11 Replies Latest reply on Aug 10, 2009 8:55 AM by mrspike

    How to force software installation upon client detection on the network

    Rookie

      I'd like to be able to have LANDesk force X software packages to be deployed on a PC when it comes back on the network after being gone for 1 day, 1 week, 1 month.  I believe the way to do this is with "Policies" but I really have no idea how/where to go with this.  Can someone point me in the right direction of documentation explaining how to do this?  The documentation I'm currently reading about policies seems complicated and difficult to follow.

        • 1. Re: How to force software installation upon client detection on the network
          Specialist

          If I am understanding your question... and am correct myself.  It's fairly simple to do this.

           

          If you want to install X software on any machine, simply create an installation point.  Create a package pointing to the installation point.  Then create a query that will find the machines that don't have X software.

           

          Then create a scheduled task that is a policy, and associate the query you created with that scheduled task.  Then start the policy (scheduled task), and as machines check in for policies, which they should do depending on your agent settings, they should initiate the installation of X software.

          • 2. Re: How to force software installation upon client detection on the network
            Rookie

            When you say create a scheduled task that is a policy can you elaborate on what you mean?  How does a "policy scheduled task" differ from just a regular "scheduled task"?

            • 3. Re: How to force software installation upon client detection on the network
              Specialist

              Kahlid74 wrote:

               

              When you say create a scheduled task that is a policy can you elaborate on what you mean?  How does a "policy scheduled task" differ from just a regular "scheduled task"?

              Sure let me get some screen shots... give me a little bit.

              • 4. Re: How to force software installation upon client detection on the network
                Specialist

                Kahlid74 wrote:

                 

                When you say create a scheduled task that is a policy can you elaborate on what you mean?  How does a "policy scheduled task" differ from just a regular "scheduled task"?

                As I mentioned in the process of creating the scheduled task, in the delivery method you can set it as a Policy, and then based on which delivery methods work best for you, you can adjust accordingly.  For your particular question, the "Required - Once - 1" process should work (adjusting networking sections of course), as this will attempt to install the application until successful based on the Policy "check-in" schedule that the client has.

                 


                 

                Anyone else, please slap me around if I am incorrect/incomplete.

                 

                Chris

                • 5. Re: How to force software installation upon client detection on the network
                  Employee

                  CCzech is exactly right in how to set up a policy task.

                   

                  The difference between a policy task and a regular scheduled task is that with a regular scheduled task the core server is going to go find the device and tell it what to do (so the core starts the communication).  On a policy task the core server gets a list of what it wants the client to do, but then it waits for the client to contact it to find out what those tasks are (so the client starts the communication).

                   

                  The client can be scheduled to check for policies at a particular interval, or when the IP address changes (such as coming onto a network), etc.  If you set up the required policies how CCzech mentioned and have your agents set to do a policy check when the IP address changes, then it should run the task at that time.

                  • 6. Re: How to force software installation upon client detection on the network
                    Apprentice

                    Everything that has been mentioned here is accurate, however there is one tricky bit, which I'll explain at the end of this text.  The best way to execute something on a machine would be to create a policy and base it on a query:

                     

                    1- Create the Software Distribution Package you wish to run.

                    2- Create a delivery method. There are four delivery methods, however for the sake of simplicity we'll focus on two:  A 'Push' delivery method essentially runs on all available machines that are targeted when the task is scheduled to execute.  If you create a job to deploy Adobe Acrobat at noon today on 100 machines and use the push delivery method, the core server will try to communicate with each of the 100 systems and deploy the package at noon.  Systems that are off or encounter an issue during the installation will fail.  In contrast, if you use a 'Policy' delivery method under the same circumstances, at noon the core server 'Publishes' the fact that the 100 systems need to install Adobe Acrobat.  When the systems actually install the software is dictated by when the policy agent on each client checks in -- this is set in the agent configuration.  If your agent configuration tells all of your systems to check in daily between 2pm and 3pm, each system will say to the core server "I am x system with device id abcdefgh... do you have any policies that I need to run?".  If there are published policies which are targeted for that machine, the core will respond "Yes", and the clients get the details on the task they are to run.  The difference between policies and pushes is that a push delivery method is driven by the core server, and a policy is client driven.

                    3- Create a scheduled task to run the package.  The delivery method should be set to policy, based on the previous detail.

                    4- The target group should be based on a query.  If you build a query to say "Show me all machines with 1GB of RAM",  you can use that query to target systems for a scheduled job.  The nice part about this feature is that the query is re evaluated periodically, so if you had a machine that didn't have 1GB of RAM when you first scheduled the job but then upgraded it, the next time the query is evaluated it will fall into the criteria and will then be a part of the targeted systems in the job.

                     

                    The tricky bit is with building a query that says "Show me all machines that have come back onto the network after not being online for x days".  LANDesk has a field named 'Last updated by Inventory Server', which notes the last time a system has sent inventory and had it processed by the core server, however consider this:

                    - You build a query that says "return all systems that haven't been online in 2 days", based on the last updated by inventory server field.  You get 20 machines as a result.

                    - When a machine comes back online, it will send inventory and update the last updated by inventory server field.  That will remove it from the query results.  You won't be able to target it based on that query.

                     

                    That having been said, it is still possible to achieve what you are hoping to.  It requires forcing the clients to store a separate inventory value for the previous time it updated its inventory.  Then there is the question of using the LANDesk Query engine's precompiler to evaluate the two values in the database.

                     

                    If you give us some more detail on what you want to execute and the rationale behind it, we may be able to give you a more feasible way.  Is this a patch that has to be reapplied to every machine that goes off the network for more than a few days?  Is this a package that you've built yourself -- if so can you build logic into it in order to automatically flag the last install date?  LANDesk's Security and Patch Manager could use a custom definition to accomplish your task, then you could use the vulnerability scanner to do what you're trying to accomplish.  There are a few ways to approach this depending upon what you want to do.
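
The query problem described in the reply above, as an added illustration in Python (not part of the thread and not LANDesk code). The `previous_inventory` value, the function names and the two sample devices are hypothetical and constructed here; `last_inventory` stands in for the 'Last updated by Inventory Server' field.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Device:
    name: str
    last_inventory: datetime                      # 'Last updated by Inventory Server'
    previous_inventory: Optional[datetime] = None  # hypothetical extra stored value

    def send_inventory(self, now: datetime) -> None:
        # Keep the old timestamp before overwriting it, so the gap survives.
        self.previous_inventory = self.last_inventory
        self.last_inventory = now


def stale_query(devices: List[Device], now: datetime, days: int) -> List[str]:
    """Naive query: devices that have not reported inventory for `days`."""
    cutoff = now - timedelta(days=days)
    return [d.name for d in devices if d.last_inventory < cutoff]


def returned_query(devices: List[Device], now: datetime, days: int,
                   window: timedelta) -> List[str]:
    """Devices that reported within `window` after a gap longer than `days`."""
    hits = []
    for d in devices:
        if d.previous_inventory is None:
            continue
        reported_recently = now - d.last_inventory <= window
        long_gap = d.last_inventory - d.previous_inventory > timedelta(days=days)
        if reported_recently and long_gap:
            hits.append(d.name)
    return hits


def demo():
    now = datetime(2009, 8, 7, 12, 0)
    # Constructed sample fleet: one laptop away 9 days, one desktop seen daily.
    laptop = Device("LAPTOP-01", now - timedelta(days=9))
    desktop = Device("DESK-02", now - timedelta(hours=20), now - timedelta(hours=44))
    fleet = [laptop, desktop]

    before = stale_query(fleet, now, days=2)   # laptop matches while it is away
    for d in fleet:                            # both machines report inventory
        d.send_inventory(now)
    after = stale_query(fleet, now, days=2)    # laptop has dropped out of the query
    returned = returned_query(fleet, now, days=2, window=timedelta(hours=1))
    return before, after, returned


if __name__ == "__main__":
    print(demo())
```

The naive query stops matching the laptop at the moment it becomes reachable, while the two-timestamp comparison still identifies it as a machine that has just returned after a long absence.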

                    • 7. Re: How to force software installation upon client detection on the network
                      Rookie

                      What we're looking to do is set up tasks where, when a computer comes onto the network after being away or offline, updates are deployed to it.  By updates I'm pointing towards Adobe Flash/Shockwave/Reader and Sun Java, which all workstations we control have.  We want to keep up to date with the latest versions of these pieces of software.

                       

                      I would love to configure LANDesk to work how WSUS works, where within 5-15 minutes of being on the network it contacts the WSUS server and begins downloading/installing updates except, we want to do it with third party products.

                       

                      I tried using policies but it came across very inconsistent.  We have our agent set to contact the policy server when a user logs on (Max Random Interval 1 hour) or after four hours, but if I force a logon event, it takes well over 3-6 hours for the policy to try and push the application to the client.

                       

                      So really we're looking for a way to notice a client is now on the network within 15 minutes and to automatically deploy X applications when we notice the client.

                      • 8. Re: How to force software installation upon client detection on the network
                        Apprentice

                        Understood --

                         

                        Based on your feedback the actions you wish to carry out would need to be driven by the client.  Regardless of the means you use, you will need to configure the agents to run the policy agent at startup or on a higher frequency.

                         

                        LANDesk introduced the randomization feature in the agent configuration to avoid overloading the core server at times when actions would execute on all systems at once.  You are able to modify (or even delete) the randomization filter -- the local scheduler service controls when the policy agent, vulnerability scanner and inventory scanner run.  When you configure the agent in the UI to run the policy agent at startup with a maximum delay of x hours, it creates a local scheduler task on the client.  By modifying the task, you can adjust how the policy agent runs.

                         

                        If you go to a client, navigate to the ldclient directory from a command prompt and execute the following command:

                         

                        localsch.exe /tasks>tasks.txt

                         

                        A text file named tasks.txt will be created in the ldclient directory.  You want to look for a task that runs policy sync.  It will have a task ID.  You can then build a custom job script which can delete that task ID on all computers and replace it with a scheduled task that runs policy sync without the 1 hour delay.  For more details on the local scheduler service you can find information here and here.

                         

                        Keep in mind that you can use security and patch manager to keep applications like flash up to date if you have Security Suite as part of your installation.  It has features designed to do what you're trying to accomplish.

                        • 9. Re: How to force software installation upon client detection on the network
                          Rookie

                          Copy.  Have any good links for how to use/configure the Security and Patch Manager?  How do you use it for applications like Flash, where they don't release a patch, but only a full brand new executable?

                          • 10. Re: How to force software installation upon client detection on the network
                            Apprentice

                            I don't know of any particularly good docs off hand at this present moment, but try searching the forums for best known methods documents or articles related to vulscan or security and patch.

                             

                            As far as I know, applications like flash have definitions in security suite already.  The installation/patch logic is already built into the definition, so you have nothing to worry about. Do a search for the application name (such as Flash) in the definitions to see if the apps you need are covered.

                             

                            If you have a subset of applications you are particularly concerned about, you can create a custom group in the security and patch section and drop only the definitions into that scan group.  You can configure the agent to run the vulnerability scanner at startup and automatically remediate machines needing updates.

                            • 11. Re: How to force software installation upon client detection on the network
                              mrspike SSMMVPGroup

                              Kahlid,

                               

                              Flash and many other products are included in the Security Suite. True, they are not "patches" but full executables, but you just push those to "patch" the product to the latest version.

                               

                              Even when you go get these "patches" using other means, they are really full product updates, with the exception of the new Acrobat patches which are .msp files.

                               

                               

                              Here is a quick way of keeping your systems patched:

                               

                              Go to Security and Patch Manager (S&PM), expand "Groups"

                              Right click on Groups and create new group

                              Name it "Baseline Patches"

                              Now go up to "Scan" and choose the patches you want to patch and drag them to this new group

                              Once you have the patches you want to patch, right click on the "Baseline Patches" group and choose "Repair"


                              Choose "repair as a policy" and set the "scan and repair setting" to the one you want.  Give the task a name like "Baseline Patching August 2009"

                               

                              Click OK

                               

                              I would use a query to target the systems you want to patch, in our location we have servers, "normal computers" and computers that are used for scientific experiments.  The "normal computers" I can patch at almost any time, so I have a query that only includes these. If you have your AD set up with containers for this type of setup you can query that...

                               

                              Anyway, drag the query or manually drag the systems you want to target to the task

                               

                              Now right click on the task and set the delivery method to Policy (or Policy Support Push if desired) and choose a delivery method.  You should customize or create a delivery method that suits your needs before this step.  I always use one that is silent and never reboots, I let the "scan and repair" settings handle the reboots and UI

                               

                               

                              Once you are ready, right click and "start"

                               

                              Now when a system checks in it will look for policies and run these.

                               

                              Now, whenever you add new patches to the baseline group you will need to go to your existing task and right click on it, cancel it and then delete it.

                               

                              Then repeat the steps above.  Once a repair task has been created, the list of patches to include is "baked" into it; adding new patches to the baseline group will not update the task that exists, thus the need to delete the old task and create a new one.

                               

                              If you follow this method your systems should get patched with very little effort.

                               

                              We do a lot of patching in our shop; we have over 12,000 PCs and we patch almost all MS Severity rated patches, plus some NA's, plus most third party applications using LANDesk, and it works pretty darn good.

                               

                              Let me know if you have any more questions

                               

                              James