Environment Manager Automation action failing to run due to missing RunAs Certificate

Version 1

    Verified Product Versions

    Environment Manager 2018.3

    Introduction

    As of Environment Manager 2018.3, it is possible to trigger Ivanti Automation tasks from within your Policy Configuration. After configuring the action, you find that it fails to run the task.

     

    Detail

    Enable auditing for Automation within your configuration to confirm whether the task has failed to run. These events can be enabled by opening the configuration, selecting Manage > Auditing, sending the events to an event log and checking:

     

    9672  - Workspace Automation action scheduled scheduling

    9673  - Workspace Automation action scheduling failed

     

    Once enabled, deploy this configuration to your endpoint and recreate the issue. Below is an example of a failed event:

    Workspace Automation action scheduling failed (Action description: Automation Task > Install of Notepad++ Through UWM, Workspace task name: Install of Notepad++ Through UWM, Workspace task ID: 854B388E-5F9C-47FC-BE2C-24F48FCE60AC, Workspace task type: 0), http error: 404.

     

    Environment Manager debug logs will also show something similar to the following (the agent cannot find the certificate for the configured thumbprint, so the stored RunAs password cannot be decrypted):

    L4 T7236 131946171306564966 [CDecryptBuffer::GetCertificate] [ENTER]

    L3 T7236 131946171306580433 [CDecryptBuffer::GetCertificate] Retrieving certificate using thumbprint [2C169FBB18EDED4576FA40900F6261D0D0AC1E1B]

    L1 T7236 131946171306585245 [CDecryptBuffer::GetCertificate] CertFindCertificateInStore failure [0]

    L3 T7236 131946171306585310 [CDecryptBuffer::GetCertificate] Retrieved certificate.

    L4 T7236 131946171306585354 [CDecryptBuffer::GetCertificate] [EXIT]

    L1 T7236 131946171306585458 [CDecryptBuffer::Decrypt] Error - failed to find a certificate to match the specified thumbprint

    L4 T7236 131946171306585496 [CDecryptBuffer::Decrypt] [EXIT]

    L1 T7236 131946171306585548 [DecryptPassword] Failed to decrypt data [2148081668]

    Solution

    As part of the configuration for Automation, a RunAs user account must be specified in the Automation settings of the Policy configuration, together with a certificate. On each endpoint, this certificate (exported *with* its private key and protected with a password) must be copied and securely placed in the endpoint certificate store. The EM agent looks in the Local Computer\Personal store on each endpoint (the LocalMachine\My store in PowerShell) for the certificate and its private key. A PowerShell script can be used to copy it from a file share to the correct store. The file share should be secured so that ordinary users cannot access it. Note that the private key password is required, since the private key is in the file alongside the certificate.
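    The article refers to a PowerShell script but none is reproduced on this page. The following is an added example, not Ivanti's script: it imports the PFX from a secured share into LocalMachine\My and then verifies that a certificate with the expected thumbprint, including its private key, is actually present, which is the condition the debug log above shows failing. The share path, file name and parameter names are assumptions; the thumbprint default is the one from the log above and should be replaced with the one shown in your Automation settings.

```powershell
# Added example (not the article's or Ivanti's script).
# Imports the RunAs certificate plus private key into Local Computer\Personal
# and verifies the result by thumbprint. Run elevated on the endpoint.
param(
    # Placeholder share path; the share must be readable only by administrators/deployment accounts.
    [string]$PfxPath = '\\fileserver\EMCerts$\RunAsCert.pfx',
    # Thumbprint from the debug log above; replace with the one in your Automation settings.
    [string]$Thumbprint = '2C169FBB18EDED4576FA40900F6261D0D0AC1E1B',
    # PFX password; if omitted, prompt for it rather than hard-coding it.
    [SecureString]$PfxPassword
)

# LocalMachine\My requires administrative rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'This script must be run as an administrator.'
}

# Idempotent: do nothing if the certificate and its private key are already there.
$existing = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if ($existing -and $existing.HasPrivateKey) {
    Write-Host "Certificate $Thumbprint already present with private key; nothing to do."
    return
}

if (-not (Test-Path -Path $PfxPath)) {
    throw "PFX file not found: $PfxPath"
}
if (-not $PfxPassword) {
    $PfxPassword = Read-Host -Prompt 'PFX private key password' -AsSecureString
}

# Import into Local Computer\Personal (LocalMachine\My), where the EM agent looks.
$cert = Import-PfxCertificate -FilePath $PfxPath `
                              -CertStoreLocation Cert:\LocalMachine\My `
                              -Password $PfxPassword

# Verify what the agent will look for: matching thumbprint and a usable private key.
if ($cert.Thumbprint -ne $Thumbprint) {
    throw "Imported certificate thumbprint $($cert.Thumbprint) does not match the expected $Thumbprint."
}
if (-not $cert.HasPrivateKey) {
    throw 'Certificate imported without its private key; re-export the PFX with the private key included.'
}
Write-Host "Imported $($cert.Subject) ($($cert.Thumbprint)) into LocalMachine\My."
```

    After running it, re-trigger the Automation action and confirm that event 9673 no longer appears in the event log. If the thumbprint check fails, the certificate configured in the Automation settings is not the one in the PFX, and the agent's CertFindCertificateInStore lookup shown in the debug log will keep failing.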

     

    Information on RunAs can be found in the following article:

    Changes to RunAs and Drive Mapping in EM 2018.3 – Why you need a Certificate and How to Deploy it to Endpoints