12 Replies Latest reply on Jul 13, 2018 2:40 AM by phoffmann


    tlman12 Apprentice

      So I'm trying to automate some of my repetitive tasks in LANDesk (but not fully) And I'm so close I'm just stuck on 2 last components.


      I have created a program to pull and compose a list of required vulnerability updates for 2 specific Device Scopes that are either not set to Autofix and/or not in a specific Custom Group. I did this with a SQL query because there was too much to pull together that it didn't make sense to do in API alone.


      So I've figured out the API to move it to the Custom group if it is not there, but I can't figure out how to download the required patches if they are not downloaded and I can't figure out how to set the AutoFix flag for a specific Scope and not globally.


      I have no problem querying information to display from SQL but I would rather have the safety net of an API to actually make changes.


      Are my 2 missing components even possible in API?


      I am currently on LDMS 9.60 SP2 but am in the process of moving to Ivanti 2017.3 so an API that would work on both would be ideal but if it's only gonna work on 2017.3 that's fine too.

        • 1. Re: LANDesk MBSDK API
          phoffmann SupportEmployee

          So first up - make sure you're familiar with this -- Getting Started with the MBSDK (Example Scripts Included) .


          Second - the MBSDK isn't / wasn't getting any new functions / methods added to it since 9.6 - a new (REST-ful) API is slowly taking over (the LDAPI) ... but because MBSDK has had so many years of development put into it, it's still ahead of the LDAPI in terms of functionality, so we're currently having both in parallel.


          At some point, I hope to have an article like the above for the LDAPI stuff, but ... time (and many other projects on the side).


          Now - in regards to your question in particular ...


          Can patches be content be downloaded via the MBSDK?

          Yes - they can. See the method below called "DownloadPatches":




          Can you set scope-based AUTOFIX via the MBSDK?

          Regerettably - you cannot. Scope-based autofix was introduced after the introduction of LDAPI, so the MBSDK doesn't have (and won't get) that particular method. While MBSDK still will get maintenance updates (for any defects found), it will not get new functions added.


          Hope that helps?

          • 2. Re: LANDesk MBSDK API
            tlman12 Apprentice

            I have read that multiple times and I kept referring to it until I had it mostly figured out. Great document by the way.


            I did see the DownloadPatches but was confused when it said "Security Group" and when I tested the Invoke in the web interface it would come up timed out (I'm guessing now that's something in IIS?) because when I put it into my program it functioned the way I needed.


            I guess I'll just do the other part in SQL and add my own precaution layers to make sure nothing else gets modified.


            I found a while back a class for MBSDK, it was written in C and I converted it to VB.NET so I could use it and it's been working perfectly for me I just can't for the life of me remember how or where I found it. Maybe you've seen it? If not I'll try to find it again and link it. It makes calling a MBSDK method very simple though.


            Is there anything on the LDAPI like the http://coreserver/MBSDKService url that I could start poking around?

            • 3. Re: LANDesk MBSDK API
              phoffmann SupportEmployee

              I have not seen a class, sorry - though I'd argue that calling an MBSDK method via 1 line (as per my example scripts) is a reasonably painless way of getting to it .


              In regards to patch download -- all that THAT really does is ultimately call VAMINER (the binary on the Core). So depending on where your script runs -- if it's on the Core, you can just call VAMINER.EXE directly (in the ManagementSuite directory)  . Not as flash, but can be useful.


              The following 3 CMD-line switches will come in useful when calling VAMINER withwhat you have in mind. (VAMINER will continue to use whatever settings you have set - so if you configure it to "download detected patches only", you can use this after you've detected your latest round of naughtiness. Or - you can just schedule content / patch download to happen at regular intervals -- I'm assuming you've got a bigger process in mind here).


              1 - /DONTPROMPT

              => This will allow VAMINER to just run and try to download anything that's been previously enabled in the UI for downloading.


              2 - /AUTOCLOSE

              => If the the UI is to be enabled, this will automatically close the VAMINER window when it's finished downloading (otherwise, the window will need to be closed manually).


              - and/or -

              3 - /NOUI

              => If this is used instead of "/AUTOCLOSE" then no UI is displayed at all (and it won't be necessary to close the window). It's a matter of what the respective preference is.


              Also check the PDF attached to this article out -- SECB300 - Security Suite- What's Under the Hood (2016)_v5.pdf  -- especially 54 onward detail VAMINER stuff, so quite useful for you (including forcing a switch to do detected only, etc).


              A lot of the deepdive / "under the hood" stuff in the various Momentum / Interchange documents may be of interest .

