12 Replies Latest reply on Apr 25, 2018 2:10 AM by phoffmann

    How to make mandatory Package ?

    MNABET Apprentice

      Hello,

       

      In our domain we have some applications that need to be installed after domain integration because the location of the computer will change some settings.

       

      Currently we use a script to install software in GPO, but it's too heavy (we have almost 5-6 applications like that).

       

      I would like to know if it's possible to create something like a "mandatory package distribution".

       

      Each computer in specific scope, must have a specific list of applications (installed by EPM)

       

      Thanks for your help.

        • 1. Re: How to make mandatory Package ?
          phoffmann SupportEmployee

          Yes, you can do that.

           

          Effectively there's a few ways of doing that / to help you here.

           

          One is dealing with it via a "custom vulnerability" approach (basic reading is here -- How To: Create a Custom Vulnerability Definition in Patch and Compliance Manager ).

           

          So for instance:

          • You define your "custom vulnerability" to be "you MUST have application A, B, C, D and E".
          • You set the custom vulnerability to auto-repair (based on the scope of devices that you want these applications to have).
          • You can even create a custom group for these vulnerabilities & a separate agent setting that scans JUST for this custom group of custom vulns, and then target your devices based on a query / static list or whatnot.
          • This is particularly useful if you find that people end up uninstalling things (in which case -- the "proper" solution is to remove their rights to do so).
          • The main benefit here is that you can add a LOT of logic around this (in case there's a lot of "IF x then Y" requirement for you).

           

          You can similarly do things like this via more regular policies.

          • You can define a REQUIRED policy (so doesn't need to prompt / show up) and use either a Device Group (or - better - a QUERY for your scope) and we'll resolve the query every few hours ... if a new device gets added to it, we'll add it to the target list.
          • Or you can target based on an AD-group (if that's helpful), in which case when a device checks in, it'll immediately state "Hey, I'm a member of OU=MustHaveSoftware" and get the software added to it.
          • The above tends to be a one-off though (so not a "constant check").

           

          ... that'd be the easiest options I think to address your issue?

          • 2. Re: How to make mandatory Package ?
            MNABET Apprentice

            Thanks. Is it not possible to use Software Distribution? Is Custom Vulnerability the only way?

            It's easier to update Software Distribution. My mandatory packages were updated every 3-6 months.

            • 3. Re: How to make mandatory Package ?
              phoffmann SupportEmployee

              Note the 2nd half of my reply ...

               

              You can similarly do things like this via more regular policies.

              • You can define a REQUIRED policy (so doesn't need to prompt / show up) and use either a Device Group (or - better - a QUERY for your scope) and we'll resolve the query every few hours ... if a new device gets added to it, we'll add it to the target list.
              • Or you can target based on an AD-group (if that's helpful), in which case when a device checks in, it'll immediately state "Hey, I'm a member of OU=MustHaveSoftware" and get the software added to it.
              • The above tends to be a one-off though (so not a "constant check").

               

              That is using regular software distribution policies.

               

              Depending on your requirements, I wanted to give you alternative approaches, since there's usually a lot of context not mentioned.

              • 4. Re: How to make mandatory Package ?
                MNABET Apprentice

                Sorry, my English is not really good and I do not understand everything sometimes ....

                If I understand, I make a task with a specific SCOPE or specific request, launched every day/hour etc., for computers that never launched it, and all my new computers added to my scope/request will have my "mandatory" software.

                • 5. Re: How to make mandatory Package ?
                  phoffmann SupportEmployee

                  So what version of EPM are you using? Respectively - how familiar are you with the product? I'm not trying to be judgmental here - just trying to understand if this is a language issue or if you're reasonably fresh to the product (in which case I'd take a bit of time to explain a few concepts).

                   

                  You *CAN* (re-)start the task from the Core side, but it's usually much easier just to ensure that your clients check for policies at a regular interval (and that's part of agent config).

                   

                  That way you can just "let the policy go active" ... and clients will check in periodically (when they run policysync) ... and any required policies will go down automatically.

                   

                  Both approaches will work -- just that the 2nd option (clients pulling) is easy enough to do & much more preferable overall.

                   

                  It's usually much easier to have clients PULL requests, than having the Core push them out, as a general rule.

                  • 6. Re: How to make mandatory Package ?
                    MNABET Apprentice

                    I'm new to the product; I don't know all the tips.

                    I know how to deploy a task at a specific hour or with a specific frequency, how to select a scope/request as the target, and how to deploy in push, policy or both.

                    But I don't know how I can have a task always enabled and let policysync do the job. For me, when the task is launched, all new computers do not launch the task. It's maybe very simple.

                    • 7. Re: How to make mandatory Package ?
                      phoffmann SupportEmployee

                      That's no problem - everyone needs to start learning from the same place.

                       

                      It'd help if you clarify which version you're running on, but I'll assume that you're on EPM 2016.x or 2017.x ?

                       

                      So - I'll try to explain this with a few screenshots to help back things up.

                       

                      GENERAL POINT:

                      If you're on a vaguely new version (LDMS 9.6 / EPM 2016.x or EPM 2017.x) then effectively *EVERY* task is a policy. So they all "behave the same" at the end of the day. You just have "optional" things that you can do in addition, in effect.

                       

                      PUSHING tasks:

                      This is done as an optional part of the task itself.

                       

                      This is actually "not a lot" to do, as literally all this amounts to is the Core contacting the client and saying "Hey - check for policies".

                       

                      Which the client then does, and from this point onward, it's EXACTLY the same as if the client were pulling the policy.

                       

                      This is NOT a case of "Core executes installer on the client". The Core just tells the client "check for policies", the client does so (and notices "oh, I have new stuff to do") and works this down (as detailed below).

                       

                      And you configure this HERE in the properties of a scheduled task (click on picture to see the full size version):

                       

                      PULLING:

                      So there's a few ways that clients can be "made to pull / check for policies":

                      • You have scheduled a policy sync schedule as part of agent settings (see screenshot below).
                      • You remotely or "through any other means" kick off policysync.exe on the client.
                      • You start a task on the Core as a "Push" or "Policy-supported Push" task ...

                       

                      Net effect of all those is "PolicySync" runs -- which then does the following:

                      • Gathers MACHINE context data (i.e. "what AD information is there on this MACHINE")
                      • Gathers USER-context data (sensitive to the context that "started the task").
                        This CAN be important if you want "user X" to install a policy, but you only launch policies as a LOCAL SYSTEM context for instance.
                      • Reports to the Core saying "Here's who I am - what do I need to do?"
                      • Downloads any policy files it needs to work off ...
                      • ... and works them down one at a time, reporting to the Core on how it's doing.

                       

                      And you configure this HERE in the properties of a scheduled task (click on picture to see the full size version):

                       

                      What's the difference between PUSH / POLICY / POLICY-SUPPORTED-PUSH ?

                      Not much really..

                       

                      PUSH -- "Create a policy" ++ tell clients to check for new policies as a one-off.

                       

                      POLICY -- "Create a policy" ++ don't do anything else. (Wait for clients to check in).

                       

                      POLICY-SUPPORTED-PUSH -- "Create a policy -- TRY to tell clients to check for policy updates now" ... and any clients that don't get contacted right away will be notified when they check for policies as regular.

                       

                      It's quite simple really (and the 3 different names are more for historical reasons, as PUSH <=> PULL used to have VERY different approaches in how they'd get worked down).

                       

                      Does that help clarify things for you?

                      1 of 1 people found this helpful
                      • 8. Re: How to make mandatory Package ?
                        MNABET Apprentice

                        Thanks for this summary. It makes the difference between all the options clear.

                        For the push, I understand how it works.

                        For my "mandatory package" I think the "policy" setting is the best way (as you told me).

                        So my policysync works if created task

                        For my example I have created a scope with 1 computer inside and deployed Adobe Reader with "policy". (I forced the policy with portal manager.)

                        I added a new computer inside the scope without changing the task, and the software was not installed on my new computer.

                        I tried to force policysync on my new computer but no installation is performed.

                        What must the task have inside "schedule task" for the starting time?

                        If I choose "Start now", the new computers do not take the policy (maybe because the scope is resolved only when the task is launched).

                        Must I set the task to repeat every day for computers that never tried to launch the task?

                        (Sorry, the screenshots are in French.)

                         

                        • 9. Re: How to make mandatory Package ?
                          MNABET Apprentice

                          My version is 2017.3. The only thing left to have my mandatory package is the settings inside the task: which frequency I must choose and which "start time". Must I launch only once, and all new computers will take the policy, or launch the task every hour for computers that never took the task? Maybe something else.

                          • 10. Re: How to make mandatory Package ?
                            phoffmann SupportEmployee

                            Post converted to pdf and attached for migration.

                            1 of 1 people found this helpful
                            • 11. Re: How to make mandatory Package ?
                              MNABET Apprentice

                              Thanks, your answer is very good and helpful.

                              Do the "target query" and "target scope" work the same?

                              To summarize: I create my package. I create my task, which targets my scope with "policy" settings. I launch "run now" and each new computer will install the package in this case:

                              • The core server must resolve the query (after a specific time put inside services settings).
                              • The computers run the policy sync with the settings put inside agent settings.
                              • The computer installs our software.

                              Each computer launches just once. This will delete all software installation in GPO. Thanks for your time and help.

                              • 12. Re: How to make mandatory Package ?
                                phoffmann SupportEmployee

                                Yes, Scope-based queries are the exact same as the query I've shown above.

                                 

                                They get resolved the same / with the same frequency / the same setting.

                                Just a word of caution - keep an eye on the SCHEDQRY log and especially on the line about how long it took. Example being here:

                                04/25/2018 09:08:35 INFO  2772:3 RollingLog : Total resolution time: 0h:0m:22s

                                 

                                If you resolve all queries every 60 minutes, and you'd need 65 minutes to do so (which is why we mention it in the log), you WILL run into a problem, as we start resolving queries again before we're done. Depending on how big you are / how many queries you use, this is something that MAY need to be increased (some of the larger accounts may only have it set to 4 hours, for instance).

                                 

                                Other than that, you're pretty much smooth sailing.

                                 

                                Re-try the steps / query I lined out above in your own lab, so that you get a bit more comfort factor in how the tech works with a small, controlled handful of devices.

                                 

                                That should give you more confidence in implementing your proper solution, I hope.

                                There's a lot to learn in the product -- just take it 1 step at a time. There's LOTS of useful free materials & guides on the community, use these to excel.
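
The log check described in reply 12, as an added PowerShell example (not part of the original posts and not vendor code): it parses "Total resolution time" lines in the format quoted above and flags runs that approach or exceed the query-resolve interval. The function name, the 80% warning threshold and every sample line except the quoted 09:08:35 one are assumptions made for this example.

```powershell
# Constructed sample lines, modeled on the single SCHEDQRY line quoted in the
# thread. Only the 09:08:35 line is from the page; the rest are made up.
$sampleLog = @'
04/25/2018 08:08:31 INFO  2772:3 RollingLog : Total resolution time: 0h:0m:19s
04/25/2018 09:08:35 INFO  2772:3 RollingLog : Total resolution time: 0h:0m:22s
04/25/2018 10:58:50 INFO  2772:3 RollingLog : Total resolution time: 0h:50m:48s
04/25/2018 12:13:14 INFO  2772:3 RollingLog : Total resolution time: 1h:5m:12s
'@ -split "`r?`n"

function Test-QueryResolutionTime {
    param(
        [Parameter(Mandatory)][string[]]$Line,
        [Parameter(Mandatory)][int]$IntervalMinutes,  # your configured resolve interval
        [double]$WarnRatio = 0.8                      # assumed early-warning threshold
    )
    $pattern = '^(?<stamp>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s.*' +
               'Total resolution time:\s*(?<h>\d+)h:(?<m>\d+)m:(?<s>\d+)s'
    foreach ($text in $Line) {
        $hit = [regex]::Match($text, $pattern)
        if (-not $hit.Success) { continue }   # skip unrelated log lines

        $took = New-TimeSpan -Hours ([int]$hit.Groups['h'].Value) `
                             -Minutes ([int]$hit.Groups['m'].Value) `
                             -Seconds ([int]$hit.Groups['s'].Value)
        # Share of the resolve cycle consumed; >= 1 means the next cycle
        # starts before this one has finished.
        $ratio = $took.TotalMinutes / $IntervalMinutes
        $status = if ($ratio -ge 1) { 'OVERRUN' } elseif ($ratio -ge $WarnRatio) { 'WARN' } else { 'OK' }

        [pscustomobject]@{
            Logged     = [datetime]::ParseExact($hit.Groups['stamp'].Value,
                             'MM/dd/yyyy HH:mm:ss', [cultureinfo]::InvariantCulture)
            Took       = $took
            PctOfCycle = [math]::Round($ratio * 100, 1)
            Status     = $status
        }
    }
}

# 60 minutes is the interval used in the reply's own example.
Test-QueryResolutionTime -Line $sampleLog -IntervalMinutes 60 | Format-Table -AutoSize

# Against a real log (path is a placeholder, not given in the thread):
# Test-QueryResolutionTime -Line (Get-Content '<path to SCHEDQRY log>') -IntervalMinutes 60
```

With the sample lines, the first two runs report OK, the 50m:48s run reports WARN and the 1h:5m:12s run reports OVERRUN, which is the case the reply warns about.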