Chat now with support
Chat with Support

KACE Systems Management Appliance 11.0 Common Documents - Administrator Guide

About the KACE Systems Management Appliance Getting started
Configuring the appliance
Requirements and specifications Power-on the appliance and log in to the Administrator Console Access the Command Line Console Tracking configuration changes Configuring System-level and Admin-level General Settings Configure appliance date and time settings Enable Two-Factor Authentication for all users Verifying port settings, NTP service, and website access Configuring network and security settings Configuring Agent settings Configuring session timeout and auto-refresh settings Configuring locale settings Configuring the default theme Configure data sharing preferences About DIACAP compliance requirements Configuring Mobile Device Access Enable fast switching for organizations and linked appliances Linking Quest KACE appliances Configuring history settings
Setting up and using labels to manage groups of items Configuring user accounts, LDAP authentication, and SSO Using Replication Shares Managing credentials Configuring assets
About the Asset Management component Using the Asset Management Dashboard About managing assets Adding and customizing Asset Types and maintaining asset information Managing Software assets Managing physical and logical assets Maintaining and using manual asset information Managing locations Managing contracts Managing licenses Managing purchase records
Setting up License Compliance Managing License Compliance Setting up Service Desk Configure the Cache Lifetime for Service Desk widgets Creating and managing organizations Importing and exporting appliance resources
Managing inventory
Using the Inventory Dashboard Using Device Discovery Managing device inventory
About managing devices Features available for each device management method About inventory information Tracking changes to inventory settings Managing inventory information Finding and managing devices Registering KACE Agent with the appliance Provisioning the KACE Agent Manually deploying the KACE Agent Using Agentless management Adding devices manually in the Administrator Console or by using the API Forcing inventory updates Managing MIA devices Obtaining Dell warranty information
Managing applications on the Software page Managing Software Catalog inventory
About the Software Catalog Viewing Software Catalog information Adding applications to the Software Catalog Managing License assets for Software Catalog applications Associate Managed Installations with Cataloged Software Using software metering Using Application Control Update or reinstall the Software Catalog
Managing process, startup program, and service inventory Writing custom inventory rules
Deploying packages to managed devices
Distributing software and using Wake-on-LAN Broadcasting alerts to managed devices Running scripts on managed devices Managing Mac profiles Using Task Chains
Patching devices and maintaining security
Using the Security Dashboard About patch management Subscribing to and downloading patches Creating and managing patch schedules Managing patch inventory Managing Windows Feature Updates Managing Dell devices and updates Maintaining device and appliance security
Using reports and scheduling notifications Monitoring servers
Getting started with server monitoring Working with monitoring profiles Managing monitoring for devices Working with alerts
Using the Service Desk
Configuring Service Desk Using the Service Desk Dashboard Managing Service Desk tickets, processes, and reports
Overview of Service Desk ticket lifecycle Creating tickets from the Administrator Console and User Console Creating and managing tickets by email Viewing tickets and managing comments, work, and attachments Merging tickets Using the ticket escalation process Using Service Desk processes Using Ticket Rules Run Service Desk reports Archiving, restoring, and deleting tickets Managing ticket deletion
Managing Service Desk ticket queues About User Downloads and Knowledge Base articles Customizing Service Desk ticket settings Configuring SMTP email servers
Maintenance and troubleshooting
Maintaining the appliance Troubleshooting the appliance
Appendixes Glossary About us Legal notices

Enable organization-level file sharing with the Organization component enabled

Enabling file sharing

To provision Agent software, you must enable file sharing.

If the Organization component is enabled on your appliance, see Enable file sharing at the System level. Otherwise, see Enable file sharing without the Organization component enabled.

Enable file sharing at the System level

If the Organization component is enabled on your appliance, you must enable file sharing at the System level to provision the Agent.

1.
Go to the Security Settings page:
a.
Log in to the appliance System Administration Console, http://appliance_hostname/system, or select System from the drop-down list in the top-right corner of the page.
b.
On the left navigation bar, click Settings, then click Control Panel.
c.
On the Control Panel, click Security Settings.
2.
In the Samba section, specify the following settings:

Option

Description

For appliances with the Organization component enabled:

Enable Organization File Shares

Use the appliance's client share to store files, such as files used to install applications on managed devices.

The appliance’s client share is a built-in Windows file server that the provisioning service can use to assist in distributing the Samba client on your network. Quest recommends that this file server only be enabled when you perform application installations on managed devices.

