5 Replies Latest reply on Oct 3, 2012 8:12 AM by AspenSkier

    ? about 'what happens' with policies and LDAP queries


      So I have a question about software distribution and policies...


      After some wrestling I finally managed to get software distribution tasks to work and I would like to begin using policies to control their distribution. Namely I want to assign various SD packages to groups and ensure that those groups always have that software, even if I reimage computers in that group.



      My windows active directory environment is organized to provide logical groupings of machines for various pieces of software and so I have assigned LDAP queries to a handful of SD scheduled tasks using the POLICY->REQUIRED INSTALLATION delivery method.  After imaging some computers I expected to see those machines pull down the required software via those SD tasks...but they are not.  I see these machines stuck in the PENDING portion of the scheduled task with a status of "WAITING", "policy has been made available".   Forcing a policy sync doesn't get the software to install.


      the questions:

      When I assign an SD task to a query with a POLICY delivery method and run that task am I supposed to be done with it?

      Do I have to schedule the task to repeat in order to ensure that machines will continue to pull down the software when they are imaged?

      How do I ensure that only machines that are the target of an LDAP query get the software?  ...or do I need to do anything to ensure the query results are accurate?



      Also, while we're on this topic...once you assign an LDAP query to a scheduled task, HOW CAN YOU REMOVE IT?


      Ex, I have a scheduled task deploying some software to a test group.  After passing the test I decide I want to assign a different LDAP query to the task and remove the test query.  I can see them but can't delete either of them from the scheduled task.  ideas?

        • 1. Re: ? about 'what happens' with policies and LDAP queries
          zman Master

          You need to use a Policy Supported Push with a delivery method that indicates a Type and Frequency of Required Periodic. Then in your scheduled task under Schedule Task - Check Deploy packages .....even if they were previously deployed. You can then create a prerequisite query based on an inventory attribute that indicates the machine already ran the package. Say the package is Office 2007, then you would create an prerequisite query based on the installation of Office 2007.


          It would be easier if you used a machine based query based on computer location. You could then have more flexibility while targeting the scheduled task and could incorporate the prereq query and targeting logic into one query.

          • 2. Re: ? about 'what happens' with policies and LDAP queries

            Thanks Zman,


            I now see the TYPE & FREQUENCY piece of the delivery method that I did not see.  Regarding the 'deploy packages (again)' that option is grey'd out for me and I can't seem to enable it.  I'm not sure I really want that because I don't want to constantly reinstall the software again and again, which is how I am interpreting that option.  Am I wrong there?


            I DO have a machine based query based on location...I have OUs which relate to computer labs and groups of mobile computers.  Software is to be deployed based on those OUs.  I also understand your use of the prerequistie query, however I thought it not necessary because I was specifying a policy that states that it is required.  My thinking is:


            I build a SD task and assign it as REQUIRED software for a group of computers.  Then Landesk magic ensures that those computers have the software.  The end!


            My interpretation of your recommendation is that you are building a policy, manually, by creating a scheduled task that runs against a set of computers which are supposed to have the desired software packages but don't, and then you request that this task rerun itself repeatedly.  Isn't the concept of landesk policy-based administration supposed to be simple and take care of this without this extra work?  Are you stating that a landesk policy is just a one-time event?

            • 3. Re: ? about 'what happens' with policies and LDAP queries

              I am reaching out one time on this because I don't see the results that I expect.


              Here is my updated scenario:


              • I have computers organized by OUs with my active directory structure
              • I have a known working Landesk Software Distribution package which deploys a single .MSI package
              • I have created a delivery method which is a POLICY type with a REQUIRED INSTALLATION component as well as a DAILY frequency of the policy
              • I am using the LDMS 9 Directory Manager to create OU-specific queries that are targed by the SD task
              • Initially, when I run the task the machines take the software w/o any problem


              But this can quickly break down as follows:


              If I reimage any one of the machines targeted by the query then the policy won't reinstall the software. Upon inspecting the SD task I can see that 100% of the machines completed the task, however that was yesterday, last week, or last month. The task does not show psudo-real-time status. I thought establishing a policy more or less solved the problem with compliance, but it seems that the LDMS Scheduled Task model is severely limiting the capabilities of the product since it seems to dictate when to run-and in this case it prevents any additional attempts once it sees 100% of targeted clients being successful.



              Am I missing something about the intended functionality of landesk's product? None of the LD documents or videos remotely suggest that I need to create queries that Zman described in his post above in order to realize a functioning policy.


              Furthermore, a few things are still in limbo:


              • Regarding the 'deploy packages (again)' that option is grey'd out for me and I can't seem to enable it. I'm not sure I really want that because I don't want to constantly reinstall the software again and again, which is how I am interpreting that option. Am I wrong there?
              • Is a landesk policy is just a one-time event when the scheduled task runs just once?
              • What is the point in establishing FREQUENCY inside of a delivery method if ultimately a scheduled task just runs one time?  (as in my scenario above)



              • 4. Re: ? about 'what happens' with policies and LDAP queries
                Frank Wils ITSMMVPGroup

                You need to run the task with a pure policy delivery method. A policy supported push is a combi delivery with characteristics from both push and policy. 1 of the characteristics of push is, that it runs periodic only and that once a device is succesful, it won't be started in the task again. Use the policy supported push for a one time deployment when you are not suvyou can catcch all targets online when you run the task. All reachable devices will get the software as push, the others get the software when the agent checks in.


                That's why you need policy delivery in your situation. The policy is a 'sync' method. The targets, in your case ldap queries, are evaluated constantly to determine the right devices. When the agent on a targets checks in it will download the taskmanifests it doesn't have and will update a local mini-db. Any missing software will be installed and if enabled in the distribution package, uninstalled if the device falls out of the targets from the task.


                This way, after re-imaging the device it will again download the taskmanifests, update the local db and install any software it was targeted for.


                Policy deliveries are like that set-and-forget, just manage the targets by managingbthe content of the targeted ldap group.


                Hope this makes sense to you.



                • 5. Re: ? about 'what happens' with policies and LDAP queries

                  Thank you Frank,


                  I will keep an eye on this for a bit longer and see what happens.


                  That being said I already have a POLICY in place-I am not using Policy Supported Pushes.


                  I'm glad that someone suggested that the Landesk Policy is supposed to be a set and forget as that is how I was interpreting it.  Hopefully I can see that it does indeed work as such.


                  thanks again