press CTRL and click to select multiple log items.

10. Specify a filename for the log.

11. Enter any special arguments.

12. Specify the reboot behavior.

13. Specify the behavior following installation.

14. Click Save.



McAfee SuperDAT UpdaterThis policy allows you to build a script for applying McAfee SuperDAT or XDAT updates. There are several steps involved in creating this script:

Specifying the update files and reboot behavior on the target machines

Selecting the software package(s) to push to target machines during update

Verifying network scan status.

To create the McAfee update script:


2. Click McAfee SuperDAT Updater.

3. Enter a file name and then click Browse to search for the SDAT or XDAT file.

4. Set update options:

5. Click Save.


Enforce Symantec AntiVirus SettingsThis policy allows you to configure which Symantec AntiVirus features are installed. It verifies that the software is installed with the configuration you specify here. This policy is intended to be run periodically to ensure that Symantec AntiVirus is installed, configured, and running properly, not only upon initial installation.

To set the Symantec AntiVirus settings policy:


2. Click Enforce Symantec AntiVirus Settings.

3. Specify the Action to perform.

Install

Uninstall

Repair missing files

Install Silently This option causes the update to be installed without showing a UI on the target computers.

Prompt for Reboot Use this option to make the update prompt the user before rebooting. Use this option with the "Install Silently" option.

Reboot if Needed This option causes the update to reboot the machine as needed. If this options is not used, a silent installation will not reboot the machine.

Force Update Use this option to always update all file versions, even if the machine already appears to have the latest versions.

You will need to create a Software inventory item and upload the Symantec AntiVirus.msi file to be distributed.


Reinstall all files.

4. Select the software package to use for this script.

5. If the software package is zipped, specify the MSI file name.

6. Use the User Interaction drop-down list to specify how the installation should appear to your users.

7. Specify the install directory.

8. Specify any additional switches.

9. Specify any additional properties.

10. Specify behavior after installation.

11. Select the information you want to log.

Press CTRL and click to select multiple items.

12. Specify a filename for the log.

13. Select a NETWORKTYPE from the Network Management drop-down list.

14. Specify the server name, if required.

15. Set the AutoProtect option.

16. Set the Disable SymProtect option.

17. Set the Live Update behavior.

18. Select the features you want to install.

Press CTRL and click to select multiple items. Please consult the Symantec documentation for specific information about the options available here.

19. Click Save.


Quarantine PolicyUse this wizard to create a script that you can use to quarantine computers that have failed OVAL tests for vulnerabilities. The script that is created as a result of this wizard is merely a template. Use the script editor to modify the template script and add the appropriate verification steps to decide which computers to quarantine.

When a computer is under quarantine, all communication from it is blocked except for communication to the KBOX 1000 Series Server, therefore use care when performing this action. If you were to deploy this accidentally to all machines on your network, you could take your network down very quickly.

You must include the SAVMain feature for this script to work properly, although this wizard does not enforce that.

You can/should look at the script that is generated by this wizard to make sure it is doing what you expect. You can view the raw script by clicking To edit the policy using this editor, click here on the Script detail page.


After a user’s machine is in quarantine, it cannot be unquarantined without intervention by the KBOX 1000 Series administrator. The user will not be able to recover from this without you taking some action. Quarantined computers only have access to the KBOX 1000 Series Server in order to receive a Run Now event to lift the quarantine.

To set the Quarantine policy:


2. Click Quarantine Policy.

3. Specify a Policy Name.

This field is optional. It could be helpful to assign a meaningful name that relates to the vulnerability so that you can lift the quarantine later once that vulnerability is resolved.

4. Leave the KBOX SERVER IP unchanged.

5. Specify the DNS Server IP address.

6. Modify the Message dialog text as desired.

This message is displayed to users prior to placing their computer in quarantine.

7. Modify the description text as desired.

8. Click Save.


Modify the Verify steps to determine the conditions under which you want the quarantine to take effect. Although it will not be enabled automatically, it will be configured to deploy to everyone. For more information on scripting, see Chapter 7,“Scripting,” starting on page 91.

Lift Quarantine ActionAssuming you have a machine that has been quarantined from the network using the KBOX 1000 Series Quarantine application, you can use this to turn off the quarantine.

To set the Lift Quarantine Action policy:


2. Click Lift Quarantine Action.

3. Select the label for the quarantined machines or select the specific machine to unquarantine.

4. Enter data in the Filter field to help narrow your search.

5. Click Send Lift Quarantine Now.

If there are a lot of computers in quarantine, it will take some time for all of them to receive and process the request.


C H A P T E R 11

User Portal and Help Desk

The KBOX 1000 Series Help Desk provides an online area for you to upload software library, support documents, and other self-help tools. The optional KBOX 1000 Series Help Desk Module adds the ability to create, track, and manage Help Desk tickets.

“Overview of the User Portal,” on page 147

“Understanding the Software Library feature,” on page 149

“Using the Knowledge Base,” on page 151

“Managing Users,” on page 153

“Overview of the Help Desk Module,” on page 159

“Configuring basic Help Desk settings,” on page 160

“Customizing Help Desk fields,” on page 162

“Creating and editing Help Desk Tickets,” on page 166

“Managing Help Desk tickets,” on page 169

“Running Help Desk Reports,” on page 171

146

Overview of the User PortalThe User Portal provides the ability for users to download software, run scripts, have software installed for them automatically, track computer info, and view a record of what they have downloaded. You can log onto the User Portal by visiting the root URL of the KBOX 1000 Series machine name (for example, http://kbox/). Although users can access the User Portal even if they do not have KBOX Agent installed on their machine, they will not be able to run installations or scripts. The User Portal is administered from the User Portal tab.

If you have purchased the optional KBOX 1000 Series Help Desk Module, additional tabs or options are added to the ones described below. For more information about using the features added by the Help Desk Module, see “Overview of the Help Desk Module,” on page 159.

End user view of the User PortalThe end-user view of the User Portal displays the following tabs:

Welcome - Users enter login credentials from this screen.

Software Library - Displays available software for download or automatic install.

My Computer - Displays status information about the user’s computer.

License Keys - Lists license information for installed software, as available.

Help Desk - Users create or edit a Help Desk ticket using this tab.

Knowledge Base - Provides access to Knowledge Base articles authored by the administrator.

Download Log - Displays a log of software downloaded and installed on the user’s computer.

Users also can filter the software or Knowledge Base views by category, or use keywords to narrow their search.


Administrator view of the User PortalAs an administrator logged into the administrator UI, you can create and push packages, define Knowledge Base articles, and specify which users can connect.

The User Portal tab displays the following tabs:

Packages - Packages can be scripts, software packages, documentation, or other media.

Knowledge Base - Knowledge Base articles include software notices, instructional content, IT reference documentation, self-help information, and any other specific content intended for the end users.

Users - This user information is used to authenticate users of the KBOX 1000 Series Help Desk. Users can be "tagged" with labels in order to define which packages they can access through the portal.

The sections that follow will focus on the administrator view of the User Portal and describe the process for creating packages and Knowledge Base articles, and describes managing user access to the User Portal.


Understanding the Software Library featureSoftware Libraries are deployed to end users via the KBOX 1000 Series User Portal. This "self service" portal allows individuals to download and install software or documents on their own in a controlled environment. The software library you create from the Software Library tab are available for download on the Software Library tab of the User Portal.

From the Software Library tab you can create or delete software library, sort software library by label or column header, and search for software library using keywords.

Creating a software library to deployThe Software Library tab allows you to specify the components of the software library you want to make available to your end users; it does not allow you to upload software or author scripts. Any software or script that you want to include in a software library must already exist on the KBOX 1000 Series Software Inventory or Scripting tabs.

Along with the software library, you can choose to post cost information, documentation, or other instructions for your users. Any notifications that you have configured will be mailed at the time of user download. You can also restrict access to a software library by specifying a label.

To create a package:

1. Select Help Desk | Software Library.

2. In the Choose action drop-down list, select Add New Item.

The Portal Package: Edit Detail screen appears.

3. Select or clear the Enabled check box.

Select this box to make the software library visible to users on the Help Desk. Clear this check box to hide a software library from users.

4. Specify the software library type:

5. From the Download drop-down list, choose the software to install. You can filter the list by entering any filter options.

6. Specify the information to include with your package:

Download Select this type to include documentation, files, or other software that does not automatically install.

Install Select this type to select software that will install automatically on the user’s machine. The user must have the KBOX Agent installed to run installations.

Script Select this type to select a script to include in the software library. The user must have the KBOX Agent installed to run scripts.

Installation Instructions Specify the installation instructions. Any defined instructions, legal policy, cost information, etc will be posted along with the portal package for user visibility.

Product Key Select this check box to require users to enter a product key upon installation of the software library. The license key specified on the software license entry on the Inventory | Licensing tab.


7. If you selected the Install software library type, specify the command line to run the installation, including any necessary install switches or other parameters.

8. If you selected the Script software library type, choose the script from the Script drop-down list.

9. Type any notes in the Additional Notes field.

10. Specify the following informations, as necessary.

11. If desired, select a label to limit software library deployment to specific users.

12. Select the check box to restrict software library deployment by machine label.

13. Click Save.

E-mail Product Key to User Select this option if you want to send download instructions at the time of user download.

Request Mgr Notification Select this option to require users to enter their manager’s mail address for notification prior to downloading or installing the soft-ware library.

Note that users must have the KBOX Agent installed on their machines in order to run the installations or scripts.

Corporate License Text Enter any text related to the Corporate License.

Vendor License Text Enter any text related to Vendor License.

Unit Cost Enter the cost per Unit.

Documentation File Browse the desired documentation file.

A major benefit of the Help Desk is that it provides your users with the resources they need to solve many of the most common support issues on their own, thus alleviating some of the burden on your support staff. Be sure to provide adequate information to your users so that you, and they, can experience the full benefit of this feature.


Using the Knowledge Base The Knowledge Base allows you to provide documentation, FAQs, or other self-help information for your users. If you purchased the optional Help Desk Module, the Knowledge Base integrates with the Tickets feature to enable users to resolve their own issues. For more information, see “Creating and editing Help Desk Tickets,” on page 166.

Users can sort the articles by Article ID, Title, Category, Platform, or Importance, or search article contents by using keywords.

Adding Knowledge Base articlesKnowledge base articles are published to the KBOX 1000 Series Help Desk where users can search and sort articles to locate the information they require.

To add an article to the Knowledge Base:

1. Select Help Desk | Knowledge Base tab, or select Help Desk | Knowledge Base if you have the optional Help Desk Module installed.


The Knowledge Base: Edit Article page appears.

3. Enter the following article information:

If you have the optional Help Desk Module installed, you can also create a new Knowledge Base article from the comments in a Ticket by clicking the Create KB article button on the Ticket Detail page. For more information, see “Creating and editing Help Desk Tickets,” on page 166.

Title A specific description of the issue covered in the article. Make the title as descriptive as possible and use common terms so that it will be easy for an end-user to locate information about a problem.

Category A general description of the type of issue. (For example, “printing” or “net-work access”).

Platform The operating systems to which this article applies.

Importance The relative weight of the article’s contents. (For example, “reference” or “low”; or “critical” or “high”.

Use Markdown Markdown is a plain text formatting syntax, and a software tool, written in Perl, that converts the plain text formatting to HTML. See Figure 5-7 below, for an example of markdown syntax and HTML display. For more informa-tion about markdown, see http://daringfireball.net/projects/mark-down/syntax.

Limit AccessTo User Labels

Select the labels you want to limit access to.

Article Text Enter any text about the article.


http://daringfireball.net/projects/markdown/syntax

http://daringfireball.net/projects/markdown/syntax

4. Click Save.

The KBOX 1000 Series assigns the article an Article ID and displays it on the Knowledge Base Articles List page.

