Chat now with support
Chat with Support

KACE Systems Management Appliance 13.2 Common Documents - Administrator Guide

About the KACE Systems Management Appliance Getting started
Configuring the appliance
Requirements and specifications Power-on the appliance and log in to the Administrator Console Access the Command Line Console Tracking configuration changes Configuring System-level and Admin-level General Settings Configure appliance date and time settings Managing user notifications Enable Two-Factor Authentication for all users Verifying port settings, NTP service, and website access Configuring network and security settings Configuring Agent settings Configuring session timeout and auto-refresh settings Configuring locale settings Configuring the default theme Configure data sharing preferences About DIACAP compliance requirements Configuring Mobile Device Access Enable fast switching for organizations and linked appliances Linking Quest KACE appliances Configuring history settings
Setting up and using labels to manage groups of items Configuring user accounts, LDAP authentication, and SSO Deploying the KACE Agent to managed devices Using Replication Shares Managing credentials Configuring assets
About the Asset Management component Using the Asset Management Dashboard About managing assets Adding and customizing Asset Types and maintaining asset information Managing Software assets Managing physical and logical assets Maintaining and using manual asset information Managing locations Managing contracts Managing licenses Managing purchase records
Setting up License Compliance Managing License Compliance Setting up Service Desk Configure the Cache Lifetime for Service Desk widgets Creating and managing organizations Importing and exporting appliance resources
Managing inventory
Using the Inventory Dashboard Using Device Discovery Managing device inventory
About managing devices Features available for each device management method About inventory information Tracking changes to inventory settings Managing inventory information Finding and managing devices Registering KACE Agent with the appliance Provisioning the KACE Agent Manually deploying the KACE Agent Using Agentless management Adding devices manually in the Administrator Console or by using the API Forcing inventory updates Managing MIA devices Obtaining Dell warranty information
Managing applications on the Software page Managing Software Catalog inventory
About the Software Catalog Viewing Software Catalog information Adding applications to the Software Catalog Managing License assets for Software Catalog applications Associate Managed Installations with Cataloged Software Using software metering Using Application Control Update or reinstall the Software Catalog
Managing process, startup program, and service inventory Writing custom inventory rules
Deploying packages to managed devices
Distributing software and using Wake-on-LAN Broadcasting alerts to managed devices Running scripts on managed devices Managing Mac profiles Using Task Chains
Patching devices and maintaining security
Using the Security Dashboard About patch management Subscribing to and downloading patches Creating and managing patch schedules Managing patch inventory Managing Windows Feature Updates Managing Dell devices and updates Managing Linux package upgrades Maintaining device and appliance security Manage quarantined file attachments
Using reports and scheduling notifications Monitoring servers
Getting started with server monitoring Working with monitoring profiles Managing monitoring for devices Working with alerts
Using the Service Desk
Configuring Service Desk Using the Service Desk Dashboard Managing Service Desk tickets, processes, and reports
Overview of Service Desk ticket lifecycle Creating tickets from the Administrator Console and User Console Creating and managing tickets by email Viewing tickets and managing comments, work, and attachments Merging tickets Using the ticket escalation process Using Service Desk processes Using Ticket Rules Run Service Desk reports Archiving, restoring, and deleting tickets Managing ticket deletion
Managing Service Desk ticket queues About User Downloads and Knowledge Base articles Customizing Service Desk ticket settings Configuring SMTP email servers
Maintenance and troubleshooting
Maintaining the appliance Troubleshooting the appliance
Appendixes Glossary About us Legal notices

Discovering devices on your network

Discovering devices on your network

To discover devices, you can scan your network by creating a Discovery Schedule. The Discovery Schedule specifies the protocols to use during the scan, the IP Address range to be scanned, and the frequency of the scan.

Depending on what you want out of a discovery scan and what devices you are working with, you can choose from various Discovery types.

Thorough Discovery: You can use this type of discovery to get more device information than what is available from the "what and where" type. See Add a Discovery Schedule for a thorough scan of managed Windows, Mac, Linux, and UNIX computers.
External Integration Discovery: A different type of thorough discovery that is aimed at certain computer devices that are not Windows-, Mac Os X-, or Linux-based. For more information, see:

You can scan for devices across a single subnet or multiple subnets. You can also define a scan to search for devices listening on a particular port.

When adding Discovery Schedules, you should balance the scope of the scan (the number of IP addresses you are scanning) with the depth of the probe (the number of attributes you are scanning), so that you do not overwhelm the network or the appliance. For example, if you need to scan a large number of IP addresses frequently, keep the number of ports, TCP/IP connections, and so on, relatively small. As a rule, scan a particular subnet no more than once every few hours.

Add a Discovery Schedule to perform a quick "what and where" scan of your network

Add a Discovery Schedule to perform a quick "what and where" scan of your network

Use one of the available schedules to quickly obtain Discovery Results that show the availability of devices.

