7 Replies Latest reply on Jun 22, 2016 12:05 PM by Rick.Smith1

    Brokerconfig.EXE /r during Provisioning

    jpozucek Apprentice

      I've added a batch file that runs the following to my Provisioning Template:

      ----

      call "C:\Program Files (x86)\LANDesk\LDClient\brokerconfig.exe" /r

      exit /B %ERRORLEVEL%

      --------

       

      This runs and I can see the cert files in the "C:\Program Files (x86)\LANDesk\Shared Files\cbaroot\broker\" folder, however when I try to run a Security Scan when the device is off the network it does not connect back to the core.  It keeps retrying.  If I connect the device back on the network and manually run the same batch file I get new cert files and now the device connects back to the core while off the network.

       

      I tried creating a distribution package that runs it under the Local System Account and as a Specific User that's a Domain Admin Service Account.  Same results.

       

      Is there a specific user context it needs to run in?  How can I add this to my template?

       

      Thanks,

       

      Jim

        • 1. Re: Brokerconfig.EXE /r during Provisioning
          cwarren SupportEmployee

          Is your CSA configured and working properly?

          Running brokerconfig (as admin) on the end device and running test should tell you more about where it is failing.

          Also, I assume you are not running 2016, as this is no longer necessary with 2016.

          • 2. Re: Brokerconfig.EXE /r during Provisioning
            jpozucek Apprentice

            Everything seems to be running correctly.  It only seems to not work when brokerconfig is run in the provisioning template.  I have a task based on the batch file and that works when I push to a device after imaging or if I run it manually.  I was thinking that it has something to do with the fact that the device is logged in with a local admin account but not a domain account during imaging, but I tried running it (brokerconfig) in different user contexts during the image process and it still does not work.

            • 3. Re: Brokerconfig.EXE /r during Provisioning
              Rick.Smith1 Specialist

              Jim,

               

              I assume /r works. I use -r, however I run this as a custom security scan.

              I check to see if the .crt, .csr, .key files exist. If any are missing I call it with the -r.

               

              This seems to work for us, I am getting ready to move it into a provisioning step as well so I can try to let you know if there seems to be a difference.

               

              Another test you might do in the meantime (assuming your CSA is working well) is to run your bat file. Copy off the 3 files, and then run it yourself or however you get it to work. Then compare those 3 files to the original to see if there is any difference.

               

              Rick
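
              Added example (not part of the original thread, and not LANDesk's own tooling): a PowerShell sketch of the check described in reply 3, which runs brokerconfig.exe -r only when a .crt, .csr or .key file is missing, plus a snapshot helper for the "compare the 3 files" test that records hashes instead of copying the private key. The two paths are the ones quoted in the thread; matching files by extension, the function names and the CSV paths are assumptions.

```powershell
# Added example, not code from the thread. Both paths are the ones quoted in the
# thread; matching the files by extension is an assumption (no file names are given).
$BrokerDir    = 'C:\Program Files (x86)\LANDesk\Shared Files\cbaroot\broker'
$BrokerConfig = 'C:\Program Files (x86)\LANDesk\LDClient\brokerconfig.exe'
$Extensions   = '.crt', '.csr', '.key'

function Get-MissingBrokerFile {
    # Extensions for which the broker folder holds no file (all three if the folder is absent).
    $Extensions | Where-Object {
        -not (Get-ChildItem -Path $BrokerDir -Filter "*$_" -File -ErrorAction SilentlyContinue)
    }
}

function Invoke-BrokerRequestIfNeeded {
    # Runs "brokerconfig.exe -r" only when a file is missing, then re-checks the folder.
    # Returns 0 when all three files are present afterwards, 1 otherwise.
    if (@(Get-MissingBrokerFile).Count -gt 0) {
        # -Wait so a provisioning or scan step does not move on before the request completes.
        $p = Start-Process -FilePath $BrokerConfig -ArgumentList '-r' -Wait -PassThru
        Write-Host "brokerconfig.exe exited with code $($p.ExitCode)"
    }
    $still = @(Get-MissingBrokerFile)
    if ($still.Count -gt 0) { Write-Host "Still missing: $($still -join ', ')"; return 1 }
    return 0
}

function Save-BrokerFileSnapshot {
    # Writes name, size, timestamp and SHA-256 of each broker file to a CSV, so the set
    # produced during provisioning can be compared with the set from a manual run.
    # Only hashes are stored; the private key itself is never copied out of the folder.
    param([Parameter(Mandatory)][string]$OutCsv)
    Get-ChildItem -Path $BrokerDir -File |
        Where-Object { $Extensions -contains $_.Extension } |
        ForEach-Object {
            [pscustomobject]@{
                Name          = $_.Name
                Length        = $_.Length
                LastWriteTime = $_.LastWriteTime.ToString('s')
                SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        } | Export-Csv -Path $OutCsv -NoTypeInformation
}

# Usage (the CSV paths are placeholders):
#   Save-BrokerFileSnapshot -OutCsv C:\Temp\broker-provisioning.csv   # after the template runs
#   exit (Invoke-BrokerRequestIfNeeded)                               # as the scan/provisioning step
#   Compare-Object (Import-Csv a.csv) (Import-Csv b.csv) -Property Name, Length, SHA256
```

              If each run generates a new key pair, the hashes will differ between snapshots in any case, so the file names, sizes and timestamps are the fields to read first.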

              • 4. Re: Brokerconfig.EXE /r during Provisioning
                cwarren SupportEmployee

                One more thing to be aware of. Running brokerconfig -r assumes the agent can communicate with the core.

                If it can't reach the core, then this will fail also.

                 

                Another way to do this rather than doing it as part of your provisioning is to add it to your agent config.

                This also assumes the agent will have connection to the core during install though.

                • 5. Re: Brokerconfig.EXE /r during Provisioning
                  Rick.Smith1 Specialist

                  Using LDMS 9.6, how do you add this to your agent config? We had the CSA specified in our agent config under 'Client Connectivity Settings', but you still had to run the broker config manually.

                   

                  We had been told previously that all you had to do was set up the client connectivity settings and it would be good, but recently we discovered that it wasn't working and had been told we would have to manually run broker config until LDMS 2016 is in place.

                  • 6. Re: Brokerconfig.EXE /r during Provisioning
                    phoffmann SupportEmployee

                    Bunch of ways to do it. Here's the basics (the variations tend to come in how the detail gets executed usually).

                     

                    One of them is through the use of MERGEINI - which essentially adds "stuff you want" to agent configurations. Documented here - "MERGEINI - What is it and how to use it - with examples to help you along".

                     

                    You can edit existing agent deployment .INI files (but those changes would get overwritten the next time someone would save an agent, thus the recommendation for Mergeini).

                     

                    Essentially, you can configure the brokerconfig as an additional file to be downloaded (/included as a file in the self-contained agent) and include it being run (/ calling a script you wrote that runs it in a specific context).

                     

                    Overall, the much "nicer" way is via LD 2016 (where each agent just "flat out" creates its own cert & you then decide whether to approve it or not & don't actually need an AD-user permission at any point).

                     

                    Does that help answer your question?

                    • 7. Re: Brokerconfig.EXE /r during Provisioning
                      Rick.Smith1 Specialist

                      Interesting, I have never used the MERGEINI stuff. I'll have to take a look.