Chat now with support
Chat with Support

KACE Systems Management Appliance 10.0 Common Documents - Administrator Guide

About the KACE Systems Management Appliance (SMA) Getting started
Configuring the appliance
Requirements and specifications Power-on the appliance and log in to the Administrator Console Access the Command Line Console Tracking configuration changes Configuring System-level and Admin-level General Settings Configure appliance date and time settings Enable Two-Factor Authentication for all users Verifying port settings, NTP service, and website access Configuring network and security settings Configuring Agent settings Configuring session timeout and auto-refresh settings Configuring locale settings Configuring the default theme Configure data sharing preferences About DIACAP compliance requirements Configuring Mobile Device Access Enable fast switching for organizations and linked appliances Linking Quest KACE appliances Configuring history settings
Setting up and using labels to manage groups of items Configuring user accounts, LDAP authentication, and SSO Using Replication Shares Managing credentials Configuring assets
About the Asset Management component Using the Asset Management Dashboard About managing assets Adding and customizing Asset Types and maintaining asset information Managing Software assets Managing physical and logical assets Maintaining and using manual asset information Managing locations Managing contracts Managing licenses Managing purchase records
Setting up License Compliance Managing License Compliance Setting up Service Desk Configure the Cache Lifetime for Service Desk widgets Creating and managing organizations Importing and exporting appliance resources
Managing inventory
Using the Inventory Dashboard Using Device Discovery Managing device inventory
About managing devices Features available for each device management method About inventory information Tracking changes to inventory settings Managing inventory information Finding and managing devices Provisioning the KACE SMA Agent Manually deploying the KACE SMA Agent Using Agentless management Adding devices manually in the Administrator Console or by using the API Forcing inventory updates Managing MIA devices Obtaining Dell warranty information
Managing applications on the Software page Managing Software Catalog inventory
About the Software Catalog Viewing Software Catalog information Adding applications to the Software Catalog Managing License assets for Software Catalog applications Associate Managed Installations with Cataloged Software Using software metering Using Application Control Update or reinstall the Software Catalog
Managing process, startup program, and service inventory Writing custom inventory rules
Deploying packages to managed devices
Distributing software and using Wake-on-LAN Broadcasting alerts to managed devices Running scripts on managed devices Managing Mac profiles Using Task Chains
Patching devices and maintaining security
About patch management Subscribing to and downloading patches Creating and managing patch schedules Managing patch inventory Managing Dell devices and updates Maintaining device and appliance security
Using reports and scheduling notifications Monitoring servers
Getting started with server monitoring Working with monitoring profiles Managing monitoring for devices Working with alerts
Using the Service Desk
Configuring Service Desk Using the Service Desk Dashboard Managing Service Desk tickets, processes, and reports
Overview of Service Desk ticket lifecycle Creating tickets from the Administrator Console and User Console Creating and managing tickets by email Viewing tickets and managing comments, work, and attachments Merging tickets Using the ticket escalation process Using Service Desk processes Using Ticket Rules Run Service Desk reports Archiving, restoring, and deleting tickets Managing ticket deletion
Managing Service Desk ticket queues About User Downloads and Knowledge Base articles Customizing Service Desk ticket settings Configuring SMTP email servers
Maintenance and troubleshooting
Maintaining the appliance Troubleshooting the KACE SMA
Appendixes Glossary About us Legal notices

Configure SAML for single sign on

Configure SAML for single sign on

You can configure the appliance to authenticate users without providing their credentials on the Welcome page using a third-party authentication tool.

Security Assertion Markup Language (SAML) is an XML-based protocol that uses security tokens between identity and service providers. The security tokens contain assertion elements that provide information about the user's identity.

