Creating Deployment Packages
When you create an Ivanti Device and Application Control client deployment package, the Client Deployment tool copies the local client setup .MSI file and creates an .MST transform file that is linked to the .MSI file.
Before you can successfully create an Ivanti Device and Application Control client deployment package, you must:
- Have access to the LESClient.msi or LESClient64.msi file on the computer where you will deploy the client packages.
- If there is a firewall between the Client Deployment tool installed on the client computer and the targeted computer(s), you must verify that firewall ports are open.
- Synchronize the Application Server's system clock with the Ivanti Device and Application Control database server's system clock using the Microsoft Windows time service. See Time Service for details about using the Microsoft Windows time service.
- Start the Windows Remote Registry service on the remote client computer.
- Have a valid digital certificate on the client computer that deploys the client and test the TLS connection between the Application Server.
Important: In Windows Server 2008 operating systems there is a security setting which blocks access to the admin$ share required for Client Deployment. When the following error message is received failed to start the remote registry service. Access is denied you must confirm the correct registry keys. Check the following registry keys:
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy? and change the DWORD entry to 1 to resolve the access to admin$ share problem.
• If the LocalAccountTokenFilterPolicy registry entry does not exist then it has to be created.
The .MSI file contains the information necessary deploy the Ivanti Device and Application Control client to targeted computers.
- From the Ivanti Device and Application Control Client Deployment dialog, click New Package.
The New Packages dialog opens.>
- To select deployment package, select the ellipses from the Source panel.
- In the Package panel, enter a name for the deployment package in the Name field.
- Click OK.
The Options -Ivanti Device and Application Control Installation Transform dialog opens.
- Click Import public key.
- Select the sx-public.key file.
If there is no sx-public.key file in your client setup folder, then the installation continues using the default public key.
The Client Deployment tool copies the selected public key to the appropriated folder for client deployment.
- In the Name or IP field(s), enter the fully qualified domain name(s) or IP address(es) for the Application Server(s) installed in your environment.
Tip: You may enter alternative port numbers, as necessary. When you do not specify fully qualified domain name(s) or IP address(es), the Ivanti Device and Application Control clients are deployed in a serverless mode.
- If Ivanti Device and Application Control is set up to use more than one Application Server, you may select the Automatic Load Balancing check box to allow clients to contact any available Application Server.
- To specify that the Ivanti Device and Application Control client uses the TLS communication protocol, select the TLS check box.
- To disable Device Control for NDIS devices, select the Disable NDIS protection for devices check box.
- To validate the fully qualified domain name(s) or IP address(es) for the Application Server(s), click Test Connection.
You will receive a confirmation message indicating whether the server connection is successful or not. If not, you follow the error resolution directions.
- From the “Add or Remove Programs” list options panel, select one of the following options:
- To suppress preventive actions associated with Application Control, select the Suppress preventive actions related to the Application Control feature check box.
- In the Specify the policy import time-out (in minutes) field, enter a numerical value.
- Click OK.
The client deployment package files are copied to the specified directory. The new deployment package is listed in the Packages panel of the Ivanti Device and Application Control Client Deployment dialog.
The shaded options are only valid when are installing versions client lower than 4.3. These options are:
• Do not validate name or IP before installing - Provides an Application Server address or name that is not currently available but is accessible after deployment.
• Enable wireless LAN protection - An option available in 2.8 clients lower that is now deprecated by permissions rules.
NDIS enables Device Control to control 802.1x wireless adapters. If you do not need this protection, you may disable it here.
List the program with a “Remove button”
Displays the Ivanti Device and Application Control product name in the Add or Remove Program list in the Windows Control Panel with the Remove option.
List the program but suppress the “Remove button”
Displays the Ivanti Device and Application Control product name in the Add or Removes Program list in the Windows Control Panel without the Remove option.
Do not list the program
Does not display the Ivanti Device and Application Control product name in the Add or Remove Program list in the Windows Control Panel.
After Completing This Task
Verify the location of the LESClient.mst file created in the deployment package folder you specified, by selecting Packages > Options from the Ivanti Device and Application Control Client Deployment dialog.