This type of Discovery scans for any device type in your network: managed computers or non-computer devices.

If you want to add an Nmap Discovery Schedule, there are several issues to consider. See Things to take into consideration with Nmap discovery.

1.
Go to the Discovery Schedule Detail page:
a.
Log in to the appliance Administrator Console, https://appliance_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.
b.
On the left navigation bar, click Inventory, then click Discovery Schedules.
c.
Select Choose Action > New.
2.
Select the Discovery Type to display the form with the options for the selected type.
Ping. DNS Lookup and Ping discovery options appear.
Socket. DNS Lookup and Socket discovery options appear.
Active Directory. DNS Lookup and Active Directory discovery options appear.
External Integration [KACE Cloud Mobile Device Manager, G Suite, Workspace ONE]. KACE Cloud Mobile Device Manager, G Suite, and Workspace ONE discovery options appear.
Authenticated [WinRM, SNMP, SSH, VMware, Hyper-V]. DNS Lookup, Relay, WinRM, Hyper-V, VMM, SNMP, SSH, and VMware discovery options appear.
Nmap. DNS Lookup and Nmap discovery options appear.
Custom. DNS Lookup, Ping, Nmap, WinRM, SNMP, SSH, and VMware discovery options appear.
3.
In the Name field, enter a name for the scan.
This name appears on the Discovery Schedules page.
4.
In the IP Address Range field, enter an IP address range to scan. Use hyphens to specify individual IP address class ranges. For example, type 192.168.2-5.1-200 to scan for all IP addresses between 192.168.2-5.1 and 192.168.2-5.200, inclusive.

Option

Item

Description

DNS Lookup

Enable Discovery to identify the name of the device. DNS Lookup is important if you want device names to appear in the Discovery Results and Inventory lists. You can select the DNS Lookup options for each Discovery type.

Name Server for Lookup

The hostname or IP address of the name server.

Timeout

The time, in seconds, after which a DNS lookup expires. If an address is not found during this time, the process “times out.”

Relay

Enable a KACE Agent to act as a tunnel WinRM, SSH and SNMP traffic to the agent connection protocol for WinRM, SSH and SNMP discovery schedules, agentless inventory, and agent provisioning.

Relay Device

Specify the device that you want to use as a relay for agentless device inventory.

A relay device that is used during discovery as a relay is used for agentless inventory, when a new device is provisioned automatically from discovery results.

Selected relay devices are listed on the following pages:

On the Agentless Device Connection Details page, when a new device is provisioned automatically from discovery results. For more information about this page, see Enable Agentless management by entering device information manually.
On the Provisioning Schedule Detail page, when agent provisioning is initiated from discovery results. For more information, see Install the KACE Agent on a device or multiple devices.
On the Agentless Device Connection Details page, when a new device is provisioned automatically from discovery results. For more information about this page, see Enable Agentless management by entering device information manually.

Ping

Perform a ping test during the network scan. During this test, the appliance sends a ping test to determine whether a system responds.

Socket

Perform a connection test during the network scan. During this test, the appliance sends a packet to the port to determine whether the port is open.

TCP Port List

Enable a port scan using TCP (Transmission Control Protocol). Use a comma to separate each port number.

UDP Port List

Enable a port scan using UDP (User Datagram Protocol). Use a comma to separate each port number.

Active Directory

Enable the appliance to check for device information on an Active Directory server. During Active Directory scans, the status is indicated as an approximate percentage instead of the number of devices scanned.

Use Secure LDAP (LDAPS)

Enable the appliance to use a secure port for LDAP communication.

Privileged User

The username of the administrator account on the Active Directory server. For example, username@example.com.

Privileged User Password

The password of the administrator account on the Active Directory server.

Search Context

The criteria used to search for devices. This criteria specifies a location or container in the Active Directory structure to be searched. Enter the most specific combination of OUs, DCs, or CNs that match your criteria, ranging from left (most specific) to right (most general). For example: DC=company,DC=com

KACE Cloud Mobile Device Manager

This option allows you to access mobile devices such as smart phones and tablets connected to the KACE Cloud Mobile Device Manager (MDM). You must obtain a tenant name and a Secret Key from the KACE Cloud MDM in order to access the devices associated with it.

Tenant Name

The name of the tenant on the KACE Cloud MDM associated with the devices that you want to manage.

Credentials

The details of the account that is used to connect to the KACE Cloud MDM device. Select an existing credential from the drop-down list, or select Add new credential to add a new credential, as required.

For more information, see Add and edit Secret Key credentials.

Auto Provision Devices

If selected, all mobile devices discovered in the next scan are added to inventory.

G Suite

Working with G Suite devices requires credentials that grant the appliance access to a Google Apps Domain using the Admin SDK API. You must obtain a Client ID and a Client Secret from Google so that you can get an approval code for the appliance to use.