Editing and deleting Knowledge Base articlesYou can easily modify or remove existing Knowledge Base articles. There are two options for deleting articles: from the Articles List page and from the Edit Article page.

To edit an existing Knowledge Base article:


2. Click the linked article title. The Knowledge Base: Edit Article page appears.

3. Click the [Edit] link to update the article details.

4. Modify article details, then click Save.

To delete an article from the Articles List page:


2. To delete an article, select the check box beside the article and choose Delete Selected Item(s) from the Choose action drop-down list.


To delete an article from the Article Edit page:


2. Click the linked article title.

The Knowledge Base: Edit Article page appears.

3. Click the [Edit] link, then click Delete.


To see how the article appears to your users on the Help Desk, click on the article’s title, and then click the User URL on the Edit Article page.


Managing UsersWhen logged in as an administrator, you can add users to the Help Desk either manually or automatically. Depending upon the permissions assigned to the user logged into the Help Desk, all or only a subset of Help Desk features may be available. When adding users to the Help Desk, be sure to specify the correct user permission level.

Adding users manuallyWhen adding users to the KBOX 1000 Series, you can tag them with a label, which determines which packages they will have access to in the Help Desk. The details that you enter below are used to authenticate users.

To add users manually:

1. Select Help Desk | Users, or select Help Desk | Users if you have the optional Help Desk Module installed.

2. In the Choose action drop-down list, select Add New Item.

The User : Edit User Detail page appears.

3. Enter the necessary user details.

User Name Required. This is the name the user types to enter the Help Desk.

Full Name Required. The user’s full name.

Email Required for Help Desk installations. The user’s email address. This is the address to which Help Desk messages, if enabled, will be sent.

Domain Optional. An active directory domain.

Budget Code Optional. The financial department code.

Location Optional. The name of a site or building.

Work Phone Optional. Enter the user’s work phone number.

Home Phone Optional. Enter the user’s home phone number.

Mobile Phone Optional. Enter the user’s mobile phone number.

Pager Phone Optional. Enter the user’s pager phone number.

Custom 1Optional. Enter the custom related information.Custom 2

Custom 3

Custom 4

Password Required. Blank or empty passwords are not valid for new users. The user will be created but the user cannot be activated without a valid password.

Confirm Password Required. Retype the user’s password.

Assign To Label Select the labels to assign.


4. Click Save. The Users page appears.

Adding users automatically Rather than setting up users individually on the Users tab, you can configure the KBOX 1000 Series to access a directory service (such as LDAP) for user authentication. This allows users to log into the KBOX 1000 Series Administrator portal using their domain username and password, without requiring to add users individually from the Users tab.

To configure access to a directory service:

1. Select Settings | Authentication.

The KBOX Settings: User Portal Authentication page appears.

2. Click the [Edit Mode] link.

3. Specify the Authentication method you want to use:

4. Local authentication is the default setting for the KBOX. If you require external user authentication, for example against an LDAP server or Active Directory server, complete the external server definition by specifying the following information.

Permissions Required. Specify the user’s logon permissions:

Admin - This user can log on to and access all features of the administrator UI and Help Desk.

ReadOnly Admin - This user can log on to the administrator UI, but cannot modify any settings and Help Desk.

User - This user can log on to the Help Desk.

Lock user out of User Portal

Select this check box to lock the user out of User Portal.

Allowed to be assigned Help Desk Tickets

Required for Help Desk installations. Select this check box to permit any user (Admin, ReadOnlyAdmin, or User) to be assigned as owner of Help Desk tickets.

If the external server requires credentials for administrative login (aka non-anonymous login), you will need to specify those credentials. If you do not specify an LDAP user name, then an anonymous bind will be attempted. The LDAP user configured should have at least READ access to the "search base" area.

KBOX (local Authentication) Select this option if you want to use local pass-words for authentication.

External LDAP Server Authentication for Specify LDAP settings as necessary. Contact KACE customer support if you need assistance with this process.

Server Host Name ( or IP ) Specify IP or Host Name of the LDAP Server.Note: For LDAPS, use the IP or the Host Name, as ldaps://HOSTNAME

LDAP Port Number Specify the LDAP Port number which could be either 389 / 636 (LDAPS).


5. Click Apply to save your changes.

6. To test LDAP settings, enter a password in the Test User password, then click Test LDAP Settings.

LDAP Browser WizardIf you are unable to fill in the information for Search Base DN and Search Filter, you can use the LDAP Browser Wizard. The LDAP Browser Wizard allows you to browse and search the data located on the LDAP Server. For example, Active Directory Server.

You must have the Bind DN and the Password to log on to the LDAP Server.

To use the LDAP Browser Wizard:

1. Click LDAP Browser.

2. Specify the LDAP Server Details

3. Click test.

4. On a successful connection to the LDAP server, a list of possible base DNs (Distinguished Names) available on that directory is displayed. These base DNs can be used as a start point to browse and search the directory.

If the connection was not established, the Operation Failed message appears, which could be due to one of the following reasons:

The IP or Host Name provided is incorrect.


For example:

CN=Users,DC=hq,DC=corp,DC=kace,DC=com


For example: (samaccountname=admin)


For example:

LDAP Login: CN=Administrator,CN=Users,DC=hq,DC=corp,DC=kace,DC=com

LDAP Password (if required) Specify the password for the LDAP login.

LDAP Server Specify IP or Host Name of the LDAP Server.

Note: For LDAPS, use the IP or the Host Name, as ldaps://HOSTNAME

LDAP Port Specify the LDAP Port number which could be either 389 / 636 (LDAPS).

LDAP Login Specify the Bind DN

For example:

CN=Administrator,CN=Users,DC=kace,DC=com



The LDAP Server is not up.

The login credentials provided are incorrect.

5. Click Next or one of the base DNs to advance to the next step.

A new window displays the Search Base DN and the Search Filter. The Search Base DN is populated on the basis of the Base DN that you selected in the previous screen. You can modify the Search Base DN and the Search Filter.

6. You can also use the Filter Builder to create complex filters. Click Filter Builder. The Query Builder is displayed. Specify the following information.

7. To add more than one attribute:

8. Click OK. The query appears in the Search Filter text area. For example, (samaccountname=admin).

9. Click Browse to display all the immediate child nodes for the given base DN and search filter or click Search to display all the direct and indirect child nodes for the given base DN and Search Filter.

The search results are displayed in the left panel.

10. Click a child node to view its attributes.

The attributes are displayed in the right panel.

11. Click Next to confirm the LDAP configuration.

12. Click Next to use the displayed settings.

Importing usersYou can import Users and Labels directly from your LDAP or Active Directory system into the KBOX.

To import users:

1. Specify the LDAP Server Details.

Attribute Name Specify the Attribute Name. For example, samaccountname.

Relational Operator Select the Relational Operator from the drop - down list. For example, =.

Attribute Value Specify the Attribute Value. For example, admin.

Conjunction Operator Select the Conjunction Operator from the drop - down list. For example, AND.

Note: This field is available for the previous attribute only when you add a new attribute.

Add Click Add. You can add multiple attributes.

Search Scope Click One level to search at the same level or click Sub-tree level to search at the sub tree level.

LDAP Server Specify IP or Host Name of the LDAP Server.



2. Specify the attributes to import.

3. If you are unable to fill in the information for Search Base DN and Search Filter, you can use the LDAP Browser Wizard. For more information on how to use the LDAP Browser Wizard, refer to “LDAP Browser Wizard,” on page 155.

4. Click Next.

5. Select the value from the drop-down list next to each LDAP attribute to map the values from your LDAP server into the User record on the KBOX. The fields in Red are mandatory. The LDAP Uid must be a unique identifier for the user record.

LDAP Port Specify the LDAP Port number which could be either 389 / 636 (LDAPS).


For example:

CN=Users,DC=hq,DC=corp,DC=kace,DC=com


For example: (samaccountname=admin)


For example:

LDAP Login: CN=Administrator,CN=Users,DC=hq,DC=corp,DC=kace,DC=com


Attributes to retrieve Specify the attributes to retrieve. For example, samaccountname

Note: You can leave this field blank to retrieve all attributes, but this may be slow and is not recommended.

Label Attribute Specify a label attribute. For example, memberof.

Label Attribute is the attribute on a customer item that returns a list of groups this user is a member of. The union of all the label attributes will form the list of Labels you can import.

Label Prefix Specify the label prefix. For example, ldap_

Label Prefix is a string that is appended to the front of all the labels.

Binary Attributes Specify the Binary Attributes. For example, objectsid.

Binary Attributes indicates which attributes should be treated as binary for purposes of storage.

Max # Rows Specify the maximum rows. This will limit the result set that is returned in the next step

Debug Output Select this check box to view the debug output in the next step.


6. Select a label to add to the KBOX. Press CTRL and click to select more than one label. This list displays a list of all the Label Attribute values that were discovered in the search results.

7. Click Next.

8. Review the information displayed in the tables below. The Users to be Imported table displays list of users reported and the Labels to be Imported table displays the list of labels reported. The Existing Users table and the Existing Labels table display the list of Users and Lables that are currently on the KBOX. Only users with a LDAP UID, User Name, and Email value will be imported. Any records that do not have these values are listed in the Users with invalid data table.

9. Click Next to start the import.


Overview of the Help Desk ModuleThe optional KBOX 1000 Series Help Desk Module provides a ticket submission, tracking, and management system that allows you to solve problems in real time. The KBOX 1000 Series Help Desk Module provides integrated access with KBOX 1000 Series capabilities for hardware and software inventory, software deployment, updates and patching, remote control, and alerting and reporting. After installation, you can customize the Help Desk settings according to the needs of your organization.

The Help Desk Module adds the following tabs to the administrator view of the Help Desk:

Tickets - Provides a list view of tickets submitted for users, and allows Help Desk users to assign, resolve, or escalate tickets based on user profile

Configuration - Allows administrators to customize the Help Desk displayed to users.

If you do not have the optional Help Desk module installed, you will not see these tabs.

The Help Desk Module provides permissions-based access to the features and functions needed by a particular user.

The Tickets tab of the Help Desk provides a way for end-users to submit and track desk tickets. In addition to creating new tickets, users can search for Knowledge Base articles that might help them to resolve support issues on their own.

From the Tickets tab users can:

Create Help Desk tickets

View tickets that they have submitted

Search for tickets using keywords and advanced methods.If the end-user also happens to be a support technician and you have given them permission to own Help Desk tickets (see “Managing Users,” on page 153), this user is known as a Help Desk user.

Users who are also Help Desk users (i.e., they can be assigned Help Desk tickets), can perform these additional functions:

Apply labels to tickets/remove labels from tickets

Delete Help Desk tickets

By default, view unassigned tickets and additions to tickets assigned to them, and view other tickets by using the View by owner drop-down list

Change a ticket’s status, priority, or owner.

Administrators can create, modify, and manage Help Desk tickets from the Tickets tab in the Administrator UI. Administrators also can use the security, scripting, and distribution features to resolve Help Desk tickets, then use the Knowledge Base to create the documentation that references the resolution for users.

From the Tickets tab, administrators can:

Create or delete Help Desk tickets

Apply labels to tickets/Remove labels from tickets

Sort the Ticket view by owner or submitter, summary, priority, or status

Change a ticket’s status, priority, or owner.


Configuring basic Help Desk settingsFrom the Help Desk Configuration tab, you can configure a variety of settings including the support mail address, defaults for ticket submission fields, and which events trigger mail alerts and to whom they are sent. This section describes how to configure basic Help Desk Settings only. To customize the default values for the options here, see “Customizing Help Desk fields,” on page 162.