Require NTLMv2 authentication to appliance file shares

Enable NTLMv2 authentication for the appliance files shares. When this setting is enabled, managed devices connecting to the appliance File Shares require support for NTLMv2 and authenticate to the appliance using NTLMv2. Even though NTLMv2 is more secure than NTLM and LANMAN, non-NTLMv2 configurations are more common and this option is usually turned off. Enabling this option disables lanman auth and ntlm auth on the Samba server. NTLMv2 Levels 1-4 are supported. If you need NTLM v2 Level 5, consider manually provisioning the KACE Agent. See Manually deploying the KACE Agent.

Require NTLMv2 to off-board file shares

Force certain appliance functions that are supported through the Samba client, such as Agent Provisioning, to authenticate to offboard network file shares using NTLMv2. Even though NTLMv2 is more secure than NTLM and LANMAN, non-NTLMv2 configurations are more common and this option is usually disabled. Enabling this option enables the client ntlmv2 auth option for Samba client functions.

3.
Click Save.

When the appliance restarts, enable file sharing at the organization level. See Enable organization-level file sharing with the Organization component enabled.

Enable organization-level file sharing with the Organization component enabled

If the Organization component is enabled on your appliance, you must enable file sharing at the organization level to provision the Agent.

Verify that organization file shares are enabled. For instructions, see Enable file sharing at the System level.

1.
Go to the Admin-level General Settings page:
a.
Log in to the appliance Administrator Console, https://appliance_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.
b.
On the left navigation bar, click Settings, then click Control Panel.
c.
On the Control Panel, click General Settings.
2.
Select Enable File Sharing in the Samba Share Settings section.
3.
Optional: Enter a password for the File Share User.
4.
Click Save Samba Settings.
Enable file sharing without the Organization component enabled

If the Organization component is not enabled on your appliance, you must enable file sharing in the appliance security settings to provision the Agent.

1.
Go to the Security Settings page:
a.
Log in to the appliance Administrator Console, https://appliance_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.
b.
On the left navigation bar, click Settings, then click Control Panel.
c.
On the Control Panel, click Security Settings.
2.
In the Samba section, select Enable File Sharing.
3.
Optional: Select authentication options:

Option

Description

Require NTLMv2 to authenticate appliance file shares

Enable NTLMv2 authentication for the appliance files shares. When this setting is enabled, managed devices connecting to the appliance File Shares require support for NTLMv2 and authenticate to the appliance using NTLMv2. Even though NTLMv2 is more secure than NTLM and LANMAN, non-NTLMv2 configurations are more common and this option is usually turned off. Enabling this option disables lanman auth and ntlm auth on the Samba server. NTLMv2 Levels 1-4 are supported. If you need NTLM v2 Level 5, consider manually provisioning the KACE Agent. See Manually deploying the KACE Agent.

Require NTLMv2 authentication to off-board file shares

Force certain appliance functions that are supported through the Samba client, such as Agent Provisioning, to authenticate to offboard network file shares using NTLMv2. Even though NTLMv2 is more secure than NTLM and LANMAN, non-NTLMv2 configurations are more common and this option is usually disabled. Enabling this option enables the client ntlmv2 auth option for Samba client functions.

4.
Click Save.

Enable file sharing without the Organization component enabled

Enabling file sharing

To provision Agent software, you must enable file sharing.

If the Organization component is enabled on your appliance, see Enable file sharing at the System level. Otherwise, see Enable file sharing without the Organization component enabled.

Enable file sharing at the System level

If the Organization component is enabled on your appliance, you must enable file sharing at the System level to provision the Agent.

1.
Go to the Security Settings page:
a.
Log in to the appliance System Administration Console, http://appliance_hostname/system, or select System from the drop-down list in the top-right corner of the page.
b.
On the left navigation bar, click Settings, then click Control Panel.
c.
On the Control Panel, click Security Settings.
2.
In the Samba section, specify the following settings:

Option

Description

For appliances with the Organization component enabled:

Enable Organization File Shares

Use the appliance's client share to store files, such as files used to install applications on managed devices.

The appliance’s client share is a built-in Windows file server that the provisioning service can use to assist in distributing the Samba client on your network. Quest recommends that this file server only be enabled when you perform application installations on managed devices.

Require NTLMv2 authentication to appliance file shares

Enable NTLMv2 authentication for the appliance files shares. When this setting is enabled, managed devices connecting to the appliance File Shares require support for NTLMv2 and authenticate to the appliance using NTLMv2. Even though NTLMv2 is more secure than NTLM and LANMAN, non-NTLMv2 configurations are more common and this option is usually turned off. Enabling this option disables lanman auth and ntlm auth on the Samba server. NTLMv2 Levels 1-4 are supported. If you need NTLM v2 Level 5, consider manually provisioning the KACE Agent. See Manually deploying the KACE Agent.