Discover Chrome Devices

If selected, any Chrome devices will be discovered in the next scan.

Discover Mobile Devices

If selected, any G Suite mobile devices will be discovered in the next scan.

Credentials

The details of the account that is used to connect to the Chrome device. Select an existing credential from the drop-down list, or select Add new credential to add a new credential, as required. The selected credential must have an approval code that can be associated with the appropriate device type. For example, if you want to discover G Suite mobile devices, you cannot use a credential whose approval code is generated for Chrome devices.

For more information, see Add and edit Google Workspace credentials.

Auto Provision Devices

If selected, all Chrome and mobile devices discovered in the next scan are added to inventory.

Workspace ONE

VMware® Workspace ONE® is an enterprise-level mobility management platform that allows you to manage a wide range of different device types.

Host

The host name of the Workspace ONE administration console.

REST API Key

The REST API key, available in the Workspace ONE administration console. The key must be provided to enable integration with Workspace ONE through API calls.

Credentials

The details of the service account required to connect to the device and run commands. Select an existing credential from the drop-down list, or select Add new credential to add a new credential, as required.

See Add and edit User/Password credentials.

Auto Provision Devices

If selected, all Workspace ONE devices discovered in the next scan are added to inventory.

WinRM, Hyper-V, VMM

WinRM is the connection type to use for Windows devices.

Timeout

The time, in seconds, up to 1 minute, after which the connection is closed if there is no activity.

Require Kerberos

If selected, Kerberos is required for authentication. NTLM will not be used as an alternative when Kerberos is unavailable.

Using Kerberos requires DNS Lookup to be enabled in the same discovery configuration. The DNS Server is also required in the local appliance network settings.

Scan for Hyper-V and Virtual Machine Manager

If selected, the appliance imports a Microsoft Hyper-V or System Center Virtual Machine Manager infrastructure using agentless management. For more information about this feature, see Add a Discovery Schedule for a Microsoft Hyper-V or System Center Virtual Machine Manager.

Port

If this field is left blank, the default port 5985 is used.

Credentials

The details of the service account required to connect to the device and run commands. Select an existing credential from the drop-down list, or select Add new credential to add a new credential, as required.

See Add and edit User/Password credentials.

SNMP

SNMP (Simple Network Management Protocol) is a protocol for monitoring managed devices on a network.

SNMP Full Walk

Enable a Full Walk of data in the MIB (management information base) on devices. If this option is cleared, the appliance does a Bulk GET, which searches three core OIDs (object identifiers). When selecting this option, be aware that a Full Walk can take up to 20 minutes per device. The default, Bulk GET, takes approximately one second and acquires all of the information needed for Discovery.

Timeout

The time, in seconds, after which the scan ends if no response is returned.

Maximum Attempts

The number of times the connection is attempted.

Credentials(SNMPv1/v2)

The details of the SNMP v1/v2 credentials required to connect to the device and run commands. Select an existing credential from the drop-down list, or select Add new credential to add a new credential, as required.

See Add and edit SNMP credentials.

Credentials(SNMPv3)

The details of the SNMP v3 credentials required to connect to the device and run commands. Select an existing credential from the drop-down list, or select Add new credential to add a new credential, as required.

See Add and edit SNMP credentials.

SSH

Use the SSH protocol with authentication.

Timeout

The time, up to 5 minutes, after which the connection is closed if there is no activity.

Try SSH2 Connection

Enable the SSH2 protocol for connecting to and communicating with devices.

Use SSH2 if you want device communications to be more secure (recommended).

Credentials

The details of the service account required to connect to the device and run commands. Select an existing credential from the drop-down list, or select Add new credential to add a new credential, as required.

See Add and edit User/Password credentials.

VMware

Timeout

The time after which the scan ends if no response is returned.

Credentials

The details of the service account required to connect to the device and run commands. Select an existing credential from the drop-down list, or select Add new credential to add a new credential, as required.

See Add and edit User/Password credentials.

Nmap

Timeout

The time after which the scan ends if no response is returned.

Fast Scan

Enable the appliance to quickly scan 100 commonly used ports. If this option is cleared, all available TCP ports are scanned, which can take much longer than the fast scan.

Nmap Operating System Detection (Best Guess)

Enable the appliance to detect the operating system of the device based on fingerprinting and port information. This option might increase the time required for the scan.

TCP Port Scan

Enable a port scan using TCP (Transmission Control Protocol) of 1000 commonly used TCP ports. If this option is cleared, and UDP is selected, the appliance performs a UDP scan. If both TCP and UDP are cleared, the appliance uses a TCP scan.

If you select this option, Quest recommends that you set the Timeout value to 10 minutes to decrease the likelihood of erroneous results.

Do not combine this scan with the Fast Scan option. Doing so results in only 100 commonly used ports being scanned.

