12 Replies Latest reply on Apr 25, 2018 2:10 AM by phoffmann

    How to make mandatory Package ?

    MNABET Apprentice

      Hello,

       

In our domain we have some applications that need to be installed after domain integration, because the location of the computer will change some settings.

       

Currently we use a script to install software via GPO, but it's too heavy (we have almost 5-6 applications like that).

       

I would like to know if it's possible to create something like a "mandatory package distribution".

       

Each computer in a specific scope must have a specific list of applications (installed by EPM).

       

      Thanks for your help.

        • 1. Re: How to make mandatory Package ?
          phoffmann SupportEmployee

          Yes, you can do that.

           

Effectively there are a few ways of doing that / to help you here.

           

          One is dealing with it via a "custom vulnerability" approach (basic reading is here -- How To: Create a Custom Vulnerability Definition in Patch and Compliance Manager ).

           

          So for instance:

          • You define your "custom vulnerability" to be "you MUST have application A, B, C, D and E".
          • You set the custom vulnerability to auto-repair (based on the scope of devices that you want these applications to have).
          • You can even create a custom group for these vulnerabilities & a separate agent setting that scans JUST for this custom group of custom vulns, and then target your devices based on a query / static list or whatnot.
          • This is particularly useful if you find that people end up uninstalling things (in which case -- the "proper" solution is to remove their rights to do so).
          • The main benefit here is that you can add a LOT of logic around this (in case there's a lot of "IF x then Y" requirement for you).

           

          You can similarly do things like this via more regular policies.

          • You can define a REQUIRED policy (so doesn't need to prompt / show up) and use either a Device Group (or - better - a QUERY for your scope) and we'll resolve the query every few hours ... if a new device gets added to it, we'll add it to the target list.
          • Or you can target based on an AD-group (if that's helpful), in which case when a device checks in, it'll immediately state "Hey, I'm a member of OU=MustHaveSoftware" and get the software added to it.
          • The above tends to be a one-off though (so not a "constant check").

           

... those would be the easiest options, I think, to address your issue?

          • 2. Re: How to make mandatory Package ?
            MNABET Apprentice

Thanks. Is it not possible to use Software Distribution? Is Custom Vulnerability the only way?

             

It's easier to update Software Distribution. My mandatory packages are updated every 3-6 months.

            • 3. Re: How to make mandatory Package ?
              phoffmann SupportEmployee

              Note the 2nd half of my reply ...

               

              You can similarly do things like this via more regular policies.

              • You can define a REQUIRED policy (so doesn't need to prompt / show up) and use either a Device Group (or - better - a QUERY for your scope) and we'll resolve the query every few hours ... if a new device gets added to it, we'll add it to the target list.
              • Or you can target based on an AD-group (if that's helpful), in which case when a device checks in, it'll immediately state "Hey, I'm a member of OU=MustHaveSoftware" and get the software added to it.
              • The above tends to be a one-off though (so not a "constant check").

               

              That is using regular software distribution policies.

               

              Depending on your requirements, I wanted to give you alternative approaches, since there's usually a lot of context not mentioned.

              • 4. Re: How to make mandatory Package ?
                MNABET Apprentice

Sorry, my English is not really good and I don't understand everything sometimes....

                 

If I understand correctly, I make a task with a specific SCOPE or specific request, launched every day/hour etc. for computers that have never launched it, and all my new computers added to my scope/request will have my "mandatory" software.

                • 5. Re: How to make mandatory Package ?
                  phoffmann SupportEmployee

                  So what version of EPM are you using? Respectively - how familiar are you with the product? I'm not trying to be judgmental here - just trying to understand if this is a language issue or if you're reasonably fresh to the product (in which case I'd take a bit of time to explain a few concepts).

                   

                  You *CAN* (re-)start the task from the Core side, but it's usually much easier just to ensure that your clients check for policies at a regular interval (and that's part of agent config).

                   

                  That way you can just "let the policy go active" ... and clients will check in periodically (when they run policysync) ... and any required policies will go down automatically.

                   

                  Both approaches will work -- just that the 2nd option (clients pulling) is easy enough to do & much more preferable overall.

                   

                  It's usually much easier to have clients PULL requests, than having the Core push them out, as a general rule.

                  • 6. Re: How to make mandatory Package ?
                    MNABET Apprentice

I'm new to the product, I don't know all the tips.

I know how to deploy a task at a specific hour or with a specific frequency, how to select a scope/request for the target, and how to deploy in push, policy or both.

                     

But I don't know how I can have the task always enabled and let the policysync do the job. For me, when the task is launched, new computers do not launch the task. It's maybe very simple.

                    • 7. Re: How to make mandatory Package ?
                      phoffmann SupportEmployee

That's no problem - everyone needs to start learning from the same place.

                       

                      It'd help if you clarify which version you're running on, but I'll assume that you're on EPM 2016.x or 2017.x ?

                       

                      So - I'll try to explain this with a few screenshots to help back things up.

                       

                      GENERAL POINT:

                      If you're on a vaguely new version (LDMS 9.6 / EPM 2016.x or EPM 2017.x) then effectively *EVERY* task is a policy. So they all "behave the same" at the end of the day. You just have "optional" things that you can do in addition, in effect.

                       

                      PUSHING tasks:

                      This is done as an optional part of the task itself.

                       

                      This is actually "not a lot" to do, as literally all this amounts to is the Core contacting the client and saying "Hey - check for policies".

                       

                      Which the client then does, and from this point onward, it's EXACTLY the same as if the client were pulling the policy.

                       

                      This is NOT a case of "Core executes installer on the client". The Core just tells the client "check for policies", the client does so (and notices "oh, I have new stuff to do") and works this down (as detailed below).

                       

                      And you configure this HERE in the properties of a scheduled task (click on picture to see the full size version):

                       

                      PULLING:

                      So there's a few ways that clients can be "made to pull / check for policies":

                      • You have scheduled a policy sync schedule as part of agent settings (see screenshot below).
                      • You remotely or "through any other means" kick off policysync.exe on the client.
                      • You start a task on the Core as a "Push" or "Policy-supported Push" task ...

                       

                      Net effect of all those is "PolicySync" runs -- which then does the following:

                      • Gathers MACHINE context data (i.e. "what AD information is there on this MACHINE")
                      • Gathers USER-context data (sensitive to the context that "started the task").
                        This CAN be important if you want "user X" to install a policy, but you only launch policies as a LOCAL SYSTEM context for instance.
                      • Reports to the Core saying "Here's who I am - what do I need to do?"
                      • Downloads any policy files it needs to work off ...
                      • ... and works them down one at a time, reporting to the Core on how it's doing.

                       

                      And you configure this HERE in the properties of a scheduled task (click on picture to see the full size version):

                       

                      What's the difference between PUSH / POLICY / POLICY-SUPPORTED-PUSH ?

Not much really...

                       

                      PUSH -- "Create a policy" ++ tell clients to check for new policies as a one-off.

                       

                      POLICY -- "Create a policy" ++ don't do anything else. (Wait for clients to check in).

                       

POLICY-SUPPORTED-PUSH -- "Create a policy -- TRY to tell clients to check for policy updates now" ... and any clients that don't get contacted right away will be notified when they check for policies as regular.

                       

                      It's quite simple really (and the 3 different names are more for historical reasons, as PUSH <=> PULL used to have VERY different approaches in how they'd get worked down).

                       

                      Does that help clarify things for you?

                      • 8. Re: How to make mandatory Package ?
                        MNABET Apprentice

Thanks for this summary. It makes the difference between all the options clear to understand.

For the push, I understand how it works.

                         

For my "mandatory package" I think the "policy" setting is the best way (as you told me).

                         

So my policysync works if I created the task.

For my example I have created a scope with 1 computer inside and deployed Adobe Reader with "policy". (I forced the policy with Portal Manager.)

                         

                         

I added a new computer inside the scope without changing the task, and the software was not installed on my new computer.

I tried to force policysync on my new computer, but no installation is performed.

                         

What must the task have inside "schedule task" for the starting time?

If I choose "Start now", the new computers don't take the policy (maybe because the scope is resolved only when the task is launched).

                         

Must I set the task to repeat every day for computers that have never tried to launch the task?

                         

(Sorry, the screenshots are in French.)

                         

                        • 9. Re: How to make mandatory Package ?
                          MNABET Apprentice

My version is 2017.3. The only last thing to have my mandatory package is the settings inside the task. Which frequency must I choose and which "start time"? Must I launch it only once and all new computers will take the policy, or launch the task every hour for computers that have never taken the task? Maybe something else.

                          • 10. Re: How to make mandatory Package ?
                            phoffmann SupportEmployee

                            OK - so this will be a bit longer, but I'll walk you through things from start to finish.

                             

                            I want to deploy a policy -- (this is a batch that "just calls NOTEPAD.EXE" and is run in LOGGED ON USER context, so that the process is seen). And I want to do so dynamically, adding devices that meet certain criteria. Here's how this works.

                             

                            NOTE -- click on the pictures to see the full-size image.

                             

                            First off - my batch files:

                             

                            ... nothing amazing here (one calls CALC, the other calls NOTEPAD. They're nice for testing). To ensure you SEE (and can CLOSE the window), ensure this setting is set:

                             

                            Now I want a Query ... I want to dynamically add devices to the task. In this case, to keep things nice & controlled, I wanted to ensure that "only devices that sent inventory TODAY" will get used/added to this task.

                             

                            So here's my query:

                            "Computer"."Last Updated By Inventory Server" > "GetDate()-1"

The "GetDate() -1" means "Get CURRENT date && reduce it by 1". So "anything that's been updated since YESTERDAY" (dynamically) is the target of that query.

                             

                            At the moment, only 2 devices are resolved by this query (which is what I want to demonstrate things). These are my Core (Atreyu) and a Win-7 client.

                             

                            Now - under CONFIGURE SERVICES...

                             

                            Note THIS setting...

                             

                            ... this configures how long the Core waits between re-running queries attached to tasks. 1 Hour is the default minimum.

                             

                            ====================

                             

                            So - I'm creating my SWD task, and I target the QUERY I created above.

                             

                            ... I set the task up as a policy-supported push ...

                             

                            ... and I make sure that I run the policy AUTOMATICALLY (so I don't have to deal with Launchpad stuff -- it just automatically comes down):

                             

                            ... and now I can start the task (with "just my 2 devices" for now). Note that I do *NOT* set it to re-start (though I could if I wanted, there's no need):

                             

                            ======================

                             

                            On my Win-7 client, the SWD task kicks off (I've got UI enabled to make it more visible)

                             

                            ... and Notepad Launches (in USER CONTEXT!).

                             

                            Yay. Now we can close it ... and get a notification (again, I enabled this in my agent setting) that the task is done.

                             

                            After repeating this on my Core, I've got a task with devices that are all completed. Yay. These 2 devices were dealt with via the PUSH side of things. Now that that's done with, anything new will be set as a POLICY for devices.

                             

                            So - how do I get "a new device in"?

                             

                            Well - for my query, I just need to run inventory on my Win-10 client ...

                             

                            ... and now it resolves as part of the query (I re-ran the query by hand here to show the results):

                             

                            .... after waiting for 1 hour (and the scheduler re-resolving the task + query), note that my task has changed. I now have a PENDING device (the blue bar).

                             

Here's why -- my scheduler service has re-resolved my queries (check the SCHEDQRY.LOG under MANAGEMENTSUITE\LOG):

                             

                            ... how do I know that my Task ID is # 12 ? Easy - that's displayed as part of the task itself...

                             

                            So - now that the NEW device has been automatically added and is in PENDING status -- what needs to happen?

                             

                            1 thing. The client needs to check for policies (by running POLICYSYNC.EXE). In this case, I run it by hand ...

                             

                            ... I'm showing you the log & log-entries on the client that are associated with this to help you along.

                             

                            And after having NOTEPAD opened & closing it, our task is done ... (the time lag was because I had to use my lab for other stuff in the meantime).

                             

                            ===============

                             

                            • So - as long as you make a policy REQUIRED, it'll get pushed down and "just installed".
                            • If you use QUERIES (either DB-queries, or LDAP queries), things get resolved DYNAMICALLY ... and automatically added to tasks.
                            • So you don't need to "DO" anything. As long as you configure things properly, it'll all happen automatically.

                             

                            That should about cover it.

                            • 11. Re: How to make mandatory Package ?
                              MNABET Apprentice

                              Thanks, your answer is very good and helpful.

                               

Do the "target query" and "target scope" work the same?

                               

To summarise, I create my package. I create my task which targets my scope with "policy" settings. I launch "run now" and each new computer will install the package in this case:

• The core server must resolve the query (after the specific time set inside the services settings).
• The computers run the policy sync with the settings set inside the agent settings.
• The computer installs our software.

                               

Each computer launches it just once. This will remove all software installation from GPO. Thanks for your time and help.

                              • 12. Re: How to make mandatory Package ?
                                phoffmann SupportEmployee

                                Yes, Scope-based queries are the exact same as the query I've shown above.

                                 

They get resolved the same / with the same frequency / the same setting.

                                 

Just a word of caution - keep an eye on the SCHEDQRY log and especially on the line about how long it took. Example being here:

                                04/25/2018 09:08:35 INFO  2772:3 RollingLog : Total resolution time: 0h:0m:22s

                                 

                                If you resolve all queries every 60 minutes, and you'd need 65 minutes to do so (which is why we mention it in the log), you WILL run into a problem, as we start resolving queries again before we're done. Depending on how big you are / how many queries you use, this is something that MAY need to be increased (some of the larger accounts may only have it set to 4 hours, for instance).

                                 

                                Other than that, you're pretty much smooth sailing.

                                 

                                Re-try the steps / query I lined out above in your own lab, so that you get a bit more comfort factor in how the tech works with a small, controlled handful of devices.

                                 

That should give you more confidence in implementing your proper solution, I hope.

                                 

There's a lot to learn in the product -- just take it 1 step at a time. There are LOTS of useful free materials & guides on the community; use these to excel.
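The "Total resolution time" caution above is easy to check automatically. The following is an added example, not Ivanti code and not part of the thread: a small Python script that reads SCHEDQRY.LOG lines in the format quoted in the reply, extracts each resolution time, and compares it with the query re-resolution interval configured under Configure Services (60 minutes is the default named earlier in the thread). Any run that takes as long as, or longer than, the interval is flagged as an overlap (the scheduler would start resolving again before it is done); runs above half the interval are flagged as a warning. The sample log lines are constructed for the example (only the first one is quoted from the thread), the line format is assumed from that single quoted line, and the `suggest_interval_minutes` rule of thumb (double the slowest run, rounded up to whole hours, never below the 1-hour minimum) is the example's own assumption, not a product recommendation.

```python
import math
import re
from datetime import datetime

# Assumed line format, taken from the single SCHEDQRY.LOG line quoted in the thread:
# "04/25/2018 09:08:35 INFO  2772:3 RollingLog : Total resolution time: 0h:0m:22s"
RESOLUTION_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) .*?"
    r"Total resolution time: (?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s\s*$"
)

# Constructed sample log: line 1 is the one quoted in the thread, the rest are made up.
SAMPLE_LOG = [
    "04/25/2018 09:08:35 INFO  2772:3 RollingLog : Total resolution time: 0h:0m:22s",
    "04/25/2018 10:08:12 INFO  2772:3 RollingLog : Resolving task 12",  # noise, ignored
    "04/25/2018 10:43:22 INFO  2772:3 RollingLog : Total resolution time: 0h:35m:10s",
    "04/25/2018 12:13:05 INFO  2772:3 RollingLog : Total resolution time: 1h:5m:0s",
]


def parse_resolution_seconds(line):
    """Return (timestamp, seconds) for a 'Total resolution time' line, else None."""
    m = RESOLUTION_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%m/%d/%Y %H:%M:%S")
    secs = int(m.group("h")) * 3600 + int(m.group("m")) * 60 + int(m.group("s"))
    return ts, secs


def check_resolution_log(lines, interval_minutes=60, warn_ratio=0.5):
    """Classify every resolution run against the configured re-resolution interval.

    Returns a list of (timestamp, seconds, level) where level is
    'OK', 'WARN' (over warn_ratio of the interval) or 'OVERLAP' (>= interval).
    """
    interval = interval_minutes * 60
    findings = []
    for line in lines:
        parsed = parse_resolution_seconds(line)
        if parsed is None:
            continue  # not a resolution-time line
        ts, secs = parsed
        if secs >= interval:
            level = "OVERLAP"
        elif secs >= warn_ratio * interval:
            level = "WARN"
        else:
            level = "OK"
        findings.append((ts, secs, level))
    return findings


def suggest_interval_minutes(max_seconds, headroom=2.0):
    """Rule of thumb (an assumption of this example, not a product figure):
    give the slowest run `headroom` times its duration, rounded up to whole hours,
    and never go below the 1-hour minimum mentioned in the thread."""
    needed_minutes = max_seconds * headroom / 60.0
    hours = max(1, int(math.ceil(needed_minutes / 60.0)))
    return hours * 60


if __name__ == "__main__":
    results = check_resolution_log(SAMPLE_LOG, interval_minutes=60)
    for ts, secs, level in results:
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {secs:5d}s  {level}")
    slowest = max(secs for _, secs, _ in results)
    print(f"slowest run: {slowest}s -> suggested interval: "
          f"{suggest_interval_minutes(slowest)} minutes")
```

To run it against a real Core, replace `SAMPLE_LOG` with the lines of `MANAGEMENTSUITE\LOG\SCHEDQRY.LOG` and pass the interval you actually configured under Configure Services; an `OVERLAP` result is the situation the reply warns about, and a growing `WARN` trend is the early sign that the interval (or the number and complexity of task queries) needs attention before it gets there.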