When SAML is enabled and configured on the appliance, and the user logs in using this single sign-on method, the appliance sends an authorization request to your Identity Provider (IdP). The identity provider then confirms the user's identity and sends an authentication response to the appliance. Next, the appliance logs the user in to the Administrator Console (or User Console) and establishes the user session. When a SAML user logs out of the appliance, they are logged out of their IdP account. If you want to continue to be logged into your IdP account after using the appliance, simply close the Administrator Console browser window without signing out. If a SAML user's session times out, and they are still logged into their IdP account, the appliance automatically starts a new session for that user.

If you have multiple organizations, you can configure SAML in each organization that uses this method of authentication, and keep the local login method for other organizations.

2.
Log in to the KACE SMA Administrator Console, https://KACE_SMA_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.
3.
Go the SAML Settings page:
a.
On the left navigation bar, click Settings, then click SAML Configuration.
b.
On the SAML Settings page, under Security Assertion Markup Language (SAML), select the SAML Service Provider Enabled check box.
4.
In the Remote Identity Provider (IdP) Settings section, specify your IdP metadata to authenticate users by completing one of the following steps.
Recommended. If your IdP provides an URL to the XML page containing the IdP metadata (suggested option), click Get Metadata From IdP. In the IdP Metadata URL field that appears, type that URL, and click Import IdP Metadata.
To use your IdP metadata XML file, click Enter XML Metadata, and in the IdP Metadata XML field that appears, copy and paste the contents of the XML file. Then click Import IdP Metadata. The appliance parses the provided XML content and populates the settings required to establish a connection with the IdP.
The Remote Identity Provider (IdP) Settings section refreshes, showing the details of your IdP configuration. The listed options specify the appliance page redirects during SAML authentication. For more information, visit https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security.
5.
In the IdP Attribute Mappings section, select the option that you want to use to grant the SAML user access to the appliance.
Use Local User Table: Relies on the user list stored locally on the appliance.
Use LDAP Lookup: Imports user information from an external LDAP server. For more information, see Using an LDAP server for user authentication.
Use SAML: Uses the values specified on this page to map to the fields used by your IdP to the appliance user records, such as name, email address, and so on. For example, if the IdP uses LDAP to authenticate users, you can set UID and Login to objectGUID and cn, respectively. For more information, see your IdP documentation.
6.
If you selected the Use SAML option, specify the roles that you want to grant to the SAML-authenticated user. Under Role Mapping, specify the conditions that you want to check when granting the roles.
For example, you can grant the Administrator role to the members of an LDAP group whose name contains a specific text string (such as admin), set the Administrator role as follows:
Administrator memberOf Contains admin
Role mapping is optional. If no matches are found, the appliance assigns the default role. To specify the default role, click Default Role for Unmatched Users, and choose a role from the available options, as applicable: Administrator, No Access, Read Only Administrator, or User Console Only.
7.
Optional. To view the appliance-specific SAML settings on the appliance, in the Local Service Provider (SP) Settings section, click View Metadata, and review the options that appear.
8.
Click Save.
c.
Open the Administrator Console or User Console Welcome page.
TIP: When SAML is enabled on the appliance, click Local Sign In, and specify your user credentials.
The Administrator Console or User Console page appears.

Example: Using Microsoft Active Directory in Azure as a SAML Identity Provider

Example: Using Microsoft Active Directory in Azure as a SAML Identity Provider

When you use Active Directory in Azure as a SAML Identity Provider (IdP), some additional steps are required. This topic describes the process of configuring SAML with Active Directory as an IdP.