UDP Port Scan

Enable a port scan using UDP (User Datagram Protocol) of up to 1000 UDP ports. UDP scans are generally less reliable, and have lower processor overhead, than TCP scans because TCP requires a handshake when communicating with devices whereas UDP does not. However, UDP scans might take longer than TCP scans, because UDP sends multiple packets to detect ports, whereas TCP sends a single packet.

If you select this option, Quest recommends that you set the Timeout value to 30 minutes to decrease the likelihood of erroneous results.

Do not combine this scan with the Fast Scan option. Doing so results in only 100 commonly used ports being scanned.

If this option is cleared, the appliance does not scan ports using UDP.

6.
Optional: Enter an email address for being notified of when the discovery scan completes. The email includes the name of the discovery schedule.

Option

Description

None

Run in combination with an event rather than on a specific date or at a specific time.

Every n hours

Run at a specified interval.

Every day/specific day at HH:MM

Run daily at a specified time, or run on a designated day of the week at a specified time.

Run on the nth of every month/specific month at HH:MM

Run on the same day every month, or a specific month, at the specified time.

Run on the nth weekday of every month/specific month at HH:MM

Run on the specific weekday of every month, or a specific month, at the specified time.

Custom

Run according to a custom schedule.

Use standard 5-field cron format (extended cron format is not supported):

Use the following when specifying values:

Spaces ( ): Separate each field with a space.
Asterisks (*): Include the entire range of values in a field with an asterisk. For example, an asterisk in the hour field indicates every hour.
Commas (,): Separate multiple values in a field with a comma. For example, 0,6 in the day of the week field indicates Sunday and Saturday.
Hyphens (-): Indicate a range of values in a field with a hyphen. For example, 1-5 in the day of the week field is equivalent to 1,2,3,4,5, which indicates Monday through Friday.
Slashes (/): Specify the intervals at which to repeat an action with a slash. For example, */3 in the hour field is equivalent to 0,3,6,9,12,15,18,21. The asterisk (*) specifies every hour, but /3 restricts this to hours divisible by 3.

Examples:

View Task Schedule

Click to view the task schedule. The Task Schedule dialog box displays a list of scheduled tasks. Click a task to review the task details. For more information, see View task schedules.

8.
Click Save.
Things to take into consideration with Nmap discovery

For successful outcomes with Nmap discovery, there are some issues to consider and best practices to adopt to improve speed and accuracy and to avoid problems.

Best practices for improving the speed and accuracy of discovery

To improve the speed and accuracy of Nmap discovery:

Avoid using DNS Lookup. DNS Lookup can slow down scan times by up to 500 percent if you specify an invalid or unreachable IP address for the DNS.
Run one discovery type at a time. Although it is possible to run multiple discovery types simultaneously, doing so can extend the length of a run and can cause erratic OS detection results.
Select Nmap Operating System Detection (Best Guess) if you are unsure what to run. This selection can give you a reasonable view into your subnet or subnets. At a minimum, using Best Guess can identify what OSs are on what devices. If you do not get the expected results, for example if some devices appear with unknown as the Operating System, try increasing the timeout value and rerunning the discovery.
Discovery does not work correctly through a VPN. Use another source for access to the devices.

Issues that can impede discovery

Be aware that devices that are offline or otherwise inaccessible at the time of a scan are ignored because they appear to be nonexistent.

If you know that there are devices that should be reported, but are not, they are either:

Some devices, typically security devices, hide themselves from view, or misrepresent themselves to avoid detection.

Troubleshooting unknown operating systems

If the Operating System appears as unknown in the Discovery Results list page:

Check to see if the Nmap checkmark is present in the Nmap column. If not, the device was offline during the scan, and the operating system could not be determined.
If the Nmap checkmark is present, but the Operating System is unknown, the most likely cause is a firewall that is blocking the ports that Nmap is using to determine what OS is running on the device.

For example, if you scan using only UDP ports 7 and 161, the device appears online with the Nmap checkmark displayed. However, the Operating System appears unknown, because UDP ports alone are not sufficient to determine what OS is running on the device.

Things to take into consideration with Nmap discovery

Add a Discovery Schedule to perform a quick "what and where" scan of your network

Use one of the available schedules to quickly obtain Discovery Results that show the availability of devices.

This type of Discovery scans for any device type in your network: managed computers or non-computer devices.

If you want to add an Nmap Discovery Schedule, there are several issues to consider. See Things to take into consideration with Nmap discovery.

