KACE Systems Management Appliance 9.1 Common Documents - Administrator Guide

Tracking changes to Mac profile settings

If History subscriptions are configured to retain information, you can view the details of the changes made to settings, assets, and objects. This information includes the date the change was made and the user who made the change, which can be useful during troubleshooting.

See About history settings.

Adding, editing, and uploading Mac profiles

You can add Mac user and system profiles to the KACE SMA, and you can edit Mac profiles as needed. In addition, you can upload MOBILECONFIG files that contain the configuration information to the KACE SMA.

Add or edit Mac user profiles

You can add Mac user profiles to the KACE SMA using the Administrator Console. User profiles contain configuration settings that apply to users, such as email settings. User profiles that have been added to the appliance can be deployed to Agent-managed Mac OS X devices running version 10.8, 10.9, or 10.10.

NOTE: You can edit the payloads of profiles you have configured in the Administrator Console. However, you cannot view or edit the payloads of profiles that have been uploaded to the Administrator Console.
1. Go to the Mac Profile Detail page:
   a. Log in to the KACE SMA Administrator Console, http://KACE_SMA_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.
   b. On the left navigation bar, click Scripting, then click Mac Profiles.
   c. Click Choose Action > New User Profile.
2. In the General Options section, provide the following information:

Option

Description

Profile Name

The name to be displayed on the Mac Profiles list. This name does not need to be unique, but it should be descriptive enough for you to identify the profile in a list.

Description

Additional information about the profile, such as its configuration settings or its intended use.

User ability to remove profile

Whether users can remove the profile from their devices. Options include:

Never: Users are not allowed to remove the profile.
Always: Users are allowed to remove the profile any time without entering a password.
With Password: Users are allowed to remove the profile provided that they enter the password associated with the profile.

Automatically remove profile

Whether the profile will be removed automatically after a specified amount of time. This action is useful when you are configuring devices that need to have different profiles after a specific date, such as the end of a school semester. Options include:

Never: The profile is not scheduled to be removed automatically.
On Date: The profile is scheduled to be removed automatically on the specified date. Dates must be specified in mm/dd/yyyy format.
After: The profile is scheduled to be removed after the specified amount of time has passed. Time can be specified in days or hours.
3. Optional: In the Payloads section, add or edit configuration settings for Exchange, LDAP, or Mail.

Option

Description

Account Name

The name used to identify the account.

User

The name of the user.

Email Address

The address to use for the email account.

Password

The password of the email account.

Internal Exchange Host and Port

The hostname of the internal Exchange server and the port used for email communication.

External Exchange Host and Port

The hostname of the external Exchange server and the port used for email communication.

Internal Server Path

The path to the server on the internal network.

External Server Path

The path to the server on the external network.

Use SSL for Internal Exchange Host

Whether to use Secure Sockets Layer for email transmitted within the domain.

Use SSL for External Exchange Host

Whether to use Secure Sockets Layer for email transmitted outside the domain.

Option

Description

Account Description

The name of the LDAP account, such as Example Corporation LDAP Account.

Account Username

The username of the account to be used to log in to the LDAP server.

Account Password

The password of the account to be used to log in to the LDAP server.

Account Hostname

The hostname or IP address of the LDAP server.

Use SSL

Whether to use Secure Sockets Layer for connections to the LDAP server.

Search Settings

The settings used to search for information on the LDAP server.

Information that differentiates the search information in a list.

The depth of the search. Whether the search will be conducted on:

Base: Includes objects in the base or zero level only.
One Level: Includes objects immediately subordinate to the base, but not including the base.
Subtree: Includes objects in the base and subtree.

Search Base: The location in the directory from which the search begins. The Search Base specifies a location or container in the LDAP or Active Directory structure, and the criteria should include all the users that you want to authenticate. Enter the Base DN as the most specific combination of OUs, DCs, or CNs that matches your criteria, ordered from left (most specific) to right (most general). For example, this path leads to the container with users that you need to authenticate:

OU=end_users,DC=company,DC=com.

Option

Description

Account Description

The name of the account, such as Example Corporation Mail Account.

Account Type

The protocol (POP or IMAP) used to access the account.

User Display Name

How the user's name appears in the From field in email messages.

Email Address

The user's email address.

Incoming Mail Server and Port

The hostname or IP address and port number used for incoming mail.

Outgoing Mail Server and Port

The hostname or IP address and port number used for outgoing mail. Use the following standard port assignments:

Incoming Mail User Name

The username to use for the incoming mail server.

Outgoing Mail User Name

The username to use for the outgoing mail server.

Incoming Mail Authentication Type

The method of authenticating the user for incoming mail. Authentication types include Password, MD5 Challenge-Response, NTLM, and HTTP MD5 Digest.

Outgoing Mail Authentication Type

The method of authenticating the user for outgoing mail. Authentication types include Password, MD5 Challenge-Response, NTLM, and HTTP MD5 Digest.

Incoming mail use SSL

Whether to use Secure Sockets Layer for mail delivered to the user account.

Outgoing mail use SSL

Whether to use Secure Sockets Layer for mail sent from the user account.

4. (Optional) In the Deploy section, select the target devices for the profile:

Option

Description

All Devices

Distribute the profile to all KACE SMA Agent-managed devices running a supported version of Mac OS X (version 10.8, 10.9, or 10.10). If the Organization component is enabled on your appliance, this distribution includes all supported Mac devices in the selected organization.

Labels

Distribute the profile only to the devices in the labels that you select. Limiting the distribution to labels, especially Smart Labels, helps to ensure that profiles are applied appropriately.

To use this option, you must already have created labels or Smart Labels. See Adding Smart Labels for devices.

Devices

Distribute the profile to the supported Mac OS X devices that you select (version 10.8, 10.9, or 10.10). To search for devices, begin typing in the field.

Operating Systems

The operating systems on which the application runs. Applications are deployed only to devices with the selected operating systems.

a. Click Manage Operating Systems.
b. In the Operating Systems dialog box that appears, select the OS versions in the navigation tree, as applicable.

You can select OS versions by their family, product, architecture, or build version. You can choose a specific build version, or a parent node, as needed. Selecting a parent node in the tree automatically selects the associated child nodes. This behavior allows you to select any future OS versions, as devices are added or upgraded in your managed environment. For example, to select all current and future build versions associated with a Mac 10.11 El Capitan x86 architecture, under Mac > 10.11 El Capitan, select x86.

Remove All

Remove all selected devices from the Devices list in this section.

5. In the Schedule section, select the options for distributing the profile to target devices:

Option

Description

None

Do not distribute the profile on a schedule. Profiles that have their schedules set to None have a status of Disabled on the Mac Profiles list. However, profiles whose schedule is set to None can still be deployed if you select Run Now at the bottom of the page.

Every n minutes/hours

Run at a specified interval.

Every day/specific day at HH:MM

Run daily at a specified time, or run on a designated day of the week at a specified time.

Run on the nth of every month/specific month at HH:MM

Run on the same day every month, or a specific month, at the specified time.

Run on the nth weekday of every month/specific month at HH:MM

Run on the specific weekday of every month, or a specific month, at the specified time.

Custom

Run according to a custom schedule.

Use standard 5-field cron format (extended cron format is not supported):

Use the following when specifying values:

Spaces ( ): Separate each field with a space.
Asterisks (*): Include the entire range of values in a field with an asterisk. For example, an asterisk in the hour field indicates every hour.
Commas (,): Separate multiple values in a field with a comma. For example, 0,6 in the day of the week field indicates Sunday and Saturday.
Hyphens (-): Indicate a range of values in a field with a hyphen. For example, 1-5 in the day of the week field is equivalent to 1,2,3,4,5, which indicates Monday through Friday.
Slashes (/): Specify the intervals at which to repeat an action with a slash. For example, */3 in the hour field is equivalent to 0,3,6,9,12,15,18,21. The asterisk (*) specifies every hour, but /3 restricts this to hours divisible by 3.

Examples:

View Task Schedule

Click to view the task schedule. The Task Schedule dialog box displays a list of scheduled tasks. Click a task to review the task details. For more information, see View task schedules.

6. In the Deployment Options section, select the options for prompting users about the profile installation:

Option

Description

Runtime prompt for logged-in users

When the Agent begins the profile installation, a prompt is displayed to users who are logged in to the target device.

Login prompt for all users

Whenever users log in to the target device, they are prompted to install the profile if they have not done so already.

Both runtime and login prompts

When the Agent begins the profile installation, users who are logged in to the target device are prompted to install the profile if they have not done so already. Users who log in after the script runs are also prompted to install the profile.

Option

Description

Save

Save the profile and return to the Mac Profiles list.

Run Now

On target devices that have an active Agent connection to the appliance, install the profile now according to the selected deployment options. See Using the Run and Run Now commands.

Duplicate

Create a copy of the profile with Copy of prepended to the profile name. This option is not available for new profiles that have not yet been saved. See Add Mac profiles using existing profiles as templates.

Remove

Create a profile that can be used to remove the profile from target devices. This option is not available for new profiles that have not yet been saved. See Remove Mac profiles from managed devices.

Delete

Remove the profile from the KACE SMA. This does not remove the profile from devices on which it is installed, and this option is not available for new profiles that have not yet been saved. See Delete Mac profiles from the KACE SMA.

Cancel

Discard changes and return to the Mac Profiles list.

Add or edit Mac system profiles

You can add Mac system profiles to the KACE SMA using the Administrator Console. System profiles contain configuration settings that apply to devices, such as passcode requirements. System profiles that have been added to the appliance can be deployed to Agent-managed Mac OS X devices running version 10.8, 10.9, or 10.10.

Prerequisite: You have established policies for accessing apps and setting passcodes.

NOTE: You can edit the payloads of system profiles you have configured in the Administrator Console. However, you cannot view or edit the payloads of profiles that have been uploaded to the Administrator Console.
1. Go to the Mac Profile Detail page:
   a. Log in to the KACE SMA Administrator Console, http://KACE_SMA_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.
   b. On the left navigation bar, click Scripting, then click Mac Profiles.
   c. Click Choose Action > New System Profile.
2. In the General Options section, provide the following information:

Option

Description

Profile Name

The name to be displayed on the Mac Profiles list. This name does not need to be unique, but it should be descriptive enough for you to identify the profile in a list.

Description

Additional information about the profile, such as its configuration settings or its intended use.

User ability to remove profile

Whether users can remove the profile from their devices. Options include:

Never: Users are not allowed to remove the profile.
Always: Users are allowed to remove the profile any time without entering a password.
With Password: Users are allowed to remove the profile provided that they enter the password associated with the profile.

Automatically remove profile

Whether the profile will be removed automatically after a specified amount of time. This is useful when you are configuring devices that need to have different profiles after a specific date, such as the end of a school semester. Options include:

Never: The profile is not scheduled to be removed automatically.
On Date: The profile is scheduled to be removed automatically on the specified date. Dates must be specified in mm/dd/yyyy format.
After: The profile is scheduled to be removed after the specified amount of time has passed. Time can be specified in days or hours.
3. In the Payloads section, add or edit Gatekeeper configuration information.

Option

Description

Allow Apps Downloaded From

Whether users are allowed to download apps from:

Mac App Store: Users can download apps only from the Mac App Store.
Mac App Store and Identified Developers: Users can download apps from the Mac App Store and from developers who have digitally signed their apps with a unique Developer ID from Apple.
Anywhere: Users can download apps from anywhere without restriction.

Don't allow user to override Gatekeeper setting

Whether users are allowed to modify the app download settings.

4. Add or edit Passcode configuration information.

NOTE: In this section, the term passcode is synonymous with the term password.

Option

Description

Allow simple value

Allow users to select passcodes with character sequences that are repeating, ascending, or descending.

Require alphanumeric value

Require users to select passcodes that contain at least one letter and one number.

Minimum passcode length

The smallest number of characters allowed in passcodes.

Minimum number of complex characters

The smallest number of non-alphanumeric characters, such as * or !, allowed in passcodes.

Maximum number of failed attempts

The number of times users can enter incorrect passcodes to unlock devices before being locked out of their accounts.

Maximum grace period for device lock

When system settings specify that devices should be locked after a period of inactivity, this setting provides a window of time during which users can unlock their devices without entering their passcodes. After the grace period expires, users must enter their passcodes to unlock devices.

Maximum passcode age in days

The number of days after which passcodes must be changed.

Passcode history

The number of passcodes that must be unique before a passcode can be reused.

Delay after failed login attempts in minutes

The number of minutes that must pass before users can attempt to log in after reaching the maximum number of failed login attempts.

5. In the Deploy section, select the target devices for the profile:

Option

Description

All Devices

Distribute the profile to all KACE SMA Agent-managed devices running a supported version of Mac OS X (version 10.8, 10.9, or 10.10). If the Organization component is enabled on your appliance, this includes all supported Mac devices in the selected organization.

Labels

Distribute the profile only to the devices in the labels that you select. Limiting the distribution to labels, especially Smart Labels, helps to ensure that profiles are applied appropriately.

To use this option, you must already have created labels or Smart Labels. See Adding Smart Labels for devices.

Devices

Distribute the profile to the supported Mac OS X devices that you select (version 10.8, 10.9, or 10.10). To search for devices, begin typing in the field.

Operating Systems

The operating systems on which the application runs. Applications are deployed only to devices with the selected operating systems.

a. Click Manage Operating Systems.
b. In the Operating Systems dialog box that appears, select the OS versions in the navigation tree, as applicable.

You can select OS versions by their family, product, architecture, or build version. You can choose a specific build version, or a parent node, as needed. Selecting a parent node in the tree automatically selects the associated child nodes. This behavior allows you to select any future OS versions, as devices are added or upgraded in your managed environment. For example, to select all current and future build versions associated with a Mac 10.11 El Capitan x86 architecture, under Mac > 10.11 El Capitan, select x86.

Remove All

Remove all devices from the Devices list in this section.

6. In the Schedule section, select the options for distributing the profile to target devices:

Option

Description

None

Do not distribute the profile on a schedule. Profiles that have their schedules set to None have a status of Disabled on the Mac Profiles list. However, profiles whose schedule is set to None can still be deployed if you select Run Now at the bottom of the page.

Every n minutes/hours

Run at a specified interval.

Every day/specific day at HH:MM

Run daily at a specified time, or run on a designated day of the week at a specified time.

Run on the nth of every month/specific month at HH:MM

Run on the same day every month, or a specific month, at the specified time.

Custom

Run according to a custom schedule.

Use standard 5-field cron format (extended cron format is not supported):

Use the following when specifying values:

Spaces ( ): Separate each field with a space.
Asterisks (*): Include the entire range of values in a field with an asterisk. For example, an asterisk in the hour field indicates every hour.
Commas (,): Separate multiple values in a field with a comma. For example, 0,6 in the day of the week field indicates Sunday and Saturday.
Hyphens (-): Indicate a range of values in a field with a hyphen. For example, 1-5 in the day of the week field is equivalent to 1,2,3,4,5, which indicates Monday through Friday.
Slashes (/): Specify the intervals at which to repeat an action with a slash. For example, */3 in the hour field is equivalent to 0,3,6,9,12,15,18,21. The asterisk (*) specifies every hour, but /3 restricts this to hours divisible by 3.

Examples:
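
The following Python sketch is an added illustration, not part of the original guide and not KACE code. It applies the field rules listed for the Custom schedule option (in both the user profile and system profile procedures) and rejects any schedule that does not have exactly five fields. The field ranges are the standard cron ranges, accepting numeric values only is an assumption of this sketch, and the schedule shown is constructed.

```python
import re

# Standard cron ranges, assumed here because the guide's field diagram
# is not present on this page. Day of week: 0 = Sunday ... 6 = Saturday.
FIELDS = (
    ("minute", 0, 59),
    ("hour", 0, 23),
    ("day_of_month", 1, 31),
    ("month", 1, 12),
    ("day_of_week", 0, 6),
)

# One comma-separated item: "*", "N" or "N-M", optionally followed by "/step".
ITEM = re.compile(r"(\*|\d+(?:-\d+)?)(?:/(\d+))?")


def expand_field(expr, lo, hi):
    """Return the sorted values selected by one cron field."""
    selected = set()
    for item in expr.split(","):
        match = ITEM.fullmatch(item)
        if match is None:
            raise ValueError(f"unsupported syntax: {item!r}")
        base, step = match.group(1), match.group(2)
        if base == "*":
            start, end = lo, hi
        elif "-" in base:
            start, end = (int(n) for n in base.split("-"))
        elif step is None:
            start = end = int(base)
        else:
            raise ValueError(f"a step needs '*' or a range: {item!r}")
        if not lo <= start <= end <= hi:
            raise ValueError(f"{item!r} is outside {lo}-{hi}")
        if step is not None and int(step) < 1:
            raise ValueError(f"step must be at least 1: {item!r}")
        selected.update(range(start, end + 1, int(step or 1)))
    return sorted(selected)


def parse_schedule(schedule):
    """Validate a 5-field schedule and map each field name to its values."""
    parts = schedule.split()
    if len(parts) != 5:
        raise ValueError(f"expected 5 fields, got {len(parts)}")
    return {
        name: expand_field(part, lo, hi)
        for part, (name, lo, hi) in zip(parts, FIELDS)
    }


if __name__ == "__main__":
    # Constructed schedule: every third hour, on the hour, Monday to Friday.
    for name, values in parse_schedule("0 */3 * * 1-5").items():
        print(f"{name:13} {values}")
```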

Option

Description

Save

Save the profile and return to the Mac Profiles list.

Run Now

On target devices that have an active Agent connection to the appliance, install the profile now according to the selected deployment options. See Using the Run and Run Now commands.

Duplicate

Create a copy of the profile with Copy of prepended to the profile name. This option is not available for new profiles that have not yet been saved. See Add Mac profiles using existing profiles as templates.

Remove

Create a profile that can be used to remove the profile from target devices. This option is not available for new profiles that have not yet been saved. See Remove Mac profiles from managed devices.

Delete

Remove the profile from the KACE SMA. This does not remove the profile from devices on which it is installed, and this option is not available for new profiles that have not yet been saved. See Delete Mac profiles from the KACE SMA.

Cancel

Discard changes and return to the Mac Profiles list.
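
Because the payloads of uploaded profiles cannot be viewed in the Administrator Console, it helps to review a MOBILECONFIG file before uploading it. The following Python sketch is an added example, not part of the original guide and not KACE code; it checks the Passcode and Gatekeeper settings described above in an unsigned profile. The mapping from console options to Apple payload keys, the sample profile, and the minimum-length baseline are assumptions of this example.

```python
import plistlib

# Constructed sample (not from the guide): a trimmed, unsigned profile using
# Apple's payload types for the Passcode and Gatekeeper settings.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.mac.baseline",  # placeholder
    "PayloadContent": [
        {
            "PayloadType": "com.apple.mobiledevice.passwordpolicy",
            "allowSimple": True,           # Allow simple value
            "requireAlphanumeric": False,  # Require alphanumeric value
            "minLength": 6,                # Minimum passcode length
            "maxFailedAttempts": 10,       # Maximum number of failed attempts
        },
        {
            "PayloadType": "com.apple.systempolicy.control",
            "EnableAssessment": False,     # Allow Apps Downloaded From: Anywhere
        },
    ],
})


def audit_profile(data, min_length=8):
    """Return findings for an unsigned .mobileconfig supplied as bytes.

    min_length is an example baseline, not a value from the guide.
    """
    profile = plistlib.loads(data)
    findings = []
    gatekeeper_set = override_locked = False
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype == "com.apple.mobiledevice.passwordpolicy":
            if payload.get("allowSimple", True):
                findings.append("passcode: simple values are allowed")
            if not payload.get("requireAlphanumeric", False):
                findings.append("passcode: alphanumeric value is not required")
            if payload.get("minLength", 0) < min_length:
                findings.append(f"passcode: minimum length is below {min_length}")
            if "maxFailedAttempts" not in payload:
                findings.append("passcode: failed attempts are not limited")
        elif ptype == "com.apple.systempolicy.control":
            gatekeeper_set = True
            if payload.get("EnableAssessment") is False:
                findings.append("gatekeeper: apps are allowed from anywhere")
        elif ptype == "com.apple.systempolicy.managed":
            override_locked = bool(payload.get("DisableOverride", False))
    if gatekeeper_set and not override_locked:
        findings.append("gatekeeper: users can override the setting")
    return findings


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print(finding)
```

Signed profiles are wrapped in a CMS envelope and must be unwrapped before plistlib can read them.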