To configure basic Help Desk settings:

1. Select Help Desk | Configuration.

2. Click the [Edit Mode] link.

3. In the Name field, specify the name that is displayed in the From field when users receive emails from the Help Desk.

4. In the Email Address field, specify the email address to which users can submit Help Desk tickets.

5. In the Alt. Email Address field, specify the alternate email address to which users can submit Help Desk tickets.

6. Select the Accept email from unknown users check box to accept emails from unknown users.

7. In the Ticket Defaults area, specify the following settings:

8. In the Email on Events area, specify to whom, and under what circumstances, emails should be sent:

Recipients:

Owner - The Help Desk user assigned to the ticket

Submitter - The user who submitted the ticket

Ticket CC - The email recipients listed in the CC area of the ticket

Field(s) Description

Name Specify the name for the Help Desk.

Email Address Specify the email address used to send email to and from the Help Desk.

Ticket Defaults Determines the default ticket values for tickets. To customize these options, click Cus-tomize These Values. For more information see “Customizing Help Desk fields,” on page 162.

Email on Events

These check boxes determine who gets email when tickets are changed or escalated. Note that "Any Change" overlaps with the "Owner Change" and "Status Change" events, but it does not include ticket escalations.

Table 11-1: Help Desk Configuration fields

Category Specify the default category for tickets. Options include Software, Hardware, Network, and Other.

Status Specify the default status for tickets. Options include New, Opened, Closed, and Need More Info.

Impact Specify the default impact for tickets. Options include Many people can’t work, Many people inconvenienced, 1 person can’t work, and 1 person inconvenienced.

Priority Specify the default priority for tickets. Options include Low, Medium, and High.


Category CC - The email recipients listed in the CC List area for the Ticket Category.

Events:

Any Change - Any change to any field on the ticket.

Owner Change - A change to the owner field on the ticket. By default, emails are sent to the old and new owners of the ticket.

Status Change - A change to the status field on the ticket.

Comment - A comment on the ticket.

Resolution Change - A change to the Resolution field on the ticket.

Escalation - The ticket enters escalation based on the configured settings. For more information, see “Understanding the escalation process,” on page 169.

Satisfaction Survey - Indicate whether you want to send an mail requesting that the submitter complete a satisfaction survey when the ticket is closed. For more information, see “About the satisfaction survey,” on page 170.

New Ticket Via Email - Select this check box for an email notification on a new ticket.

9. Click Save.


Customizing Help Desk fieldsWhere the basic Help Desk configuration page allowed you to set default values for the various drop-down lists in the Help Desk fields, the Customization page allows you to customize the values that appear in those drop-down lists, as well as add up to six custom fields.

To access the Help Desk Customization page:

1. Select Help Desk | Configuration.

2. Click the Customize These Values link.

The Help Desk Customization page appears.

To customize default Category Values:

1. In the Category Values area, click the icon beside a category value to modify it.

Editable fields appear for that value.

2. Edit the Category Values fields:

3. Click the icon beside a Category value to change its order in the drop-down list.

4. Click the icon to add an option to the Category drop-down list.

5. Click the icon to remove a Category value.

6. Click Save to apply your changes.

Name Specify the name for the value.

Default Owner Assign a default owner for tickets of this category.

CC List Enter the email address(es) to be copied when tickets of this category are sub-mitted to the Help Desk.

User Settable Indicates whether or not this category appears in the list of choices displayed to the end user. This setting allows you to present a simplified list of values to the user, and display more and create additional values that are only displayed to the administrator or Help Desk users.

You cannot remove Category values that are in use.


To customize default Status Values:

1. In the Status Values area, click the icon beside a category value to modify it.


2. Edit the Status Values field:

3. Click the icon beside a Status value to change its order in the drop-down list.

4. Click the icon to add an option to the Status drop-down list.

5. Click the icon to remove a Status value.


To customize default Priority values:

1. In the Priority Values area, click the icon beside a category value to modify it.

Editable fields appear for that value. Edit the Priority Values fields:

2. Click the icon beside a Priority value to change its order in the drop-down list.

3. Click the icon to add an option to the Priority drop-down list.

4. Click the icon to remove a Priority value.


Name Specify the name for the value.

State Indicates whether the ticket is open, closed, or stalled.

Open - The ticket is active

Closed - The ticket has been resolved

Stalled - The ticket is open past its due date, but is not in escalation.

You cannot remove Status values to which tickets are currently assigned.

Name Specify a name for the custom field.

Color The displayed color of this status on the ticket list pages.

Escalation Time The interval after which an open ticket of this priority is escalated. Specify a time integer and a unit from the drop-down list.

You cannot remove Priority values to Tickets which are currently assigned.


To customize default Impact values:

1. In the Impact Values area, click the icon beside an Impact value to modify it.


2. Modify the Name field as desired.

3. Click the icon beside an Impact value to change its order in the drop-down list.

4. Click the icon to add an option to the Impact drop-down list.

5. Click the icon to remove an Impact value.


To add custom value fields:

1. In the Custom fields area, click the Edit item icon to modify the fields.

2. In the Name field, enter the names for the custom fields as you want them to be displayed on the Ticket Details page.

The custom fields are added as text boxes that hold up to 255 characters. You can add up to six custom fields.

3. Enter the select values in the Select Values field.

Select Values are used for custom fields with Field Type of Single Select or Multiple Select. These values should be entered as comma-separated strings.

4. Select the field type in the Field Type list.

5. Select the Only Editable By Owners check box to make this field editable by owners.

6. To remove a custom field, clear the name from the field value.

When you remove the name of a field, values for that custom field will be removed from all tickets.

When you rename a field, values for that custom field will be retained.


8. In the Ticket List View area, click the Edit item icon to modify the desired Ticket List View fields.

9. Select the name in the Name list.

10. Specify the width in the Width field and then click Save.

11. Click Save.

You cannot remove Impact values to Tickets which are currently assigned.


To customize Ticket List View:

1. In the Ticket List View area, click the icon beside an attribute to modify it.

Editable fields appear for that value. Edit the fields:

2. Click the icon beside an attribute to change its order in the drop-down list.

3. Click the icon to add an attribute to the Ticket List View drop-down list.

4. Click the icon to remove an attribute.


Name Select an attribute name from the drop-down list.

Width Specify the column width.


Creating and editing Help Desk TicketsDepending on whether you are creating a ticket from mail, the Administrator UI, or from the Help Desk, you will have different options available to you. This section describes each of these methods. Regardless of the method used to submit a Help Desk ticket, all interested parties will receive a confirmation mail that includes a link to the submitted ticket.

To create a new ticket from the Help Desk:

1. Log into the User Portal as user. Tickets page appears.

2. Select Add New Item in the Choose action drop-down list. The New Ticket page appears.

To create a new ticket from the Administrator UI:

1. Select Help Desk | Tickets.

2. Select Add New Item in the Choose action drop-down list. The New Ticket page appears.

3. Specify ticket details.

Title Enter a title for the ticket.

Impact Specify the severity of the issue.

Category Indicate the issue type.

Status Indicate the status of the issue.

Priority Indicate the importance of the issue.

Owner Select an owner from the drop-down list.

Machine The machine affected by the issue. Defaults to submitter’s computer after Ticket is saved. Note: You can see help ticket submissions from the Computer’s inventory record. See “Help Tickets,” on page 34

Asset Select an asset from the drop-down list.

Filter Enter the filter criteria in the desired Filter field.

Due DateSpecify a due date if desired. Click the icon to select the Month, Day, and Year.

CC List A comma-separated list of additional email addresses for users who might be inter-ested in changes to this ticket.

SubmitterClick the icon to select the submitter from the drop-down list.

See Also Link(s) to related tickets. When editing this list, enter the Ticket IDs as comma-sep-arated integers.

Referrers If other tickets refer to this ticket in the see also field, those ticket IDs will appear here after this ticket is saved.

Owners only Select this check box to have the comment you are entering visible only to users who are authorized to own tickets.

Comment Provide comments about the support issue.

Attachment Browse the desired attachment file.


4. Click Save.

Submitting Help Desk tickets through emailIn addition to submitting tickets via the Web-based User and Administrator interfaces, users also can submit Help Desk tickets by sending mail to the Help Desk mail configured in the Help Desk settings. Tickets created from mails will receive the default values for Impact, Category, and Priority, as set on the Help Desk | Configuration tab. The body of the mail message will be added as a comment. The submitter is determined by the sender’s mail address. For more information, see “Configuring basic Help Desk settings,” on page 160.

Editing Help Desk ticketsAfter you create a Help Desk ticket, you can edit the tickets from the Tickets List page, or from the Ticket Detail page. Regardless of where the change is made, any change made to a ticket is reflected in the history log at the bottom of the Ticket Detail window.

To edit a ticket from the Tickets List page:

1. Select the check box beside the ticket(s) you want to edit.

2. From the Choose action drop-down list, select the desired option:

To edit a ticket from the Ticket Detail page:

1. Select Help Desk | Tickets.

2. Click the Ticket ID or linked Issue Summary.

The Ticket Detail page appears.

3. Edit Ticket details as desired. You can edit the Ticket details like Title, Impact, Category, Status, Priority, Owner, Machine, Asset, Due Date, CC List, Submitter, See Also, Referrers, and Resolution.

4. To provide additional information about your change, click Add Comment, and then perform the following steps:

a Select the Owners only check box to have the comment you are entering visible only to users who are authorized to own tickets.

b Enter comment about the changes in the Comment field.

After you create the new ticket, you can open the ticket record and view a print-friendly version of the ticket, email the ticket to someone, and click the Find Relevant Articles link to locate Knowledge Base articles related to the ticket.

• Delete Selected Item(s)

• Set status to New, Opened, Closed, or Need More Info

• Set priority to High, Medium, or Low

• Reassign to another user.

When reassigning a ticket to a new owner using the Choose action drop-down list, the number in parentheses (), indicates the number of tickets currently assigned to that Help Desk user.


c Browse the desired attachment file.

5. To provide additional information about the work, click Add Work, and then perform the following steps:

a Select the work date.

b Select the start date of the work.

c Select the end date of the work.

d Enter the adjustment hours in the Adjustment field.

e Enter work related details in the Work Note field.

6. To copy an existing ticket, click Clone.

7. To create a Knowledge Base article from the comments in the ticket, click the Create KB article button.


Searching Help Desk ticketsFrom the Ticket List page, users can search tickets submitted by them, as well as view tickets by other owners. You can use Advanced Search options to locate tickets. Advanced search allows you to use operators such as contains, >, <, =, and Match RegEx.

Match RegEx allows for wildcard and other search expressions standard to PERL users. “%” functions as the wildcard (similar to * in the DOS world). For additional information about RegEx searching, visit http://www.regular-expressions.info/ and/or http://dev.mysql.com/doc/mysql/en/regexp.html.


http://www.regular-expressions.info/

http://www.regular-expressions.info/

http://dev.mysql.com/doc/mysql/en/regexp.html

Managing Help Desk ticketsAfter a ticket is submitted to the Help Desk, it is the responsibility of the ticket owner to resolve the ticket. The owner reviews the ticket, adjusts the impact if necessary, and assigns a priority. If the ticket issue is straightforward, the owner might resolve the issue quickly, enter a resolution in the ticket details, then close the ticket. In more complicated situations, however, a ticket may take more time to close, and be assigned to different owners over its lifetime.

In some cases, the owner is unable to resolve the ticket by the due date and the ticket is then escalated to someone else to resolve. The process of escalation is determined by the settings configured in the Help Desk | Configuration tab.

Depending on the Help Desk configuration, the submitter of a ticket might receive a satisfaction survey to gather feedback about the way the ticket was handled, after the ticket is closed. For more information about the satisfaction survey, see “About the satisfaction survey,” on page 170.

Understanding the escalation processThe escalation process allows you to send out automatic emails when a ticket remains in an Open state longer than a specified time. This gives you a way to monitor service level agreements, and allows you to notify a large group when a ticket hasn’t been handled properly.

There are three variables that control the escalation process:

Which tickets can/should be escalated

The length of time a ticket can be open before an escalation email is sent

The recipient(s) of the escalation emails.