Require NTLMv2 to off-board file shares

Force certain appliance functions that are supported through the Samba client, such as Agent Provisioning, to authenticate to offboard network file shares using NTLMv2. Even though NTLMv2 is more secure than NTLM and LANMAN, non-NTLMv2 configurations are more common and this option is usually disabled. Enabling this option enables the client ntlmv2 auth option for Samba client functions.

3.
Click Save.

When the appliance restarts, enable file sharing at the organization level. See Enable organization-level file sharing with the Organization component enabled.

Enable organization-level file sharing with the Organization component enabled

If the Organization component is enabled on your appliance, you must enable file sharing at the organization level to provision the Agent.

Verify that organization file shares are enabled. For instructions, see Enable file sharing at the System level.

1.
Go to the Admin-level General Settings page:
a.
Log in to the appliance Administrator Console, https://appliance_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.
b.
On the left navigation bar, click Settings, then click Control Panel.
c.
On the Control Panel, click General Settings.
2.
Select Enable File Sharing in the Samba Share Settings section.
3.
Optional: Enter a password for the File Share User.
4.
Click Save Samba Settings.
Enable file sharing without the Organization component enabled

If the Organization component is not enabled on your appliance, you must enable file sharing in the appliance security settings to provision the Agent.

1.
Go to the Security Settings page:
a.
Log in to the appliance Administrator Console, https://appliance_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.
b.
On the left navigation bar, click Settings, then click Control Panel.
c.
On the Control Panel, click Security Settings.
2.
In the Samba section, select Enable File Sharing.
3.
Optional: Select authentication options:

Option

Description

Require NTLMv2 to authenticate appliance file shares

Enable NTLMv2 authentication for the appliance files shares. When this setting is enabled, managed devices connecting to the appliance File Shares require support for NTLMv2 and authenticate to the appliance using NTLMv2. Even though NTLMv2 is more secure than NTLM and LANMAN, non-NTLMv2 configurations are more common and this option is usually turned off. Enabling this option disables lanman auth and ntlm auth on the Samba server. NTLMv2 Levels 1-4 are supported. If you need NTLM v2 Level 5, consider manually provisioning the KACE Agent. See Manually deploying the KACE Agent.

Require NTLMv2 authentication to off-board file shares

Force certain appliance functions that are supported through the Samba client, such as Agent Provisioning, to authenticate to offboard network file shares using NTLMv2. Even though NTLMv2 is more secure than NTLM and LANMAN, non-NTLMv2 configurations are more common and this option is usually disabled. Enabling this option enables the client ntlmv2 auth option for Samba client functions.

4.
Click Save.

Provisioning the KACE Agent using the GPO Provisioning Tool for Windows devices

Provisioning the KACE Agent using the GPO Provisioning Tool for Windows devices

Of the methods for provisioning the Agent on Windows devices, Quest recommends the GPO Provisioning Tool because using the tool minimizes the pre-configuration that must happen on the target devices.

The GPO Provisioning Tool uses Active Directory® and Group Policy to distribute the installation settings and to perform the installation of the Agent. The tool creates a GPO, or modifies a pre-existing GPO to install the KACE Agent when a device authenticates with Active Directory.

The first time a target device refreshes Group Policy after the tool has completed the creation or modification process, a new Group Policy client-side extension dll is registered on the devices applying this GPO. Then the next time that the device refreshes Group Policy, Windows triggers the newly registered client-side extension to install the KACE Windows Agent.

For the Quest Knowledge Base article that contains the link to download the GPO Provisioning Tool, go to https://support.quest.com/kb/133776.

Prepare to use the GPO Provisioning Tool for Agent deployment

Before you can use the GPO Provisioning Tool to deploy Agents to Windows devices, you must ensure that your system is configured to use the tool.

The following system requirements are necessary for using the GPO Provisioning Tool:

Windows 7 and higher: Remote Server Administration Tools (RSAT) enables IT administrators to remotely manage roles and features in Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012, from a computer that is running Windows 8.1, Windows 8, or Windows 7.

Go to http://social.technet.microsoft.com/wiki/contents/articles/2202.remote-server-administration-tools-rsat-for-windows-client-and-windows-server-dsforum2wiki.aspx.

Distribution Share: Make sure to use a share that everyone can access. For example, do not place the .msi file on the NETLOGON share, because not every user can reach that share and the lack of access will cause your upgrade to fail in the future. This location should be a permanently accessible share. The installer is an MSI (Microsoft Installer) file. To uninstall or upgrade software, MSI needs access to the .msi file. If it is not accessible, msiexec will not uninstall.
Provision KACE Agents using the appliance GPO Provisioning Tool

You can install the KACE Agent on a single device, or on multiple devices by using the appliance GPO Provisioning Tool, starting within the Agent Provisioning Assistant. You can use this method to provision Windows devices.

