Managing Agent Policy Sets
Use Agent Policy Sets to control agent behavior. An Agent Policy Set is a collection of rules that define how agents behave.
Assign Agent Policy Sets to groups to apply your policies to the agents in those groups. There is a policy for every agent function.
The Agent Policy Sets Page
You can control agent behavior by creating and assigning Agent Policy Sets. Use the Agent Policy Sets page to define agent rules of behavior.
You can access this page at any time from the navigation menu.
About Agent Policies and Agent Policy Sets
Agent Policies are rules that govern agent behavior. An Agent Policy Set is a collection of agent policy values.
Assign agent policies to groups using the Agent Policy Sets view. Based on group membership, agents operate according to the values in assigned Agent Policy Sets. Assignment of Agent Policy Sets is optional.
Groups without assigned Agent Policy Sets have their behavior defined by the Global System Policy. The Global System Policy does the following:
- Defines behavior for groups with no assigned policy set.
- Defines policy values for incomplete agent policy sets.
When an agent holds multiple group memberships and those groups are assigned conflicting agent policy values, the conflict is settled by the conflict resolution rules. These rules determine which policy value the agent uses when a conflict occurs. For additional information, refer to Defining Agent Policy Conflict Resolution.
About Agent Hardening
Agent Policy Sets include Agent Hardening policies, which are policies used to prevent unauthorized Ivanti Endpoint Security Agent removal.
Agent Hardening (when set to On):
- Prevents the Ivanti Endpoint Security Agent installation location (C:\Program Files\HEAT\EMSSAgent by default) from being renamed, edited, or deleted.
- Hardens the agent so that it cannot be intentionally or unintentionally modified.
- Still allows you to upgrade or uninstall the agent after entering the agent uninstall password or the global uninstall password. The password is required only when the agent is modified locally from the endpoint.
Global uninstall password:
Important: The Global uninstall password option is only available when editing the Global System Policy agent policy set. Refer to Changing the Global Uninstall Password for additional information.
The Global uninstall password is a universal password that temporarily disables agent uninstall protection. This password works on all network endpoints. You are prompted for this password when manually upgrading or uninstalling hardened agents.
Note:
- Ivanti does not recommend providing end users with the global uninstall password in uninstall scenarios. The Global uninstall password should be used by the Ivanti Endpoint Security Administrator only.
- In the event an end user needs to uninstall the Ivanti Endpoint Security Agent, provide them with the Agent uninstall password, a password that works only for their endpoint. For additional information, refer to Viewing the Agent Uninstall Password.
Viewing the Agent Policy Sets Page
Navigate to this page to view Agent Policy Sets and their policy settings. Expand policy sets to view the individual policy settings.
You can access this page any time using the navigation menu.
- From the Navigation Menu, select Manage > Agent Policy Sets.
- [Optional] Complete a task listed in Working with Agent Policy Sets.
Defining Agent Policy Inheritance Rules
You can configure a group to inherit policies from its parent hierarchy using the Policy inheritance setting.
Because a group can inherit policies and have them directly assigned, policy conflicts may arise. The following rules apply when a group has Policy Inheritance set to True:
- Conflicting policy sets assigned to the parent are resolved at the parent level, using the conflict resolution rules, before the result is inherited by the child.
- Agent Policy Set values directly assigned to a group supersede inherited Agent Policy Set values.
- Any conflicting policies that are assigned directly to the child group are resolved by conflict resolution rules.
- Any Agent Policy Set values that are left undefined by the group's directly assigned policy sets are taken from the parent group's resolved policy.
- Policy values still undefined are defined by the Global System Policy set.
For more information on how to enable a group's Policy Inheritance setting, refer to Editing Group Settings.
For more information on Conflict Policy Resolution rules, refer to Defining Agent Policy Conflict Resolution.
Defining Agent Policy Conflict Resolution
On occasion, a group or endpoint may be assigned two different Agent Policy Sets that have conflicting policies. When this occurs, the system determines which policy to use based on the Agent Policy Conflict Resolution rules.
Conflicting policies are resolved in the following order.
- Group Policies - Conflicting policy sets assigned to a group are resolved before conflicting policy sets assigned to an agent are resolved. How they are resolved depends on the group's Policy Inheritance setting.
  - Policy Inheritance set to False:
    - The group does not inherit its parent's policy sets. Therefore, only policy sets assigned directly to the group require resolution.
    - Conflicting policies are resolved according to the agent policy conflict resolution rules.
  - Policy Inheritance set to True:
    - The group inherits its parent's policy sets. Any conflicting policy sets are resolved at the parent level prior to assignment to the child level.
    - Conflicting policies that are assigned directly to the group are resolved using the agent policy conflict resolution rules. Any policy set values assigned directly to a group supersede inherited policy set values.
    - Finally, any policies that are undefined by direct assignment are defined by inheritance.
- Agent Policies - After the group policies are resolved, the conflicting policies assigned to an endpoint (through its group memberships) are resolved. The following rules apply:
  - The resultant policies of all groups the endpoint is a member of are resolved according to the agent policy conflict resolution rules.
  - Any policy values that have not been defined through group membership are populated from the policy settings defined in the Global System Policy.
Conflict resolution rules do not apply to the Global System Policy; it only supplies the values that remain undefined after resolution.
The following table defines the rules used when resolving conflicting policy settings. Several rules resolve toward the more restrictive value (uninstall protection On, the Agent Control Panel hidden, alerts suppressed, HTTPS for agent-to-server communication, the most verbose logging level). Note, however, that both Download via HTTP settings resolve to true (Y): if any one of the conflicting policy sets allows HTTP downloads, the resolved policy allows them.

| Policy Setting | Resolution |
|---|---|
| Hide Agent Control Panel | The agent uses true (Y). |
| Core: Download file via HTTP | The agent uses true (Y). |
| Maximum Log File Size | The agent uses the largest log file size value. |
| Logging Level | The agent uses the most comprehensive logging level value (Trace [4] > Diagnostic [3] > Normal [2] > Error [1] > Critical [0]). |
| Agent uninstall protection | The agent uses On. |
| Show alerts on endpoints | The agent uses false (N). |
| Reboot behavior | The agent uses a combination of the most secure value, while still giving the user the best chance to save their work. The items are listed in the following order: |
| Core: Heartbeat Interval | The agent uses the largest heartbeat interval value. |
| Core: Receive Interval | The agent uses the largest receive interval value. |
| Core: Timeout Interval | The agent uses the largest timeout interval value. |
| Core: Send Interval | The agent uses the largest send interval value. |
| Device Control | |
| Install and Enable SKNDIS | The agent uses the install enabled value (1). |
| DC: Reporting Interval | The agent uses the largest reporting interval value. |
| DC: Monitor Interval | The agent uses the largest monitor interval value. |
| Power Management | |
| PM: Enabled | The agent uses enabled. |
| PM: Detection Interval | The agent uses the smallest Power Management detection interval. |
| PM: Reporting Interval | The agent uses the smallest Power Management reporting interval. |
| Patch and Remediation | |
| Maximum Transfer Rate | The agent uses the smallest maximum transfer rate value. |
| Minimum File Size | The agent uses the smallest minimum file size value. |
| Agent Scan Mode | The agent uses the fastest agent scan mode value (Fast Scan [2] > Initial Scan [1] > Normal Scan [0]). |
| Scheduling Frequency | The agent uses the shortest scheduling frequency interval value. |
| PR Deployment: User May Cancel | The agent uses true (Y). |
| PR Deployment: Always On Top | The agent uses true (Y). |
| PR Deployment: Deploy within | The agent uses the smallest deploy within value. |
| PR Deployment: User May Snooze | The agent uses false (N). |
| Resume Interrupted Downloads | The agent uses false (N). |
| Patch: FastPath Interval | The agent uses the shortest FastPath interval. |
| Patch: FastPath Servers | The agent uses all of the defined FastPath servers. |
| Patch: Download packages via HTTP | The agent uses true (Y). |
| Agent Listener Port | The agent listens on the highest defined port. |
| PR Reboot: User May Cancel | The agent uses false (N). |
| PR Reboot: Always On Top | The agent uses true (Y). |
| PR Reboot: Reboot within | The agent uses the smallest reboot within value. |
| PR Reboot: User May Snooze | The agent uses false (N). |
| Patch: Agent to Server Communication | The agent uses true (https://). |
| Patch: Communication Interval | The agent uses the shortest communication interval value. |
| Hours of Operation: Monday | The agent uses Always On. |
| Hours of Operation: Tuesday | The agent uses Always On. |
| Hours of Operation: Wednesday | The agent uses Always On. |
| Hours of Operation: Thursday | The agent uses Always On. |
| Hours of Operation: Friday | The agent uses Always On. |
| Hours of Operation: Saturday | The agent uses Always On. |
| Hours of Operation: Sunday | The agent uses Always On. |
| InventoryCollectionOption: BIOS | The agent uses ON. |
| InventoryCollectionOption: CPU | The agent uses ON. |
| InventoryCollectionOption: CUSTOM | The agent uses ON. |
| InventoryCollectionOption: DISK_DRIVE | The agent uses ON. |
| InventoryCollectionOption: ENABLE_WMI | The agent uses ON. |
| InventoryCollectionOption: HW_DEV_OTHER | The agent uses ON. |
| InventoryCollectionOption: HW_IDE_CONTROL | The agent uses ON. |
| InventoryCollectionOption: HW_NETWORK_ADAPT | The agent uses ON. |
| InventoryCollectionOption: HW_NON_PNP | The agent uses ON. |
| InventoryCollectionOption: HW_SND_GAME | The agent uses ON. |
| InventoryCollectionOption: HW_SYS_DEV | The agent uses ON. |
| InventoryCollectionOption: HW_USB | The agent uses ON. |
| InventoryCollectionOption: HW_USB_CONTROL | The agent uses ON. |
| InventoryCollectionOption: HW_USB_STORAGE | The agent uses ON. |
| InventoryCollectionOption: LAST_REBOOT | The agent uses ON. |
| InventoryCollectionOption: LAST_USER | The agent uses ON. |
| InventoryCollectionOption: MANUF_MODEL | The agent uses ON. |
| InventoryCollectionOption: None | The agent uses ON. |
| InventoryCollectionOption: OS_SERIAL | The agent uses ON. |
| InventoryCollectionOption: PC_ASSET_TAG | The agent uses ON. |
| InventoryCollectionOption: PC_SERIAL | The agent uses ON. |
| InventoryCollectionOption: RAM | The agent uses ON. |
| InventoryCollectionOption: SERVICES | The agent uses ON. |
| InventoryCollectionOption: SOFTWARE | The agent uses ON. |
| InventoryCollectionOption: VIRTUAL | The agent uses ON. |
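The resolution order described in Defining Agent Policy Conflict Resolution (Group Policies, then Agent Policies, then the Global System Policy) together with the rules in Defining Agent Policy Inheritance Rules, modelled as an added Python example. This is not Ivanti's code and it does not read the product's data: it encodes a subset of the rules from the table above using the page's own setting names, and the group names, the assigned values and the Global System Policy values are constructed sample data.

```python
"""Model of the Agent Policy Set resolution order described on this page.

Group-level conflicts are resolved first (honouring each group's Policy
Inheritance setting), then the resultant policies of every group the endpoint
belongs to are resolved against each other, and finally any setting still
undefined is filled from the Global System Policy, which never takes part in
conflict resolution. Added example, not Ivanti code.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

PolicySet = Dict[str, object]  # setting name -> value; a missing key means "undefined"

LOG_LEVELS = {"Critical": 0, "Error": 1, "Normal": 2, "Diagnostic": 3, "Trace": 4}

# Per-setting rules from the resolution table (subset). Each takes the values
# that conflict for one setting and returns the value the agent uses.
RULES: Dict[str, Callable[[list], object]] = {
    "Hide Agent Control Panel": lambda vs: "Y" if "Y" in vs else "N",
    "Core: Download file via HTTP": lambda vs: "Y" if "Y" in vs else "N",  # HTTP wins
    "Maximum Log File Size": max,
    "Logging Level": lambda vs: max(vs, key=LOG_LEVELS.__getitem__),  # most verbose
    "Agent uninstall protection": lambda vs: "On" if "On" in vs else "Off",
    "Show alerts on endpoints": lambda vs: "N" if "N" in vs else "Y",
    "Core: Heartbeat Interval": max,
    "Patch: Communication Interval": min,
    "Patch: Agent to Server Communication": lambda vs: "https://" if "https://" in vs else "http://",
    "Agent Listener Port": max,
}


def resolve(sets: List[PolicySet]) -> PolicySet:
    """Resolve every setting that at least one of the given policy sets defines."""
    resolved: PolicySet = {}
    for name in {key for s in sets for key in s}:
        candidates = [s[name] for s in sets if name in s]
        if name not in RULES:
            raise KeyError(f"no resolution rule modelled for {name!r}")
        resolved[name] = RULES[name](candidates)
    return resolved


@dataclass
class Group:
    name: str
    assigned: List[PolicySet] = field(default_factory=list)  # directly assigned sets
    parent: Optional["Group"] = None
    inherit: bool = False  # the group's Policy Inheritance setting

    def effective(self) -> PolicySet:
        """Resultant policy of this group (the Group Policies stage)."""
        direct = resolve(self.assigned)
        if not self.inherit or self.parent is None:
            return direct  # Inheritance False: only direct assignments need resolving
        # Inheritance True: the parent's own conflicts are settled before the child
        # sees them, direct values supersede inherited ones, and inheritance only
        # fills the settings that direct assignment left undefined.
        return {**self.parent.effective(), **direct}


def agent_policy(memberships: List[Group], global_policy: PolicySet) -> PolicySet:
    """Agent Policies stage: resolve across the endpoint's groups, then fill from global."""
    resultant = resolve([g.effective() for g in memberships])
    return {**global_policy, **resultant}


# Constructed sample data: group names and values are illustrative, not product defaults.
GLOBAL_SYSTEM_POLICY: PolicySet = {
    "Hide Agent Control Panel": "N",
    "Core: Download file via HTTP": "N",
    "Maximum Log File Size": 10,
    "Logging Level": "Normal",
    "Agent uninstall protection": "Off",
    "Show alerts on endpoints": "Y",
    "Core: Heartbeat Interval": 15,
    "Patch: Communication Interval": 60,
    "Patch: Agent to Server Communication": "https://",
    "Agent Listener Port": 0,
}


def example() -> PolicySet:
    corporate = Group("Corporate", assigned=[
        {"Agent uninstall protection": "On", "Logging Level": "Error", "Core: Heartbeat Interval": 30},
        {"Agent uninstall protection": "Off", "Logging Level": "Diagnostic"},
    ])
    laptops = Group("Laptops", parent=corporate, inherit=True, assigned=[
        {"Core: Heartbeat Interval": 5, "Core: Download file via HTTP": "N"},
    ])
    servers = Group("Servers", assigned=[
        {"Core: Download file via HTTP": "Y", "Agent Listener Port": 56000, "Show alerts on endpoints": "N"},
    ])
    # An endpoint that is a member of both Laptops and Servers.
    return agent_policy([laptops, servers], GLOBAL_SYSTEM_POLICY)


if __name__ == "__main__":
    for setting, value in sorted(example().items()):
        print(f"{setting}: {value}")
```

Running the script prints the endpoint's resolved policy. Two points the walk-through makes visible: the Laptops group's directly assigned heartbeat interval of 5 wins over the inherited value of 30 even though the rule for that setting prefers the largest interval, because a direct assignment supersedes inheritance rather than competing with it; and a single group allowing HTTP downloads is enough to make the endpoint's resolved Download file via HTTP value Y.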
The Agent Policy Sets Page Toolbar
This toolbar contains buttons that allow you to create and edit Agent Policy Sets. The following table describes each toolbar button.
| Button | Function |
|---|---|
| Delete | Deletes the selected Agent Policy Set(s). For additional information, refer to Deleting an Agent Policy Set. |
| Create... | Creates a new Agent Policy Set. For additional information, refer to Creating an Agent Policy Set. |
| Export | Exports the page data to a comma-separated value (.csv) file. For additional information, refer to Exporting Data. Important: The Enhanced Security Configuration feature for Internet Explorer suppresses export functionality and must be disabled to export data successfully. Pop-up blockers in Internet Explorer or other supported browsers may also suppress export functionality and should be disabled. |
| Options (menu) | Opens the Options menu. For additional information, refer to The Options Menu. |
The Agent Policy Sets Page List
For each agent policy set that you create, an item for that set appears in the Agent Policy Sets page list. This list names each existing agent policy set and provides access to editing functionality.
| Column | Description |
|---|---|
| Action | Contains Edit and Delete icons. Use these icons to edit and delete the associated agent policy set. The Global System Policy cannot be deleted. |
| Name | The name of the agent policy set. |
Each item listed on the Agent Policy Sets page can be expanded to list its individual policy settings. To view agent policy set details from the page list, click the Rotating Chevron (>) for the agent policy set, which opens a table containing additional details.
| Name | Description |
|---|---|
| Policy Name | Indicates the unique name of the agent policy set. |
| Type | Indicates the type of agent policy set (System or User Defined). |
| Description | Indicates the description of the agent policy set. |
| Created By | Indicates the name of the user that created the agent policy set. |
| Created Date | Indicates the date and time that the agent policy set was created. |
| Modified By | Indicates the name of the user that last modified the agent policy set. |
| Modified Date | Indicates the date and time that the agent policy set was last modified. |
| Agent uninstall protection | Indicates whether agent uninstall protection is on. |
| Hide agent control panel | Indicates whether the Agent Control Panel is hidden from an endpoint user when they log on to their system. Any dialog or notification launched by the Ivanti Endpoint Security Agent is also hidden until the Agent Control Panel is started manually from the Windows Control Panel. |
| Reboot behavior | Indicates the reboot behavior. The following values indicate each reboot behavior setting: |
| Download files via HTTP | Indicates whether the Ivanti Endpoint Security Agent downloads files via HTTP rather than HTTPS. All other communication occurs over HTTPS. |
| Maximum Log File Size | Specifies the maximum size of the Ivanti Endpoint Security Agent log before it is deleted. |
| Logging Level | Indicates the level of detail recorded in the Ivanti Endpoint Security Agent log. The following values indicate each logging level: Critical = 0, Error = 1, Normal = 2, Diagnostic = 3, Trace = 4. |
| Show alerts on endpoints | Indicates whether alerts and notifications are shown to endpoint users. |
| Core: Heartbeat Interval | Indicates the interval at which the Endpoint Service sends a heartbeat to the server (in minutes). |
| Core: Receive Interval | Indicates the Endpoint Service communication receive delay interval (in seconds). |
| Core: Timeout Interval | Indicates the Endpoint Service communication receive timeout interval (in seconds). |
| Core: Send Interval | Indicates the Endpoint Service communication send delay interval. |
| Ivanti Device Control only | |
| Reboot: Reboot Behavior | Device Control reboot behavior option. |
| Install and Enable SKNDIS | Indicates whether the Device Control SKNDIS driver is installed and enabled. |
| Dvc Control: Monitor Interval | Device Control installation monitor interval. |
| Dvc Control: Reporting Interval | Device Control status reporting interval. |
| Power Management Only | |
| Power Management: Enabled | Indicates whether power monitoring is enabled on the endpoint. |
| Power Management: Detection Interval | Indicates the Power Management detection interval. |
| Power Management: Reporting Interval | Indicates the Power Management reporting interval. |
| Patch: Download packages via HTTP | Indicates whether the agent downloads packages using HTTP, regardless of whether HTTPS is used for agent-to-server communication. |
| Patch: Maximum Transfer Rate | Indicates the maximum bandwidth used when an agent downloads packages. A setting of 0 disables bandwidth throttling. |
| Patch: Minimum File Size | Indicates the smallest file size that is affected by bandwidth throttling. |
| Patch: Agent Scan Mode | Indicates the agent detection scan mode (0 = Slow, 1 = Fast the first time, 2 = Fast). |
| Patch DAU: Scheduling Frequency | Indicates the number of hours between regularly scheduled detection scans. |
| Patch Deployment: User May Cancel | Indicates whether the user can cancel a deployment (Y, N). |
| Patch Deployment: Always on Top | Indicates whether the notification is the topmost window (Y, N). |
| Patch Deployment: Deploy Within | Indicates the defined time frame (in minutes) during which the user may snooze or cancel a deployment. |
| Patch Deployment: User May Snooze | Indicates whether the user can snooze a deployment. |
| Patch: Resume Interrupted Downloads | Indicates whether resumable downloads are enabled (0 = No, 1 = Yes). |
| Patch: Fast Path Interval | Indicates the interval (configurable in minutes, hours, and days) between each check by FastPath to determine the fastest communication path back to the Ivanti Endpoint Security server. |
| Patch: Fast Path Servers | Indicates the available Fast Path routes. |
| Patch Agent Listener Port | Indicates the agent listener port. When the agent is contacted on this port, it responds with its version number and initiates communication with the Ivanti Endpoint Security server. A value of 0 turns the agent listener off. |
| Patch Reboot: User May Cancel | Indicates whether the user can cancel a reboot (Y, N). |
| Patch Reboot: Always on Top | Indicates whether the notification is the topmost window (Y, N). |
| Patch Reboot: Reboot Within | Indicates the defined time window (in minutes) during which the user may snooze or cancel a reboot. |
| Patch Reboot: User May Snooze | Indicates whether the user can snooze a reboot (Y, N). |
| Patch: Agent to Server Communication Protocol | Defines how the agent communicates with the server (http:// or https://). |
| Patch: Communication Interval | Indicates the time period between agent communication attempts. |
| Patch: Hours of Operation Monday | Defines the agent Hours of Operation (HOP) for Monday. |
| Patch: Hours of Operation Tuesday | Defines the agent HOP for Tuesday. |
| Patch: Hours of Operation Wednesday | Defines the agent HOP for Wednesday. |
| Patch: Hours of Operation Thursday | Defines the agent HOP for Thursday. |
| Patch: Hours of Operation Friday | Defines the agent HOP for Friday. |
| Patch: Hours of Operation Saturday | Defines the agent HOP for Saturday. |
| Patch: Hours of Operation Sunday | Defines the agent HOP for Sunday. |
| Patch: InventoryCollectionOptions: BIOS | Indicates whether BIOS data will be gathered during agent inventory collection (OFF or ON). |
| Patch: InventoryCollectionOptions: CPU | Indicates whether CPU data will be gathered during agent inventory collection (OFF or ON). |
| Patch: InventoryCollectionOptions: CUSTOM | Indicates whether custom inventory data will be gathered during agent inventory collection (OFF or ON). |
| Patch: InventoryCollectionOptions: DISK_DRIVES | Indicates whether data regarding the disk drives will be gathered during agent inventory collection (OFF or ON). |
| Patch: InventoryCollectionOptions: ENABLE_WMI | Indicates whether WMI data will be gathered during agent inventory collection (OFF or ON). |
| Patch: InventoryCollectionOptions: HW_DEV_OTHER | Indicates whether the Windows registry will be scanned for additional hardware information during agent inventory collection (OFF or ON). |
| Patch: InventoryCollectionOptions: HW_IDE_CONTROL | Indicates whether data regarding IDE ATA/ATAPI controllers will be gathered during agent inventory collection (OFF or ON). |
| Patch: InventoryCollectionOptions: HW_NETWORK_ADAPT | Indicates whether data regarding network adapters will be gathered during agent inventory collection (OFF or ON). |
| Patch: InventoryCollectionOptions: HW_NON_PNP | Indicates whether data regarding non-Plug and Play drivers will be gathered during agent inventory collection (OFF or ON). |
| Patch: InventoryCollectionOptions: HW_SND_GAME | Indicates whether data regarding sound, video, and game controllers will be gathered during agent inventory collection (OFF or ON). |
| Patch: InventoryCollectionOptions: HW_SYS_DEV | Indicates whether system device data will be gathered during agent inventory collection (OFF or ON). |
| Patch: InventoryCollectionOptions: HW_USB | Indicates whether the endpoint's USB device inventory (from \ENUM\USB) will be gathered during agent inventory collection (OFF or ON). |
| Patch: InventoryCollectionOptions: HW_USB_CONTROL | Indicates whether data regarding USB controllers will be gathered during agent inventory collection (OFF or ON). |
| Patch: InventoryCollectionOptions: HW_USB_STORAGE | Indicates whether the endpoint's USB storage device inventory (from \ENUM\USBSTOR) will be gathered during agent inventory collection (OFF or ON). |
| Patch: InventoryCollectionOptions: LAST_REBOOT | Requires ENABLE_WMI = ON. Indicates whether the last boot time will be gathered during agent inventory collection (OFF or ON). |
| Patch: InventoryCollectionOptions: LAST_USER | Indicates whether the last logged-in user and time will be gathered during agent inventory collection (OFF or ON). |
| Patch: InventoryCollectionOptions: MANUF_MODEL | Requires ENABLE_WMI = ON. Indicates whether the computer manufacturer and model will be gathered during agent inventory collection (OFF or ON). |
| Patch: InventoryCollectionOptions: OS_SERIAL | Requires ENABLE_WMI = ON. Indicates whether the OS serial number will be gathered during agent inventory collection (OFF or ON). |
| Patch: InventoryCollectionOptions: PC_ASSET_TAG | Requires ENABLE_WMI = ON. Indicates whether the endpoint's asset tag will be gathered during agent inventory collection (OFF or ON). |
| Patch: InventoryCollectionOptions: PC_SERIAL | Requires ENABLE_WMI = ON. Indicates whether the endpoint's serial number will be gathered during agent inventory collection (OFF or ON). |
| Patch: InventoryCollectionOptions: RAM | Indicates whether the endpoint's total physical RAM will be gathered during agent inventory collection (OFF or ON). |
| Patch: InventoryCollectionOptions: SERVICES | Indicates whether a listing of Windows services (not applicable to Windows 9x or ME) will be gathered during agent inventory collection (OFF or ON). |
| Patch: InventoryCollectionOptions: SOFTWARE | Indicates whether a listing of installed software will be gathered during agent inventory collection (OFF or ON). |
| Patch: InventoryCollectionOptions: VIRTUAL | Indicates whether the endpoint's virtualization status will be gathered during agent inventory collection (OFF or ON). |
| Security Configuration Management (Security Configuration Management only) | Indicates security configuration management compliance policies. |

This reference table does not list the Value column. That column, which appears in the user interface alongside the agent policy set details, contains the value each agent policy is set to.