KACE Systems Management Appliance 9.1 Common Documents - Administrator Guide

Editing SCAP scan schedules

You can view or edit a benchmark schedule on the Script Detail page. This page allows you to manage and customize scripts for configuring, scheduling, and specifying which devices the SCAP scan runs on. The scripts for SCAP are standard KScripts.

NOTE: This section does not provide information about every feature available on the Script Detail page; it only contains information pertinent to using and understanding a SCAP scan.

You can access the Script Detail page from the Benchmark wizard, as described in Access SCAP Scan information, and from the SCAP Scan Schedules page, as described in View SCAP scan results.

View the resolved XCCDF files

You can view the input files generated by the SCAP scan resolution process.

A benchmark is loaded into the server and the XCCDF file undergoes a process called resolution, which generates the input files necessary to run a particular profile.

1. Go to the Script Detail page:
   a. Log in to the KACE SMA Administrator Console, http://KACE_SMA_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.
2. (Optional) To add any supporting executable files necessary to run the script, scroll down to the Dependencies section, then click Add a new dependency, then click Browse or Choose File.
3. Optional: To view the details of these files, click and download the selected ZIP file.

View the OVAL timestamp

You can view the OVAL timestamp (the time the OVAL document was compiled).

1. Go to the Script Detail page:
   a. Log in to the KACE SMA Administrator Console, http://KACE_SMA_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.
2. Scroll down to the Dependencies section, then click benchmark.zip and extract the OVAL XML file. For example, fdcc-winxp-oval.xml.
3. In the OVAL file, look for <oval:timestamp>.
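
The lookup in step 3 can be scripted when several benchmark archives need to be checked for stale OVAL content. The Python below is an added example, not KACE or Quest code; it assumes the downloaded benchmark.zip holds OVAL files with the standard OVAL generator element, and the sample archive, the member names other than fdcc-winxp-oval.xml, and the size cap are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

# Namespace of the OVAL common schema, which defines <oval:timestamp>.
OVAL_COMMON_NS = "http://oval.mitre.org/XMLSchema/oval-common-5"
TIMESTAMP_TAG = "{%s}timestamp" % OVAL_COMMON_NS
MAX_MEMBER_BYTES = 64 * 1024 * 1024  # assumed cap to bound memory use


def parse_xsd_datetime(text):
    """Parse an xsd:dateTime value; a trailing 'Z' means UTC."""
    text = text.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    return datetime.fromisoformat(text)


def oval_timestamps(zip_bytes):
    """Return {member name: datetime} for each OVAL XML file in the archive.

    Members are read into memory and never extracted, so paths stored in
    the archive are not used as file-system paths.
    """
    found = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            name = info.filename
            if info.is_dir() or not name.lower().endswith(".xml"):
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                continue
            try:
                root = ET.fromstring(archive.read(info))
            except ET.ParseError:
                continue  # not well-formed XML
            stamp = next(root.iter(TIMESTAMP_TAG), None)
            if stamp is None or not stamp.text:
                continue  # for example an XCCDF file, which has no OVAL generator
            try:
                found[name] = parse_xsd_datetime(stamp.text)
            except ValueError:
                continue  # timestamp present but not parseable
    return found


# Constructed sample input: a minimal OVAL document and a non-OVAL XML file.
SAMPLE_OVAL = b"""<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                  xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5">
  <generator>
    <oval:product_name>constructed sample</oval:product_name>
    <oval:schema_version>5.3</oval:schema_version>
    <oval:timestamp>2009-01-15T09:30:00.000-05:00</oval:timestamp>
  </generator>
</oval_definitions>
"""
SAMPLE_OTHER = b"<Benchmark xmlns='http://checklists.nist.gov/xccdf/1.1'/>"


def build_sample_zip():
    """Build an in-memory stand-in for benchmark.zip (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("fdcc-winxp-oval.xml", SAMPLE_OVAL)
        archive.writestr("fdcc-winxp-xccdf.xml", SAMPLE_OTHER)  # constructed name
        archive.writestr("readme.txt", b"not XML")
    return buf.getvalue()


if __name__ == "__main__":
    for member, stamp in oval_timestamps(build_sample_zip()).items():
        print(member, stamp.isoformat())
```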

View script tasks

You can view tasks associated with a particular script.

1. Go to the Script Detail page:
   a. Log in to the KACE SMA Administrator Console, http://KACE_SMA_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.
2. Scroll down to the Task sections.

The Task sections are displayed on the Script Detail page.

View SCAP scan results

The Scan Results page shows the results of SCAP scans per device. From this page you can access detailed information about each scan.

1. Go to the SCAP Scan page:
   a. Log in to the KACE SMA Administrator Console, http://KACE_SMA_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.
   b. On the left navigation bar, click Security, then click SCAP Scan.
   c. On the SCAP Scan panel, click Reporting.
2. Optional: To display the results for a specific benchmark, select the desired benchmark in the View By drop-down list, which appears above the table on the right.

| Section | Description |
| --- | --- |
| Device Name | The device on which the scan was run. |
| Benchmark - Profile | The particular profile in a benchmark that was used. |
| Scanned | The date and time that the scan was run. |
| Passed | The number of rules that the device passed. |
| Failed | The number of rules that the device failed. |
| Other | The number of rules having other values such as error, unknown, not checked, not applicable, and informational. The XCCDF specification also defines “not selected”, which is excluded from the results. |
| Total | The total number of rules that were executed. |
| Compliance | The percentage of rules that were passed. |
| Score | The default score defined by the benchmark. |
| Result | The Pass or Fail results of the scan. |

A page containing the details of the scan result for the selected device appears. The following table describes each section in more detail:

| Section | Description |
| --- | --- |
| Summary | General information about the benchmark. |
| Test Results | Test results in a tree structure that represents the grouping of the rules. Symbols display the pass-fail status of a rule. You can click a rule to open a dialog box containing the rule’s details. |
| Scores | Compliance scores for each scoring model as defined for the benchmark. |
| Results by CCE | Pass-fail results by CCE. The FDCC requires that compliance is reported by CCE. |
| Result XML files | Links to the XML files:<br>XCCDF Benchmark: The file processed by the XCCDF file and formatted into a single results file (xccdf-results.xml) from each run of the OVAL scanning engine.<br>CPE Inventory: The file output by the first run of the OVAL scanning engine to test whether the benchmark applies to the device being scanned.<br>Oval Compliance: The file output by the second run of the OVAL scanning engine to test the device against the rules defined in the benchmark.<br>OVAL Patches: The file output by the third run of the OVAL scanning engine to ensure that the security patches are up-to-date. |

See How a SCAP scan works.

The Viewing Details for that rule appears. This page shows a description of the rule from the XCCDF definition, whether the device passed or failed the rule, and the XML for the rule.
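
The Passed, Failed, Other, Total, and Compliance columns and the Results by CCE section can be recomputed from a downloaded xccdf-results.xml file, which is useful for cross-checking a report. The Python below is an added example, not KACE or Quest code; it assumes Compliance is passed divided by total, as the column descriptions read, and the sample results document, rule ids, and CCE ids are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter


def local_name(tag):
    """Drop the namespace so XCCDF 1.1 and 1.2 results are both handled."""
    return tag.rsplit("}", 1)[-1]


def summarize_xccdf(xml_bytes):
    """Tally rule results the way the Scan Results columns are described."""
    root = ET.fromstring(xml_bytes)
    counts = Counter()
    by_cce = {}
    for node in root.iter():
        if local_name(node.tag) != "rule-result":
            continue
        result = "unknown"
        cces = []
        for child in node:
            name = local_name(child.tag)
            text = (child.text or "").strip()
            if name == "result" and text:
                result = text
            elif name == "ident" and text.startswith("CCE-"):
                cces.append(text)
        if result == "notselected":
            continue  # defined by XCCDF but excluded from the results
        # Anything that is neither pass nor fail is counted as Other
        # (assumption for values the page does not list, such as "fixed").
        counts[result if result in ("pass", "fail") else "other"] += 1
        for cce in cces:
            by_cce[cce] = result
    total = counts["pass"] + counts["fail"] + counts["other"]
    compliance = round(100.0 * counts["pass"] / total, 1) if total else 0.0
    return {
        "passed": counts["pass"],
        "failed": counts["fail"],
        "other": counts["other"],
        "total": total,
        "compliance": compliance,
        "by_cce": by_cce,
    }


# Constructed sample: six rule results, one of them "notselected".
SAMPLE_RESULTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="constructed-benchmark">
  <TestResult id="constructed-test-result">
    <rule-result idref="rule-a"><result>pass</result>
      <ident system="http://cce.mitre.org">CCE-0000-1</ident></rule-result>
    <rule-result idref="rule-b"><result>pass</result>
      <ident system="http://cce.mitre.org">CCE-0000-2</ident></rule-result>
    <rule-result idref="rule-c"><result>fail</result>
      <ident system="http://cce.mitre.org">CCE-0000-3</ident></rule-result>
    <rule-result idref="rule-d"><result>notapplicable</result></rule-result>
    <rule-result idref="rule-e"><result>error</result></rule-result>
    <rule-result idref="rule-f"><result>notselected</result>
      <ident system="http://cce.mitre.org">CCE-0000-4</ident></rule-result>
  </TestResult>
</Benchmark>
"""


if __name__ == "__main__":
    print(summarize_xccdf(SAMPLE_RESULTS))
```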

Download benchmarks from the archive

On a daily basis, the KACE SMA gathers the SCAP scan results from devices and creates an archive for each benchmark. The benchmark archive consists of a ZIP file that can be sent to the appropriate agency, such as the US OMB (United States Office of Management and Budget).

1. Go to the SCAP Catalog list:
   a. Log in to the KACE SMA Administrator Console, http://KACE_SMA_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.
   b. On the left navigation bar, click Security, then click SCAP Scan.
   c. On the SCAP Scan panel, click Catalog.
3. In the Download Results Archive field, click the ZIP file to download the archive.

About security policy templates

Security policy templates enable you to create security policies or scripts. These scripts can be deployed to the devices on your network to manage their security settings.

Windows templates include:

Mac templates include:

Using Windows security policy templates

You can use security policy templates to create scripts that configure security settings on Windows devices.

NOTE: If you edit a template-based policy, keep Run As set to local system. Using local system ensures that the script has full access to the Windows system, including the registry. Running the script as a different user might not provide adequate access to the Windows system.

Add Internet Explorer scripts

Use this template to create a script that controls Internet Explorer preferences. You can control specific preferences while keeping others as user-defined.

Policy settings overwrite the corresponding user’s Internet Explorer preferences. Because this script modifies user settings, schedule it to run when users are logged in.

1. Go to the Security Policies list:
   a. Log in to the KACE SMA Administrator Console, http://KACE_SMA_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.
   b. On the left navigation bar, click Scripting, then click Security Policies.
2. Click Internet Explorer to display the Windows Internet Explorer page.

| Option | Description |
| --- | --- |
| Name | A name that identifies the script. This name appears on the Scripts page. |
| User Home Page | Enforce User home page policy: Force the user’s home page to the specified page. Select the check box, then specify the URL to use as the home page. |
| Security | Enforce Internet Zone settings policy: Specify the security level for each zone. Select the check box, then choose the security level from the Security level drop-down list.<br>Enforce Local Internet Zone settings policy: Specify the security level for intranet zones. Select the check box, then choose the security level from the Security level drop-down list and choose the sites to include.<br>Enforce Trusted Zone settings policy: Specify the security level of trusted zones. Select the check box, then choose the security level from the Security level drop-down list.<br>Enforce Zone Map: Select the check box, then specify the IP addresses or ranges. |
| Privacy | Control the cookies and pop-ups that are accepted by Internet Explorer from the Internet Zone. Select from these options:<br>Enforce Privacy settings policy: Select the check box, then set the Cookie policy.<br>Enforce Pop-up settings policy: Select the check box, then set the Pop-up filter level. |

4. Click Save to display the Script Detail page.
6. To edit the raw XML used in the script, click Edit XML below the Schedule section.
7. Click Save.

Add XP SP3 Firewall scripts

Use this template to create scripts that enforce firewall settings on Windows XP Service Pack 3 devices.

If target devices authenticate with a domain controller, they use the Domain Policy. Otherwise, they use the Standard Policy, and tighter restrictions might be advised.

Script settings override existing settings on devices. Further, if a script disables the firewall on a device, the device user cannot enable the firewall. If the firewall is set to no policy, the user's configuration for the firewall is used.

1. Go to the Security Policies list:
   a. Log in to the KACE SMA Administrator Console, http://KACE_SMA_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.
   b. On the left navigation bar, click Scripting, then click Security Policies.
2. Click XP SP3 Firewall to display the Windows XP SP3 Firewall page.

| Option | Description |
| --- | --- |
| Name | A name that identifies the script. This name appears on the Scripts page. |
| Domain Policy | The policy used when the device has authenticated with a domain controller. If you do not have a domain controller, use the Standard Policy configuration. |
| Standard Policy | The policy used when the device has not authenticated with a domain controller, for example, when a device user is at home or using a Wi-Fi® hotspot. This configuration is more restrictive than the Domain Policy. |

4. If you select the Enabled option for the firewall, specify the following options:

| Option | Description |
| --- | --- |
| Enable logging | Enable the firewall to log information about the unsolicited incoming messages that it receives. The firewall also records information about messages that it blocks and successful inbound and outbound messages. Specify a location and name for the log file. The default is: C:\Program Files\KACE\firewall.log |
| Allow WMI traffic | Enable inbound TCP traffic on ports 135 and 445 to traverse the firewall. These ports are necessary for using remote administration tools such as the Microsoft Management Console (MMC) and Windows Management Instrumentation (WMI). |
| Allow Remote Desktop | Enable inbound TCP traffic on port 3389 to traverse the firewall. This port is required for the device to receive Remote Desktop requests. |
| Allow File and printer sharing | Enable inbound TCP traffic on ports 139 and 445, and inbound UDP traffic on ports 137 and 138. These ports are required for the device to act as a file or printer sharing server. |
| Allow Universal Plug-and-Play (UPnP) | Enable inbound TCP traffic on port 2869 and inbound UDP traffic on port 1900. These ports are required for the device to receive messages from plug-and-play network devices, such as routers with built-in firewalls. |

5. To specify Inbound Port Exceptions, click Add Port Exception.

   Inbound port exceptions enable additional ports to be opened in the firewall. These ports might be required for the device to run other network services. An Inbound Port Exception is automatically added for port 52230 for the KACE Agent Listener, which is required to use the Run Now command.

6. Specify a Name, Port, Protocol, and Source for the exception and click Save Changes.
7. Click Save at the bottom of the page to display the Script Detail page.
9. To edit the raw XML used in the script, click Edit XML below the Schedule section.
10. Click Save.

Add McAfee AntiVirus scripts

Use this template to create scripts that install the selected McAfee VirusScan® features on devices.

Upload the McAfee Antivirus installation files to the appliance as a ZIP archive. When you upload the ZIP archive, the McAfee application is added to the appliance software inventory if it does not already exist.

This script verifies that the software is installed with the configuration you specify. The script also confirms that the On Access Scanner (McShield) is running.

1. Go to the Security Policies list:
   a. Log in to the KACE SMA Administrator Console, http://KACE_SMA_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.
   b. On the left navigation bar, click Scripting, then click Security Policies.
2. Click McAfee AntiVirus to display the McAfee Antivirus for Windows page.

| Option | Description |
| --- | --- |
| Name | A name that identifies the script. This name appears on the Scripts page. |
| McAfee 8.0 Setup Zip | The ZIP archive that contains the installation files to use for the script. Click Browse or Choose File to select the ZIP archive. Click Software Inventory to go to the Software Detail page to select the ZIP archive. |
| User Interaction | How the installation appears to users. For a description of the available options, see the McAfee documentation. |
| McAfee Features | The features to be installed. Use Ctrl-click or Command-click to select multiple features. To install the Alert Manager, use the McAfee tools to include the Alert Manager installation files in the deployment package. See the McAfee documentation for information about available features. |
| Enable On-Access Scanner | Select this check box to start McAfee's automatic file scanner after the installation is complete. The On-Access scanner scans files whenever they are accessed, for example, when opening a file or running a program. |
| Preserve earlier version settings | Select this check box to preserve the present configuration settings for the On-Access Scanner before the update occurs. |
| Lockdown VirusScan Shortcuts | Select this check box to not display any VirusScan shortcuts in the Windows Start menu. |
| Remove other antivirus software | Select this check box to remove competing anti-virus software that could conflict with McAfee. |
| Installation Directory | The directory on the target device where the application is to be installed. |
| Source Paths | Provide the path to the source McAfee ZIP file uploaded to the appliance. |
| Logging | The information to record in the installation log. Use Ctrl-click or Command-click to select multiple items. |
| Log File Name | The name of the log file. |
| Additional Arguments | Any additional arguments. |
| Reboot | Whether to restart the target device after installation. |
| After Installation | The action to be performed after installation. Options include Run AutoUpdate or Run AutoUpdate silently. You can also select to Scan all local drives or Scan all local drives silently. |

4. Click Save to display the Script Detail page.
6. To edit the raw XML used in the script, click Edit XML below the Schedule section.
7. Click Save.

Add McAfee SuperDAT scripts

Use this template to create scripts that apply McAfee SuperDAT or XDAT updates to managed devices.

Obtain the McAfee SDAT or XDAT file to use with this script.

1. Go to the Security Policies list:
   a. Log in to the KACE SMA Administrator Console, http://KACE_SMA_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.
   b. On the left navigation bar, click Scripting, then click Security Policies.
2. Click McAfee SuperDAT to display the McAfee SuperDAT for Windows page.

| Option | Description |
| --- | --- |
| Name | A name that identifies the script. This name appears on the Scripts page. |
| SDAT or XDAT file | The installation files to use for the script. Click Browse or Choose File to select the ZIP archive. Click Software Inventory to go to the Software Detail page to select the ZIP archive. |
| Install Silently | The file is installed without displaying installation feedback or progress on the device. |
| Prompt For Reboot | If the installation requires the device to be rebooted, prompt the user before rebooting. |
| Reboot If Needed | The device is rebooted as needed. Without this option, a silent installation does not reboot the device. |
| Force Update | All file versions are updated, even if the device already appears to have the latest versions. |

4. Click Save to display the Script Detail page.
6. To edit the raw XML used in the script, click Edit XML below the Schedule section.
7. Click Save.

Add Symantec AntiVirus scripts

Use this template to create scripts that install and configure the Symantec AntiVirus application. The script is intended to run periodically to ensure that Symantec AntiVirus is configured and running properly.

Upload the Symantec AntiVirus.msi file to be distributed. When you upload the file, the application is added to the appliance inventory if it does not already exist.

2. Go to the Security Policies list:
   a. Log in to the KACE SMA Administrator Console, http://KACE_SMA_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.
   b. On the left navigation bar, click Scripting, then click Security Policies.
3. Click Symantec AntiVirus to display the Symantec AntiVirus for Windows page.

| Option | Description |
| --- | --- |
| Name | A name that identifies the script. This name appears on the Scripts page. |
| Action | The task to be performed. Tasks include Install, Uninstall, Repair missing files, and Reinstall all files. |
| Software | The application to use for the script. To search for an application, begin typing in the field. |
| MSI Filename | The MSI filename (required if the file is a ZIP archive). |
| User Interaction | How the installation appears to users. Options include: Default, Silent, Basic UI, Reduced UI, and Full UI. |
| Install Directory | The directory on the target device where the application is to be installed. |
| Additional Switches | Any additional installer switches. Additional switches are inserted between the msiexec.exe and the /i foo.msi arguments. |
| Additional Properties | Any additional properties. These are inserted at the end of the command line. For example: msiexec.exe /s1 /switch2 /i patch123.msi TARGETDIR=C:\patcher PROP=A PROP2=B |
| After Install | What to do with the installation files when installation is complete. |
| Restart Options | Whether to restart the target device after installation. |
| Logging | The information to record in the installation log. Use Ctrl-click or Command-click to select multiple items. |
| Log File Name | The name of the log file. |
| Network Management | The network type. |
| Server Name | If you select Managed from the Network Management drop-down list, specify the server name. |
| Enable AutoProtect | The AutoProtect option. |
| Disable SymProtect | The Disable SymProtect option. |
| Run Live Update | The Live Update behavior. |
| Features to Install | The features you want to install from the Features to Install list. Use Ctrl-click or Command-click to select multiple features. See the Symantec documentation for specific information about the options available here. You must include the SAVMain feature for this script to work properly (although this template does not enforce this requirement). |

5. Click Save to display the Script Detail page.
7. To edit the raw XML used in the script, click Edit XML below the Schedule section.
8. Click Save.