Each ticket has a Priority, and each Priority has an Escalation Time associated with it. Tickets are escalated if they have been open longer than the time specified by their priority setting. Tickets also have a Status that can either be Open, Stalled, or Closed. Tickets with an Open status will trigger an escalation mail every n minutes, where n is the time specified by the Escalation Time assigned to the priority. For example, by default, the KBOX 1000 Series has a Priority value of High, with an Escalation Time of 30 minutes. This means that for each ticket that is marked as High Priority, an escalation mail will be sent every 30 minutes to notify people that the ticket is still Open.

Tickets that are Stalled or Closed do not trigger escalation emails. Moving a ticket from Open to Stalled or Closed, and then back to Open will not change the creation time, so the escalation mails will continue to be processed based on the original time. For example, if you were to open a ticket, close it after 5 minutes, then reopen it after 35 minutes, an escalation email would be sent saying that the ticket is older than 30 minutes. After that email is sent, the next email would go out after an additional 30 minutes had elapsed.

You determine who receives the escalation emails in the Email on Events area of the Help Desk Configuration settings. You could choose to send the escalation email to any of the following:

The ticket owner

The submitter

The email address(es) listed in the Ticket CC area

The email address(es) listed in the Category CC area.

By specifying the recipient for escalation emails, you are routing open tickets to the right person or people who can help to resolve the issue.


About the satisfaction survey After a ticket is Closed, if a user views the detail page for that ticket, he or she will be presented with the option to indicate their level of satisfaction with the way the ticket was handled. Users also can add comments to the ticket to further explain their assessment.

In addition, you can configure the Help Desk to actively solicit feedback from users after a ticket is closed, by automatically sending them an email with a link to the survey.

Select the Closed ticket in the Tickets list, click Email this Ticket, and enter an email address to which you want to send the survey.

Score values assigned in the survey are stored in the ticket and are not editable by the Help Desk administrator, although you can run a variety of reports to display survey data. For more information about displaying survey data, please see, “Running Help Desk Reports,” on page 171.


Running Help Desk ReportsThe KBOX 1000 Series provides several default reports you can run on the Help Desk.

You can view these reports by selecting the Reporting tab and then selecting HelpDesk from the View by category drop-down list.

By default, the KBOX 1000 Series includes the Help Desk reports shown in the table below. For convenience, each of these reports is available in a variety of formats: HTML, PDF, CSV, and TXT.

Help Desk Report Description

Closed Satisfaction Survey last 31 days by Owner

Lists by Owner all Closed Satisfaction Surveys in the last 31 days.

Closed Ticket Resolutions last 31 days by Owner

Lists by Owner all Closed Ticket Resolutions in the last 31 days.

Closed Ticket Resolutions last 7 days by Owner


Closed Tickets last 31 days by Category

Lists by Category all Help Desk tickets that have been closed in the last 31 days.

Closed Tickets last 31 days by Owner

Lists by Owner all Help Desk tickets that have been closed in the last 31 days.

Closed Tickets last 7 days by Owner


Escalated/Open Tickets by Owner

Lists by Owner all escalated and open Help Desk tickets.

Open Tickets by Category Lists by Category all open Help Desk tickets.

Open Tickets by Owner Lists by Owner all open Help Desk tickets.

Open Tickets last 7 days by Owner

Lists by Owner all open Help Desk tickets opened in the last 7 days.

Stalled Tickets by Owner Lists by Owner all tickets that are past their due date but not in escalation (stalled tickets).

Stalled/Open Tickets by Category

Lists by Category all stalled and open Help Desk tickets.

Stalled/Open Tickets by Impact Lists by Impact all stalled and open Help Desk tickets.

Stalled/Open Tickets by Owner Lists by Owner all stalled and open Help Desk tickets.

Stalled/Open Tickets by Priority Lists by Priority all stalled and open Help Desk tickets.

Stalled/Open Tickets by Status Lists by Status all stalled and open Help Desk tickets.

Stalled/Open Tickets with Due Date by Owner

Lists by Owner and due date all stalled and open Help Desk tickets.

Work Report Date Range - Long Notes Display

Displays date, ticket #, technician and hours worked as a header above the Notes for a Work entry for 2006-04-01 through 2006-07-01.

Table 11-2: Default Help Desk reports


To run Help Desk reports:

1. Select Reporting.

The KBOX Reports page appears.

2. From the View by category drop-down list, select HelpDesk.

3. Click the format type for the report you want to view.

Work Report last 31 days Reports all tickets for which work has been logged for the last 31 days.

Work Report last 31 days - Customize

Use this report if you want to build a customized report show-ing only select fields for all tickets for which work has been logged for the last 31 days.

Work Report last 31 days - Long Notes Display

Displays date, ticket #, technician, and hours worked as a header above the Notes for each Work entry.

Work Report last 31 days by Person

Displays all people who logged work during the last 31 days first by person, and then by ticket and time.

If you need to create custom reports, see “Creating and editing reports,” on page 190 for information on using the Report Wizard.

Help Desk Report Description

Table 11-2: Default Help Desk reports


173

C H A P T E R 12

This chapter describes the most commonly used features and functions that the Administrator will use in administering and maintaining your KBOX 1000 Series appliance.

“KBOX 1000 Series maintenance overview,” on page 174

“Backing up KBOX 1000 Series data,” on page 174

“Restoring KBOX 1000 Series Settings,” on page 176

“Updating KBOX 1000 Series software,” on page 177

“Updating OVAL definitions,” on page 179

“Troubleshooting the KBOX 1000 Series,” on page 180

Server Maintenance

KBOX 1000 Series maintenance overview The Settings | Server Maintenance page allows you to perform a variety of functions to maintain and update the KBOX 1000 Series appliance. You can access the most recent KBOX server backups, upgrade your KBOX 1000 Series server to newer server versions, retrieve updated OVAL definitions, as well restore to backed-up versions as creating a new backup of the KBOX 1000 Series at any time that you'd like.

The Settings | Server Maintenance tab also enables you to reboot and shutdown the KBOX 1000 Series, as well as update KBOX 1000 Series license key information.

From the Server Maintenance tab you can:

Upgrade KBOX 1000 Series appliance

Update OVAL vulnerability definitions

Create a backup KBOX 1000 Series appliance

Enter or update KBOX 1000 Series License Key

Restore to most recent backup

Restore to factory default settings

Restore from uploaded backup files

Reboot KBOX 1000 Series

Shutdown KBOX 1000 Series.

The following sections describe some of the most commonly used features of the Settings | Server Maintenance tab.

Backing up KBOX 1000 Series dataBy default, the KBOX 1000 Series automatically takes backup at 3 A.M. and creates two files on the backup drive: kbox_dbdata.gz, containing the database backup, and kbox_file.tgz, containing any files and packages you have uploaded to the KBOX 1000 Series alliance.

Backing up KBOX 1000 Series manuallyIn some cases, you might want to invoke a KBOX 1000 Series backup before the nightly backup occurs. In such cases, you can create a KBOX 1000 Series backup manually.

To create a KBOX 1000 Series backup manually:



3. Beside Run KBOX Backup, click Run Backup Now.

After creating the backup, the Settings | Logs tab will appear.


Downloading backup files to another locationThe backup files are used to restore your KBOX 1000 Series configuration in the event of a data loss or during an upgrade or migration to new hardware. The KBOX 1000 Series contains only the most recent full backup of the files.

For a greater level of recoverability (for instance if you wanted to keep rolling backups), you can offload the backup files to another location so that they can be restored later if necessary. You can access the backup files for downloading from the Administrator UI as well as through ftp.

To download backup files to another location:

1. Select Settings |Server Maintenance.

2. Click the backup links on the sidebar.

Figure 12-1: Links to backup files

3. Click Save in the alert that appears, then specify a location for the files.

4. Browse to the location where you want to store the files, then click Save.

To access the backup files through ftp:

1. Open a command prompt.

2. At the C:\ prompt, type:

ftp kbox

3. Enter the login credentials:

user: kbftp, password: getbxf

4. Type the following ftp commands:

Figure 12-2: FTP command for accessing backup files

Contains the database backup

Contains the files and pack-ages you have uploaded to the KBOX 1000 Series


Restoring KBOX 1000 Series SettingsThe backup files are used to restore your KBOX 1000 Series configuration in the event of a data loss or during an upgrade or migration to new hardware. Restoring any type of backup file will destroy the data currently configured in the KBOX 1000 Series Server. KACE recommends off loading any backup files or data that you want to keep before performing a restore.

Restoring from most recent backupThe KBOX 1000 Series has a built-in ability to restore files from the most recent backup directly from the backup drive. You can access the backup files from the KBOX 1000 Series Administrator UI or through ftp.

To restore from the most recent backup:

1. Click Settings | Server Maintenance.


3. Click the Restore from Backup button.

Uploading files to restore settingsIf you have off-loaded your backup files to another location, you can upload those files manually, rather than restoring from the backup files stored on the KBOX 1000 Series.

To upload backup files:

1. Click Settings | Server Maintenance.

2. In the Database Backup Files field, click Browse and locate the backup file.

3. In the KBOX Backup Files field, click Browse and locate the backup file.

4. Click Restore from Upload Files.


Updating KBOX 1000 Series softwarePart of maintaining your KBOX 1000 Series appliance involves updating the software that runs on the KBOX 1000 Series server. This process also involves verifying that you are using the minimum required version of the KBOX 1000 Series, as well as updating the license key in the KBOX 1000 Series to reflect the current product functionality.

Verifying minimum server versionBefore applying this update, verify your KBOX 1000 Series server version meets the minimum version requirement.

To verify minimum server version:

1. Open your browser and go to the URL for the KBOX 1000 Series appliance (http://kbox/admin).

2. Click About KBOX in the upper right-hand corner of the screen.

Figure 12-3: About KBOX

Updating the license keyAfter installing an upgrade to the KBOX 1000 Series server, you may need to enter a new KACE license key to fully activate the KBOX 1000 Series. You should have the new license key to upgrade your KBOX 1000 Series appliance.

Updating your KBOX 1000 Series license key:



3. Enter your new license key, then click Save.

The version of the server


Applying the server updateIf you are using a previous version of the KBOX 1000 Series, you must apply the earlier updates separately before continuing. Refer to the release notes for your version of the KBOX 1000 Series to determine the minimum updates.

To apply the server update:

1. Download the kbox_upgrade_server_XXXX.bin file and save it locally.

2. Open your browser to http://kbox/admin.



5. Under Update KBOX, click Browse, and locate the update file you just downloaded.

6. Click Update KBOX.

When the file has completed uploading, your KBOX 1000 Series will reboot with the latest features.

Verifying the updateAfter applying the upgrade, verify successful completion by reviewing the update log.

To verify the upgrade:

1. Select Settings | Logs.

2. Click the Update link.

3. Review the Update log for any error messages or warnings.

4. Click About KBOX in the upper right corner to verify the current version.

Rebooting and shutting down KBOX 1000 Series applianceYou may need to reboot the KBOX 1000 Series appliance from time to time when troubleshooting or possibly upgrading KBOX 1000 Series settings. When rebooting KBOX 1000 Series, you should always do so by clicking the Reboot KBOX button located on the Settings | Server Maintenance tab.

Before performing hardware maintenance, you will need to shutdown the KBOX 1000 Series prior to unplugging appliance. You can shutdown the KBOX 1000 Series appliance either by pressing the power button ONCE, quickly, or by clicking the Shutdown KBOX button on the Settings | Server Maintenance tab.

The Reboot and Shutdown buttons will only be clickable if you have already click the blue "Edit Mode" link at the bottom of the page.


Updating OVAL definitionsAlthough the definitions for OVAL vulnerabilities are updated automatically on a scheduled basis, you can retrieve the latest files manually from the Server Maintenance page. For more information about OVAL definitions, see “About OVAL and CVE,” on page 133

To update the OVAL & Patch definitions:


2. To update OVAL definitions, click Update OVAL Now.


Troubleshooting the KBOX 1000 SeriesThe KBOX 1000 Series provides several log files that can help you detect and resolve errors. The log files are rotated automatically as each grows in size so no additional administrative log maintenance procedures are required. Log maintenance checks are performed daily.

The KBOX 1000 Series maintains the last seven days of activity in the logs. KACE Technical Support may request that you send the KBOX 1000 Series Server logs if they need more information in troubleshooting an issue. To download the logs, click the Download Logs link. For more information, see “Downloading log files,” on page 180.

Accessing KBOX 1000 Series logsYou can access the KBOX 1000 Series Server logs by going to the Settings | Logs tab. This area also provides a reference for any KBOX 1000 Series informational or exception notices.

Downloading log filesThe KBOX 1000 Series provides the ability to download the logs into one file directly from the Admin UI. You may be asked by KACE Technical support to submit KBOX 1000 Series logs in order to help diagnose a problem.

To download KBOX 1000 Series logs:

1. Select Settings | Logs.

2. Click the Download logs link on the right of the Log page.

The logs are downloaded in a file called kbox_logs.tgz.

3. Click Save.

Log Type Description

Disk Status Displays the status of the KBOX 1000 Series disk array.

Application Displays miscellaneous information about the application's operation and execution.

Access Displays the HTTP Server's access information.

Server Displays errors or server warnings regarding any of the onboard server processes.

Update Displays details of any KBOX 1000 Series patches or upgrades applied using the Update KBOX function.

Client Displays KBOX Agent exception logs.

Table 12-4: Types of Server Logs


Understanding disk log status dataThe log you are likely to interact with most often when troubleshooting the KBOX 1000 Series is the Disk Status log. If there is a physical problem with the KBOX 1000 Series, that issue would be reflected here.

KBOX 1000 Series Server and KBOX Agent exceptions are reported nightly to kace.com if you enabled crash reporting on the Settings | General tab.

Figure 12-5: Disk status without error

Figure 12-6: Disk status with error

The figures above display the difference in the Disk status log when no error is found and when an error exists. Although this section does not describe every possible error message that could be displayed here, many of the errors that occur can be resolved by following the same set of steps:

Error status listed here


Step Description

Step 1: Rebuild If the disk status log error reads “Degraded” that is an indication that you need to rebuild the array. To do this, click the Rebuild Disk Array but-ton. Rebuilding can take up to 2 hours. If an error state still exists after this, proceed to step 2.

Step 2: Power Down and Reseat the Drives

In some cases, the degraded array may be caused by a hard-drive that is no longer seated firmly in the drive-bay. In these cases, the disk status will usually show "disk missing" for that drive in the log. Power down the KBOX 1000 Series. Once the appliance is powered off, eject each of the hard-drives and then re-insert them, making sure that the drive is firmly in the bay. Power the machine back on and then look again at the disk status log to see if that has resolved the issue. If an error state still exists, try rebuilding again or proceed to Step 3.

Step: Call KACE Techni-cal Support

If you have the previous steps and are still experiencing errors, please contact KACE Technical Support by email ([email protected]) or phone (888) 522-3638 option 2.

Table 12-7: Troubleshooting your KBOX 1000 appliances




C H A P T E R 13

Reporting

The KBOX 1000 Series provides a variety of alert and reporting features that enable you to communicate easily with users and to get a detailed view of the activity on your network.

“KBOX 1000 Series Reports overview,” on page 184

“Alert Messages,” on page 193

“Email Alerts,” on page 194

“KBOX 1000 Series Summary,” on page 195

“LDAP Browser,” on page 201

183

KBOX 1000 Series Reports overviewThe KBOX 1000 Series ships with many included stock reports. The reporting engine utilizes XML-based report layouts to output report types of HTML, PDF, CSV, and TXT.

By default, the KBOX 1000 Series provides reports in the following general categories:

Compliance

Hardware

Help Desk

KBOX

Network

Patching

Security

Software

Template


Types of ReportsWithin each of the general categories mentioned above, there are various reports you can run to display information about the computers on your network. Descriptions of each type of report you can run are provided below. Help desk reports are discussed in Chapter 11,“User Portal and Help Desk,” starting on page 146.


Compliance Hotfix Compliance Shows which computers have the specified hot-fix installed.

Compliance Software Compliance Simple Lists the licenses and counts like the License list page with details such as vendor, PO#, and Notes.

Compliance Software License Compliance Complete

Lists software and computers that are impacted by each license record.

Compliance Unapproved Software Installation

Lists software found on computers that do not have approved licenses.

Hardware C drives less than 2G free Shows which computers less than 2 gigabytes of free space.

Hardware Computer - Video/Ram/Proc by Label

Lists all computers and their video, ram and pro-cessor information sorted by label and name.

Hardware Computer Export This report is intended to generate a CSV listing for data export to other programs.

Hardware Computer Inventory Detail Detail listing of all computers on the KBOX 1000 Series network with full field detail.

Hardware Computer Listing by Free Disk Space

Lists computer disk drives in order of total free disk space.

Hardware Computer Listing by Label Lists all computers by all KBOX 1000 Series labels.

Hardware Computer Listing by Memory Lists computer RAM in order of total memory size.

Hardware Computer Listing by Operating System

Sorts all computers by Operating System type and sums OS Types.

Hardware Computer Uptime Report Reports the uptime of the computers.

Help Desk Closed Satisfaction Survey last 31 days by Owner

Lists by Owner all Closed Satisfaction Surveys in the last 31 days.

Help Desk Closed Ticket Resolutions last 31 days by Owner


Help Desk Closed Ticket Resolutions last 7 days by Owner


Help Desk Closed Tickets last 31 days by Category

Lists by Category all Help Desk tickets that have been closed in the last 31 days.

Table 1: Default reports


Help Desk Closed Tickets last 31 days by Owner


Help Desk Closed Tickets last 7 days by Owner


Help Desk Escalated/Open Tickets by Owner

Lists by Owner all escalated and open Help Desk tickets.

Help Desk Open Tickets by Category Lists by Category all open Help Desk tickets.

Help Desk Open Tickets by Owner Lists by Owner all open Help Desk tickets.

Help Desk Open Tickets last 7 days by Owner

Lists by Owner all open Help Desk tickets opened in the last 7 days.

Help Desk Stalled Tickets by Owner Lists by Owner all tickets that are past their due date but not in escalation (stalled tickets).

Help Desk Stalled/Open Tickets by Category

Lists by Category all stalled and open Help Desk tickets.

Help Desk Stalled/Open Tickets by Impact Lists by Impact all stalled and open Help Desk tickets.

Help Desk Stalled/Open Tickets by Owner Lists by Owner all stalled and open Help Desk tickets.

Help Desk Stalled/Open Tickets by Priority Lists by Priority all stalled and open Help Desk tickets.

Help Desk Stalled/Open Tickets by Status Lists by Status all stalled and open Help Desk tickets.

Help Desk Stalled/Open Tickets with Due Date by Owner

Lists by Owner and due date all stalled and open Help Desk tickets.

Help Desk Work Report Date Range - Long Notes Display

Displays date, ticket #, technician and hours worked as a header above the Notes for a Work entry for 2006-04-01 through 2006-07-01.

Help Desk Work Report last 31 days Reports all tickets for which work has been logged for the last 31 days.

Help Desk Work Report last 31 days - Customize

Use this report if you want to build a customized report showing only select fields for all tickets for which work has been logged for the last 31 days.

Help Desk Work Report last 31 days - Long Notes Display

Displays date, ticket #, technician, and hours worked as a header above the Notes for each Work entry.

Help Desk Work Report last 31 days by Person

Displays all people who logged work during the last 31 days first by person, and then by ticket and time.




KBOX Boot/Login Policies Lists all the activities that could happen at machine boot time or after the user logs in.

KBOX KBOX Agent Roll Out Log Reports when a computer record was first cre-ated.

KBOX KBOX Communication Lists by day the latest communication from com-puters on the network.

KBOX MI's enabled on all machines Lists all the managed installations that are enabled on all machines.

KBOX Scripts enabled on all machines This report lists the scripts that are enabled on all machines.

Network Network Info - Domain Listing This report lists computers groups computers by domain/workgroup.

Network Network Info - IP Address Listing

Lists computers in order of IP Address (ascend-ing).

Network Network Scan Report Displays the results of the nightly Network Scan.

Patching Critical Bulletin List Lists all critical bulletins.

Patching For each Machine, what patches are installed

Lists of all patches on each computer in the KBOX network.

Patching For each Patch, what machines have it installed

Lists the computers having each software patch in inventory.

Patching How many computers have each Patch installed

Software Inventory listing sorted by software title showing number of seats deployed.

Patching Installation Status of each enabled Patch

Lists the installation status of each enabled patch.

Patching Needs Review Bulletin List List of all the Bulletins that need review.

Patching Patches waiting to be deployed Lists all patches waiting to be deployed.

Security Number of machines with OVAL vulnerabilities

Lists, for each OVAL test, how many machines failed the test and are therefore vulnerable.

Security OVAL Machine Report Reports all the machines and how many OVAL tests that each of them failed.

Security SANS Top 10 - Q2 2005 Reports all OVAL results from vulnerabilities reported by SANS.

Security Threating Items Displays all items o threat level 4 or 5 and the computers which have them.

Security Top 10 OVAL Vulnerabilities Displays a Pie graph of the top 10 OVAL vulnera-bilities that have been reported by the OVAL scan.

Software Software Export Generates a CSV listing for data export to other programs.




Software Software Installed But Not Used Last 6 Months

Lists, by software item, where software has been installed but not used according to soft-ware metering. This will only work when you have attached the metering to a particular soft-ware item which will limit you to a particular ver-sion of software.

Software Software Inventory By Vendor Software Inventory listing grouped by vendor showing number of seats deployed.

Software Software Listing By Label Lists all software titles organized by all KBOX 1000 Series labels.

Software Software not on any computer Listing of all software titles that are not currently installed on any computers.

Software Software on Computer Listing of all software on each computer in the KBOX 1000 Series network.

Software Software OS Report - Graph Pie graph showing the list and count of Operat-ing Systems currently deployed on your net-work.

Software Software Title & Version - Com-puter List

This report lists the computers having each soft-ware title in inventory.

Software Software Title - Computer List (MS Only)

This report lists computers having each Microsoft software title in inventory.

Software Software Title Deployed Count Software Inventory sorted by software title showing number of seats deployed.

Template Computer Listing - XP SP2 installed?

Lists all computers, reporting if XP SP2 is installed or not. Change 'Windows XP Service Pack 2' to any other Software title you are inter-ested in. Sorted by installation status.

Template Computer Listing with Software Template

Computer Listing sorted by LABEL with comput-ers having software names like "Microsoft Office Professional%".

Template Custom Inventory Template Reports the values returned by a custom inven-tory rule that you can setup in the Software Item page. Change 'McAfeeDATFile' to be the name of the Software item with the Custom Inventory Rule in it.

Template Log File Information Template This is a template that lists the values returned from a 'Log File Information' action in a script. Replace 'AccessedDate: ' with the actual attribute that you returned.

Template Log Registry Value Template This template lists the values returned from a script using the 'Log Registry Value' action. Replace the value '!doc =' with the appropriate value name that you entered in the script.




Template Machines By Label X with Soft-ware Y Installed

Reports all the machines in label(s) and indi-cates if they have a particular software product installed. Replace KBOX with the name of the software you are looking for and QA_LABEL and KBOX_LABEL with the labels of the machines you want included.




Running ReportsTo run any of the KBOX 1000 Series reports, you simply need to click the desired format type (HTML, PDF, CSV, or TXT). For HTML or PDF formats, the report will be displayed in a new window. If you select CSV or TXT format, you will be prompted to open the file or save it to your computer.

