KACE Systems Management Appliance 9.1 Common Documents - Administrator Guide

About the KACE Systems Management Appliance (SMA) Getting started
Configuring the appliance
Requirements and specifications Power-on the appliance and log in to the Administrator Console Access the Command Line Console Tracking configuration changes Configuring System-level and Admin-level General Settings Configure appliance date and time settings Enable Two-Factor Authentication for all users Verifying port settings, NTP service, and website access Configuring network and security settings Configuring Agent settings Configuring session timeout and auto-refresh settings Configuring locale settings Configuring the default theme Configure data sharing preferences About DIACAP compliance requirements Configuring Mobile Device Access Enable fast switching for organizations and linked appliances Linking Quest KACE appliances Configuring history settings
Setting up and using labels to manage groups of items Configuring user accounts, LDAP authentication, and SSO Using Replication Shares Managing credentials Configuring assets
About the Asset Management component Using the Asset Management Dashboard About managing assets Adding and customizing Asset Types and maintaining asset information Managing Software assets Managing physical and logical assets Maintaining and using manual asset information Managing locations Managing contracts Managing licenses Managing purchase records
Setting up License Compliance Managing License Compliance Setting up Service Desk Configure the Cache Lifetime for Service Desk widgets Creating and managing organizations Importing and exporting appliance resources
Managing inventory
Using the Inventory Dashboard Using Device Discovery Managing device inventory
About managing devices Features available for each device management method About inventory information Tracking changes to inventory settings Managing inventory information Finding and managing devices Provisioning the KACE SMA Agent Manually deploying the KACE SMA Agent Using Agentless management Adding devices manually in the Administrator Console or by using the API Forcing inventory updates Managing MIA devices Obtaining Dell warranty information
Managing applications on the Software page Managing Software Catalog inventory
About the Software Catalog Viewing Software Catalog information Adding applications to the Software Catalog Managing License assets for Software Catalog applications Associate Managed Installations with Cataloged Software Using software metering Using Application Control Update or reinstall the Software Catalog
Managing process, startup program, and service inventory Writing custom inventory rules
Deploying packages to managed devices
Distributing software and using Wake-on-LAN Broadcasting alerts to managed devices Running scripts on managed devices Managing Mac profiles Using Task Chains
Patching devices and maintaining security
About patch management Subscribing to and downloading patches Creating and managing patch schedules Managing patch inventory Managing Dell devices and updates Maintaining device and appliance security
Using reports and scheduling notifications Monitoring servers
Getting started with server monitoring Working with monitoring profiles Managing monitoring for devices Working with alerts
Using the Service Desk
Configuring Service Desk Using the Service Desk Dashboard Managing Service Desk tickets, processes, and reports
Overview of Service Desk ticket lifecycle Creating tickets from the Administrator Console and User Console Creating and managing tickets by email Viewing tickets and managing comments, work, and attachments Merging tickets Using the ticket escalation process Using Service Desk processes Using Ticket Rules Run Service Desk reports Archiving, restoring, and deleting tickets Managing ticket deletion
Managing Service Desk ticket queues About User Downloads and Knowledge Base articles Customizing Service Desk ticket settings Configuring SMTP email servers
Maintenance and troubleshooting
Maintaining the appliance Troubleshooting the KACE SMA
Appendixes Glossary About us Legal notices

Configure security settings for the appliance

Configure security settings for the appliance

You must configure appliance security settings to enable certain capabilities such as Samba share, SSL, SNMP, SSH, database access, and FTP access.

To enable SSL, you need to have the correct SSL private key file and a signed SSL certificate. If your private key has a password, the appliance cannot restart automatically. If you have this issue, contact Quest Support at https://support.quest.com/contact-support.

NOTE: In some cases, the Firefox® browser does not display the Administrator Console login page correctly after you enable access to port 443 and restart the appliance. If that happens, clear the Firefox browser cache and cookies, then try again.
1.
Go to the appliance Control Panel:
If the Organization component is enabled on the appliance, log in to the KACE SMA System Administration Console, http://KACE_SMA_hostname/system, or select System in the drop-down list in the top-right corner of the page, then click Settings.
2.
Click Security Settings to display the Security Settings page.

Option

Description

Enable SSH

Permit SSH logins to the appliance. When SSH is enabled, SSH encrypted communications are permitted over port 22.

Enable webserver compression

Enable the appliance to compress web pages. This compression reduces the time it takes to load Administrator Console and User Console pages in the browser.

Enable inventory API access

Use API (application programming interface) commands to update inventory information. If you want to upload device information using the API, you must enable this setting. See Adding devices manually using the API.

API Password

The password for API (application programming interface) access to inventory information. This password is used only for API access and it does not need to match any other passwords.

Enable SNMP READ access

Enable unidirectional (read-only) SNMP access to managed devices on the network.

SNMP Community String

The SNMP community string that enables read-only SNMP access. The default value is public.

Enable SNMP Trap monitoring

Enable SNMP (Simple Network Management Protocol), a protocol for monitoring managed devices on a network. SNMP is supported by Dell Open Manage and many third-party products. If you do not want to receive SNMP traps from network devices, clear this option.

When you enable this feature on the appliance, and the related devices are also enabled for monitoring, the appliance can receive SNMP traps from the monitored network devices such as printers, projectors, and routers. This feature only applies to network devices managed through the SNMP-managed devices, such as agentless devices using SNMP connections.

For information on how to enable device monitoring, see Enable monitoring for one or more devices.

SNMP traps are messages initiated by network devices and sent to the trap receiver on the appliance. For example, a router can send a message when its power supply fails. Or, a printer initiates a message when it runs out of paper. The appliance receives these traps and generates alerts when certain pre-defined thresholds are reached.

SNMP version 1 or 2: This version only requires a valid community string. A community string is required to allow the appliance to receive SNMP trap messages from monitored network devices. The appliance supports multiple security strings. To add a community string, open the v1/v2 tab, click , type the community string, and click Save.
SNMP version 3: This version implements enhanced security and remote configuration features and requires a valid user name and encryption information. To add a security name, open the v3 tab, click , and provide the following information:
Security Name: The name of the User-based Security Model (USM) account that sends the SNMP trap.
Engine ID: The ID of the SNMP application engine that sends the SNMP trap.
Authentication Password: The password associated with the Security Name.
Authentication Protocol: The protocol used for authenticating the user: MD5 or SHA.
Privacy Password: The encryption key for the data packet.
Privacy Protocol: The encryption protocol: AES or DES.
Security Level: Indicates the level of security:
authPriv: The identity of the sender is verified and the information is encrypted.
authNoPriv: The identity of the sender is verified, but the information is not.
noAuthNoPriv: The identity of the sender is not verified and the information is not encrypted.

MIB Files

Upload vendor-specific MIB (management information base) files. A MIB file allows the trap receiver on the appliance to translate SNMP traps into human-readable messages. These files are optional.

To upload a MIB file, on the Security Settings page, under MIB Files, in the Upload MIB area, click Browse, and select a MIB file.
A MIB file must meet certain standards. The appliance validates every MIB file that you upload. If you upload an invalid MIB file, an error message appears along the top of the Security Settings page. If you do not want to validate the contents of the MIB file, select the Skip MIB validation check box.

Enable Secure backup files

Require username and password authentication for access to KACE SMA backup files, which are available by entering a URL in a browser.

Clear this option to enable access to backup files through a URL without username or password authentication. This is useful for external process that require access. See About appliance backups.

Enable backup via FTP

Enable access to the database backup files through a read-only FTP server. This enables you to create a process on another server to access the backup files.

If you do not need this access, clear this option.

Make FTP writable

Enable the upload of backup files using FTP. FTP is useful for backup files that are too large for the default HTTP mechanism and cause browser timeouts.

New FTP user password

Require a password for FTP access to the backup files.

Enable mDNS

Enable the appliance to respond to multicast Domain Name System (mDNS) and DNS Service Discovery (DNS-SD) requests. This option makes it easier for users and administrators to locate the Administrator Console and User Console. If you do not need the appliance to respond to these requests, clear this option.

Enable webserver diagnostic graphs

Enable the KACE SMA to display usage information for the appliance web server, such as Apache access and volume statistics. This information appears in graphs in the System Performance log. If this option is cleared, the graphs are not updated. See View appliance logs.

Enable database access

Enable users to run reports on the KACE SMA database using an external tool, such as Microsoft Access or Excel, over port 3306. If you do not need to expose the database in this way, clear this option.

Enable secure database access (SSL)

Enable SSL access to the database and access additional SSL options.

4.
In the Two-Factor Authentication section, configure the Two-Factor Authentication (2FA) feature. 2FA provides stronger security for users logging into the appliance by adding an extra step to the login process. It relies on the Google Authenticator app to generate verification codes. The app generates a new six-digit code at regular intervals. When enabled, end users will be prompted for the current verification code each time they log in.
Enable Two-Factor Authentication for the System Portal: Select this check box if you want to use 2FA for the System Administration Console. To enable 2FA for all users, select Required for all Users.
Enable Two-Factor Authentication for the Admin Portal: This option only appears if you enabled 2FA for the System Administration Console, or if your appliance has only one organization. Select this check box if you want to use 2FA for the Administrator Console. Next, specify the users that will require 2FA during login by selecting one of the following options:
Required for all Users: Appliances with one organization only. To enable 2FA for all users, select this option.
Defined by Organization: Appliances with multiple organizations only. Apply the same 2FA configuration to all users in each Organization in the Administrator Console, as applicable.
Required for all Users: Appliances with multiple organizations only. Enable 2FA for all users in the Administrator Console.
Not required: Appliances with multiple organizations only. Disable 2FA for all users in the Administrator Console.
Enable Two-Factor Authentication for the User Portal: This option only appears if you enabled 2FA for the Administrator Console. Select this check box if you want to use 2FA for the User Console. Next, specify the users that will require 2FA during login by selecting one of the following options:
Defined by Organization: Apply the same 2FA configuration to all users in each Organization in the User Console, as applicable.
Required for all Users: Enable 2FA for all users in the User Console.
Not required: Disable 2FA for all users in the User Console.
b.
Under Transition Window, specify the amount of time during which users who require 2FA will be able to bypass the 2FA configuration step.
5.
Optional: In the Appliance Encryption Key section, click Generate Key to generate a new encryption key. This key is used to enable Quest Support to access your appliance for troubleshooting using a tether. It is not necessary to generate a new key unless you believe that the current key has been compromised. See Enable a tether to Quest Support.
6.
In the Single Sign On section, specify authentication settings:

Option

Description

Disabled

Prevent the KACE SMA from using single sign on. Single sign on enables users who are logged on to the domain to access the KACE SMA Administrator Console and User Console without having to re-enter their credentials on the KACE SMA login page.

Active Directory

Use Active Directory for authentication. Active Directory uses the domain to authenticate users on the network. See Using Active Directory for single sign on.

7.
In the Samba Share Settings section, specify the following settings:

Option

Description

For appliances with the Organization component enabled:

Enable Organization File Shares

For appliances without the Organization component:

Enable File Sharing

Use the appliance's client share to store files, such as files used to install applications on managed devices.

The appliance’s client share is a built-in Windows file server that can be used by the provisioning service to assist in distributing the Samba client on your network. Quest recommends that this file server only be enabled when you perform application installations on managed devices.

Require NTLMv2 to appliance file shares

Enable NTLMv2 authentication for the KACE SMA files shares. When this is enabled, managed devices connecting to the KACE SMA File Shares require support for NTLMv2 and they authenticate to the KACE SMA using NTLMv2. Although NTLMv2 is more secure than NTLM and LANMAN, non-NTLMv2 configurations are more common and this option is usually turned off. Enabling this option disables lanman auth and ntlm auth on the Samba server. NTLMv2 Levels 1-4 are supported. If you need NTLM v2 Level 5, consider manually provisioning the KACE SMA Agent. See Manually deploying the KACE SMA Agent.

Require NTLMv2 to off-board file shares

Force certain KACE SMA functions that are supported through the Samba client, such as Agent Provisioning, to authenticate to off-board network file shares using NTLMv2. Even though NTLMv2 is more secure than NTLM and LANMAN, non-NTLMv2 configurations are more common and this option is usually disabled. Enabling this option enables the client ntlmv2 auth option for Samba client functions.

8.
Optional: In the SSL section, specify SSL settings:

Option

Description

Enable Port 80 access

Enable access to the appliance over port 80.

If you disable port 80 access, contact Quest Support to adjust the Agent deployment scripts to handle SSL.

Enable SSL

Enable managed devices to connect to the appliance using SSL (HTTPS).

Enable this setting only after you have properly deployed the appliance on your LAN in non-SSL mode.

To enable SSL, you need to load an SSL certificate as described in step 9.