              • 4. Re: LANDesk MBSDK API
                tlman12 Apprentice

                I agree with you (mostly), most of the API calls are fairly simple, but this also defines classes for return values and collections and shows what data is required in what format instead of having to look it up every time or try to memorize it all. It also creates invoke calls for running the API asynchronously (haven't really had a need for that yet, I want to stop the UI when it running a call). But over all saves a ton of time. Capture.PNG


                I'll look through that PDF

                • 5. Re: LANDesk MBSDK API
                  phoffmann SupportEmployee

                  Right - gotcha. That all makes sense. But - sadly - can't help with that .

                  • 6. Re: LANDesk MBSDK API
                    tlman12 Apprentice

                    Wouldn't expect you to, Just throwing it out there in case it was something you'd want to link too. But then like you said you'd probably have to support it to an extent.


                    You've helped more then enough. Thank you. I'll be looking forward to the full implementation of the new API

                    • 7. Re: LANDesk MBSDK API

                      Asking for a co-worker:


                      Do you have anything you can point me to for the LDAPI as far as documentation?

                      We are looking to integrate Ivanti with Service-Now.

                      This would be extremely hopeful.


                      Thank you for your time and consideration.



                      • 8. Re: LANDesk MBSDK API
                        phoffmann SupportEmployee

                        "No and yes".


                        I don't have an article as I do for the MBSDK above - it's on my "get around to it" list of things to do / research / write, but that's quite a bit of work.


                        Your best bet at the moment will be to make use of INTERCHANGE documents (where LDAPI was covered a few times). This year (2018) the lab on LDAPI was particularly good & included a good few things, but those materials aren't signed off by legal yet. The thing to look out for is "UEML 610 - Play with EPM APIs and Gain Greater Integration Using Endpoint Manager".


                        That lab walks you through authentication, using POSTMAN and such things.


                        If your colleague is used to dealing with RESTful API's, then feel free to look at last years' materials on LDAPI from Interchange, which can be found here -- Interchange 17 Labs Group -- for insance.


                        There may be some stuff for LDAPI in older Interchange docs too - here's the 2015 stuff for instance:

                        - http://cswebtools.landesk.com/downloads/interchange15/LabPresentations.zip

                        - http://cswebtools.landesk.com/downloads/interchange15/interchange15LabGuides.zip


                        I can't find much at present that's openly accessible, so am loathe to just dump it on here as I don't want to get into trouble. If you're seriously looking at the LDAPI stuff, chances are you'll need to get some documentation from dev anyway (RESTful applications are a little less happy to advertise their functions, you don't really get an equivalent to the old WSDL stuff).


                        That said, you can certainly use the older MBSDK "as is" with ServiceNow - you can use it to pull data / push actions / "get device X added to task Y" type activities plenty easy as is.


                        Keep an eye out for Interchange 2018 docs being announced - the above lab doc is the one that you'll be certainly interested in.

                        • 9. Re: LANDesk MBSDK API


                          Thanks for the response.


                          I am unable to access the Interchange 17 Labs Group, I am guessing because I wasn't at the event?

                          I attended Interchange 2016.


                          Also when I attempt to access the two zip files I get:






                          Jason Breech

                          • 10. Re: LANDesk MBSDK API
                            phoffmann SupportEmployee

                            Hmm - yep - looks like you're right ... the links aren't valid anymore & if you didn't attend the interchange, there's a strong chance you won't have access .


                            Hmmm -- OK -- how about a (slightly odd) middle-ground, but bear with me.


                            Open up a support ticket -- get the relevant support person to give me a poke, and I can swing them a bunch of documentation.


                            The reason why I don't want (/ can't) just dump it on here is that it'd be quite publically accessible and that may get me into trouble due to it being potentially non-legally signed off stuff & so on.


                            Whereas going through somewhat less formal channels, we should be fine (if you're OK with that)?


                            Otherwise, if you / your colleague aren't in a rush, subscribe to the MBSDK article, that way you'll get notified when I update it (as I will do, linking to the intended "getting started with the LDAPI" type articles as that would make sense).


                            Would that work for you ?

                            • 11. Re: LANDesk MBSDK API

                              Would that count as a support ticket that would go against our yearly allotment?




                              • 12. Re: LANDesk MBSDK API
                                phoffmann SupportEmployee

                                Huh - you have a yearly quota of tickets? That makes things more awkward.


                                I would be careful & assume that "yes" ... since it'd need to be registered somehow & thus likely end up as a ticket ... so - in all likelyhood, I would expect it to be as one.


                                How many do you get / how far through are you? If you've got (say) 20 left and only use 2 per month, given that it's July you should be OK. If you're down to (say) 2, then that's obviously trickier.