For example, the KBOX server build at your end is 3.1.6474. On clicking the Reporting | Summary tab, the KBOX Summary Information page appears, and on clicking the Settings | Server Maintenance tab, the KBOX Settings : Server Maintenance page appears.

Let’s say KACE comes up with a new patch for the server build by the name 3.1.6748 and pushes it to the corporate server. If you click on the Check for upgrade button in the Settings| Server Maintenance page, the An upgrade is now available link appears on the KBOX Summary Information page and the latest build is available in the Upgrade KBOX field on the KBOX Settings : Server Maintenance page.

The An upgrade to 3.1.6748 is now available link also appears in the Reporting | Summary page. Clicking on this link will take you to the Settings | Server Maintenance page. Click Upgrade now to upgrade your KBOX Server to the build 3.1.6748 build.

Creating and editing reportsIf you have other reporting needs not covered by the reports previously mentioned, you can either create a new report from scratch, or you can modify one of the templates provided in the KBOX 1000 Series Template category.

You can create a report in the following ways:

Duplicate an existing report - Another way to create a report is to open an existing report and create a copy of it, which you can then modify to suit your needs.

Create a new report using the Report Wizard.

Create a new report from scratch

To duplicate an existing report:

1. Select Reporting | Reports.

2. Click the linked Report Title.

The KBOX Report: Edit Detail page appears.

3. Click the Duplicate button.

4. Modify the report details as necessary, then click Save.

Consult the list of database table names in Appendix B,“Database tables,” starting on page 209.


To create a new report using the Report tab:

1. Select Reporting | Reports. The KBOX Report page appears.

2. Select Add New Report from the Choose action drop-down list.

3. Enter the report details as shown below:

4. Click Next.

5. The next step is to select fields you want to include on the report. Click Select All to select all fields or Deselect All to deselect all fields.

6. Click Next.

7. The next step is to arrange the fields you selected in the order in which you want the columns to appear on the report.

Highlight and drag a column block to change the order. Rearrange the fields until the columns are in the order you want to display them on the report.

8. Click Next.

9. The next step is to sort the fields you selected for the report and to decide where you want the report to break. You can sort first by one field, then further sort by one or two more fields.

a. Select a field or fields by which you want to sort from the Order By drop-down list or lists.

b. Select either Ascending or Descending from the Sequence drop-down list or lists.

c. Check Break Header? if you want to break the report with a new header and do subtotals.

10. Click Next.

11. The next step is to specify filter criteria for the report:

a. Select a field or fields by which you want to filter from the field drop-down list or lists.

b. Select an operator or operators from the operator drop-down list or lists.

c. Enter a value by which you want to search and filter.

You can combine individual field filter searches (create a compound filter search) by selecting an AND or an OR operator. The example above will search for and filter users who have “kace” or “kacepartner” in their mail address.

12. Click Save to save your report. The KBOX Reports page is displayed with the new report in the list. To run the new report, click the desired format type (HTML, PDF, CSV, or TXT). For HTML or PDF formats, the report will be displayed in a new window. If you select CSV or TXT format, you will be prompted to open the file or save it to your computer.

Report Title Enter a display name for the report. Make this as descriptive as pos-sible, so you can distinguish this report from others.

Report Category Enter the category for the report. If the category does not already exist, it will be added to the drop-down list on the Reports list page.

Description Describe the information that the report will provide.

Report Type Select a report type from the list. The fields that you will be able to include on the report vary depending on the report type you choose.


To create a new report from scratch:

1. Select Reporting | Reports.

2. Select Add New SQL Report from the Choose action drop-down list.

The KBOX Report: Edit Detail page appears.

3. Specify the following report details:

4. Click Save.

Title Enter a display name for the report. Make this as descriptive as possible, so you can distinguish this report from others.

Report Category Enter the category for the report. If the category does not already exist, it will be added to the drop-down list on the Reports list page.

Output File Name Specify the name for the file generate when this report is run.

Description Describe the information that the report will provide.

Output Types Specify the formats that should be available for this report.

SQL Select Statement Enter the query statement that will generate the report data. For reference, consult the MYSQL documentation.

Break on Columns A comma-separated list of SQL column names. The report will generate break headers and sub totals for these columns. This setting refers to the auto-generated layout.

XML Report Layout When checked, this option will create the XML layout based on the SQL you enter. Select this check box if you have changed the columns that are being returned by the query so that the XML Report Layout is regenerated using the new columns.

For assistance with formatting the report XML, refer to the rlib documentation found here: http://rlib.sicompos.com/.


http://dev.mysql.com/doc/refman/5.0/en/

http://rlib.sicompos.com/

Alert MessagesAlert messages provide a way for you to interact with your users by displaying a message in a pop-up window. The Alerts List page displays the messages you have distributed to users.

From the Alerts list page you can open existing alerts, create new alerts, or delete alerts. You can also search messages using keywords.

Creating alert messagesIf you have information you want to distribute to your network, you can review and modify previous messages you have deployed, or you can create a new message.

To create an alert message:

1. Select Reporting | Alerts.

2. Select Add New Item from the Choose action drop-down list. The Alerts: Edit Detail page appears.

3. In the Message Content field, type the text of your message.

4. In the Keep Alive field, specify the length of time the message will be valid.

Messages will be broadcast to users until either the user's desktop has received the message or the specified time interval has elapsed. This is based on the Run Interval set on the Distribution | KBOX Agent | KBOX Agent Setting.

5. In the Limit Broadcast To area, select the recipient label(s) to which this message will be sent.

Press CTRL and click to select multiple labels.

6. Click Save.


Email AlertsMail alerts differ from Alerts (broadcast messages) in that they allow you to send messages out to administrators based on more detailed criteria. The Mail Alert feature relies on the Inventory | Computers engine to create a notification that will be sent to administrators when computers meet the criteria you specify.

The KBOX 1000 Series checks the computers in inventory against the criteria in the Mail Alert once an hour until one or more computers meet the criteria, then a message is sent to the administrator(s) specified in the alert details.

Creating Email AlertsNotifications are processed every 60 minutes. Should a notification query result in 1 or more machine records, then a notification email is automatically sent to the specified recipient.

To create an Email Alert:

1. Select Reporting | Email Alerts. The Email Alerts page appears.

2. Select Add New Computer Notification in the Choose action drop-down list.

The Inventory | Computers tab appears with the Create Email Notification fields exposed.

3. Enter the search criteria.

4. In the Title field, enter a title for the alert.

The Title will appear in the Subject field.

5. In the Recipient field, enter the email address(es) of the message recipient.

Email addresses must be fully qualified email addresses. The recipient address may be a single email address or a list of addresses separated by commas.


KBOX 1000 Series SummaryThe KBOX 1000 Series Summary page provides information about the configuration and operation of your KBOX 1000 Series appliance. When you log on to the KBOX Administrator Console, the Summary tab appears by default.

To view KBOX Summary:

1. Select Reporting | Summary.

The KBOX Summary page appears.

2. The sections that follow provide a description of the summary information displayed.

3. Click Refresh to refresh the information displayed.

Client Check-In RateDisplays the total number of clients that have checked in to the server in an hour.

The counter automatically adjusts if the number increases beyond one hundred.


DistributionsDisplays the number of managed installations, scripts, and file synchronizations that are enabled. This also displays the number of alerts that you have configured.

The counter automatically adjusts if the number increases beyond thirty.


Software Threat LevelDisplays the number of machines on various software threat levels.

License ComplianceDisplays the number of machines that use a particular licensed software. For example, the following figure displays a licensed software named Adobe flash player 9, which can be used on one thousand machines. In this example, this software is used by twelve machines.

The number of machines displayed on the Y axis automatically adjusts if the number of machines found on a particular threat level increases beyond twelve.


KBOX Network LoadDisplays the number of sockets connected to the server.

Managed Operating SystemsDisplays the number, in percentage, of various operating systems present in the inventory.

The counter automatically adjusts if the number of sockets connected increases beyond one hundred.


To view KBOX Summary Details:

1. Select Reporting | Summary.

The KBOX Summary page appears.

2. Scroll down, and then click View Details.

The KBOX Summary Details page appears.

3. The sections that follow provide a description of the summary details provided.

Computer statisticsProvides a summary of the computers on your network, including a breakdown of the operating systems in use. In addition, if the number of computers on your network exceeds the number allowed by your KBOX 1000 Series license key, a notification to that effect will be displayed here.

Software statisticsProvides a summary of the software in KBOX 1000 Series Inventory. Includes the number of software titles that have been uploaded to the KBOX 1000 Series.

Software Distribution SummaryProvides a summary of the packages that have been distributed to the computers on your network, separated out by distribution method. Also indicates the number of packages that are enabled vs. disabled.

Alert SummaryProvides a summary of the alerts that have been distributed to the computers on your network, separated by message type. This also indicates the number of alerts that are active vs. expired.

As this page is refreshed, the record count information is refreshed. New KBOX 1000 Series installations will mostly contain zero or no record counts.

The IT Advisory refers to the number of Knowledge Base Articles in Help Desk.


Patch Bulletin InformationProvides a summary of the patches received from Microsoft. Includes the date and time of the last patch download (successful and attempted) and the number of bulletins in the KBOX 1000 Series.

OVAL InformationProvides a summary of the OVAL definitions received and the number of vulnerabilities detected on your network. Includes the date and time of the last OVAL download (successful and attempted) and the number of OVAL tests in the KBOX 1000 Series, in addition to the numbers of computers that have been scanned.

Network Scan SummaryProvides a summary of the results of Network Scans run on the network. Includes the number of IP addresses scanned, the number of services discovered, the number of devices discovered, as well as the number of detected devices that are SNMP-enabled.


LDAP BrowserThe LDAP Browser allows you to browse and search the data located on the LDAP Server. For example, Active Directory Server.

You must have the Bind DN and the Password to log on to the LDAP Server.

To use the LDAP Browser:

1. Select Reporting | LDAP Browser.

2. Specify the LDAP Server Details

3. Click test.

4. On a successful connection to the LDAP server, a list of possible base DNs (Distinguished Names) available on that directory is displayed. These base DNs can be used as a start point to browse and search the directory.

If the connection was not established, the Operation Failed message appears, which could be due to one of the following reasons:

The IP or Host Name provided is incorrect.

The LDAP server is not up.

The login credentials provided are incorrect.

5. Click a Base DN or click next.

A new window displays the Search Base DN and the Search Filter. The Search Base DN is populated on the basis of the Base DN that you selected in the previous screen. You can modify the Search Base DN and the Search Filter.

6. You can also use the Filter Builder to create complex filters. Click Filter Builder. The Query Builder is displayed. Specify the following information.

LDAP Server Specify the IP or the Host Name of the LDAP Server.


LDAP Port Specify the LDAP Port number, which could be either 389/636 (LDAPS).

LDAP Login Specify the Bind DN

For example:

CN=Administrator,CN=Users,DC=kace,DC=com


Attribute Name Specify the Attribute Name. For example, samaccountname.

Relational Operator Select the relational operator from the drop-down list. For example, =.

Attribute Value Specify the attribute value. For example, admin.


7. To add more than one attribute:

8. Click OK. The query appears in the Search Filter text area. For example, (samaccountname=admin).

9. Click Browse to display all the immediate child nodes for the given base DN and search filter. Click Search to display all the direct and indirect child nodes for the given base DN and search filter.

The search results are displayed in the left panel.

10. Click a child node to view its attributes.

The attributes are displayed in the right panel.

Conjunction Operator Select the conjunction operator from the drop - down list. For example, AND.

Note: This field is available for the previous attribute only when you add a new attribute.

Add Click Add. You can add multiple attributes.

Search Scope Click One level to search at the same level or click Sub-tree level to search at the sub-tree level.


