
KACE Asset Management Appliance 7.1 - Administrator Guide


Enabling file sharing

To provision Agent software, you must enable file sharing.

If the Organization component is enabled on your appliance, see Enable file sharing at the System level. Otherwise, see Enable file sharing without the Organization component enabled.

Enable file sharing at the System level

If the Organization component is enabled on your appliance, you must enable file sharing at the System level to provision the Agent.

1. Go to the Security Settings page:
   a. Log in to the K1000 System Administration Console, http://K1000_hostname/system, or select System from the drop-down list in the top-right corner of the page.
   c. On the Control Panel, click Security Settings.
2. In the Samba section, specify the following settings:

   For appliances with the Organization component enabled:

   Option: Enable Organization File Shares
   Description: Use the appliance's client share to store files, such as files used to install applications on managed devices.
   The appliance’s client share is a built-in Windows file server that the provisioning service can use to assist in distributing the Samba client on your network. Quest recommends that this file server only be enabled when you perform application installations on managed devices.

   Option: Require NTLMv2 authentication to appliance file shares
   Description: Enable NTLMv2 authentication for the K1000 file shares. When this setting is enabled, managed devices connecting to the K1000 file shares require support for NTLMv2 and authenticate to the K1000 using NTLMv2. Even though NTLMv2 is more secure than NTLM and LANMAN, non-NTLMv2 configurations are more common and this option is usually turned off. Enabling this option disables lanman auth and ntlm auth on the Samba server. NTLMv2 Levels 1-4 are supported. If you need NTLMv2 Level 5, consider manually provisioning the K1000 Agent. See Manually deploying the K1000 Agent.

   Option: Require NTLMv2 to off-board file shares
   Description: Force certain K1000 functions that are supported through the Samba client, such as Agent Provisioning, to authenticate to offboard network file shares using NTLMv2. Even though NTLMv2 is more secure than NTLM and LANMAN, non-NTLMv2 configurations are more common and this option is usually disabled. Enabling this option enables the client ntlmv2 auth option for Samba client functions.

3. Click Save.

When the appliance restarts, enable file sharing at the organization level. See Enable organization-level file sharing with the Organization component enabled.

Enable organization-level file sharing with the Organization component enabled

If the Organization component is enabled on your appliance, you must enable file sharing at the organization level to provision the Agent.

Verify that organization file shares are enabled. For instructions, see Enable file sharing at the System level.

1. Go to the Admin-level General Settings page:
   a. Log in to the K1000 Administrator Console, http://K1000_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.
   c. On the Control Panel, click General Settings.
2. Select Enable File Sharing in the Samba Share Settings section.
3. Optional: Enter a password for the File Share User.
4. Click Save Samba Settings.

Enable file sharing without the Organization component enabled

If the Organization component is not enabled on your appliance, you must enable file sharing in the appliance security settings to provision the Agent.

1. Go to the Security Settings page:
   a. Log in to the K1000 Administrator Console, http://K1000_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.
   c. On the Control Panel, click Security Settings.
2. In the Samba section, select Enable File Sharing.
3. Optional: Select authentication options:

   Option: Require NTLMv2 to authenticate appliance file shares
   Description: Enable NTLMv2 authentication for the K1000 file shares. When this setting is enabled, managed devices connecting to the K1000 file shares require support for NTLMv2 and authenticate to the K1000 using NTLMv2. Even though NTLMv2 is more secure than NTLM and LANMAN, non-NTLMv2 configurations are more common and this option is usually turned off. Enabling this option disables lanman auth and ntlm auth on the Samba server. NTLMv2 Levels 1-4 are supported. If you need NTLMv2 Level 5, consider manually provisioning the K1000 Agent. See Manually deploying the K1000 Agent.

   Option: Require NTLMv2 authentication to off-board file shares
   Description: Force certain K1000 functions that are supported through the Samba client, such as Agent Provisioning, to authenticate to offboard network file shares using NTLMv2. Even though NTLMv2 is more secure than NTLM and LANMAN, non-NTLMv2 configurations are more common and this option is usually disabled. Enabling this option enables the client ntlmv2 auth option for Samba client functions.

4. Click Save.
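
The NTLMv2 options in both Samba sections above are described in terms of the Samba parameters lanman auth, ntlm auth and client ntlmv2 auth. The following is an added example, not Quest's code or the appliance's own configuration: it audits the [global] section of an smb.conf for those three parameters. The sample files are constructed, and an absent parameter is reported as "unset" because the guide does not state the Samba version or its defaults.

```python
# Added example: audit smb.conf [global] for the three options the guide names.
# The sample files below are constructed; they are not taken from a K1000.

BOOL_TRUE = {"yes", "true", "1"}
BOOL_FALSE = {"no", "false", "0"}

# option -> (values that refuse weaker auth, values that allow weaker auth)
RULES = {
    "lanmanauth": (BOOL_FALSE, BOOL_TRUE),
    "ntlmauth": (BOOL_FALSE | {"ntlmv2-only", "disabled"},
                 BOOL_TRUE | {"ntlmv1-permitted"}),
    "clientntlmv2auth": (BOOL_TRUE, BOOL_FALSE),
}


def parse_global(text):
    """Return the [global] parameters as {normalised_name: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = line.split("=", 1)  # only the first '=' is significant
        # smb.conf ignores case and whitespace in parameter names
        params["".join(name.split()).lower()] = value.strip().lower()
    return params


def audit(text):
    """Map each option to 'ok', 'weak', 'unset' or 'review'."""
    params = parse_global(text)
    result = {}
    for option, (ok_values, weak_values) in RULES.items():
        value = params.get(option)
        if value is None:
            # Default depends on the Samba version, which the guide does not state.
            result[option] = "unset"
        elif value in ok_values:
            result[option] = "ok"
        elif value in weak_values:
            result[option] = "weak"
        else:
            result[option] = "review"  # value not classified here; check by hand
    return result


WEAK_SAMPLE = """\
[global]
   workgroup = EXAMPLE
   lanman auth = yes
   NTLM Auth = Yes
   client ntlmv2 auth = no
[client]
   path = /constructed/path
"""

HARDENED_SAMPLE = """\
# constructed sample
[global]
   lanman auth = no
   ntlm auth = ntlmv2-only
   client NTLMv2 auth = yes
"""

if __name__ == "__main__":
    for label, sample in (("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(label, audit(sample))
```
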

Provisioning the K1000 Agent using the GPO Provisioning Tool for Windows devices

Of the methods for provisioning the Agent on Windows devices, Quest recommends the GPO Provisioning Tool because using the tool minimizes the pre-configuration that must happen on the target devices.

The GPO Provisioning Tool uses Active Directory® and Group Policy to distribute the installation settings and to perform the installation of the Agent. The tool creates a GPO, or modifies a pre-existing GPO to install the K1000 Agent when a device authenticates with Active Directory.

The first time a target device refreshes Group Policy after the tool has completed the creation or modification process, a new Group Policy client-side extension DLL is registered on the devices applying this GPO. The next time that the device refreshes Group Policy, Windows triggers the newly registered client-side extension to install the K1000 Windows Agent.

For the Quest Knowledge Base article that contains the link to download the GPO Provisioning Tool, go to https://support.quest.com/kb/133776.

Prepare to use the GPO Provisioning Tool for Agent deployment

Before you can use the GPO Provisioning Tool to deploy Agents to Windows devices, you must ensure that your system is configured to use the tool.

The following system requirements are necessary for using the GPO Provisioning Tool:

Windows Vista and higher: Remote Server Administration Tools (RSAT) enables IT administrators to remotely manage roles and features in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2 from a computer that is running Windows 8.1, Windows 8, Windows 7, or Windows Vista.

Go to http://social.technet.microsoft.com/wiki/contents/articles/2202.remote-server-administration-tools-rsat-for-windows-client-and-windows-server-dsforum2wiki.aspx.

For Windows XP: Install and enable the Group Policy Console for your Windows operating system.

Go to http://microsoft.com/en-us/download/details.aspx?id=21895.

Distribution Share: Make sure to use a share that everyone can access. For example, do not place the .msi file on the NETLOGON share, because not every user can reach that share and the lack of access will cause your upgrade to fail in the future. This location should be a permanently accessible share. The installer is an MSI (Microsoft Installer) file. To uninstall or upgrade software, MSI needs access to the .msi file. If it is not accessible, msiexec will not uninstall.

Provision K1000 Agents using the K1000 GPO Provisioning Tool

You can install the K1000 Agent on a single device, or on multiple devices by using the K1000 GPO Provisioning Tool, starting within the Agent Provisioning Assistant. You can use this method to provision Windows devices.

To complete this task, you leave the K1000 appliance to work in the Windows Group Policy Management Console or the Windows Administrative Tools using the K1000 GPO Provisioning Tool before returning to the appliance.

   a. Log in to the K1000 Administrator Console, http://K1000_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.
   b. On the left navigation bar, click Settings, then click Provisioning.
   c. On the Provisioning panel, click Agent Provisioning Assistant.
      The Agent Provisioning Assistant: Step 1 of 3 page appears.
2. Select the check box for Provisioning Using Windows Group Policy (recommended), and click Next to display the Agent Provisioning Assistant: Step 2 of 3 page.

   Installing and starting the tool requires leaving the K1000 interface.

   NOTE: Only GPOs for which you have permission to edit are displayed in the tool.
6. Return to the Agent Provisioning: Step 2 of 3 page in the K1000 when you have completed working in the tool, and click Next.
7. Click Finish on the Agent Provisioning: Step 3 of 3 page.

Agents are installed on the client devices after the Group Policy is refreshed on those devices. Depending on the environment, this installation takes place either when the device reboots, or after a 90-minute refresh cycle occurs for the Group Policy.

Go to the Devices page to keep track of the progress of devices having the agents installed and checked in.
