3 Replies Latest reply on Mar 15, 2018 8:30 AM by phoffmann

    Updating software based on inventory scan results?

    marypha Rookie

      Hi there-  I'm a pretty new admin, so still learning what it can and can't do... basically, I've been asked to accomplish the following:

      1. Immediately scan any workstation when it boots up.
      2. Determine whether or not it has the specific version of software (Citrix Receiver) that we currently support.
      3. If necessary, either downgrade or update the endpoint based on whatever was scanned into the inventory.

      I'm not really seeing, nor finding an article for, an obvious way to accomplish this and I'm wondering if it's something EPM (Landesk) can even do.  We also have workspace management (appsense).. again with a fresh new admin who is still learning, and part of me wonders if that is a better way of accomplishing this task?

      TIA!

        • 1. Re: Updating software based on inventory scan results?
          phoffmann SupportEmployee

          Heyas - welcome to the "greater" Ivanti family & the community.

          No problem at all with your request. Just as a simple request/guideline for the future -- please always state what major/minor version you're on (i.e. "I'm on EPM 2017.3 + SU1" or so), as depending on what your question / issue is, there MAY be differences or fine points or known issues or somesuch.

          For the AppSense side of things -- I'd suggest that you re-post your question(s) for AppSense stuff in the AppSense section of the community as well (it's a completely separate community, they won't be looking here ... we make it appear to be all "under one roof" but it's still actually separate systems as we try to figure out how to move them together).

          Meanwhile, I can have a stab at helping you with the EPM based question(s).

          Now - on to your questions.


          ====================

          As an introductory statement, something I've been saying for the last 10+ years now, is that "pretty much for ANYTHING you can do with LANDesk/EPM, there's at least 3 completely different ways to achieve the same thing".

          I'll highlight a few different ways I'd approach your problem, to give you a few options which you can then decide whether or not you like the sound of.

          • Can we scan at boot-up?

            Absolutely we can. This can be done via a cmd-line entry in the RUN-key, something in the users' logon script or so.

            However, boot-up is usually a "sensitive" time (and users tend to complain that "LANDesk is slowing my computer down") if we have to run a full software scan during boot up. So ... I would advise caution here. There are better ways of tackling this problem that don't require an inventory scan at all (so you can continue doing inventory scans during "quiet" times).

            What I'd suggest doing instead is a "Custom Vulnerability". "But isn't that a patching thing?" I hear you say ... well - "yes and no". Custom vulnerabilities are *FANTASTICALLY* abusable for all manner of things, and I think your specific scenario is hiding quite a few potential annoyances, so I think it's a good idea to give you more freedom.

            First up -- make sure you read this -- How To: Create a Custom Vulnerability Definition in Patch and Compliance Manager.

            ... next step would be to create a "custom vulnerability ONLY" agent behaviour ... (with / without UI, etc - the important thing is that you ONLY scan for custom vulnerabilities and/or ONLY scan for a specific group of "vulnerabilities" so as to keep things quick).

            ... and finally the last step would be to create a "scan task" for this, so that you can snatch the command line, which should look something like so:

            {Path-to-LDCLIENT-dir}\vulscan.exe /AgentBehavior={AgentBehaviorID}

            So for example:

            "C:\Program Files (x86)\LANDesk\LDCLIENT\vulscan.exe" /AgentBehavior=AgentBehavior_ATREYU_v1683.xml


            For more information on vulscan's command line options, see here -- About Vulscan switches for Windows clients.
            You'll find all agent behaviours on the Core here -- C:\Program Files\LANDesk\ManagementSuite\ldlogon\AgentBehaviors\ (assuming you installed to the default location)!

            After having created the "custom vulns only" behaviour as "the latest one", just sort the directory by modified date.

          • Determining whether a specific version is acceptable
            You can do this in pretty much "whatever way you like". This is "you're detecting that the device is vulnerable" (/non-compliant) ... you can even use as simple a check as "file X *MUST* be version Y" ... doesn't HAVE to be super sophisticated. If you can nail it down to a single file, with a single version ... use that.


            You have the choice of going quite sophisticated if you need to, though, in a custom detection script!

            So "up to you" how complex or how simple you want it to be here.

            Since Patch related info is usually about a MINIMUM version, you can either do a custom script (in the scripting language of by and large your preference), or use something like a checksum value instead!


          • How to act on "non-compliant" versions...
            By and large, this is "the patch" you're looking for.

            You need to define the file(s) to download & what commands to be run.

            I'd suggest including something about killing off any relevant processes ... and you can then mark the "vulnerability", as it were, to be "autofix"-ed automatically.

            This can then also include any "force"-type switches in case you need to downgrade your software thing "by force" ... or uninstall it first, or whatnot.

            ==========================

          • Why I'm not recommending a policy / "regular" software package ....
            So we *do* have policies ... and you *CAN* run a pre-req query for those (essentially, you'd be after a "Software X != my desired version") ... and you could run/force that policy to apply/check every day. Absolutely - doable.

            Here's the section that you'd do it in as part of a software package: (Ignore the fact that I've not got anything in here - I'm just pointing you in the right direction)

            (click on the picture for a bigger version -- in effect, you're creating a LANDesk query here)

            ... but I suspect that you'll find more "freedom" with a Custom Vulnerability overall. Plus - the fact that you can configure JUST a scan for custom vulnerabilities (which should be pretty fast) allows you to do something pretty light, yet have "all of the power" that you need (i.e. - killing off processes, etc), and effectively all you'd need to do is to treat your "intended version" as the "patch".

            Also - vulscan will be guaranteed to be "in real time", so that seems more useful for your scenario!

          ... right - try that as a starter for 10?
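          The three steps above (detect whether the installed Citrix Receiver is the supported version, kill the relevant processes, then run the installer to upgrade or downgrade) sketched out as one PowerShell script. This is an added example for the thread, not code from the original reply or from Ivanti/LANDesk; the supported version number, file path, process names, installer path and installer switches are all placeholders you'd swap for your own, and the exit-code convention at the bottom is the script's own, to be mapped to whatever your custom vulnerability definition expects.

          ```powershell
          # Added example (not from the original post or from Ivanti): a detection /
          # remediation pair in the spirit of the "custom vulnerability" approach.
          # Everything marked ASSUMED or placeholder must be replaced with your values.

          param(
              [switch]$Remediate    # without this switch the script only detects
          )

          # ASSUMED placeholders: the version you actually support and where it lives.
          $SupportedVersion = [version]'0.0.0.0'
          $TargetFile       = 'C:\Program Files (x86)\Citrix\ICA Client\wfica32.exe'     # assumed file
          $InstallerPath    = '\\fileserver\share\CitrixReceiver.exe'                    # placeholder
          $InstallerArgs    = @('/silent', '/noreboot')                                  # placeholder switches
          $ProcessNames     = @('Receiver', 'concentr', 'wfcrun32', 'SelfServicePlugin') # assumed names

          function Get-InstalledVersion {
              param([string]$Path)
              if (-not (Test-Path -LiteralPath $Path)) { return $null }
              $raw = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
              # FileVersion strings sometimes carry trailing text; keep only the numeric part.
              if ($raw -match '^\s*(\d+(\.\d+){1,3})') { return [version]$Matches[1] }
              return $null
          }

          function Test-Compliance {
              param($Installed, [version]$Wanted)
              # Exact match on purpose: the question needs to DOWNGRADE as well as
              # upgrade, so a "minimum version" style check would miss newer builds.
              return ($null -ne $Installed) -and ($Installed -eq $Wanted)
          }

          function Invoke-Remediation {
              # Stop anything that would hold files open, then run the installer and wait.
              Get-Process -Name $ProcessNames -ErrorAction SilentlyContinue |
                  Stop-Process -Force -ErrorAction SilentlyContinue
              if (-not (Test-Path -LiteralPath $InstallerPath)) {
                  throw "Installer not found: $InstallerPath"
              }
              $p = Start-Process -FilePath $InstallerPath -ArgumentList $InstallerArgs -Wait -PassThru
              return $p.ExitCode
          }

          $installed = Get-InstalledVersion -Path $TargetFile
          $compliant = Test-Compliance -Installed $installed -Wanted $SupportedVersion
          Write-Host ("Installed: {0}  Wanted: {1}  Compliant: {2}" -f $installed, $SupportedVersion, $compliant)

          # Script's own exit-code convention (map it to your definition's expectations):
          if ($compliant)       { exit 0 }   # 0 = compliant, nothing to do
          if (-not $Remediate)  { exit 1 }   # 1 = non-compliant, detection only

          $rc    = Invoke-Remediation
          $after = Get-InstalledVersion -Path $TargetFile
          if (Test-Compliance -Installed $after -Wanted $SupportedVersion) { exit 0 }
          Write-Warning "Remediation ran (installer exit $rc) but version is still $after"
          exit 2                             # 2 = remediation did not reach the target version
          ```

          Run it without `-Remediate` as the detection half (exit 1 means "vulnerable"), and with `-Remediate` as the repair half. The version check is deliberately "file X must be exactly version Y", as suggested above; the post-install re-check is the part that tells you whether the "patch" actually took, which is what you'd want logged rather than just the installer's own return code.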

          • 2. Re: Updating software based on inventory scan results?
            marypha Rookie

            Whoah - I'll step through all of this through the weekend/next week and check back in.  Thank you so much for taking the time - this is super helpful!

            • 3. Re: Updating software based on inventory scan results?
              phoffmann SupportEmployee

              Happy to help.

              You've got a bit of a learning curve ahead of you, but it's worth it.

              Just ... take it a bite at a time. Don't let the possibilities overwhelm you.