A P P E N D I X A

203

Adding steps to a Task

This appendix documents steps for tasks of a script. The steps documented here are available on the Scripting tab. For more information, see “Scripting,” on page 91.

“Steps for Task sections,” on page 204

Steps for Task sectionsRefer to the following table when adding steps to a Policy or Job Task. These are the steps available in the step drop-down lists in the Verify, On Success, Remediation, On Remediation Success, and On Remediation Failure sections of a task. The Column headings V, OS, R, ORS, and ORF indicate whether a particular step is available in the corresponding Task sections.

Step Explanation V OS R ORS ORF

Always Fail X X

Call a Custom DLL Function

Call function "%{procName}" from "%{path}\%{file}"

X X X

Create a Custom DLL Object

Create object "%{className}" from "%{path}\%{file}"

X X X

Create a message window

Create a message window named "%{name}" with title "%{title}", message "%{message}" and timeout "%{timeout}" seconds.

X X X X X

Delete a registry key

Delete "%{key}" from the registry. X X

Delete a registry value

Delete "%{key}!%{name}" from the reg-istry.

X X

Destroy a message window

Destroy the message window named "%{name}".

X X X X X

Install a software package

Install "%{name}" with arguments "%{install_cmd}". Note: This step requires you to choose from a list of software packages already uploaded using the functionality in the Inventory/Software tab. For more infor-mation, see “Adding Software to Inven-tory,” on page 39.

X X

Kill a process Kill the process "%{name}". X X X X X

Launch a program Launch "%{path}\%{program}" with params "%{parms}".

X X X X X

Log a registry value Log “%{key}!%{name}”. X

Log file information Log “%{attrib}”from “%{path}\%{file}” X X X

Log message Log “%{message}”to “%{type}” X

Restart a service Restart service “%{name}” X

Table A-1: Steps for Tasks in Policy & Job scripts


Run a batch file Run the batch file "%{_fake_name}" with params "%{parms}".

Note: In this step, you do not need to upload the batch file. You create the batch file by pasting the script in the space pro-vided.

X X X

Search the file sys-tem

Search for "%{name}" in "%{startingDi-rectory}" on "%{drives}" and "%{action}".

X

Set a registry key Set "%{key}". X X

Set a registry value Set "%{key}!%{name}" to "%{newValue}".

X X

Start a service Restart service “%{name}” X

Stop a service Stop service “%{name}” X

Unzip a file Unzip "%{path}\%{file}" to "%{target}". X X X X

Update message window text

Set the text in the message window named "%{name}" to "%{text}".

X X X X

Update Policy and Job schedule

Update policy and job schedule from KBOX 1000 Series

X

Upload a file Upload "%{path}\%{file}" to the server. X X

Upload \ logs Upload KBOX Agent logs to KBOX 1000 Series

X X X X

Verify a directory exists

Verify that the directory "%{path}" exists. X

Verify a file exists Verify that the file "%{path}\%{file}" exists.

X

Verify a file version is exactly

Verify that the file "%{path}\%{file}" has version "%{expectedValue}".

X

Verify a file version is greater than

Verify that the file "%{path}\%{file}" has version greater than "%{expectedValue}".

X

Verify a file version is greater than or equal to...

Verify that the file "%{path}\%{file}" has version greater than or equal to "%{expectedValue}”

X

Verify a file version is less than

Verify that the file "%{path}\%{file}" has version less than "%{expectedValue}".

X

Verify a file version is less than or equal to

Verify that the file "%{path}\%{file}" has version less than or equal to "%{expected-Value}

X




Verify a file version is not

Verify that the file "%{path}\%{file}" does not have version "%{expectedValue}".

X

Verify a file was modified since

Verify that the file "%{path}\%{file}" was modified since "%{expectedValue}".

X

Verify a process is not running

Verify the process "%{name}" is not run-ning.

X

Verify a process is running

Verify the process "%{name}" is running. X

Verify a product ver-sion is exactly..

Verify that the product "%{path}\%{file}" has version "%{expectedValue}"

X

Verify a product ver-sion is greater than

Verify that the product "%{path}\%{file}" has version greater than "%{expected-Value}".

X

Verify a product ver-sion is greater than or equal to...

Verify that the product "%{path}\%{file}" has version greater than or equal to "%{expected-Value}”

X

Verify a product ver-sion is less than

Verify that the product "%{path}\%{file}" has version less than "%{expectedValue}".

X

Verify a product ver-sion is less than or equal to

Verify that the product "%{path}\%{file}" has version less than or equal to "%{expectedValue}”

X

Verify a product ver-sion is not

Verify that the product "%{path}\%{file}" does not hav version "%{expectedValue}"

X

Verify a registry key does not exist

Verify that "%{key}" does not exist. X

Verify a registry key exists

Verify that "%{key}" exists. X

Verify a registry key’s subkey count is exactly

Verify that "%{key}" has exactly "%{expectedValue}" subkeys.

X

Verify a registry key’s subkey count is greater than

Verify that "%{key}" has greater than "%{expectedValue}" subkeys.

X

Verify a registry key’s subkey count is greater than or equal to

Verify that "%{key}" has greater than or equal to "%{expectedValue}" subkeys.

X

Verify a registry key’s subkey count is less than

Verify that "%{key}" has less than "%{expectedValue}" subkeys.

X




Verify a registry key’s subkey count is less than or equal to

Verify that "%{key}" has less than or equal to "%{expectedValue}" subkeys.

X

Verify a registry key’s subkey count is not

Verify that "%{key}" does not have exactly "%{expectedValue}" subkeys.

X

Verify a registry key’s value count is exactly

Verify that "%{key}" has exactly "%{expectedValue}" values.

X

Verify a registry key’s value count is greater than

Verify that "%{key}" has greater than "%{expectedValue}" values.

X

Verify a registry key’s value count is greater than or equal to

Verify that "%{key}" has greater than or equal to "%{expectedValue}" values.

X

Verify a registry key’s value count is less than

Verify that "%{key}" has less than "%{expectedValue}" values.

X

Verify a registry key’s value count is less than or equal to

Verify that "%{key}" has less than or equal to "%{expectedValue}" values.

X

Verify a registry key’s value count is not

Verify that "%{key}" does not have exactly "%{expectedValue}" values.

X

Verify a registry pat-tern doesn’t match

Verify that "%{key}!%{name}=%{expect-edValue}" doesn't match.

X

Verify a registry pat-tern matches

Verify that "%{key}!%{name}=%{expect-edValue}" matches.

X

Verify a registry value does not exist

Verify that "%{key}!%{name}" does not exist

X

Verify a registry value exists

Verify that "%{key}!%{name}" exists X

Verify a registry value is exactly

Verify that "%{key}!%{name}" is equal to "%{expectedValue}"

X

Verify a registry value is greater than

Verify that "%{key}!%{name}" is greater than "%{expectedValue}"

X

Verify a registry value is greater than or equal to

Verify that "%{key}!%{name}" is greater than or equal to "%{expectedValue}"

X




Verify a registry value is less than

Verify that "%{key}!%{name}" is less than "%{expectedValue}"

X

Verify a registry value is less than or equal to

Verify that "%{key}!%{name}" is less than or equal to "%{expectedValue}"

X

Verify a registry value is not

Verify that "%{key}!%{name}" is not equal to "%{expectedValue}"

X

Verify a service exists

Verify the service "%{name}" exists X

Verify a service is running

Verify the service "%{name}" is running X




A P P E N D I X B

209

Database tables

This appendix contains a list of the table names used in the KBOX 1000 Series database. Use this as a reference when creating custom reports.

“KBOX 1000 Series database tables,” on page 210

KBOX 1000 Series database tablesRefer to the following table when creating custom reports. For more information, see Chapter 13,“Reporting,” starting on page 183.

Table Used In

ADVISORY HelpDesk

ADVISORY_LABEL_JT HelpDesk

AUTHENTICATION KBOX

CLIENTDIST_LABEL_JT KBOX

CLIENT_DISTRIBUTION KBOX

CR_CLIENT_CRASH KBOX

CR_SERVER_CRASH KBOX

CUSTOM_FIELD_DEFINITION Custom Fields

FILTER Labeling

FS File Synchronization

FS_LABEL_JT File Synchronization

FS_MACHINE_JT File Synchronization

GLOBAL_OPTIONS KBOX

HD_ATTACHMENT Help Desk

HD_CATEGORY Help Desk

HD_EMAIL_EVENT Help Desk

HD_IMPACT Help Desk

HD_MAIL_TEMPLATE Help Desk

HD_PRIORITY Help Desk

HD_QUEUE Help Desk

HD_QUEUE_PRIORITY Help Desk

HD_QUEUE_STATUS Help Desk

HD_STATUS Help Desk

HD_TICKET Help Desk

HD_TICKET_CHANGE Help Desk

HD_TICKET_RELATED Help Desk

HD_WORK Help Desk

KBOT Scripting

Table B-1: KBOX 1000 Series database table names


KBOT_CRON_SCHEDULE Scripting

KBOT_DEPENDENCY Scripting

KBOT_EVENT_SCHEDULE Scripting

KBOT_FORM Scripting

KBOT_FORM_DATA Scripting

KBOT_GRAMMAR Scripting

KBOT_GRAMMAR_ATTRIBUTE Scripting

KBOT_LABEL_JT Scripting

KBOT_LOG Scripting

KBOT_LOG_DETAIL Scripting

KBOT_LOG_LATEST Scripting

KBOT_OS_JT Scripting

KBOT_RUN Scripting

KBOT_RUN_MACHINE Scripting

KBOT_RUN_TOKEN Scripting

KBOT_UPLOAD Scripting

KBOT_UPLOAD_TOKEN Scripting

KBOT_VERIFY Scripting

KBOT_VERIFY_STEPS Scripting

KBOX_VERSION KBOX

LABEL Labeling

LDAP_FILTER Labeling

LDAP_IMPORT_USER User

LICENSE Inventory

LICENSE_MODE Inventory

MACHINE Inventory

MACHINE_CUSTOM_INVENTORY Inventory

MACHINE_DISKS Inventory

MACHINE_KUID Inventory

MACHINE_LABEL_JT Inventory

MACHINE_NICS Inventory

Table Used In



MACHINE_NTSERVICE_JT Inventory

MACHINE_PROCESS Inventory

MACHINE_PROCESS_JT Inventory

MACHINE_SOFTWARE_JT Inventory

MACHINE_STARTUP_PROGRAMS Inventory

MACHINE_STARTUPPROGRAM_JT Inventory

MESSAGE Alerts

MESSAGE_LABEL_JT Alerts

MI Managed Installs

MI_ATTEMPT Managed Installs

MI_LABEL_JT Managed Installs

METER Software Metering

METER_COUNTER Software Metering

MSP_AFFECTEDPRODUCT Patching

MSP_AFFECTEDSERVICEPACK Patching

MSP_BULLETIN Patching

MSP_BULLETIN_STATUS Patching

MSP_LOCATION Patching

MSP_MI_TEMPLATE Patching

MSP_MI_TEMPLATE_LABEL_JT Patching

MSP_PATCH Patching

MSP_PATCH_OS_VERSION Patching

MSP_PRODUCT Patching

MSP_SERVICEPACK Patching

MSP_SERVICEPACK_MACHINE_JT Patching

MSP_SEVERITY Patching

MSP_UPDATE_STATUS Patching

NETWORK_SETTINGS KBOX

NODE Network Scan

NODE_LABEL_JT Network Scan

NODE_PORTS Network Scan

Table Used In



NODE_SNMP_IF Network Scan

NODE_SNMP_SYSTEM Network Scan

NOTIFICATION Alerts

NTSERVICE Inventory

OPERATING_SYSTEMS Inventory

OVAL_DEFINITION OVAL

OVAL_STATUS OVAL

OVAL_UPDATE_STATUS OVAL

PORTAL User Portal

PORTAL_LABEL_JT User Portal

PROCESS Inventory

PORT_SERVICES KBOX

REPLICATION_SHARE Replication

REPORT Reporting

REPORT_FIELD Reporting

REPORT_FIELD_GROUP Reporting

REPORT_JOIN Reporting

REPORT_OBJECT Reporting

SCAN_FILTER Labeling

SCAN_SETTINGS Network Scan

SERVER_LOG KBOX

SOFTWARE Inventory

SOFTWARE_LABEL_JT Inventory

SOFTWARE_OS_JT Inventory

STARTUPPROGRAM Inventory

THROTTLE KBOX

TIME_SETTINGS KBOX

TIME_ZONE KBOX

USER User

USER_HISTORY User Portal

USER_KEYS User Portal

Table Used In



USER_LABEL_JT User

Table Used In




A P P E N D I X C

216

Manual Deployment of KBOX Agent

This appendix contains a list of tasks and commands that you can carry out using the command line interface.