1.
Go to the Discovery Schedule Detail page:
a.
Log in to the appliance Administrator Console, https://appliance_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.
b.
On the left navigation bar, click Inventory, then click Discovery Schedules.
c.
Select Choose Action > New.
2.
Select the Discovery Type to display the form with the options for the selected type.
Ping. DNS Lookup and Ping discovery options appear.
Socket. DNS Lookup and Socket discovery options appear.
Active Directory. DNS Lookup and Active Directory discovery options appear.
External Integration [KACE Cloud Mobile Device Manager, G Suite, Workspace ONE]. KACE Cloud Mobile Device Manager, G Suite, and Workspace ONE discovery options appear.
Authenticated [WinRM, SNMP, SSH, VMware, Hyper-V]. DNS Lookup, Relay, WinRM, Hyper-V, VMM, SNMP, SSH, and VMware discovery options appear.
Nmap. DNS Lookup and Nmap discovery options appear.
Custom. DNS Lookup, Ping, Nmap, WinRM, SNMP, SSH, and VMware discovery options appear.
3.
In the Name field, enter a name for the scan.
This name appears on the Discovery Schedules page.
4.
In the IP Address Range field, enter an IP address range to scan. Use hyphens to specify individual IP address class ranges. For example, type 192.168.2-5.1-200 to scan for all IP addresses between 192.168.2-5.1 and 192.168.2-5.200, inclusive.

Option

Item

Description

DNS Lookup

Enable Discovery to identify the name of the device. DNS Lookup is important if you want device names to appear in the Discovery Results and Inventory lists. You can select the DNS Lookup options for each Discovery type.

Name Server for Lookup

The hostname or IP address of the name server.

Timeout

The time, in seconds, after which a DNS lookup expires. If an address is not found during this time, the process “times out.”

Relay

Enable a KACE Agent to act as a tunnel WinRM, SSH and SNMP traffic to the agent connection protocol for WinRM, SSH and SNMP discovery schedules, agentless inventory, and agent provisioning.

Relay Device

Specify the device that you want to use as a relay for agentless device inventory.

A relay device that is used during discovery as a relay is used for agentless inventory, when a new device is provisioned automatically from discovery results.

Selected relay devices are listed on the following pages:

On the Agentless Device Connection Details page, when a new device is provisioned automatically from discovery results. For more information about this page, see Enable Agentless management by entering device information manually.
On the Provisioning Schedule Detail page, when agent provisioning is initiated from discovery results. For more information, see Install the KACE Agent on a device or multiple devices.
On the Agentless Device Connection Details page, when a new device is provisioned automatically from discovery results. For more information about this page, see Enable Agentless management by entering device information manually.

Ping

Perform a ping test during the network scan. During this test, the appliance sends a ping test to determine whether a system responds.

Socket

Perform a connection test during the network scan. During this test, the appliance sends a packet to the port to determine whether the port is open.

TCP Port List

Enable a port scan using TCP (Transmission Control Protocol). Use a comma to separate each port number.

UDP Port List

Enable a port scan using UDP (User Datagram Protocol). Use a comma to separate each port number.

Active Directory

Enable the appliance to check for device information on an Active Directory server. During Active Directory scans, the status is indicated as an approximate percentage instead of the number of devices scanned.

Use Secure LDAP (LDAPS)

Enable the appliance to use a secure port for LDAP communication.

Privileged User

The username of the administrator account on the Active Directory server. For example, username@example.com.

Privileged User Password

The password of the administrator account on the Active Directory server.

Search Context

The criteria used to search for devices. This criteria specifies a location or container in the Active Directory structure to be searched. Enter the most specific combination of OUs, DCs, or CNs that match your criteria, ranging from left (most specific) to right (most general). For example: DC=company,DC=com

KACE Cloud Mobile Device Manager

This option allows you to access mobile devices such as smart phones and tablets connected to the KACE Cloud Mobile Device Manager (MDM). You must obtain a tenant name and a Secret Key from the KACE Cloud MDM in order to access the devices associated with it.

Tenant Name

The name of the tenant on the KACE Cloud MDM associated with the devices that you want to manage.

Credentials

The details of the account that is used to connect to the KACE Cloud MDM device. Select an existing credential from the drop-down list, or select Add new credential to add a new credential, as required.

For more information, see Add and edit Secret Key credentials.

Auto Provision Devices

If selected, all mobile devices discovered in the next scan are added to inventory.

G Suite

Working with G Suite devices requires credentials that grant the appliance access to a Google Apps Domain using the Admin SDK API. You must obtain a Client ID and a Client Secret from Google so that you can get an approval code for the appliance to use.

Discover Chrome Devices

If selected, any Chrome devices will be discovered in the next scan.

Discover Mobile Devices

If selected, any G Suite mobile devices will be discovered in the next scan.

Credentials

The details of the account that is used to connect to the Chrome device. Select an existing credential from the drop-down list, or select Add new credential to add a new credential, as required. The selected credential must have an approval code that can be associated with the appropriate device type. For example, if you want to discover G Suite mobile devices, you cannot use a credential whose approval code is generated for Chrome devices.

For more information, see Add and edit Google Workspace credentials.

