Policy Group Detail

To access the Policy Group Detail page, click a group listed on the Policy Groups page. The page lists all of the devices that belong to the policy group, along with their device details.

Actions available:

  • Edit Actions and Agent Settings: Select to open the Policy Group Details panel. From here you can update the name, description, peer download controls, bandwidth utilization, capabilities, reboot settings, and device credentials. Once edited, click Deploy Changes.
  • Add Devices: Select to display check boxes in the device list. Select the devices on which you want to install the agent policy. If credentials for the devices are required, the Policy Group Details panel displays for you to enter the credentials. Select Add Devices to start the deployment.

    This option is not available for a deployment representative or for a connector server device.

  • Remove Devices: Select to show a check box column in the devices list, then select the check box for each device from which you want to uninstall the agent policy. Once selected, click Remove and Uninstall Agents. The agent will be uninstalled from all selected devices and the Deployment Status will change from Current to Uninstalled. Once the page is refreshed, the device will not appear in the list.
    The agent must check in for this action to be successful. If there is no agent on the device and the Deployment Status doesn't proceed from Uninstalling, select Remove Devices for a second time to remove the device from the list.
  • Retry Failed Deployments: Select to retry failed installations of the Ivanti Neurons agent that is being deployed via a Policy Group. Possible causes of failure are: the device is switched off, the network to the device is offline, or the deployment credentials are invalid. See How to troubleshoot Deployment Issues for further help.

Policy Group Details

The Policy Group Details panel displays when you select to Create New Policy Group or Edit Actions and Agent Settings for an existing policy group.

Policy Group Name: The name for the policy group.

Description: The description of the policy group.

Peer Download Controls

Peer-to-peer download uses multicast (which is subnet bound) and allows devices on a network to share agent, engine, and configuration installations with one another. For further multicast configuration, please refer to your network administrator.
One device can connect directly with another without going through an intermediary server. The more devices you have, the more efficiently a peer-to-peer network performs compared with a client-server network, because the file transfer load is distributed between the devices. It is also more reliable than a client-server network because it will remain functional if there is a server connection issue.
Peer-to-peer supports digitally signed and sideloaded patches. Patches that are automatically downloaded from the vendor and are not digitally signed are not supported by peer-to-peer, for example, 7-Zip and Core FTP. The server will share only OS-applicable patches with the client; for example, a Server 2019 will only share 2019 patches.

Select from the following options:

  • Disabled: Content will not be shared with clients or downloaded from servers.
  • Client Only: Content will not be shared with clients. Content will be downloaded from servers.
  • Server Only: Content will be shared with clients.
  • Client & Server: Content will be shared with clients and downloaded from servers.

Peer clients retain content for 2 days and peer servers retain content for 2 weeks. If Client & Server is selected, content is also cached for 2 weeks.

When using peer download, ensure your firewall allows UDP and TCP traffic on ports 33121 and 33122.

Bandwidth Utilization

Select the bandwidth utilization percentages. These limits will restrict how much of the network bandwidth can be used for Ivanti Neurons agent downloads. This can be used to prevent the agent consuming all of the bandwidth when used over limited or metered bandwidth connections, allowing other resources to utilize the network at the same time.

  • LAN Utilization (%): Set the maximum allowed percentage between 10 and 100. This throttles the network bandwidth allocated for downloading Ivanti Neurons agent and capabilities to the set percentage for the local area network (LAN).
    LAN ranges are determined as:
    • 10.0.0.0 - 10.255.255.255 (10/8 prefix)
    • 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
    • 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
  • Internet/WAN Utilization (%): Set the maximum allowed percentage between 10 and 100. This throttles the network bandwidth allocated for downloading Ivanti Neurons agent and capabilities to the set percentage for the wide area network.
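
The following is an added example, not Ivanti code: it evaluates the three LAN ranges listed above for a set of constructed addresses and returns which utilization cap the ranges imply. How the agent itself applies the classification is not described on this page; treating every address outside the listed ranges as WAN, and the function names, are assumptions of the sketch.

```python
import ipaddress

# LAN ranges exactly as listed on this page (the three RFC 1918 blocks).
LAN_NETWORKS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def link_type(address):
    """Return 'LAN' if the address is in a listed range, otherwise 'WAN'.

    Assumption: anything outside the listed ranges (IPv6 included) counts
    as WAN; the page only defines what is LAN.
    """
    ip = ipaddress.ip_address(address)
    if ip.version == 4 and any(ip in net for net in LAN_NETWORKS):
        return "LAN"
    return "WAN"

def check_percent(name, value):
    """Both utilization fields accept 10 to 100 inclusive."""
    if not 10 <= value <= 100:
        raise ValueError(f"{name} must be between 10 and 100, got {value}")
    return value

def applicable_limit(address, lan_percent, wan_percent):
    """Return the utilization cap (%) implied by the listed ranges."""
    lan = check_percent("LAN Utilization (%)", lan_percent)
    wan = check_percent("Internet/WAN Utilization (%)", wan_percent)
    return lan if link_type(address) == "LAN" else wan

# Constructed sample addresses, chosen to sit on and around the boundaries.
SAMPLE_ADDRESSES = [
    "10.20.30.40",      # inside 10/8
    "172.31.255.255",   # last address of 172.16/12
    "172.32.0.1",       # just past 172.16/12
    "192.168.1.10",     # inside 192.168/16
    "100.64.0.5",       # shared address space, not in the listed ranges
    "169.254.10.1",     # link-local, not in the listed ranges
    "203.0.113.7",      # documentation range, stands in for a public address
]

def report(addresses, lan_percent, wan_percent):
    """Map each address to (link type, cap that would apply)."""
    return {a: (link_type(a), applicable_limit(a, lan_percent, wan_percent))
            for a in addresses}

if __name__ == "__main__":
    for addr, (kind, cap) in report(SAMPLE_ADDRESSES, 80, 25).items():
        print(f"{addr:16} {kind:3} capped at {cap}%")
```

The ranges are listed explicitly because Python's `ipaddress.is_private` covers more than these three blocks, so it would not reproduce the page's definition.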

Capabilities

The available capabilities are license dependent. Please refer to your Ivanti Neurons package for included product capabilities. To learn more about these options, refer to the relevant Help topic.

Select which agent capabilities to enable for the policy group:

  • Remote Control: Allows IT analysts to securely remote control endpoints so they can troubleshoot problems.
  • Edge Intelligence: Provides real-time insights, as well as remediation and alerting capabilities for your environment. Data is retrieved from devices in real-time, at the moment you request it.
    If Edge Intelligence is disabled, troubleshooting data will not be present in Devices. Certain functionality in People will also be impacted: latest location and Active Directory Status. Edge Intelligence and Neurons will not return data against those devices targeted by the policy.
  • Automation: Enables Neurons Platform to communicate with a wide array of systems outside of Neurons Platform. It can be used to retrieve information or to perform tasks. The user experience revolves around three concepts: What, Who, When.
    If Automation is disabled, you will not be able to run actions on those devices targeted by the policy from Ivanti Neurons Platform > Devices/Edge Intelligence/Neurons, including creating and viewing support tickets in ISM and ServiceNow.
  • Patch Management: Provides zero trust security capabilities and brings a continuous vulnerability management experience to help organizations manage and prioritize vulnerabilities, from detection through to remediation.
    • Patch Configuration: Select the patch configuration to apply to the policy group. A patch configuration controls the patch deployments; the type of patches included, the schedule of deployment, and also the reboot behavior for the endpoints. The drop-down list displays all available patch configurations. Configurations are set up in Ivanti Neurons > Patch Management > Patch Settings.

    To successfully deploy patches with the Ivanti Neurons Agent to Windows devices, do not disable the Windows Update service, but set it to either Manual or Automatic. In addition, set the Windows Update setting on each target machine (Control Panel > System and Security > Windows Update > Change settings) to Never check for updates. For more information, see this article on the Ivanti Community.

  • App Distribution: Deploys third-party enterprise applications that are installed through .exe or .msi files.
    • (SYSTEM) Default: Automatically selected and non-configurable.
  • Application Control: Provides application control and privilege and policy management. Learn more in the Application Control Help.
    • Configuration: Select the Application Control configuration to apply to the policy group. The configuration controls which Application Control settings are deployed to the endpoint. Learn more about Ivanti Neurons and Application Control integration.
  • Environment Manager: Delivers on-demand personalization and context-aware policy controls. Learn more in the Environment Manager Help.
    • Configuration: Select the Environment Manager configuration to apply to the policy group. The configuration controls which Environment Manager settings are deployed to the endpoint. Learn more about Ivanti Neurons and Environment Manager integration.
  • Performance Manager: Helps your IT teams maximize user density and deliver an optimal user experience. Learn more in the Performance Manager Help.
    • Configuration: Select the Performance Manager configuration to apply to the policy group. The configuration controls which Performance Manager settings are deployed to the endpoint. Learn more about Ivanti Neurons and Performance Manager integration.

Reboot Requests

Updates to the Ivanti Neurons Agent may require a reboot. You can configure whether reboots are requested, and when.

Additional Ivanti Neurons Agent Capabilities can be configured to request reboots, so be sure to review those settings to fully understand the expected behavior.
Patch Management Reboot Settings can be found in Patch Management > Patch Settings > Configuration > Configuration behavior.
App Distribution Reboot Settings can be found in App Distribution > App Catalog > App > Package tab > Reboot Action.

It is recommended to have server devices and end user devices in different policy groups, so that you can set the reboot settings accordingly for those devices that do not have active end users.

Action after a reboot request

Ivanti Neurons agent and capability reboot request settings. These apply to all requested reboots across the Ivanti Neurons Platform, for this policy group.

  • Reboot when user signs out: Select to reboot at the time the user next signs out.
  • Reboot after interval: Select to reboot after the following configured time:
    • Countdown timer: Enter the value and unit (minutes, hours, days). Maximum is 31 days. The Countdown timer value can be no higher than the Up to a maximum postponement value.
    • Duration to display shutdown message: Enter the value and unit (seconds, minutes) for the time duration for which to display the shutdown message. Maximum is 999 seconds, or 16 minutes.
  • User can postpone reboot: Select to provide the user with the option to postpone reboots.
    • By: Enter the value and unit (minutes, hours, days) for the period for which the user can choose to postpone reboots. Maximum is 14 days.
    • Up to a maximum: Enter the value and unit (minutes, hours, days) for the maximum period for which a user can choose to postpone reboots. Maximum is 31 days. This value must be greater than the Countdown timer value. Be aware when setting the number of days, that any pending updates will not take effect until a reboot has taken place.
  • User can defer reboot until sign out: Select to allow the user to postpone the reboot until they next sign out.
  • User can cancel reboot: Select to allow the user to cancel the reboot.

Agent Automatic Update

The Ivanti Neurons Agent automatically updates itself with bug fixes and enhancements. Sometimes updates require a reboot.

  • Requests reboots when needed: Select to request a reboot when one is required.
    If selected, the Action after a reboot request settings come into effect.
  • Do not request reboots: Select to have no reboots requested. If reboots are not requested, some of the agent components may not be fully functional. A manual reboot will be required.
    If selected, and you are using Patch Management or App Distribution, it is recommended to also review those reboot settings.

Agent Installation

Available when creating a new policy group.

  • Install Ivanti Neurons Agent to devices in this Policy Group: Select whether you want to install the Ivanti Neurons Agent to the devices within this policy group.
    Select Yes to enable the Select Device Credentials option. You must then select the device access credentials.
    • Select Device Credentials: Select the access credentials needed for the devices in the policy group.
      • Manage credentials in Credential Store: Click to open the Credential store (Ivanti Neurons > Admin > Credentials). Add new credentials. The credentials will now be available in the Policy Group > Select Device Credentials drop-down list.
    • Deployment Representative: Select the deployment representative you want to use for deployment. This will be overridden if you select Prefer local deployment representative, unless the one selected is on the local subnet.
      • Prefer local deployment representative: Select if you want to look for a deployment representative on the local subnet before using the specified deployment representative above. If one is found on the same subnet of the target device, this will be used and not the one specified. If one is not found, the specified deployment representative will be used.

Select No to choose not to supply credentials. A message displays on group creation, warning that you have a device in the group that has no agent installed.

Next - Choose Devices: Only available when creating a new policy group. Displays the Device list. Select the devices to assign this group policy to and click Deploy Agent.

Deploy Changes: Only available when editing an existing policy group. Select to deploy the changes to all devices in the policy group.