b.
Log in to https://portal.azure.com and select Azure Active Directory.
c.
Under App Registrations, create a new registration, leaving the Redirect URI settings cleared.
d.
In the newly created App Registration, on the Endpoints page, copy the contents of the Federation metadata document field.
3.
Log in to the KACE SMA Administrator Console, https://KACE_SMA_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.
4.
Go the SAML Settings page:
a.
On the left navigation bar, click Settings, then click SAML Configuration.
b.
On the SAML Settings page, under Security Assertion Markup Language (SAML), select the SAML Service Provider Enabled check box.
5.
In the Remote Identity Provider (IdP) Settings section, specify your IdP metadata to authenticate users by completing the following steps.
a.
Click Get Metadata From IdP.
b.
In the IdP Metadata URL field that appears, enter the contents from the Federation metadata document field that you recorded in 2.d, and click Import IdP Metadata.
The Remote Identity Provider (IdP) Settings section refreshes, showing the details of your IdP configuration. The listed options specify the appliance page redirects during SAML authentication. For more information, visit https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security.
6.
In the Security Assertion Markup Language (SAML) section, ensure the IdP Does Not Support Passive Authentication check box is selected.
7.
In the IdP Attribute Mappings section, select the option that you want to use to grant the SAML user access to the appliance.
Use Local User Table: Relies on the user list stored locally on the appliance.
Use LDAP Lookup: Imports user information from an external LDAP server. For more information, see Using an LDAP server for user authentication.
Select Use SAML, and set the following options:
UID: http://schemas.microsoft.com/identity/claims/objectidentifier
Login: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Name: http://schemas.microsoft.com/identity/claims/displayname
Primary Email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
8.
If you selected the Use SAML option, under Role Mapping, specify the following condition for the role that you want to grant to SAML-authenticated users (for example, the Administrator role):
Where <Object ID> is the object ID of the group.
9.
Optional. To view the appliance-specific SAML settings on the appliance, in the Local Service Provider (SP) Settings section, click View Metadata, and review the options that appear.
a.
In the Local Service Provider (SP) Settings section, click View Metadata
c.
d.
In the Redirect URIs section, select Web and set it to the SP Assertion Consumer Service (url) value from the SAML Settings page, under Local Service Provider (SP) Settings.
e.
In the Advanced settings, set the Logout URL field to the SP SLO Endpoint (url) value from the Local Service Provider (SP) Settings section.
f.
In Azure, click Expose an API, and click Set next to Application ID URI. Set this field to the SP Entity Identifier (uri) value from the Local Service Provider (SP) Settings section.
g.
In Azure, click Manifest, and in the editor that appears on the right, add or update the "groupMembershipClaims" attribute and set its value to "SecurityGroup" or "All".
For example: "groupMembershipClaims": "SecurityGroup",
11.
Click Save.
c.
Open the Administrator Console or User Console Welcome page.
TIP: When SAML is enabled on the appliance, click Local Sign In, and specify your user credentials.
The Administrator Console or User Console page appears.

Using Replication Shares

Using Replication Shares

Replication Shares are devices that keep copies of files for distribution, and they are especially useful if your managed devices are deployed across multiple geographic locations.

For example, using a Replication Share, a device in New York could download files from another device at the same office, rather than downloading those files from a KACE SMA in Los Angeles. A Replication Share is a full replication of all digital assets and is managed automatically by the appliance. Whenever a Replication Share is specified for a label, devices in that label go to the Replication Share to get files.

In addition, you can use Replication Shares to deploy of Managed Installations, patches, or Dell Updates where network bandwidth and speed are issues. Replication Shares are good alternatives to downloading directly from an appliance.

Replication Shares enable an appliance to replicate application installers, patches, upgrades, and script dependencies to a shared folder on a device. If any replication item is deleted from the appliance, it is marked for deletion in the Replication Share and deleted in the replication task cycle. The figure shows a Replication Share configuration and task flow.

Figure 7. Replication Share configuration

In the task flow, an arrow goes from a KACE SMA to a Replication Agent. The arrow has a tag reading "copy replication files. Restarts are supported. Bandwidth can be limited. The Replication Agent can run be a Windows device, a Mac OS X device, or a Linux device. An arrow goes from the Replication Agent to the Replication Share. The has a tag reading "Place file on Share, either local drive or smb network drive." From the Replication Share, arrows go to various Replication Clients that are defined by a Replication Share Label.

To create a Replication Share, identify one device at each remote location to act as a Replication Device. The appliance copies all the replication items to the Replication Device at the specified destination path. The replication process automatically restarts if it is stopped due to a network failure or replication schedule. If stopped, the replication process restarts at the point it was stopped.

Sneaker net share: You can create a folder and copy the contents of an existing replication folder to it. You can then specify this folder as the new replication folder in the appliance. The appliance determines whether the new folder has all the replication items present and replicates only the new ones, which conserves bandwidth. You can manually copy the contents of replication folder to a new folder. The replication folder created in a device follows following hierarchy:

\\machinename\foldername\repl2\replicationitems folder

The device name and folder name is user defined while repl2 is automatically created by appliance. The replication items folder includes the folder for patches, kbots, upgrade files, and applications.

All the replication items are first listed in the replication queue and then copied one at a time to the destination path. Any new replication item is first listed in the replication queue and then copied after an interval of 10 minutes.

Replication items are copied in this order:

Create Replication Shares

Create Replication Shares

You can create Replication Shares on managed devices.

To create a Replication Share you must:

Have write permission on the destination path to write the software files.

Replication Shares can be created only on devices that appear on the Devices list in Inventory. If the device you want to use is not on the Devices list, you need to create an inventory record for the device before you can use it as a Replication Share.

See Managing inventory information.

1.
Go to the Replication Schedule Detail page:
a.
Log in to the KACE SMA Administrator Console, https://KACE_SMA_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.
b.
On the left navigation bar, click Distribution, then click Replication.
c.
Select Choose Action > New.
2.
In the Configure section, select the Enabled check box.
3.
Optional: Select Failover To Appliance to use the KACE SMA when the Replication Share is not available.
NOTE: Enable Failover To Appliance only after testing the Replication Share.
4.
In the Device drop-down list, select the device to use as a Replication Share.
5.
Select the Operating System and Locales of the patches to replicate. The lists are populated based on the operating systems and locales selected in the patch subscription.
6.
Select the Include Application Patches and Include Dell Updates check boxes to copy the patch and update files to the Replication Share.
7.
Specify the Destination Share settings:

Option

Description

Path

The path the Replication device uses for the Replication Share. Applications are copied from the KACE SMA to this location. For a local drive, use local drive syntax, for example: C:\kace_sma_share

For a network drive, use UNC format, for example: \\kaceRep\kace_sma_share\

NOTE: $ notation, for example \\KaceRep\e$, is not supported.

Local Share or UNC

Select whether to use a Local Share or UNC.

Credentials

The details of the service account required to connect to the device and run commands. Select existing credentials from the drop-down list, or select Add new credential to add credentials not already listed.

See Add and edit User/Password credentials.

Label

The label of the devices using the Replication Share. Verify that the selected label does not have KACE_ALT_LOCATION specified. KACE_ALT_LOCATION takes precedence over the Replication Share for downloading files to devices.

8.
Specify the Download Share settings:

Option

Description

Path

The path used by devices in the replication label to copy items from the replication drive.

For example, a UNC path:

\\fileservername\directory\kace_sma\

Other devices need read permission to copy replication items from this shared folder.

Credentials

The details of the service account required to connect to the device and run commands. Select existing credentials from the drop-down list, or select Add new credential to add credentials not already listed.

See Add and edit User/Password credentials.

Option

Description

High Bandwidth

The maximum bandwidth to use for replication. If this field is blank, the maximum bandwidth available for replication is used. This field is specified in bytes per second.

Low Bandwidth

The restricted bandwidth to use for replication. If this field is blank, the maximum bandwidth available for replication is used. This field is specified in bytes per second.

Schedule table

The bandwidth used for each hour of the day (24-hour clock format) and each day of the week.

Bandwidth is color-coded:

White: Replication is off
Light blue: Replication is on with low bandwidth
Blue: Replication is on with high bandwidth

Copy Schedule From

Select an existing Replication Schedule in the drop-down list to replicate items according to that schedule.

Notes

Any additional information you want to provide.

10.
Click Save.
The Replication page appears.
11.
Optional: After you have tested the Replication Share, return to 3 and enable Failover To Appliance.
Related Documents