Auto Provision Devices

If selected, all Chrome and mobile devices discovered in the next scan are added to inventory.

Workspace ONE

VMware® Workspace ONE® is an enterprise-level mobility management platform that allows you to manage a wide range of different device types.

Host

The host name of the Workspace ONE administration console.

REST API Key

The REST API key, available in the Workspace ONE administration console. The key must be provided to enable integration with Workspace ONE through API calls.

Credentials

The details of the service account required to connect to the device and run commands. Select an existing credential from the drop-down list, or select Add new credential to add a new credential, as required.

See Add and edit User/Password credentials.

Auto Provision Devices

If selected, all Workspace ONE devices discovered in the next scan are added to inventory.

WinRM, Hyper-V, VMM

WinRM is the connection type to use for Windows devices.

Timeout

The time, in seconds, up to 1 minute, after which the connection is closed if there is no activity.

Require Kerberos

If selected, Kerberos is required for authentication. NTLM will not be used as an alternative when Kerberos is unavailable.

Using Kerberos requires DNS Lookup to be enabled in the same discovery configuration. The DNS Server is also required in the local appliance network settings.

Scan for Hyper-V and Virtual Machine Manager

If selected, the appliance imports a Microsoft Hyper-V or System Center Virtual Machine Manager infrastructure using agentless management. For more information about this feature, see Add a Discovery Schedule for a Microsoft Hyper-V or System Center Virtual Machine Manager.

Port

If this field is left blank, the default port 5985 is used.

Credentials

The details of the service account required to connect to the device and run commands. Select an existing credential from the drop-down list, or select Add new credential to add a new credential, as required.

See Add and edit User/Password credentials.

SNMP

SNMP (Simple Network Management Protocol) is a protocol for monitoring managed devices on a network.

SNMP Full Walk

Enable a Full Walk of data in the MIB (management information base) on devices. If this option is cleared, the appliance does a Bulk GET, which searches three core OIDs (object identifiers). When selecting this option, be aware that a Full Walk can take up to 20 minutes per device. The default, Bulk GET, takes approximately one second and acquires all of the information needed for Discovery.

Timeout

The time, in seconds, after which the scan ends if no response is returned.

Maximum Attempts

The number of times the connection is attempted.

Credentials(SNMPv1/v2)

The details of the SNMP v1/v2 credentials required to connect to the device and run commands. Select an existing credential from the drop-down list, or select Add new credential to add a new credential, as required.

See Add and edit SNMP credentials.

Credentials(SNMPv3)

The details of the SNMP v3 credentials required to connect to the device and run commands. Select an existing credential from the drop-down list, or select Add new credential to add a new credential, as required.

See Add and edit SNMP credentials.

SSH

Use the SSH protocol with authentication.

Timeout

The time, up to 5 minutes, after which the connection is closed if there is no activity.

Try SSH2 Connection

Enable the SSH2 protocol for connecting to and communicating with devices.

Use SSH2 if you want device communications to be more secure (recommended).

Credentials

The details of the service account required to connect to the device and run commands. Select an existing credential from the drop-down list, or select Add new credential to add a new credential, as required.

See Add and edit User/Password credentials.

VMware

Timeout

The time after which the scan ends if no response is returned.

Credentials

The details of the service account required to connect to the device and run commands. Select an existing credential from the drop-down list, or select Add new credential to add a new credential, as required.

See Add and edit User/Password credentials.

Nmap

Timeout

The time after which the scan ends if no response is returned.

Fast Scan

Enable the appliance to quickly scan 100 commonly used ports. If this option is cleared, all available TCP ports are scanned, which can take much longer than the fast scan.

Nmap Operating System Detection (Best Guess)

Enable the appliance to detect the operating system of the device based on fingerprinting and port information. This option might increase the time required for the scan.

TCP Port Scan

Enable a port scan using TCP (Transmission Control Protocol) of 1000 commonly used TCP ports. If this option is cleared, and UDP is selected, the appliance performs a UDP scan. If both TCP and UDP are cleared, the appliance uses a TCP scan.

If you select this option, Quest recommends that you set the Timeout value to 10 minutes to decrease the likelihood of erroneous results.

Do not combine this scan with the Fast Scan option. Doing so results in only 100 commonly used ports being scanned.

UDP Port Scan

Enable a port scan using UDP (User Datagram Protocol) of up to 1000 UDP ports. UDP scans are generally less reliable, and have lower processor overhead, than TCP scans because TCP requires a handshake when communicating with devices whereas UDP does not. However, UDP scans might take longer than TCP scans, because UDP sends multiple packets to detect ports, whereas TCP sends a single packet.

If you select this option, Quest recommends that you set the Timeout value to 30 minutes to decrease the likelihood of erroneous results.

Do not combine this scan with the Fast Scan option. Doing so results in only 100 commonly used ports being scanned.

