Management and Security powered by Landesk

Agent configuration for Macintosh devices

Ivanti® Endpoint Manager powered by Landesk uses agent configurations to gain control of devices and manage them. Macintosh agent configurations are pushed to unmanaged Macintosh devices using the same process used to push agents to Windows devices.

The Default Mac Configuration package contains the required agent for controlling Macintosh devices. In order to manage your Macintosh devices, you need to:

  1. Create a Mac configuration with the Agent Configuration tool
  2. Deploy the Mac agent to your Mac devices

After the agents have been installed, your Macintosh devices become managed devices. Then you can create custom configurations to have greater control of these devices. Custom agents are easily implemented once your devices are managed.

NOTE: All devices must support TCP/IP.

Deploying agents to Macintosh devices that use Secure Shell (SSH)

To place agents on Macintosh devices that have Secure Shell (SSH) turned on, you must specify the SSH login credentials for the unmanaged Mac devices by selecting Configure > Services > Scheduler > Change Login from the Windows console. You can then use the same push-based agent deployment you would use for Windows devices.

Deploying and installing agents on Macintosh devices that do not use Secure Shell (SSH)

To place agents on Macintosh devices that do not have Secure Shell (SSH) turned on, you will need to decide on an alternate deployment method, such as:

  • Accessing the agent from LDLogon/Mac using a Web browser and e-mailing the configuration package to users.
  • Putting the configuration package on a CD or other removable media and taking it to each Macintosh device.

Deploying agent configurations for Macintosh devices

Use the Agent configuration tool to create and update (replace) custom configurations for your Macintosh devices. You can create different configurations for your specific needs, such as changing inventory scanner settings, remote control permissions, or what network protocols the agents use.

In order to push a configuration to devices, you need to create or update an agent configuration and then schedule the task.

Create or update the agent configuration

Set up specific configurations for your devices. Don't use parentheses in your Macintosh agent configuration names. Parentheses in the name will cause the deployment task to fail.

To create an agent configuration for Macintosh devices
  1. Click Tools > Configuration > Agent configuration.
  2. Select a configuration group (My configurations or Public configurations). On the toolbar, click the New agent configuration button > New Mac agent configuration.
  3. Complete the options in the Agent configuration dialog box. For more information, see Using the Macintosh agent configuration dialog.
  4. Click Save.

To update an agent configuration
  1. Click Tools > Configuration > Agent configuration.
  2. Right-click the agent configuration to be updated and select Properties.
  3. Make the updates to the agent configuration.
  4. Click Save.

Schedule the agent configuration

You can push agent configurations to devices that have the standard Ivanti agent installed. Use the Scheduled tasks tool to deploy your new or updated agent configuration.

To schedule an agent configuration for Macintosh devices
  1. Click Tools > Configuration > Agent configuration.
  2. Right-click the agent configuration to be scheduled and select Schedule agent deployment.
  3. From the network view, drag devices, groups, or queries onto the task to target devices for the task.
  4. Select the task, click the Properties button on the toolbar, and schedule a time to start the task.

Manually running agent configurations for Macintosh devices

You can manually run agent configurations for Macintosh devices once they have been created or updated. When you create an agent configuration, the following file is created in the LDLogon/Mac folder on your core server:

  • <agent configuration name>.mpkg.zip

The LDLogon/Mac folder is a Web share and should be accessible from any browser. Follow the instructions for installing the agent (see Manually running agent configurations for Macintosh devices), but insert your agent configuration file name instead of the default file name.

Uninstalling Macintosh agents

To uninstall Macintosh agents, run uninstallmacagent.sh from \\<core>\ldmain.

Using the Macintosh agent configuration dialog

This section describes the agent configuration dialog for Macintosh devices. The dialog includes the following pages:

  • Start
  • Application policy management
  • Inventory
  • Remote control
  • Standard Ivanti agent
  • Patch and compliance scan
  • Antivirus
  • Tenant
  • OSX profiles

About the Start page

  • Configuration name: Type a unique name for the agent configuration.
  • Default configuration: Select this check box to make this the default Macintosh agent configuration.
  • Agent components to install: Standard Ivanti agent is selected by default. You can also select Ivanti Antivirus.
  • Do not run client status menu: Select this check box if you don't want end users to see the status bar menu that lets them run installs and scans.

About the Application policy management page

Use this page to configure settings for the policy-based distribution agent. 

  • TCP port number: Specifies the port the policy-based distribution agent will use to communicate with the core server. The default port is 12176. You'll need to make sure this port is open on any firewalls between devices and the core server. If you change this port, you'll also need to change it on the core server. You can change the port the QIP server service uses by editing the following registry key: HKLM\Software\Intel\LANDesk\LDWM\QIPSrvr
  • Run when IP address changes: If selected, a scan is triggered when the IP address changes.
  • Change settings: Changes settings and configures a custom schedule based on time, day of week or month, and whether a user is logged in. The default schedule is to run a scan every day with a random delay of up to one hour.

About the Inventory page

Use this page to configure the inventory scanner.

  • Send scan to LDMS core server: Sends the scan information to the core server database.
  • Save scan in directory: The directory where the data from the scan is saved. If you select both the core server option and this option, the scan information will go to both locations.
  • Choose scan components: Select the components you want to scan. Not selecting all components may slightly increase scanning speed.
  • Force software scan: Forces the device to do a software scan with each inventory scan, regardless of whether the core server indicates one is due.
  • Run when IP address changes: The IP address trigger sends only a mini scan to the core server, which makes the inventory much faster when the IP address changes.
  • Change settings: Changes settings and configures a custom schedule based on time, day of week or month, and whether a user is logged in. The default schedule is to run a scan every day with a random delay of up to one hour.

About the Remote control page

Use this page to configure the remote control agent.

  • Local template: This is the most basic security, using whatever remote control settings are specified on the device. This model doesn't require any other authentication or group membership.
  • Integrated security: This is the most secure option. Integrated security follows this communication flow:
    1. The remote control viewer connects to the managed device's remote control agent, but the agent replies that integrated security authentication is required.
    2. The viewer requests remote control rights from the core server.
    3. The core server calculates remote control rights based on the viewer's scope, role-based administration rights, and Active Directory rights. The core server then creates a secure signed document and passes it back to the viewer.
    4. The viewer sends this document to the remote control agent on the managed device, which verifies the signed document. If everything is correct, the agent allows remote control to begin.
  • Permission required: Prompts the user for permission to be remote-controlled whenever someone initiates a remote control session. If the user isn't at the keyboard or denies permission, the remote control session won't start.
  • Open applications and files: Permits a remote user to open files on this device.
  • Copy items: Permits a remote user to copy files to and from this device.
  • Delete and rename items: Permits a remote user to delete or rename files that reside on this device.
  • Lock keyboard and mouse: Permits a remote user to lock your keyboard and mouse during a remote control session. This option prevents you from interfering with remote actions.
  • Blank screen: Permits a remote user to make your screen go blank during a remote control session. This option is useful if your device contains sensitive documents that an administrator may need to open remotely without letting others read them if they happen to walk by your device monitor.
  • Restart and shut down: Permits a remote user to restart or shut down your device.
  • Control and observe: Permits a remote user to remote control and observe your actions on this device. The administrator can't do anything except watch your actions.
  • Alert when observing: When a remote control session is active, displays a visual cue in the menu bar.
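
The integrated security flow described above can be modeled as follows. This is an added example, not Ivanti code or the product's document format: the claim fields, the device binding, the expiry, the role table, and all names are assumptions, and an HMAC stands in for the core server's signature so that the example runs on the Python standard library.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC is a stand-in for the core server's signature;
# with an asymmetric signature the agent would hold only a verification key.
CORE_KEY = b"constructed-demo-key"

# Hypothetical role table: scope (devices) and rights for each console user.
ROLES = {
    "alice": {"scope": {"mac-042"}, "rights": {"observe", "control"}},
    "bob": {"scope": {"mac-042"}, "rights": {"observe"}},
}

def _sign(body: str) -> str:
    return hmac.new(CORE_KEY, body.encode(), hashlib.sha256).hexdigest()

def core_issue(user, device, now, ttl=60):
    """Steps 2-3: core computes rights from scope and role, then signs them."""
    entry = ROLES.get(user)
    if entry is None or device not in entry["scope"]:
        return None  # no rights on this device, so no document is issued
    claims = {"user": user, "device": device,
              "rights": sorted(entry["rights"]), "expires": now + ttl}
    body = json.dumps(claims, sort_keys=True)
    return {"body": body, "sig": _sign(body)}

def agent_verify(doc, my_device, action, now):
    """Steps 1 and 4: agent demands a document, then verifies it."""
    if doc is None:
        return "denied: integrated security authentication required"
    if not hmac.compare_digest(_sign(doc["body"]), doc["sig"]):
        return "denied: bad signature"
    claims = json.loads(doc["body"])
    if claims["device"] != my_device:
        return "denied: issued for another device"
    if now > claims["expires"]:
        return "denied: expired"
    if action not in claims["rights"]:
        return "denied: right not granted"
    return "allowed"

if __name__ == "__main__":
    now = 1_700_000_000  # constructed timestamp
    doc = core_issue("bob", "mac-042", now)
    for action in ("observe", "control"):
        print(action, "->", agent_verify(doc, "mac-042", action, now))
```

The agent never decides rights itself; it only checks that the document it received is intact and applies to this device and this action.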

About the Standard Ivanti agent page

Use this page to configure agent security and management scope. For more information on agent security, see Agent security and trusted certificates. For more information on scope, see Role-based administration overview.

  • Trusted certificates: Lists the certificates on the core server. The client must have a certificate that matches the certificate on the core server for agent communication to be authorized. These certificates are used to authenticate agent communication. You can enter a domain name or IP address for the client to use when communicating with the core server. The remote control agent for Macintosh doesn't use a certificate.
  • Path: Defines the device's computer location inventory attribute. Scopes are used by role-based administration to control user access to devices, and can be based on this custom directory path. The path is optional.

About the Patch and compliance scan page

Use this page to configure scheduling for patch and compliance scans.

  • Change settings: Changes settings and configures a custom schedule based on time, day of week or month, and whether a user is logged in. The default schedule is to run a scan every day with a random delay of up to one hour.
  • Use alternate update server: Specify a different core server to use for patch and compliance updates if the main core server is not available.
  • Scan and repair settings: Select the settings that you want to use for patch and compliance scans.
  • Configure: View all available scan and repair settings. Edit or create new settings and select the settings that you want to use for patch and compliance scans.

About the Antivirus page

Use this page to specify which antivirus settings are included with the agent.

  • Ivanti Antivirus settings: Select the settings that you want to use for antivirus scans.
  • Configure: View all available antivirus settings. Edit or create new settings and select the settings that you want to use for antivirus scans.
  • Include Antivirus setup files: Antivirus setup files (which are 158 MB) are included when the Macintosh agent is scheduled and downloaded to the Macintosh device.
  • Exclude Antivirus setup files: When the Macintosh agent is deployed, the Antivirus setup files are downloaded from the core server. This makes the agent package smaller.

About the Tenant page

Use this page if you have the Tenant management add-on for Endpoint Manager. You can assign an agent configuration to a tenant within your organization.

  • Assign a tenant to this configuration: Select this check box if this Macintosh agent configuration is only used with a tenant in your organization.
  • Choose a tenant: Select a tenant from the list of available tenants that have been defined in the Ivanti Management Console.

About the OSX profiles page

Use this page if you want to use an OSX profile with the Macintosh agent.

  • Apply OSX profiles to this configuration: Select this check box to use an OSX profile with this Macintosh agent.
  • Choose which OSX profiles to apply: Select the settings to use with this Macintosh agent.
  • Configure: View all available OSX profile settings. Edit or create new settings and select the settings that you want to use for this Macintosh agent.

 

