Managing Agent Policy Sets

Use Agent Policy Sets to control agent behavior. Agent Policy Sets are basic rules which define how agents behave.

Apply Agent Policy Sets to groups to implement your policies for those groups. There is a policy for every agent function.

The Agent Policy Sets Page

You can control agent behavior by creating and assigning Agent Policy Sets. Use the Agent Policy Sets page to define agent rules of behavior.

You can access this page at any time from the navigation menu.

About Agent Policies and Agent Policy Sets

Agent Policies are rules that govern agent behavior. Agent Policy Sets are collections of agent policy values.

Assign agent policies to groups using the Agent Policy Sets view. Based on group membership, agents operate according to the values in assigned Agent Policy Sets. Assignment of Agent Policy Sets is optional.

Groups without assigned Agent Policy Sets have their behavior defined by the Global System Policy. The Global System Policy does the following:

  • Defines behavior for groups with no assigned policy set.
  • Defines policy values for incomplete agent policy sets.

When agents holding multiple group memberships are assigned conflicting agent policy values, they are resolved with conflict resolution rules. These rules are a set of protocols that determine which policy value an agent uses when conflicts occur. For additional information, refer to Defining Agent Policy Conflict Resolution.

About Agent Hardening

Agent Policy Sets include Agent Hardening policies, which are policies used to prevent unauthorized Ivanti Endpoint Security Agent removal.

Agent Hardening (when set to On):

  • Prevents the Ivanti Endpoint Security Agent installation location (C:\Program Files\HEAT\EMSSAgent by default) from being renamed, edited, or deleted.
  • Hardens the agent, meaning the agent cannot be intentionally or unintentionally modified.
  • Still allows you to upgrade or uninstall the agent after entering the agent uninstall password or the global uninstall password; the password is only required when modifying the agent locally from the endpoint.

Global uninstall password:

Important: The Global uninstall password option is only available when editing the Global System Policy agent policy set. Refer to Changing the Global Uninstall Password for additional information.

The Global uninstall password is a universal password that temporarily disables agent uninstall protection. This password works on all network endpoints. You are prompted for this password when manually upgrading or uninstalling hardened agents.

Note:

  • Ivanti does not recommend providing end users with the global uninstall password in uninstall scenarios. The Global uninstall password should be used by the Ivanti Endpoint Security Administrator only.
  • In the event an end user needs to uninstall the Ivanti Endpoint Security Agent, provide them with the Agent uninstall password, a password that works only for their endpoint. For additional information, refer to Viewing the Agent Uninstall Password.

Viewing the Agent Policy Sets Page

Navigate to this page to view Agent Policy Sets and their policy settings. Expand policy sets to view the individual policy settings.

You can access this page any time using the navigation menu.

  1. From the Navigation Menu, select Manage > Agent Policy Sets.
  2. [Optional] Complete a task listed in Working with Agent Policy Sets.

Defining Agent Policy Inheritance Rules

You can configure a group to inherit policies from its parent hierarchy using the Policy inheritance setting.

Because a group can inherit policies and have them directly assigned, policy conflicts may arise. The following rules apply when a group has Policy Inheritance set to True:

  1. Conflicting policies assigned to the parent, but not to the child, are resolved at the parent level using the conflict resolution rules.
  2. Agent Policy Set values directly assigned to a group supersede inherited Agent Policy Set values.
  3. Any conflicting policies that are assigned directly to the child group are resolved by conflict resolution rules.
  4. Any Agent Policy Set values that are undefined by the group’s directly assigned policy are defined by the parent’s group policy.
  5. Policy values still undefined are defined by the Global System Policy set.

    For more information on how to enable a group's Policy Inheritance setting, refer to Editing Group Settings.

    For more information on Conflict Policy Resolution rules, refer to Defining Agent Policy Conflict Resolution.

Defining Agent Policy Conflict Resolution

On occasion, a group or endpoint may be assigned two different Agent Policy Sets that have conflicting policies. When this occurs, the system determines which policy to use based on the Agent Policy Conflict Resolution rules.

Conflicting policies are resolved in the following order.

  1. Group Policies - Conflicting policy sets assigned to a group are resolved before conflicting policy sets assigned to an agent are resolved.

    The following rules apply if a group has Policy Inheritance set to False:

    1. The group does not inherit its parent policy set. Therefore, only policy sets assigned directly to the group require resolution.
    2. Conflicting policies are resolved according to the agent policy conflict resolution rules.

    The following rules apply if a group has Policy Inheritance set to True:

    1. The group inherits its parent policy set. Any conflicting policy sets are resolved at the parent level prior to assignment to the child level.
    2. Conflicting policies assigned directly to the group are resolved using the agent policy conflict resolution rules. Any policy set values assigned directly to a group supersede inherited policy set values.
    3. Finally, any policies that are undefined by direct assignment are defined by inheritance.
  2. Agent Policies - After resolving the group policies, the conflicting policies assigned to an endpoint (through its group membership) are resolved. The following rules apply:
    1. The resultant policies of all groups the endpoint is a member of are resolved according to the agent policy conflict resolution rules.
    2. Any policy values that have not been defined through the agent's group membership are populated from the policy settings defined in the Global System Policy.

Conflict resolution rules do not apply to the Global System Policy.

The following table defines the rules used when resolving conflicting policy settings. Note that for the HTTP download settings the resolution favors true (Y), so a single assigned policy set that permits HTTP downloads enables them for every endpoint affected by the conflict; review the sets assigned to a group together rather than individually.

Policy Setting | Resolution
Hide Agent Control Panel | The agent uses true (Y).
Core: Download file via HTTP | The agent uses true (Y).
Maximum Log File Size | The agent uses the largest log file size value.
Logging Level | The agent uses the most comprehensive logging level value (Trace [4] > Diagnostic [3] > Normal [2] > Error [1] > Critical [0]).
Agent uninstall protection | The agent uses On.
Show alerts on endpoints | The agent uses false (N).
Reboot behavior | The agent uses a combination of the most secure value, while still giving the user the best chance to save their work. Values are preferred in the following order: Notify user, user response required before reboot (0); Don't notify user, wait for next user-initiated reboot (2); Notify user, automatically reboot with 5 minute timer (1).
Core: Heartbeat Interval | The agent uses the largest heartbeat interval value.
Core: Receive Interval | The agent uses the largest receive interval value.
Core: Timeout Interval | The agent uses the largest timeout interval value.
Core: Send Interval | The agent uses the largest send interval value.
Device Control |
Install and Enable SKNDIS | The agent uses the install enabled value (1).
DC: Reporting Interval | The agent uses the largest report interval value.
DC: Monitor Interval | The agent uses the largest monitor interval value.
Power Management |
PM: Enabled | The agent uses enabled.
PM: Detection Interval | The agent uses the smallest Power Management detection interval.
PM: Reporting Interval | The agent uses the smallest Power Management report interval.
Patch and Remediation |
Maximum Transfer Rate | The agent uses the smallest maximum transfer rate value.
Minimum File Size | The agent uses the smallest minimum file size value.
Agent Scan Mode | The agent uses the fastest agent scan mode value (Fast Scan [2] > Initial Scan [1] > Normal Scan [0]).
Scheduling Frequency | The agent uses the shortest scheduling frequency interval value.
PR Deployment: User May Cancel | The agent uses true (Y).
PR Deployment: Always On Top | The agent uses true (Y).
PR Deployment: Deploy within | The agent uses the smallest deploy within value.
PR Deployment: User May Snooze | The agent uses false (N).
Resume Interrupted Downloads | The agent uses false (N).
Patch: FastPath Interval | The agent uses the shortest FastPath interval.
Patch: FastPath Servers | The agent uses all of the defined FastPath servers.
Patch: Download packages via HTTP | The agent uses true (Y).
Agent Listener Port | The agent listens on the highest defined port.
PR Reboot: User May Cancel | The agent uses false (N).
PR Reboot: Always On Top | The agent uses true (Y).
PR Reboot: Reboot within | The agent uses the smallest reboot within value.
PR Reboot: User May Snooze | The agent uses false (N).
Patch: Agent to Server Communication | The agent uses true (https://).
Patch: Communication Interval | The agent uses the shortest communication interval value.
Hours of Operation: Monday | The agent uses Always On.
Hours of Operation: Tuesday | The agent uses Always On.
Hours of Operation: Wednesday | The agent uses Always On.
Hours of Operation: Thursday | The agent uses Always On.
Hours of Operation: Friday | The agent uses Always On.
Hours of Operation: Saturday | The agent uses Always On.
Hours of Operation: Sunday | The agent uses Always On.
InventoryCollectionOption: BIOS | The agent uses ON.
InventoryCollectionOption: CPU | The agent uses ON.
InventoryCollectionOption: CUSTOM | The agent uses ON.
InventoryCollectionOption: DISK_DRIVE | The agent uses ON.
InventoryCollectionOption: ENABLE_WMI | The agent uses ON.
InventoryCollectionOption: HW_DEV_OTHER | The agent uses ON.
InventoryCollectionOption: HW_IDE_CONTROL | The agent uses ON.
InventoryCollectionOption: HW_NETWORK_ADAPT | The agent uses ON.
InventoryCollectionOption: HW_NON_PNP | The agent uses ON.
InventoryCollectionOption: HW_SND_GAME | The agent uses ON.
InventoryCollectionOption: HW_SYS_DEV | The agent uses ON.
InventoryCollectionOption: HW_USB | The agent uses ON.
InventoryCollectionOption: HW_USB_CONTROL | The agent uses ON.
InventoryCollectionOption: HW_USB_STORAGE | The agent uses ON.
InventoryCollectionOption: LAST_REBOOT | The agent uses ON.
InventoryCollectionOption: LAST_USER | The agent uses ON.
InventoryCollectionOption: MANUF_MODEL | The agent uses ON.
InventoryCollectionOption: None | The agent uses ON.
InventoryCollectionOption: OS_SERIAL | The agent uses ON.
InventoryCollectionOption: PC_ASSET_TAG | The agent uses ON.
InventoryCollectionOption: PC_SERIAL | The agent uses ON.
InventoryCollectionOption: RAM | The agent uses ON.
InventoryCollectionOption: SERVICES | The agent uses ON.
InventoryCollectionOption: SOFTWARE | The agent uses ON.
InventoryCollectionOption: VIRTUAL | The agent uses ON.
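The following is an added example, not Ivanti's code, that applies the Policy Inheritance rules and the Agent Policy Conflict Resolution rules above to a few constructed Agent Policy Sets, so you can predict the effective policy an endpoint ends up with before assigning sets in the console. Group names, FastPath server names and all values are constructed; the per-setting rules are a representative subset of the resolution table.

```python
"""Added example, not Ivanti's code: applies the page's Policy Inheritance and
Agent Policy Conflict Resolution rules to constructed Agent Policy Sets. Setting
names and value encodings (Y/N, On/Off, level names, reboot codes) follow the page."""
from typing import Dict, List, Optional

LOG_LEVELS = {"Critical": 0, "Error": 1, "Normal": 2, "Diagnostic": 3, "Trace": 4}
REBOOT_ORDER = [0, 2, 1]  # the table's preference order, most secure first

def prefer_true(vals):   return "Y" if "Y" in vals else "N"
def prefer_false(vals):  return "N" if "N" in vals else "Y"
def prefer_on(vals):     return "On" if "On" in vals else "Off"
def most_verbose(vals):  return max(vals, key=LOG_LEVELS.__getitem__)
def safest_reboot(vals): return min(vals, key=REBOOT_ORDER.index)
def all_servers(vals):   return sorted({s for servers in vals for s in servers})

# Per-setting rule from the page's resolution table (a representative subset).
RULES = {
    "Hide Agent Control Panel": prefer_true,
    "Agent uninstall protection": prefer_on,
    "Show alerts on endpoints": prefer_false,
    "Maximum Log File Size": max,
    "Logging Level": most_verbose,
    "Reboot behavior": safest_reboot,
    "Core: Heartbeat Interval": max,
    "Patch: FastPath Servers": all_servers,
}

def resolve_conflicts(policy_sets: List[Dict]) -> Dict:
    """Merge sets setting by setting; a setting no set defines stays undefined."""
    merged = {}
    for setting, rule in RULES.items():
        vals = [ps[setting] for ps in policy_sets if setting in ps]
        if vals:
            merged[setting] = rule(vals)
    return merged

def group_policy(direct: List[Dict], parent: Optional[Dict], inherit: bool) -> Dict:
    """Inheritance rules: direct assignments win; gaps come from the parent's resolved policy."""
    result = resolve_conflicts(direct)
    if inherit and parent:
        for setting, value in parent.items():
            result.setdefault(setting, value)
    return result

def agent_policy(member_groups: List[Dict], global_policy: Dict) -> Dict:
    """Agent rules: resolve across member groups, then fill gaps from the Global System Policy."""
    result = resolve_conflicts(member_groups)
    for setting, value in global_policy.items():
        result.setdefault(setting, value)   # no conflict rules apply to the global set
    return result

# Constructed sample data (group names and FastPath servers are made up).
GLOBAL = {"Hide Agent Control Panel": "Y", "Agent uninstall protection": "On",
          "Show alerts on endpoints": "Y", "Maximum Log File Size": 10, "Logging Level": "Normal",
          "Reboot behavior": 0, "Core: Heartbeat Interval": 30, "Patch: FastPath Servers": []}
PARENT_SETS = [{"Logging Level": "Error", "Core: Heartbeat Interval": 15, "Reboot behavior": 1},
               {"Logging Level": "Diagnostic", "Show alerts on endpoints": "Y"}]
CHILD_SETS = [{"Reboot behavior": 2, "Patch: FastPath Servers": ["fp-a.example"]},
              {"Reboot behavior": 1, "Patch: FastPath Servers": ["fp-b.example"],
               "Hide Agent Control Panel": "N"}]
LAB_SETS = [{"Core: Heartbeat Interval": 60, "Maximum Log File Size": 20}]

def effective_policy_for_endpoint() -> Dict:
    """Endpoint in 'Child' (inherits from 'Parent') and in 'Lab' (Policy Inheritance False)."""
    parent = group_policy(PARENT_SETS, None, inherit=False)
    child = group_policy(CHILD_SETS, parent, inherit=True)
    lab = group_policy(LAB_SETS, parent, inherit=False)  # parent is ignored here
    return agent_policy([child, lab], GLOBAL)
```

Running `effective_policy_for_endpoint()` shows the directly assigned reboot value (2) beating the inherited one, the heartbeat interval rising to the largest value across both groups (60), and only Agent uninstall protection coming from the Global System Policy.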

The Agent Policy Sets Page Toolbar

This toolbar contains buttons that allow you to create and edit Agent Policy Sets. The following table describes each toolbar button.

Button | Function
Delete | Deletes the selected Agent Policy Set(s). For additional information, refer to Deleting an Agent Policy Set.
Create... | Creates a new Agent Policy Set. For additional information, refer to Creating an Agent Policy Set.
Export | Exports the page data to a comma-separated value (.csv) file. For additional information, refer to Exporting Data.
Options (menu) | Opens the Options menu. For additional information, refer to The Options Menu.

Important: The Enhanced Security Configuration feature for Internet Explorer suppresses export functionality and must be disabled to export data successfully. Pop-up blockers in Internet Explorer or other supported browsers may also suppress export functionality and should be disabled.

The Agent Policy Sets Page List

For each agent policy set that you create, an item for that set appears in the Agent Policy Sets page list. This list names each existing agent policy set and provides access to editing functionality.

Column | Description
Action | Contains Edit and Delete icons. Use these icons to edit and delete the associated agent policy set. The Global System Policy cannot be deleted.
Name | The name of the agent policy set.

Each item listed on the Agent Policy Sets page can be expanded to list its individual policy settings. To view agent policy set details from the page list, click the Rotating Chevron (>) for the agent policy set, which opens a table containing additional details.

Name | Description
Policy Name | Indicates the unique name of the agent policy set.
Type | Indicates the type of agent policy set (System or User Defined).
Description | Indicates the description of the agent policy set.
Created By | Indicates the name of the user who created the agent policy set.
Created Date | Indicates the date and time that the agent policy set was created.
Modified By | Indicates the name of the user who last modified the agent policy set.
Modified Date | Indicates the date and time that the agent policy set was last modified.
Agent uninstall protection | Indicates whether agent uninstall protection is on.
Hide agent control panel | Indicates whether the Agent Control Panel is hidden from an endpoint user when they log on to their system. Any dialog or notification launched by the Ivanti Endpoint Security Agent is also hidden until the Agent Control Panel is started manually from the Windows Control Panel.
Reboot behavior | Indicates the reboot behavior. The values are: Notify user, user response required before reboot = 0; Notify user, automatically reboot with 5 minute timer = 1; Don't notify user, wait for next user-initiated reboot = 2.
Download files via HTTP | Indicates whether the Ivanti Endpoint Security Agent downloads files via HTTP rather than HTTPS. All other communication occurs over HTTPS.
Maximum Log File Size | Specifies the maximum size of the Ivanti Endpoint Security Agent log before it is deleted.
Logging Level | Indicates the level of detail recorded in the Ivanti Endpoint Security Agent log. The values are: Critical = 0, Error = 1, Normal = 2, Diagnostic = 3, Trace = 4.
Show alerts on endpoints | Indicates whether alerts and notifications are shown to endpoint users.
Core: Heartbeat Interval | Indicates the interval (in minutes) at which the Endpoint Service sends a heartbeat to the server.
Core: Receive Interval | Indicates the Endpoint Service communication receive delay interval (in seconds).
Core: Timeout Interval | Indicates the Endpoint Service communication receive timeout interval (in seconds).
Core: Send Interval | Indicates the Endpoint Service communication send delay interval.
Ivanti Device Control only |
Reboot: Reboot Behavior | The Device Control reboot behavior option.
Install and Enable SKNDIS | Indicates whether the Device Control SKNDIS driver is installed and enabled.
Dvc Control: Monitor Interval | The Device Control installation monitor interval.
Dvc Control: Reporting Interval | The Device Control status reporting interval.
Power Management only |
Power Management: Enabled | Indicates whether power monitoring is enabled on the endpoint.
Power Management: Detection Interval | Indicates the Power Management detection interval.
Power Management: Reporting Interval | Indicates the Power Management reporting interval.
Patch: Download packages via HTTP | Indicates whether the agent downloads packages using HTTP, regardless of whether HTTPS is used for agent to server communication.
Patch: Maximum Transfer Rate | Indicates the maximum bandwidth used when an agent downloads packages. A setting of 0 disables bandwidth throttling.
Patch: Minimum File Size | Indicates the smallest file size that is affected by bandwidth throttling.
Patch: Agent Scan Mode | Indicates the agent detection scan mode (0 = Slow, 1 = Fast the first time, 2 = Fast).
Patch DAU: Scheduling Frequency | Indicates the number of hours between regularly scheduled detection scans.
Patch Deployment: User May Cancel | Indicates whether the user can cancel a deployment (Y, N).
Patch Deployment: Always on Top | Indicates whether the notification is the topmost window (Y, N).
Patch Deployment: Deploy Within | Indicates the defined time frame (in minutes) during which the user may snooze or cancel a reboot.
Patch Deployment: User May Snooze | Indicates whether the user can snooze a deployment.
Patch: Resume Interrupted Downloads | Indicates whether resumable downloads are enabled (0 = No, 1 = Yes).
Patch: Fast Path Interval | Indicates the interval (configurable in minutes, hours, and days) between each check by FastPath to determine the fastest communication path back to the Ivanti Endpoint Security server.
Patch: Fast Path Servers | Indicates the available Fast Path routes.
Patch Agent Listener Port | Indicates the agent listener port. When the agent is contacted on this port, it responds with its version number and initiates communication with the Ivanti Endpoint Security server. A value of 0 turns the agent listener off.
Patch Reboot: User May Cancel | Indicates whether the user can cancel a reboot (Y, N).
Patch Reboot: Always on Top | Indicates whether the notification is the topmost window (Y, N).
Patch Reboot: Reboot Within | Indicates the defined time window (in minutes) during which the user may snooze or cancel a reboot.
Patch Reboot: User May Snooze | Indicates whether the user can snooze a reboot (Y, N).
Patch: Agent to Server Communication Protocol | Defines how the agent communicates with the server (http:// or https://).
Patch: Communication Interval | Indicates the time period between agent communication attempts.
Patch: Hours of Operation Monday | Defines the agent Hours of Operation (HOP) for Monday.
Patch: Hours of Operation Tuesday | Defines the agent HOP for Tuesday.
Patch: Hours of Operation Wednesday | Defines the agent HOP for Wednesday.
Patch: Hours of Operation Thursday | Defines the agent HOP for Thursday.
Patch: Hours of Operation Friday | Defines the agent HOP for Friday.
Patch: Hours of Operation Saturday | Defines the agent HOP for Saturday.
Patch: Hours of Operation Sunday | Defines the agent HOP for Sunday.
Patch: InventoryCollectionOptions: BIOS | Indicates whether BIOS data will be gathered during agent inventory collection (OFF or ON).
Patch: InventoryCollectionOptions: CPU | Indicates whether CPU data will be gathered during agent inventory collection (OFF or ON).
Patch: InventoryCollectionOptions: CUSTOM | Indicates whether custom inventory data will be gathered during agent inventory collection (OFF or ON).
Patch: InventoryCollectionOptions: DISK_DRIVES | Indicates whether data regarding the disk drives will be gathered during agent inventory collection (OFF or ON).
Patch: InventoryCollectionOptions: ENABLE_WMI | Indicates whether WMI data will be gathered during agent inventory collection (OFF or ON).
Patch: InventoryCollectionOptions: HW_DEV_OTHER | Indicates whether the Windows registry will be scanned for additional hardware information during agent inventory collection (OFF or ON).
Patch: InventoryCollectionOptions: HW_IDE_CONTROL | Indicates whether data regarding IDE ATA/ATAPI controllers will be gathered during agent inventory collection (OFF or ON).
Patch: InventoryCollectionOptions: HW_NETWORK_ADAPT | Indicates whether data regarding network adapters will be gathered during agent inventory collection (OFF or ON).
Patch: InventoryCollectionOptions: HW_NON_PNP | Indicates whether data regarding non-Plug and Play drivers will be gathered during agent inventory collection (OFF or ON).
Patch: InventoryCollectionOptions: HW_SND_GAME | Indicates whether data regarding sound, video, and game controllers will be gathered during agent inventory collection (OFF or ON).
Patch: InventoryCollectionOptions: HW_SYS_DEV | Indicates whether system device data will be gathered during agent inventory collection (OFF or ON).
Patch: InventoryCollectionOptions: HW_USB | Indicates whether the endpoint's USB device inventory (from \ENUM\USB) will be gathered during agent inventory collection (OFF or ON).
Patch: InventoryCollectionOptions: HW_USB_CONTROL | Indicates whether data regarding USB controllers will be gathered during agent inventory collection (OFF or ON).
Patch: InventoryCollectionOptions: HW_USB_STORAGE | Indicates whether the USB storage device inventory (from \ENUM\USBSTOR) will be gathered during agent inventory collection (OFF or ON).
InventoryCollectionOptions: LAST_REBOOT | Requires ENABLE_WMI = ON. Indicates whether the last boot time will be gathered during agent inventory collection (OFF or ON).
Patch: InventoryCollectionOptions: LAST_USER | Indicates whether the last logged-in user and time will be gathered during agent inventory collection (OFF or ON).
Patch: InventoryCollectionOptions: MANUF_MODEL | Requires ENABLE_WMI = ON. Indicates whether the computer manufacturer and model will be gathered during agent inventory collection (OFF or ON).
Patch: InventoryCollectionOptions: OS_SERIAL | Requires ENABLE_WMI = ON. Indicates whether the OS serial number will be gathered during agent inventory collection (OFF or ON).
Patch: InventoryCollectionOptions: PC_ASSET_TAG | Requires ENABLE_WMI = ON. Indicates whether the endpoint's asset tag will be gathered during agent inventory collection (OFF or ON).
Patch: InventoryCollectionOptions: PC_SERIAL | Requires ENABLE_WMI = ON. Indicates whether the endpoint's serial number will be gathered during agent inventory collection (OFF or ON).
Patch: InventoryCollectionOptions: RAM | Indicates whether the endpoint's total physical RAM will be gathered during agent inventory collection (OFF or ON).
Patch: InventoryCollectionOptions: SERVICES | Indicates whether a listing of Windows services (not applicable to Windows 9x or ME) will be gathered during agent inventory collection (OFF or ON).
Patch: InventoryCollectionOptions: SOFTWARE | Indicates whether a listing of installed software will be gathered during agent inventory collection (OFF or ON).
Patch: InventoryCollectionOptions: VIRTUAL | Indicates whether the endpoint's virtualization status will be gathered during agent inventory collection (OFF or ON).
Security Configuration Management | (Security Configuration Management only) Indicates the security configuration management compliance policies.

This reference table does not list the Value column contained in the agent policy set details. That column (which appears in the user interface) contains the values the agent policies are set to.