If this option is cleared, the appliance does not scan ports using UDP.

6.
Optional: Enter an email address for being notified of when the discovery scan completes. The email includes the name of the discovery schedule.

Option

Description

None

Run in combination with an event rather than on a specific date or at a specific time.

Every n hours

Run at a specified interval.

Every day/specific day at HH:MM

Run daily at a specified time, or run on a designated day of the week at a specified time.

Run on the nth of every month/specific month at HH:MM

Run on the same day every month, or a specific month, at the specified time.

Run on the nth weekday of every month/specific month at HH:MM

Run on the specific weekday of every month, or a specific month, at the specified time.

Custom

Run according to a custom schedule.

Use standard 5-field cron format (extended cron format is not supported):

Use the following when specifying values:

Spaces ( ): Separate each field with a space.
Asterisks (*): Include the entire range of values in a field with an asterisk. For example, an asterisk in the hour field indicates every hour.
Commas (,): Separate multiple values in a field with a comma. For example, 0,6 in the day of the week field indicates Sunday and Saturday.
Hyphens (-): Indicate a range of values in a field with a hyphen. For example, 1-5 in the day of the week field is equivalent to 1,2,3,4,5, which indicates Monday through Friday.
Slashes (/): Specify the intervals at which to repeat an action with a slash. For example, */3 in the hour field is equivalent to 0,3,6,9,12,15,18,21. The asterisk (*) specifies every hour, but /3 restricts this to hours divisible by 3.

Examples:

View Task Schedule

Click to view the task schedule. The Task Schedule dialog box displays a list of scheduled tasks. Click a task to review the task details. For more information, see View task schedules.

8.
Click Save.
Things to take into consideration with Nmap discovery

For successful outcomes with Nmap discovery, there are some issues to consider and best practices to adopt to improve speed and accuracy and to avoid problems.

Best practices for improving the speed and accuracy of discovery

To improve the speed and accuracy of Nmap discovery:

Avoid using DNS Lookup. DNS Lookup can slow down scan times by up to 500 percent if you specify an invalid or unreachable IP address for the DNS.
Run one discovery type at a time. Although it is possible to run multiple discovery types simultaneously, doing so can extend the length of a run and can cause erratic OS detection results.
Select Nmap Operating System Detection (Best Guess) if you are unsure what to run. This selection can give you a reasonable view into your subnet or subnets. At a minimum, using Best Guess can identify what OSs are on what devices. If you do not get the expected results, for example if some devices appear with unknown as the Operating System, try increasing the timeout value and rerunning the discovery.
Discovery does not work correctly through a VPN. Use another source for access to the devices.

Issues that can impede discovery

Be aware that devices that are offline or otherwise inaccessible at the time of a scan are ignored because they appear to be nonexistent.

If you know that there are devices that should be reported, but are not, they are either:

Some devices, typically security devices, hide themselves from view, or misrepresent themselves to avoid detection.

Troubleshooting unknown operating systems

If the Operating System appears as unknown in the Discovery Results list page:

Check to see if the Nmap checkmark is present in the Nmap column. If not, the device was offline during the scan, and the operating system could not be determined.
If the Nmap checkmark is present, but the Operating System is unknown, the most likely cause is a firewall that is blocking the ports that Nmap is using to determine what OS is running on the device.

For example, if you scan using only UDP ports 7 and 161, the device appears online with the Nmap checkmark displayed. However, the Operating System appears unknown, because UDP ports alone are not sufficient to determine what OS is running on the device.

Add a Discovery Schedule for a thorough scan of managed Windows, Mac, Linux, and UNIX computers

Add a Discovery Schedule for a thorough scan of managed Windows, Mac, Linux, and UNIX computers

To scan your network for devices and capture information about devices, you use Discovery Schedules. After devices are discovered using the Active Directory or Authenticated discovery type, you can add those discovered devices to inventory.

1.
Go to the Discovery Schedule Detail page:
a.
Log in to the appliance Administrator Console, https://appliance_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.
b.
On the left navigation bar, click Inventory, then click Discovery Schedules.
c.
Select Choose Action > New.
2.
Select the Discovery Type to display the form with the options for the selected type.
Active Directory. DNS Lookup and Active Directory discovery options appear.
Authenticated [WinRM, SNMP, SSH, VMware, Hyper-V]. DNS Lookup, Relay, WinRM, Hyper-V, VMM, SNMP, SSH, and VMware discovery options appear.
3.
In the Name field, enter a name for the scan.
This name appears on the Discovery Schedules page.
4.
In the IP Address Range field, do one of the following:
If you select the Active Directory Discovery Type, enter the IP address of the Active Directory server to be scanned.

Option

Item

Description

DNS Lookup

Enable Discovery to identify the name of the device. DNS Lookup is important if you want device names to appear in the Discovery Results and Inventory lists. You can select the DNS Lookup options for each Discovery type.