“Manual Deployment of KBOX Agent on Linux,” on page 217

“Manual Deployment of KBOX Agent on Solaris,” on page 219

“Manual Deployment of KBOX Agent on Macintosh,” on page 221

Manual Deployment of KBOX Agent on Linux

Installing and Configuring the KBOX Agent1. Ensure that you have kboxagent-buildnumber.i386.rpm on your computer.

2. Open the command line interface.

3. Type rpm -ivh kboxagent-buildnumber.i386.rpm, and then press ENTER.

The installer creates the following directories on your computer:

/KACE

/KACE/bin

/KACE/lib

/KACE/data

/var/KACE/kagentd. This directory contains the kbot_config.yaml file.

4. Type cd KACE/bin, and then press ENTER.

5. Set the name of the KBOX server by typing ./setkbox name_of_kbox_server.

6. Restart all KBOX Agent services and connect to the KBOX server by typing ./runallkbots.

Upgrading the KBOX Agent1. Ensure that you have kboxagent-buildnumber.i386.rpm on your computer.


3. Type rpm -uvh kboxagent-linux_buildnumber.rpm, and then press ENTER.

Removing the KBOX Agent1. Open the command line interface.

2. Type rpm -e kboxagent-buildnumber.i386, and then press ENTER.

Verifying Deployment of the KBOX AgentThis section describes the various tasks you can perform to manage the KBOX agent using the command line interface.

Starting and Stopping the KBOX Agent1. Open the command line interface.


3. To start the KBOX agent, type ./kagentctl start, and then press ENTER.

To stop the KBOX agent, type ./kagentctl stop, and then press ENTER.

Checking Whether the Agent is Running1. Open the command line interface.

2. Type ps aux | grep kagentd, and then press ENTER.


Checking the Version of the KBOX Agent1. Open the command line interface.

2. Type cat /KACE/data/version, and then press ENTER.

Performing an Inventory1. Open the command line interface.

2. Type sudo /KACE/bin/inventory, and then press ENTER.

If you want to save the inventory results to a file, type sudo /KACE/bin/inventory > 'uname -n'.txt, and then press ENTER. This command saves the inventory results to a file named yourcomputer.txt, where yourcomputer is the name of your computer.

Enabling Debugging1. Open the command line interface.

2. Type sudo touch /var/kace/kagentd/debug_agent.tag, and then press ENTER.

3. Type sudo /etc/rc.d/init.d/kagentctl stop, and then press ENTER.

4. Type sudo /etc/rc.d/init.d/kagentctl start, and then press ENTER.

The debug_agent.log file contains debug logs.


Manual Deployment of KBOX Agent on Solaris

Installing and Configuring the KBOX Agent1. Ensure that you have KBOX-agent-all-buildnumber.pkg.gz on your computer.


3. Type /usr/bin/gunzip KBOX-agent-all-buildnumber.pkg.gz, and then press ENTER.

4. Type /usr/sbin/pkgadd -n -d KBOX-agent-all-buildnumber.pkg all, and then press ENTER.


/KACE

/KACE/bin

/KACE/lib

/KACE/data

/var/KACE/kagentd. This directory contains the kbot_config.yaml file.




Upgrading the KBOX Agent1. Ensure that you have KBOX-agent-all-buildnumber.pkg.gz on your computer.


3. Type /etc/init.d/kagentctl stop, and press ENTER.

4. Type /usr/sbin/pkgrm -A -n KBOX-agent, and press ENTER.

5. Type /usr/bin/rm -rf /KACE/, and press ENTER.

6. Type /usr/bin/gunzip -v KBOX-agent-all*.pkg.gz, and press ENTER.

7. Type /usr/sbin/pkgadd -n -d KBOX-agent-all*.pkg all, and press ENTER.

8. Type /etc/init.d/kagentctl start, and press ENTER.

Removing the KBOX Agent1. Open the command line interface.

2. Type /etc/init.d/kagentctl stop, and press ENTER.

3. Type /usr/sbin/pkgrm -A -n KBOX-agent, and press ENTER.

4. Type /usr/bin/rm -rf /KACE/, and press ENTER.



Starting and Stopping the KBOX Agent1. Open the command line interface.




Checking Whether the Agent is Running1. Open the command line interface.

2. Type ps ef | grep kagentd, and then press ENTER.

Checking the Version of the KBOX Agent1. Open the command line interface.

2. Type cat /KACE/data/version, and then press ENTER.

Performing an Inventory1. Open the command line interface.

2. Type sudo /KACE/bin/inventory, and then press ENTER.

If you want to save the inventory results to a file, type sudo /KACE/bin/inventory > 'uname -n'.txt, and then press ENTER. This command saves the inventory results to a file named yourcomputer.txt, where yourcomputer is the name of your computer.

Enabling Debugging1. Open the command line interface.


3. Type sudo /etc/init.d/kagentctl stop, and then press ENTER.

4. Type sudo /etc/init.d/kagentctl start, and then press ENTER.



Manual Deployment of KBOX Agent on Macintosh

Installing and Configuring the KBOX Agent1. Double-click KBOX Agent 3.1.buildnumber.dmg.

2. Double-click KBOX Agent.pkg.

3. In the Introduction page, and then click Continue.

4. In the Read Me page, click Continue.

5. In the Select Destination page, select the destination volume where you want to install the KBOX agent, and then click Continue.

6. In the Installation Type page, click Install.

7. In the Finish Up page, click Close.


/Library/KBOXAgent/Home/bin

/Library/KBOXAgent/Home/data

/Library/KBOXAgent/Home/lib

/var/kace/kagentd. This directory contains the kbot_config.yaml file.

8. Type cd Library/KBOXAgent/Home/bin, and then press ENTER.



Upgrading the KBOX Agent1. Double-click KBOX Agent 3.1.buildnumber.dmg.

2. Double-click KBOX Agent.pkg.

3. In the Introduction page, and then click Continue.

4. In the Read Me page, click Continue.

5. In the Select Destination page, select the destination volume where you want to install the KBOX agent, and then click Continue.

6. In the Installation Type page, click Upgrade.

7. In the Finish Up page, click Close.

To run the commands the user must be logged in as root.


Removing the KBOX Agent1. Browse to /Library/KBOXAgent.

2. Removing the KBOX Agent, you first need to Drag the KBOXAgent folder to the Trash and then kill the process ID.


Starting and Stopping the KBOX Agent1. Open Terminal from the Applications/Utilities folder.

2. Type cd Library/KBOXAgent/Home/bin, and then press ENTER.



Checking Whether the Agent is Running1. Open Terminal from the Applications/Utilities folder.

2. To check if the kagentd process is running enter the command ps aux | grep kagentd, and then press ENTER. The process is running if you see the following result:

root 2159 0.0 1.1 94408 12044 p2 S 3:26PM 0:10.94 /Library/KBOXAgent/Home/bin/kagentd

Checking the Version of the KBOX Agent1. Open Terminal from the Applications/Utilities folder.

2. Type cat Library/KBOXAgent/Home/data/version, and then press ENTER.

Performing an Inventory1. Open Terminal from the Applications/Utilities folder.

2. Type sudo Library/KBOXAgent/Home/bin/inventory, and then press ENTER.

If you want to save the inventory results to a file, type sudo Library/KBOXAgent/Home/bin/inventory > computer_name.txt. Replace computer_name with the name of your computer, and then press ENTER. This command saves the inventory results to a file named computer_name.txt, where computer_name is the computer name that you specified.

Enabling Debugging1. Open Terminal from the Applications/Utilities folder.


3. Type sudo /Library/KBOXAgent/Home/bin/kagentctl stop, and then press ENTER.

4. Type sudo /Library/KBOXAgent/Home/bin/kagentctl start, and then press ENTER.




A P P E N D I X D

224

Agent Customization

This appendix explains the procedure to create a self-ex-ecuting zip file that includes custom installation items like non-standard path or custom server name.

“Agent Customization,” on page 225

Agent CustomizationYou can create a self-executing zip file that includes custom installation items like non-standard path or custom server name.

To create a self-executing zip that includes custom installation:

1. Copy the necessary files for your customization. You will need the following files:

7zip-v442.exe, available at \\kdisk\kace_corporate\software\7-Zip\7zip-v442.exe

7zip-v442_extra.zip, available at \\kdisk\kace_corporate\software\7-Zip\7zip-v442_extra.zip

The KInstallerSetup.exe, from the client version you want to customize. This file is available at the KACE Support Website.

2. Install 7-zip.

3. Unzip the 7zip_v442_extra.zip file into the directory where the 7-zip is installed. (by default the directory is C:\Program Files\7-Zip).

Ensure that the file 7zS.sfx is in the top-level directory. 7-Zip-install path is used for this location. This file is important because it has the actual executable stub for a self-extracting installer executable.

4. Start the 7-Zip File Manager from the start menu.

5. Select the KInstallerSetup.exe executable for the client version to customize using the 7-Zip File Manager.

6. Click the extract button to extract it into a directory of your choice. Keep the Current Pathnames selected in the Path mode box. The Overwrite without prompt option can be selected for the Overwrite Mode. Do not specify a password.

7. Navigate to that folder and edit the kinstaller.exe.config file with a text editor to change any settings for customization. The display_mode can have the values interactive, quiet, and silent. server_name is the hostname of the server.

8. Save your changes. Execution of the kinstaller.exe file in this directory installs with the settings as specified in the .config file.

9. Open the 7-Zip File Manager and select kinstaller.exe, kinstaller.exe.config, es-ES and install_files.

10. Click the Add button. The archive format is 7z, Create SFX archive in the options box is cleared.

11. Save the .7z file and note down the path. I'll call my file "jkboxInstaller.7z" and the path to it will be <<jkbox-installpath>>

12. Create a text file - config.txt - which includes the settings for the self-executing zip. Ensure that the file is saved with UTF-8 encoding. The file should contain the following commands, which will indicate to 7-zip that the kinstaller should run when the self-executing zip runs:

;!@Install@!UTF-8!

Progress="no"

RunProgram="kinstaller.exe"

Directory=""

;!@InstallEnd@!

13. Open a new command-line window.

14. Execute the following command to create a self-executing file from the .7z file.


15. Copy /b "<<7-Zip-install>>\7zS.sfx" + "<<config-file-path>>\config.txt" + "<<jkbox-installpath>>\jkboxInstaller.7z" "<<Installer_Name>>.exe"


A P P E N D I X E

227

Warranty, Licensing, and Support

“Warranty and Support Information,” on page 228.

Warranty and Support Information

Information concerning hardware and software warranty, hardware replacement, product returns, technical support terms and product licensing can be found in the KACE End User License agreement accessible at:

HTTP://WWW.KACE.COM/LICENSE/STANDARD_EULA


http://www.kace.com/license/standard_eula.pdf

Documents

KBOX Administrator Guide 3.3