To complete this task, you leave the appliance to work in the Windows Group Policy Management Console or the Windows Administrative Tools using the appliance GPO Provisioning Tool before returning to the appliance.

a.
Log in to the appliance Administrator Console, https://appliance_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.
b.
On the left navigation bar, click Settings, then click Provisioning.
c.
On the Provisioning panel, click Agent Provisioning Assistant.
The Agent Provisioning Assistant: Step 1 of 3 page appears.
2.
Select the check box for Provisioning Using Windows Group Policy (recommended), and click Next to display the Agent Provisioning Assistant: Step 2 of 3 page.

Installing and starting the tool requires leaving the appliance interface.

NOTE: Only GPOs for which you have permission to edit are displayed in the tool.
6.
Return to the Agent Provisioning: Step 2 of 3 page in the appliance when you have completed working in the tool, and click Next.
7.
Click Finish on the Agent Provisioning: Step 3 of 3 page.

Agents are installed on the client devices after the Group Policy is refreshed on those devices. Depending on the environment, this installation takes place either when the device reboots, or after a 90-minute refresh cycle occurs for the Group Policy.

Go to the Devices page to keep track of the progress of devices having the agents installed and checked in.

Prepare to use the GPO Provisioning Tool for Agent deployment

Provisioning the KACE Agent using the GPO Provisioning Tool for Windows devices

Of the methods for provisioning the Agent on Windows devices, Quest recommends the GPO Provisioning Tool because using the tool minimizes the pre-configuration that must happen on the target devices.

The GPO Provisioning Tool uses Active Directory® and Group Policy to distribute the installation settings and to perform the installation of the Agent. The tool creates a GPO, or modifies a pre-existing GPO to install the KACE Agent when a device authenticates with Active Directory.

The first time a target device refreshes Group Policy after the tool has completed the creation or modification process, a new Group Policy client-side extension dll is registered on the devices applying this GPO. Then the next time that the device refreshes Group Policy, Windows triggers the newly registered client-side extension to install the KACE Windows Agent.

For the Quest Knowledge Base article that contains the link to download the GPO Provisioning Tool, go to https://support.quest.com/kb/133776.

Prepare to use the GPO Provisioning Tool for Agent deployment

Before you can use the GPO Provisioning Tool to deploy Agents to Windows devices, you must ensure that your system is configured to use the tool.

The following system requirements are necessary for using the GPO Provisioning Tool:

Windows 7 and higher: Remote Server Administration Tools (RSAT) enables IT administrators to remotely manage roles and features in Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012, from a computer that is running Windows 8.1, Windows 8, or Windows 7.

Go to http://social.technet.microsoft.com/wiki/contents/articles/2202.remote-server-administration-tools-rsat-for-windows-client-and-windows-server-dsforum2wiki.aspx.

Distribution Share: Make sure to use a share that everyone can access. For example, do not place the .msi file on the NETLOGON share, because not every user can reach that share and the lack of access will cause your upgrade to fail in the future. This location should be a permanently accessible share. The installer is an MSI (Microsoft Installer) file. To uninstall or upgrade software, MSI needs access to the .msi file. If it is not accessible, msiexec will not uninstall.
Provision KACE Agents using the appliance GPO Provisioning Tool

You can install the KACE Agent on a single device, or on multiple devices by using the appliance GPO Provisioning Tool, starting within the Agent Provisioning Assistant. You can use this method to provision Windows devices.

To complete this task, you leave the appliance to work in the Windows Group Policy Management Console or the Windows Administrative Tools using the appliance GPO Provisioning Tool before returning to the appliance.

a.
Log in to the appliance Administrator Console, https://appliance_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.
b.
On the left navigation bar, click Settings, then click Provisioning.
c.
On the Provisioning panel, click Agent Provisioning Assistant.
The Agent Provisioning Assistant: Step 1 of 3 page appears.
2.
Select the check box for Provisioning Using Windows Group Policy (recommended), and click Next to display the Agent Provisioning Assistant: Step 2 of 3 page.

Installing and starting the tool requires leaving the appliance interface.

NOTE: Only GPOs for which you have permission to edit are displayed in the tool.
6.
Return to the Agent Provisioning: Step 2 of 3 page in the appliance when you have completed working in the tool, and click Next.
7.
Click Finish on the Agent Provisioning: Step 3 of 3 page.

Agents are installed on the client devices after the Group Policy is refreshed on those devices. Depending on the environment, this installation takes place either when the device reboots, or after a 90-minute refresh cycle occurs for the Group Policy.

Go to the Devices page to keep track of the progress of devices having the agents installed and checked in.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating