To access the Policy Group Detail page click on a group listed on the Policy Groups page. All of the devices and device details that belong to the policy group are listed.
- Edit Actions and Agent Settings: Select to open the Policy Group Details panel, from here you can update the name, description, peer download controls, bandwidth utilization, capabilities, reboot settings, and device credentials. Once edited, click Deploy Changes.
- Add Devices: Select to display check boxes in the device list. Select the devices on which you want to install the agent policy. If credentials for the devices are required, the Policy Group Details panel displays for you to enter the credentials. Select Add Devices to start the deployment.
This option is not available for a deployment representative or for a connector server device.
Linux and macOS Devices
You can apply SSH fingerprint security to the device. SHA256 hashed fingerprints are supported. When you select a check box, an open padlock icon appears. Click the icon to display the SSH Fingerprint options dialog. You have the following options:
- Deploy without using SSH Fingerprint: Select to continue deployments with no SSH fingerprint verification.
- Retrieve SSH Fingerprint: Select to send a request to retrieve the SSH fingerprint from the device.
  - If this option is selected, once the fingerprint of the device has been received, the SSH Fingerprint retrieved icon displays in the Deployment Status column on the Policy Group Detail page.
  - Click the icon to display the SSH Fingerprint options dialog; this time the dialog will have a Use Retrieved option.
  - Select the Use Retrieved option to display the fingerprint in the Fingerprint text box. The Deploy after verifying the SSH Fingerprint option also becomes selected.
  - Select OK to close the dialog.
  - Now that you have the correct fingerprint and have selected to Deploy after verifying the SSH Fingerprint, you can attempt deployment. To do this, on the Policy Group Detail page, select Retry Failed Deployments.
  - On the Retry Failed Deployments dialog, select the credentials and deployment representative as necessary.
  - Select OK to start deployment.
- Deploy after verifying the SSH Fingerprint: Select to continue deployments only with the specified SSH fingerprint. Enter the fingerprint in the Fingerprint text box. If you do not know the fingerprint, or want to check that it is the correct one, select the Retrieve SSH Fingerprint option first; you can then populate the Fingerprint text box with the Use Retrieved option. See above for details.
Tip: To manually obtain the SHA256 SSH Fingerprints on a device, open a terminal and enter:
sudo ssh-keyscan localhost | ssh-keygen -l -E sha256 -f -
Troubleshooting: If you experience an error when deploying using SSH Fingerprint and the Deployment Representative DeploymentEngine.log file reports the following error:
sudo: sorry, you must have a tty to run sudo
Check out the Shell Tips to resolve the issue. After the changes have been made, you need to retry deployment.
A device using SSH Fingerprint security displays the closed padlock icon.
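As an added example (not part of the Ivanti documentation), the following Python computes the same SHA256 fingerprint that the ssh-keygen command in the tip prints, starting from an ssh-keyscan output line, and compares it against the fingerprint entered in the policy group. The host key bytes are constructed for the example and are not a real key.

```python
import base64
import hashlib
import hmac

# Constructed sample of what `ssh-keyscan localhost` prints for one host key.
# The 32 key bytes are an arbitrary constructed value, not a real host key.
_CONSTRUCTED_ED25519_BLOB = (
    b"\x00\x00\x00\x0bssh-ed25519"              # SSH string: key type
    + b"\x00\x00\x00\x20" + bytes(range(32))     # SSH string: 32 key bytes
)
SAMPLE_KEYSCAN_LINE = "localhost ssh-ed25519 " + base64.b64encode(
    _CONSTRUCTED_ED25519_BLOB).decode()


def sha256_fingerprint(keyscan_line: str) -> tuple[str, str]:
    """Return (key_type, fingerprint) for one ssh-keyscan output line.

    The fingerprint is what `ssh-keygen -l -E sha256` prints: "SHA256:" plus
    the unpadded base64 of the SHA-256 digest of the decoded public key blob.
    """
    fields = keyscan_line.split()
    if len(fields) < 3:
        raise ValueError("expected '<host> <key-type> <base64-key>'")
    key_type, b64_key = fields[1], fields[2]
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return key_type, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_matches(keyscan_output: str, expected: str) -> bool:
    """True if any host key in the scan output has the expected fingerprint.

    ssh-keyscan prints one line per key type (rsa, ecdsa, ed25519), so the
    fingerprint entered in the policy group need only match one of them.
    Comment lines starting with '#' are skipped; comparison is constant-time.
    """
    for line in keyscan_output.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _, fp = sha256_fingerprint(line)
        if hmac.compare_digest(fp, expected.strip()):
            return True
    return False
```

A deployment that is configured to verify the fingerprint should stop, rather than fall back to an unverified connection, when fingerprint_matches returns False.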
- Remove Devices: Select to show a check box column in the devices list, then select the check box for each device from which you want to uninstall the agent policy. Once selected, click Remove and Uninstall Agents. The agent will be uninstalled from all selected devices and the Deployment Status will change from Current to Uninstalled. Once the page is refreshed, the device will not appear in the list.
The agent must check in for this action to be successful. If there is no agent on the device and the Deployment Status does not proceed from Uninstalling, select Remove Devices a second time to remove the device from the list.
You cannot remove a Deployment Representative device. To learn more go to Deployment Representatives.
- Retry Failed Deployments: Select to retry failed installations of the Ivanti Neurons agent that is being deployed via a Policy Group. Possible causes of failure are: the device is switched off, the network path to the device is offline, or the deployment credentials are invalid. See How to troubleshoot Deployment Issues for further help.
The Policy Group Details panel displays when you select to Create New Policy Group or Edit Actions and Agent Settings for an existing policy group.
Policy Group Name: The name for the policy group.
Description: The description of the policy group.
Peer download allows devices on a network to share agent, engine and configuration installations between one another. One device can connect directly with another without going through an intermediary server. A peer-to-peer network performs more efficiently than a client-server network the more devices you have, because the file transfer load is distributed between them. It is also more reliable than a client-server network because it remains functional if there is a server connection issue.
Peer-to-peer supports digitally signed and sideloaded patches. Patches that are downloaded automatically from the vendor but are not digitally signed (for example, 7-Zip and Core FTP) are not supported by peer-to-peer. A server peer will share only OS-applicable patches with a peer client; for example, a Server 2019 peer will share only its 2019 patches, and nothing later, with a Windows 11 client.
Select from the following options:
- Disabled: Files will not be shared with or downloaded from peers.
- Client Only: Files will not be shared with peers. Files will be downloaded from peers.
- Server Only: Files will be shared with peers. Files will not be downloaded from peers.
- Client & Server: Files will be shared with and downloaded from peers.
Peer clients retain files for 2 days and peer servers retain files for 2 weeks. However, if Client & Server is selected, then this will also have the effect of caching for 2 weeks.
When using peer download, ensure your firewall allows UDP and TCP traffic on ports 33121 and 33122.
Select the bandwidth utilization percentages. These limits will restrict how much of the network bandwidth can be used for Ivanti Neurons agent downloads. This can be used to prevent the agent consuming all of the bandwidth when used over limited or metered bandwidth connections, allowing other resources to utilize the network at the same time.
- LAN Utilization (%): Set the maximum allowed percentage, between 10 and 100. This throttles the network bandwidth allocated for downloading the Ivanti Neurons agent and capabilities to the set percentage for the local area network (LAN). For multicast peers this is the local subnet only.
LAN ranges are determined as:
- 10.0.0.0 - 10.255.255.255 (10/8 prefix)
- 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
- 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
- Internet/WAN Utilization (%): Set the maximum allowed percentage, between 10 and 100. This throttles the network bandwidth allocated for downloading the Ivanti Neurons agent and capabilities to the set percentage for the wide area network (WAN).
The available capabilities are license-dependent; refer to your Ivanti Neurons package for the included product capabilities. To learn more about these options, refer to the relevant Help topic.
Select which agent capabilities to enable for the policy group:
- Remote Control: Allows IT analysts to securely remote control endpoints so they can troubleshoot problems.
- Edge Intelligence: Provides real-time insights, as well as remediation and alerting capabilities for your environment. Data is retrieved from devices in real-time, at the moment you request it.
If Edge Intelligence is disabled, troubleshooting data will not be present in Devices. Certain functionality in People will also be impacted: latest location and Active Directory status. Edge Intelligence and Neurons will not return data for the devices targeted by the policy.
- Automation: Enables Neurons Platform to communicate with a wide array of systems outside of Neurons Platform. It can be used to retrieve information or to perform tasks. The user experience revolves around three concepts: What, Who, When.
If Automation is disabled, you will not be able to run actions on those devices targeted by the policy from Ivanti Neurons Platform > Devices/Edge Intelligence/Neurons, including the creating and viewing of support tickets in ISM and ServiceNow.
- Patch Management: Provides zero trust security capabilities and brings a continuous vulnerability management experience to help organizations manage and prioritize vulnerabilities, from detection through to remediation.
- Patch Configuration: Select the patch configuration to apply to the policy group. A patch configuration controls the patch deployments; the type of patches included, the schedule of deployment, and also the reboot behavior for the endpoints. The drop-down list displays all available patch configurations. Configurations are set up in Ivanti Neurons > Patch Management > Patch Settings.
To successfully deploy patches with the Ivanti Neurons Agent to Windows devices, do not disable the Windows Update service, but set it to either Manual or Automatic. In addition, set the Windows Update setting on each target machine (Control Panel > System and Security > Windows Update > Change settings) to Never check for updates. For more information, see this article on the Ivanti Community.
- App Distribution: Deploys third-party enterprise applications that are installed through .exe or .msi files.
- (SYSTEM) Default: Automatically selected and non-configurable.
- Application Control: Provides application control and privilege and policy management. Learn more in the Application Control Help.
- Configuration: Select the Application Control configuration to apply to the policy group. The configuration controls which Application Control settings are deployed to the endpoint. Learn more about Ivanti Neurons and Application Control integration.
- Environment Manager: Delivers on-demand personalization and context-aware policy controls. Learn more in the Environment Manager Help.
- Configuration: Select the Environment Manager configuration to apply to the policy group. The configuration controls which Environment Manager settings are deployed to the endpoint. Learn more about Ivanti Neurons and Environment Manager integration.
- Performance Manager: Helps your IT teams maximize user density and deliver an optimal user experience. Learn more in the Performance Manager Help.
- Configuration: Select the Performance Manager configuration to apply to the policy group. The configuration controls which Performance Manager settings are deployed to the endpoint. Learn more about Ivanti Neurons and Performance Manager integration.
Updates to the Ivanti Neurons agent components may require a reboot; you can configure whether reboots are requested, and when. Additional Ivanti Neurons agent capabilities can be configured to request reboots. Go to the relevant feature to configure those settings.
It is recommended to have server devices and end user devices in different policy groups, so that you can set the reboot settings accordingly for those devices that do not have active end users.
Action after a reboot request
Ivanti Neurons agent and capability reboot request settings. These apply to all requested reboots across the Ivanti Neurons Platform, for this policy group.
- Reboot when user signs out: Select to reboot at the time the user next signs out.
- Reboot after interval: Select to reboot after the following configured time:
- Countdown timer: Enter the value and unit (minutes, hours, days). Maximum is 31 days. The Countdown timer value can be no higher than the Up to a maximum postponement value.
- Duration to display shutdown message: Enter the value and unit (seconds, minutes) for the time duration for which to display the shutdown message. Maximum is 999 seconds, or 16 minutes.
- User can postpone reboot: Select to provide the user with the option to postpone reboots.
- By: Enter the value and unit (minutes, hours, days) for the period for which the user can choose to postpone reboots. Maximum is 14 days.
- Up to a maximum: Enter the value and unit (minutes, hours, days) for the maximum period for which a user can choose to postpone reboots. Maximum is 31 days. This value must be greater than the Countdown timer value. Be aware when setting the number of days, that any pending updates will not take effect until a reboot has taken place.
- User can defer reboot until sign out: Select to allow the user to postpone the reboot until they next sign out.
- User can cancel reboot: Select to allow the user to cancel the reboot.
Agent Automatic Update
The Ivanti Neurons Agent automatically updates itself with bug fixes and enhancements. Sometimes updates require a reboot.
- Requests reboots when needed: Select to request a reboot when they are required.
- Do not request reboots: Select to not request a reboot. If reboots are not requested, some of the agent components may not be fully functional. A manual reboot will be required.
Available when creating a new policy group.
- Install Ivanti Neurons Agent to devices in this Policy Group: Select whether you want to install the Ivanti Neurons Agent to the devices within this policy group.
Select Yes to enable the Select Device Credentials option; you must then select the device access credentials.
- Select Device Credentials: Select the access credentials needed for the devices in the policy group.
- Manage credentials in Credential Store: Click to open the Credential store (Ivanti Neurons > Admin > Credentials). Add new credentials. The credentials will now be available in the Policy Group > Select Device Credentials drop-down list.
- Deployment Representative: Select the deployment representative you want to use for deployment. If you select Prefer local deployment representative, this choice is overridden unless the selected representative is on the local subnet.
- Prefer local deployment representative: Select if you want to look for a deployment representative on the local subnet before using the deployment representative specified above. If one is found on the same subnet as the target device, it is used instead of the one specified. If none is found, the specified deployment representative is used.
You have three subnets, 1, 2 and 3, and three deployment representatives, A, B and C:
- Deployment representatives A and C are on subnet 1
- Deployment representative B is on subnet 2
- No deployment representative is on subnet 3
Scenario 1: Leave Deployment Representative as the default Use local deployment representative:
- Deployment representative A or C will attempt to deploy to subnet 1, depending on which is found first.
- Deployment representative B will attempt to deploy to subnet 2.
- Deployments will fail on subnet 3 because there is no deployment representative.
Scenario 2: Select Deployment Representative A and leave the Prefer local deployment representative check box unselected:
- Deployment representative A will attempt to deploy to subnets 1, 2 and 3.
Scenario 3: Select Deployment Representative A and select the Prefer local deployment representative check box:
- Deployment representative A will attempt to deploy to subnets 1 and 3.
- Deployment representative B will attempt to deploy to subnet 2.
Select No to choose not to supply credentials. A message displays on group creation, warning that you have a device in the group that has no agent installed.
Next - Choose Devices: Only available when creating a new policy group. Displays the Device list. Select the devices to assign this group policy to and click Deploy Agent.
Deploy Changes: Only available when editing an existing policy group. Select to deploy the changes to all devices in the policy group.