The Deployment Agent is a software agent that must be deployed to all clients managed by the Management Center. The Deployment Agent runs as a Windows Service and performs tasks on the client when instructed by the Management Server. These tasks include the installation, upgrade and uninstallation of User Workspace Manager agents and configurations, and the collection and uploading of auditing information from any User Workspace Manager product agent.
The Deployment Agent polls the Management Servers periodically as determined by the poll period of the deployment group of which it is a member. Membership of a deployment group is determined by the set of membership rules as defined within the Management Console. During each poll, the Deployment Agent asks the Management Server which agents, configurations and prerequisites should be installed on the client, and which auditing events should be collected. The Deployment Agent uses this information to ensure only the correct set of agents and configurations are installed on the client and to filter the events collected by the User Workspace Manager product agents. The Deployment Agent periodically uploads all collected events to the Management Server.
Certificate Deployment via the Management Center will support both Azure Active Directory Conditions and RunAs actions. Currently we do not support deployment of certificates for HTTPS. All certificates deployed via the Management Center must be in .PFX format. This includes any combined certificates (all certificates within a combined certificate must be .PFX).
The Access Credentials are used to specify a list of credentials used by the Management Server to install the Deployment Agent.
These credentials must be supplied before attempting to install the Deployment Agent on any endpoint via the Management Console.
These credentials can be set up globally for the Management Server in Home > Global Settings > Access Credentials tab, or per Deployment Group in Home > Deployment Groups > [Deployment Group] > Details section > Manage Credentials button.
Access Credentials configured through Global Settings apply to all Deployment Groups by default, unless specific credentials have been defined within a specific Deployment Group. In this case, the Deployment Group’s Access Credentials take precedence over the default global credentials.
Caution: You will not be able to install the Deployment Agent on any endpoint using the integrated Install Deployment Agent functionality if the credentials have not been set up.
To add Access Credentials, enter a user name and password. These credentials are stored in the database. The Server Configuration Portal (SCP) creates an RSA public-private key pair that is stored in the Microsoft Cryptographic Provider of the server. This key is used to encrypt and decrypt the credentials stored in the database and therefore secures the information.
On attempting to install the Deployment Agent, the credentials supplied are tried in the order defined in the list. These credentials can be ordered by making use of the Move Up and Move Down options in the Actions panel.
When communicating with the Management Server, the Deployment Agent will make use of the designated Client Authentication model as specified in the Management Server Configuration Utility during installation of the Management Server. This makes use of either Anonymous or Windows Authentication.
When Anonymous authentication is selected, the Deployment Agent communicates with the Management Server using a specific account designated for anonymous access, IUSR_[server name].
All interactions with the Management Server then inherit the permissions assigned to this account.
When Windows authentication is used, the computer credentials are used to communicate with the Management Server. An issue may occur that results in the following message being displayed:
Unable to access the Master Key on the server, error was Keyset does not exist.
This is caused by the service accounts being unable to access the decryption certificate stored on the Management Server. To resolve this issue, any identities that are used by the services of Management Center must be granted sufficient permission to access the key store. This is achieved by using the following command line:
aspnet_regiis.exe -pa AppSenseMasterKey <DOMAIN>\<USERNAME>
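To confirm the grant took effect and to review which identities can read the master key, the following added example (not part of the product documentation) lists the ACL on the AppSenseMasterKey container. It assumes Windows PowerShell 5.1 run elevated on the Management Server and a machine-level key container in the default RSA machine key store; the service account name in the allow-list is a placeholder.

```powershell
# Added example: audit who can read the AppSenseMasterKey RSA key container.
# Assumptions: Windows PowerShell 5.1 (.NET Framework), elevated session,
# machine-level container held in the default RSA MachineKeys folder.
$containerName = 'AppSenseMasterKey'   # container name from the command above
$expected = @(                         # placeholder allow-list; replace with your own identities
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'EXAMPLE\svc-managementcenter'
)

$csp = New-Object System.Security.Cryptography.CspParameters
$csp.KeyContainerName = $containerName
# UseExistingKey prevents .NET from silently creating a new, empty container.
$csp.Flags = [System.Security.Cryptography.CspProviderFlags]'UseMachineKeyStore, UseExistingKey'

try {
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider($csp)
} catch {
    # A missing container and a missing read permission both surface
    # as "Keyset does not exist", the same text as the error above.
    Write-Error "Cannot open key container '$containerName': $($_.Exception.Message)"
    return
}

try {
    # The container is backed by a file whose ACL is what the -pa switch modifies.
    $keyDir  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
    $keyFile = Join-Path $keyDir $rsa.CspKeyContainerInfo.UniqueKeyContainerName

    (Get-Acl -LiteralPath $keyFile).Access | ForEach-Object {
        [pscustomobject]@{
            Identity = $_.IdentityReference.Value
            Rights   = $_.FileSystemRights
            Type     = $_.AccessControlType
            # False marks an identity that is not on the allow-list and needs review.
            Expected = $expected -contains $_.IdentityReference.Value
        }
    } | Sort-Object Expected, Identity | Format-Table -AutoSize
} finally {
    # A named container is persisted by default, so Dispose releases the
    # handle without deleting the key.
    $rsa.Dispose()
}
```

Any row with Expected set to False is an identity that can decrypt the stored Access Credentials and should be justified or removed; aspnet_regiis.exe -pr takes the same container and account arguments to revoke access.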
Once the Deployment Agent has been installed successfully, the Deployment Agent service registers with the Management Server.
There are a number of ways in which the Deployment Agent can register with the Management Server:
- If the Deployment Agent is installed directly via the Install Deployment Agent option within the Management Console, it automatically registers with the Management Server.
- If the Deployment Agent is installed manually using the ClientCommunicationsAgent.msi file as downloaded from the Management Server website, a valid Management Server must be supplied to allow the Deployment Agent to communicate and register with the Management Server.
- If the Deployment Agent is installed manually from the command line, a valid Management Server URL must be included and, optionally, a specific Deployment Group with which to self-register.
The Deployment Agent can only self-register if Allow self-registration is selected in Home > Deployment Groups > [Deployment Group] > Settings > General tab > Deployment Agent Permissions.
If a Deployment Group is not specified during the installation process, or the relevant group does not allow Deployment Agents to self-register, the Management Server searches the membership rules. If a match is found, the computer is placed in the matching group. If no match is found, the computer is placed in the catch-all (Default) Deployment Group.
After the Deployment Agent registers with the server, the Deployment Agent service implements the policies to install software, generate events and poll the server for further changes and package updates.
All available agent, configuration and prerequisite packages are stored within the Management Server database, which is populated by the Management Server installation procedure.
The Deployment Agent on the managed endpoint device downloads from the Management Server a list of the packages assigned to its deployment group. This list is then compared with what is installed on the endpoint.
If this list of assigned packages differs from what is installed on the endpoint, the required packages are downloaded from the Management Server. Computer restart is co-ordinated according to the installation schedule settings as specified on the relevant deployment group. Packages are then installed on either computer shutdown or restart depending on the deployment group installation settings. Configurations and deployed Deployment Agent upgrades can be installed mid-session without a reboot depending on the deployment group settings.