Click SSL Certificate Form to generate certificate requests or load self-signed certificates. See Generate an SSL certificate.
If you have an SSL certificate and private key, click Browse or Choose File in the SSL Private Key File or SSL Certificate File fields to select them. These files must be in Privacy Enhance Mail (PEM) format, similar to those used by Apache-based web servers.
Select Enable Intermediate SSL Certificate to enable and upload intermediate SSL certificates, which are signed certificates provided by certificate issuers as proxies for root certificates. Intermediate SSL certificates must be in PEM format.
If your certificate is in PKCS-12 format, click Browse or Choose File in the PKCS-12 File field to select it, then enter the password for the file in the Password for PKCS-12 file field.
10.
In the Secure Attachments in Service Desk section, choose whether to add security for files that are attached to Service Desk tickets:
11.
Click Save and Restart Services to save changes and restart the appliance.
NOTE: In some cases, the Firefox browser does not display the Administrator Console login page correctly after you enable access to port 443 and restart the appliance. If that happens, clear the Firefox browser cache and cookies, then try again.

Configure Active Directory as the single sign on method

Configure Active Directory as the single sign on method

Active Directory single sign on enables users who are logged on to the domain to access the KACE SMA Administrator Console and User Console without having to re-enter their logon credentials each time.

Before you connect the KACE SMA to an Active Directory server, verify that:

1.
Go to the appliance Control Panel:
If the Organization component is enabled on the appliance, log in to the KACE SMA System Administration Console, http://KACE_SMA_hostname/system, or select System in the drop-down list in the top-right corner of the page, then click Settings.
2.
In the Single Sign On section of the Security Settings page, select Active Directory, then provide the following information:

Option

Description

Domain

The host name of the domain of your Active Directory® server, such as example.com.

Username

The user name of the administrator account on the Active Directory server. For example, username@example.com.

Password

The password of the administrator account on the Active Directory server.

Computer Object Container

The name of the computer object container of the administrator account on the Active Directory server.

Computer Object Name

The name of the computer object container of the administrator account on the Active Directory server.

Service Account Container

The name of the service account container of the administrator account on the Active Directory server.

3.
Click Join.

These tests do not need write access and they do not check for permission to write to any directory. In addition, these tests do not verify username and password credentials. If the credentials are incorrect, the KACE SMA might not be able to join the domain even if the tests are successful.

A message appears stating the results of the test. To view errors, if any, click Logs, then in the Log drop-down list, select Server Errors.

4.
Optional: Select Force Join to join the server to ignore errors and join the domain.
5.
Click Save and Restart Services.

When users are logged in to devices that are joined to the Active Directory domain, they can access the KACE SMA User Console without having to re-enter their credentials. If users are on devices that are not joined to the Active Directory domain, the login window appears and they can log in using a local KACE SMA user account. See Add or edit System-level user accounts.

Generate an SSL certificate

Generate an SSL certificate

You can generate a self-signed SSL certificate, or generate a certificate signing request for third-party certificates, using the Administrator Console.

1.
Go to the appliance Control Panel:
If the Organization component is enabled on the appliance, log in to the KACE SMA System Administration Console, http://KACE_SMA_hostname/system, or select System in the drop-down list in the top-right corner of the page, then click Settings.
2.
Click Security Settings to display the Security Settings page.
3.
In the SSL section, click Enable SSL.
4.
Click SSL Certificate Form to display the SSL Certificate Form page.
5.
In the Configure section, provide the following information:

Option

Description

Company Name

The name of your company.

Organization Name

The name of your organizational unit or business group.

Common Name

The common name of the appliance you are creating the SSL certificate for.

Email

Your email address.

City Name

The name of your locality.

State or Province Name

The name of your state or province.

Country Name

The name of your country.

6.
Click Save.
If this is the first time the SSL Certificate Form has been saved, the Certificate Signing Request section appears. If the form has previously been saved, the Certificate Signing Request section is updated.
1.
Copy all of the text in the Certificate Signing Request section, including the lines "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----" and everything in between, then send it to the certificate issuer or the person who provides your company with web server certificates.
1.
Click Generate Self-Signed Certificate to generate and display the certificate below the Certificate Signing Request section.
2.
Click Deploy Self-Signed Certificate, then click Yes.
3.
On the Security Settings page, click Save and Restart Services.
Self-signed certificates are converted to PEM files, named kbox.pem, and the files are placed in KACE SMA Agent data folders.
NOTE: Your private key appears in the Private Key field. It is deployed to the appliance when you deploy a valid certificate. Do not send the private key to anyone. It is displayed here in case you want to deploy this certificate to another web server.

Configuring Agent settings

Configuring Agent settings

Agent settings determine the port and security settings used by the KACE SMA Agent. These settings are specific to the Agent infrastructure and do not affect other appliance configuration settings or runtime operations.

Documents connexes