Name Server for Lookup

The hostname or IP address of the name server.

Timeout

The time, in seconds, after which a DNS lookup expires. If an address is not found during this time, the process “times out.”

Relay

Enable a KACE Agent to act as a tunnel WinRM, SSH and SNMP traffic to the agent connection protocol for WinRM, SSH and SNMP discovery schedules, agentless inventory, and agent provisioning.

Relay Device

Specify the device that you want to use as a relay for agentless device inventory.

A relay device that is used during discovery as a relay is used for agentless inventory, when a new device is provisioned automatically from discovery results.

Selected relay devices are listed on the following pages:

On the Agentless Device Connection Details page, when a new device is provisioned automatically from discovery results. For more information about this page, see Enable Agentless management by entering device information manually.
On the Provisioning Schedule Detail page, when agent provisioning is initiated from discovery results. For more information, see Install the KACE Agent on a device or multiple devices.
On the Agentless Device Connection Details page, when a new device is provisioned automatically from discovery results. For more information about this page, see Enable Agentless management by entering device information manually.

Active Directory

Enable the appliance to check for device information on an Active Directory server. During Active Directory scans, the status is indicated as an approximate percentage instead of the number of devices scanned.

Use Secure LDAP (LDAPS)

Enable the appliance to use a secure port for LDAP communication.

Privileged User

The username of the administrator account on the Active Directory server. For example, username@example.com.

Privileged User Password

The password of the administrator account on the Active Directory server.

Search Context

The criteria used to search for devices. This criteria specifies a location or container in the Active Directory structure to be searched. Enter the most specific combination of OUs, DCs, or CNs that match your criteria, ranging from left (most specific) to right (most general). For example:

DC=company,DC=com.

WinRM, Hyper-V, VMM

WinRM is the connection type to use for Windows devices.

Timeout

The time, in seconds, up to 1 minute, after which the connection is closed if there is no activity.

Require Kerberos

If selected, Kerberos is required for authentication. NTLM will not be used as an alternative when Kerberos is unavailable.

Using Kerberos requires DNS Lookup to be enabled in the same discovery configuration. The DNS Server is also required in the local appliance network settings.

Scan for Hyper-V and Virtual Machine Manager

This field is only used if you want to monitor a a Microsoft Hyper-V or System Center Virtual Machine Manager infrastructure. Ensure this option is cleared. For more information about this feature, see Add a Discovery Schedule for a Microsoft Hyper-V or System Center Virtual Machine Manager.

Port

If this field is left blank, the default port 5985 is used.

Credentials

The details of the service account required to connect to the device and run commands. Select existing credentials from the drop-down list, or select Add new credential to add credentials not already listed.

See Add and edit User/Password credentials.

SSH

Use the SSH protocol with authentication.

Timeout

The time, up to 5 minutes, after which the connection is closed if there is no activity.

Try SSH2 Connection

Enable the SSH2 protocol for connecting to and communicating with devices.

Use SSH2 if you want device communications to be more secure (recommended).

Credentials

The details of the service account required to connect to the device and run commands. Select existing credentials from the drop-down list, or select Add new credential to add credentials not already listed.

See Add and edit User/Password credentials.

6.
Optional: Enter an email address for being notified of when the discovery scan completes. The email includes the name of the discovery schedule.

Option

Description

None

Run in combination with an event rather than on a specific date or at a specific time.

Every n hours

Run at a specified interval.

Every day/specific day at HH:MM

Run daily at a specified time, or run on a designated day of the week at a specified time.

Run on the nth of every month/specific month at HH:MM

Run on the same day every month, or a specific month, at the specified time.

Run on the nth weekday of every month/specific month at HH:MM

Run on the specific weekday of every month, or a specific month, at the specified time.

Custom

Run according to a custom schedule.

Use standard 5-field cron format (extended cron format is not supported):

Use the following when specifying values:

Spaces ( ): Separate each field with a space.
Asterisks (*): Include the entire range of values in a field with an asterisk. For example, an asterisk in the hour field indicates every hour.
Commas (,): Separate multiple values in a field with a comma. For example, 0,6 in the day of the week field indicates Sunday and Saturday.
Hyphens (-): Indicate a range of values in a field with a hyphen. For example, 1-5 in the day of the week field is equivalent to 1,2,3,4,5, which indicates Monday through Friday.
Slashes (/): Specify the intervals at which to repeat an action with a slash. For example, */3 in the hour field is equivalent to 0,3,6,9,12,15,18,21. The asterisk (*) specifies every hour, but /3 restricts this to hours divisible by 3.

Examples:

View Task Schedule

Click to view the task schedule. The Task Schedule dialog box displays a list of scheduled tasks. Click a task to review the task details. For more information, see View task schedules.

8.
Click Save.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating