How to Patch Clients through a Cloud Service Appliance (CSA)

Version 5

    Verified Product Versions

    Endpoint Manager 2016.xEndpoint Manager 2017.xEndpoint Manager 2018.x


    Need to patch clients using a Cloud Services Appliance


    This document assumes you have a good understanding of how to use Endpoint Management to create tasks and modify and deploy agent settings.  Browse hidden files and run commands in CMD.

    Clicking on a photo will enlarge it.


    Correct Functioning of the CSA

    Patching through the CSA relies on inventory, brokerconfig (certificates) and policysync to all be functioning on the client to the CSA which then creates a tunnel to the core.  If any one of these components are not functioning you will need to troubleshoot them first before patching tasks will work or even can be troubleshot.  Usually if one of these components if failing it is due to the CSA not being setup correctly.

    Once you have verified that inventory, brokerconfig and policysync are all working correctly through the CSA we can create patching tasks on the core to the clients.


    How the Clients Operate through the CSA

    Direct core to client communications is not possible when clients are outside the network.  The core must rely on the clients themselves to check in and get any pending tasks created on the core through the CSA. This is done through the policysync task that runs on the clients themselves periodically.  It is recommended if devices are going to be mostly communicating through the CSA to change the policysync schedule on CSA clients to check in several times a day.

    The schedule for policy sync can be adjusted in Agent Settings>Distribution and Patch settings and then in the Policy sync schedule item on the left-hand list.  Click Change Settings to alter the schedule.


    Remember to push out the agent setting through a Change Settings task or allow time for it to update through a daily vulscan for the change to take effect.


    Creating a Patch Task on the Core

    As mentioned earlier, the clients themselves must check in with the core and get the tasks assigned. As such any Push tasks will fail, since the core does not know where the client is on the outside network.  All tasks to CSA clients must be policy-based tasks on the core.  You can do this by creating a repair task by right clicking a patch or patch group and clicking Repair.  In the dialog box that comes up click Task settings and choose Policy as the Task Type.

    Make any other changes to the task you like and save it.  This will create a repair task in Scheduled Tasks.  Add the devices you want to the task and start it by right clicking the task and clicking Start now>All.  Once started the task will go active for a bit then go to pending again.  The clients will be listed under Pending with the Result field of Policy has been made available.


    Following the Task

    Once the task is in a Policy has been made available state you can wait for the clients policysync to run and download the policy on its own.  As a test you can force a check in and get the policy manually by running a few commands on the client itself.  First, on the core right click the task and click Info.  In the dialog that comes up make a note of the number in the ID field.  In our example it is 31.

    Next logon to the client and as administrator run the following command:


    C:\Program Files (x86)\LanDesk\LDClient\Policysync.exe /taskid=####


    Where #### is the task ID number noted earlier.  In our example it is 31.

    Once run you can browse to the C:\Programdata\LANDesk\Policies folder(Programdata is a hidden folder on the C: drive.  In the folder you should see a file that starts with CP. and the number of the task ID.  Once the policy file is downloaded it will run as setup in the task.


    Basic Troubleshooting



    Patch tasks when started, soon after show as failed in the console with Cannot Find Agent.



    Task is likely set as a Push or Policy supported Push. Push tasks rely on the cores ability to see the client first.  This cannot be done if the client is off the network.  A Push task will fail and not run.  A Policy supported Push task will fail in the console but will still run on the clients once they get the policy.  It is best still to use only Policy based tasks.




    Tasks are running but patch files(EXE, MSU and MSI) are not downloading from the core to the client through the CSA.  Internal clients work fine.  I’m using the core IP Address in Patch location.



    Due to the way the CSA handles requests IP addresses and UNC paths cannot be used in the Patch Location.

    Click the Patch Location tab and verify that the Web URL field is setup to use the cores short name or FQDN name and is a working URL in the field.