The Mandatory Baseline View

This view lets you add content to the selected group's Mandatory Baseline. It also lists each content item included in the group's Mandatory Baseline. The list also shows whether or not each endpoint within the group has that content item installed.

Use this view to define the selected group's Mandatory Baseline.

About Mandatory Baselines

A Mandatory Baseline is a minimum set of content that must be installed on a group's endpoints. Composed of user-defined content items deemed essential to the group, this baseline continually verifies that the applicable items are installed on group endpoints. If a group endpoint is found in a non-compliant state (does not have an item defined in the baseline installed), Ivanti Endpoint Security automatically deploys the applicable content until the endpoint is once again compliant. Mandatory Baselines ensure group endpoints are never without essential security content.

For example, you can set a Mandatory Baseline for all endpoints within a group that must have Microsoft Windows Messenger installed. If Messenger is deleted on a group member’s endpoint, Ivanti Endpoint Security re-installs Messenger.

Remember the following rules when working with Mandatory Baselines:

  • Mandatory Baseline inheritance indicates that a group’s endpoints (both inherited and assigned) are included by the parent group when evaluating its own baseline items and inheritance.
  • If endpoints receive a Mandatory Baseline item via inheritance, the Mandatory Baseline item will also be displayed on the child group’s Mandatory Baseline view. However, the inherited baseline items will be unavailable, indicating the Mandatory Baseline originates from a parent group.
  • Disabling Mandatory Baseline deployments only applies to the Mandatory Baseline items that are directly assigned to the group, and will prevent those directly assigned items from being inherited by the group’s child hierarchy.
  • Disabling Mandatory Baseline deployments does not disable the deployments created through Mandatory Baseline inheritance. Additionally, disabling the baseline deployments will not remove the baseline items from the group’s Mandatory Baseline view.
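The inheritance and disable rules above can be checked against a small model. This is an added example, not Ivanti code or a product API: the `Group` class, its field names, and the sample groups and items are constructed for illustration, and it assumes every child group inherits from its parent.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple


@dataclass
class Group:
    """One node of the group tree (hypothetical model, not a product API)."""
    name: str
    direct_items: List[str] = field(default_factory=list)  # assigned on this group
    deployments_enabled: bool = True   # the group's baseline deployment switch
    parent: Optional["Group"] = None

    def lineage(self) -> Iterator["Group"]:
        """Yield this group, then each ancestor up to the root."""
        node: Optional[Group] = self
        while node is not None:
            yield node
            node = node.parent


def effective_deployments(group: Group) -> Dict[str, str]:
    """Map each item that deploys to this group's endpoints to its origin group.

    A group with deployments disabled contributes none of its directly
    assigned items, to itself or to its children (third rule). Items that
    come from an enabled ancestor still deploy (fourth rule).
    """
    result: Dict[str, str] = {}
    for g in group.lineage():
        if not g.deployments_enabled:
            continue
        for item in g.direct_items:
            result.setdefault(item, g.name)  # nearest origin wins (assumption)
    return result


def view_rows(group: Group) -> List[Tuple[str, bool, bool]]:
    """Rows for the group's baseline view: (item, editable, deploying).

    Directly assigned items stay listed even when deployments are disabled
    (fourth rule). Inherited items are listed but not editable (second rule).
    Items blocked at a disabled ancestor are omitted here; the page does not
    say whether the product lists them.
    """
    deploying = effective_deployments(group)
    rows = [(item, True, item in deploying) for item in group.direct_items]
    rows += [(item, False, True) for item in deploying
             if item not in group.direct_items]
    return rows


def build_sample() -> Tuple[Group, Group, Group]:
    """Constructed three-level hierarchy; Finance has deployments disabled."""
    ws = Group("Workstations", ["Browser update", "AV engine"])
    fin = Group("Finance", ["Ledger client patch"],
                deployments_enabled=False, parent=ws)
    lap = Group("Finance-Laptops", ["VPN client"], parent=fin)
    return ws, fin, lap


if __name__ == "__main__":
    for g in build_sample():
        print(g.name)
        for item, editable, deploying in view_rows(g):
            print(f"  {item:<22} editable={editable} deploying={deploying}")
```

In the sample, disabling deployments on Finance stops only the Ledger client patch: Finance still receives both Workstations items, and Finance-Laptops never inherits the Ledger client patch.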

Unless stringent hours of operation agent policies are in effect, do not apply Mandatory Baselines to groups of mission-critical servers or other endpoints where unscheduled reboots would disrupt daily operations.

About Mandatory Baseline Import/Export

Within Ivanti Endpoint Security, you can import or export Mandatory Baselines. Importing and Exporting Mandatory Baselines simplifies application of Baselines to different groups.

After establishing a Mandatory Baseline, you can export the baseline from Ivanti Endpoint Security. After exporting a baseline, you can then import the baseline to a different group or Ivanti Endpoint Security installation.

Ivanti recommends using the Mandatory Baseline import/export feature in the following situations:

  • When reinstalling Ivanti Endpoint Security. Export Mandatory Baselines before beginning re-installation, and then import Mandatory Baselines to groups after installation. This use of import/export eliminates the manual reestablishment of baselines, easing administrative burden.
  • When establishing similar or identical Mandatory Baselines for multiple groups. Rather than manually creating baselines for each group, export a Mandatory Baseline and then import it to other groups. Use this method to quickly establish baselines for multiple groups. After importing a baseline, you can then edit it to suit a group's particular requirements.

The Mandatory Baseline Process

After content items are added to a group's Mandatory Baseline, Ivanti Endpoint Security schedules a series of scans and deployments until the group complies with the baseline.

The Mandatory Baseline process following the addition of a content item to a baseline is:

  1. DAU Scheduled
    Ivanti Endpoint Security automatically schedules a Discover Applicable Updates (DAU) task for all endpoints within the applicable group.
  2. Non-compliant endpoints determined
    Following the DAU, Ivanti Endpoint Security determines which endpoints are not compliant with the Mandatory Baseline.
  3. Content deploys to non-compliant endpoints
    Necessary content is deployed to non-compliant endpoints as soon as possible.

Some content requires both reboots and an administrator-level log in to complete. If these or similar content items are added to a baseline, the deployment will stop until the log in occurs.

Viewing a Group Mandatory Baseline

Navigate to a group's Mandatory Baseline to see the content items that all its members must have installed.

See the Mandatory Baseline for a selected group from the Mandatory Baseline view.

  1. From the Navigation Menu, select Manage > Groups.
  2. Select the desired group from the directory tree.
  3. From the View list, select Mandatory Baseline.
    The Mandatory Baseline associated with the group is displayed.

The Mandatory Baseline View Toolbar

This toolbar contains buttons related to the management of Mandatory Baselines. It also contains a button that lets you cache content items after adding them to the baseline. This caching process ensures swift content installations if an endpoint falls out of compliance.

The following table lists the available toolbar buttons and their functions.

| Button | Function |
| --- | --- |
| Manage | Adds or removes content to or from the group’s Mandatory Baseline. For additional information, refer to either Adding Content to Mandatory Baselines or Removing Content from Mandatory Baselines. |
| Update Cache | Caches (downloads) the package associated with the selected Mandatory Baseline item(s) (or the scripts associated with downloading the package). For additional information, refer to Updating the Mandatory Baseline Cache. |
| Import | Imports a Mandatory Baseline template into the group, defining Mandatory Baseline items. For additional information, refer to Importing Mandatory Baseline Templates. |
| Export (menu) | Opens the Export menu. |
| CSV file (Export menu item) | Exports the page data to a comma separated value (.csv) file. For additional information, refer to Exporting Data. |
| Template (*.XML) (Export menu item) | Exports the group Mandatory Baseline as a template in .xml format. For additional information, refer to Exporting Mandatory Baselines Templates. |
| Options (menu) | Opens the Options menu. For additional information, refer to The Options Menu. |

The Mandatory Baseline View List

This list displays the content items included in the selected group's Mandatory Baseline. You can also filter this list to display different types of content.

The following table describes the Mandatory Baseline view list.

| Column | Icon | Description |
| --- | --- | --- |
| Item Type | (icon) | An icon that indicates the Mandatory Baseline item status and type. For a description of each Mandatory Baseline item icon, refer to Content Status and Type. |
| Mandatory Baseline Compliance | (icon) | An icon that indicates compliance status for the item. For a description of each compliance icon, refer to Mandatory Baseline Item Compliance Icons. If the Mandatory Baseline fails to deploy more than twice, it will be recorded as an error in the Status column. However, this notification will only show in the Mandatory Baseline view. |
| Mandatory Baseline Item | N/A | The Mandatory Baseline item name. The name doubles as a link to the item's Review page. |
| Content Type | N/A | The content type of the Mandatory Baseline item. For a description of each impact, refer to one of the following pages based on the applicable type of Mandatory Baseline item: |
| Vendor | N/A | The name of the vendor that created the software in the Mandatory Baseline item. |
| State | N/A | The state of the Mandatory Baseline item (Enabled or Disabled). |
| OS List | N/A | The operating systems that the Mandatory Baseline item applies to. |

The Mandatory Baseline Item, Content Type, Vendor, State, and OS List are identical to the content items that the Mandatory Baseline items represent.

Each item on the Mandatory Baseline view list can be expanded to display additional details about the item. This information lists each endpoint in the group, and whether or not these endpoints comply with the expanded Mandatory Baseline item. Click the arrow (>) next to a Mandatory Baseline item to view these details.

The following table describes each column within the details of a Mandatory Baseline item.

| Column | Icon | Description |
| --- | --- | --- |
| Endpoint Status Icon | (icon) | Displays an icon that indicates the current status of the applicable endpoint. For additional information, refer to Agent Module Status Icons. |
| Mandatory Baseline Icon | (icon) | Displays an icon that indicates the status of the endpoint in relation to the expanded Mandatory Baseline item. For additional information, refer to Mandatory Baseline Item Compliance Icons. |
| Name | N/A | Indicates the name of the endpoint within the selected group. |
| OS | N/A | Indicates the operating system that runs on the endpoint. |
| Compliance | N/A | Indicates whether the endpoint complies with the expanded Mandatory Baseline item. If the item is marked Do Not Patch for the endpoint, the endpoint is considered compliant. |

Mandatory Baseline Item Compliance Icons

Each item on the Mandatory Baseline view list contains an icon that indicates if all applicable endpoints within the group have the associated content installed. Familiarizing yourself with these icons will help you understand if the selected group currently complies with its Mandatory Baseline. Additionally, after you expand a Mandatory Baseline item, compliance icons also appear for each endpoint.

The following table describes the compliance icons for Mandatory Baseline items.

Icon

Status

Indicates one or more group members are either detecting, obtaining the package, awaiting detection, or in a deployment-not-started state.

Indicates one or more group members are deploying the package.

Indicates all group members are disabled.

Indicates all group members are either not applicable or in compliance with this package (some can also be disabled).

Indicates one or more group members are not compliant and had an error during deployment. Error information displays in the mouse-over text.

Indicates that the patch is marked Do Not Patch for the group.

Note:

  • If a group marked Do Not Patch for a content item is later marked OK to Patch, the Mandatory Baseline automatically installs the content on that group.
  • If a group has content added to its Mandatory Baseline that is later marked Do Not Patch, that content is not automatically uninstalled.

The following table describes the compliance icons for endpoints (which appear when a Mandatory Baseline item is expanded).

Icon

Status

Indicates the group member is either detecting, obtaining the package, awaiting detection, or is in a deployment-not-started state.

Indicates the group member is receiving the package.

Indicates the Mandatory Baseline item does not apply to the group member.

Indicates the group member complies with the Mandatory Baseline item.

Indicates the group member does not comply with the Mandatory Baseline item.

Indicates that the group member is marked Do Not Patch for the Mandatory Baseline item.

Note:

  • If an endpoint marked Do Not Patch for a content item is later marked OK to Patch, the Mandatory Baseline automatically installs the content on that endpoint.
  • If a group endpoint has content added to its Mandatory Baseline that is later marked Do Not Patch, that content is not automatically uninstalled.

Adding Content to Mandatory Baselines

Add content to a group Mandatory Baseline to monitor the endpoints for installation of the content. If an endpoint does not have it installed, Ivanti Endpoint Security installs it following the next Discover Applicable Updates task.

Add content to a Mandatory Baseline from the Mandatory Baseline view.

  1. From the Navigation Menu, select Manage > Groups.
  2. From the View list, select Mandatory Baseline.
  3. From the Group Browser, select the desired group.
  4. Click Manage.
  5. [Optional] Filter the Vulnerabilities table. There are two ways to filter:
    • Click the Show/Hide Filters link to toggle the built-in table filters.
    • Click the Filter button at the bottom of the table to open the Needed Detection Vulnerabilities dialog, which only shows content applicable to the group that hasn't been installed (content that's not applicable or marked Do Not Patch for the group isn't displayed).
  6. Select the content you want to add to the baseline and click the Assign button.
    Note:

    • Don't use the Assign All button until you've filtered the Vulnerabilities table. Adding all the available content creates excessive network traffic.
    • Don't add locally created packages to the baseline. They don't contain the fingerprint files that the baseline requires to monitor for packages.

    Your content is added to the Selected Vulnerabilities table.

  7. Click OK.
  8. If vendor license agreements are displayed, select the I ACCEPT the terms and conditions of this end user license agreement option and click OK.
  9. [Recommended] Click the Update Cache button to download the content.

    Skipping the cache update may result in endpoint reboots that interrupt employee work. Cache the content now to optimize package installation order. While caching, click Refresh to check for progress.

  10. [Optional] Set deployment options as described in Setting Mandatory Baseline Deployment Options.
    You can do this for each content item added to the baseline.
  11. Click OK.

Note: To deploy Mandatory Baseline items, the group Mandatory Baselines enabled setting must be set to True. For additional information, refer to Editing Group Settings.

The content is added to the group Mandatory Baseline.

Filtering the Vulnerabilities Table for Applicable Content

When adding content to a Mandatory Baseline, click the Filter button to open the Needed Detection Vulnerabilities dialog. This dialog filters the default Vulnerabilities table to show only content that applies to the group and hasn't been installed yet.

Prerequisites:

Start Adding Content to Mandatory Baselines and complete up to step 5.

  1. Click the Filter button.
    The Needed Detection Vulnerabilities dialog opens.
  2. [Optional] Use the column filters to narrow down content.
    Only applicable content is listed. Content that is not applicable or marked Do Not Patch for the group isn't displayed.
  3. Select the content items you want to add to the Mandatory Baseline and then click OK.
    The Needed Detection Vulnerabilities dialog closes and the selected content items are added to the Selected Vulnerabilities table.

Removing Content from Mandatory Baselines

When a group of endpoints no longer requires the constant presence of specific content, remove the applicable content items from that group's Mandatory Baseline. Removing content from a Mandatory Baseline does not remove it from the group's endpoints.

Remove content from Mandatory Baselines from the Mandatory Baseline view.

  1. From the Navigation Menu, select Manage > Groups.
  2. From the View list, select Mandatory Baseline.
  3. From the directory tree, select the desired group.
  4. Click Manage.
  5. Remove content from the Mandatory Baseline. Use one of the following methods.
    • To remove individual content items:
      1. From the Selected Vulnerabilities table, select the check boxes associated with the content items you want to remove from the Mandatory Baseline.
      2. Click Remove.
    • To remove all content items, click Remove All.

    Content items are removed from the Selected Vulnerabilities table according to your input.

  6. Click OK.
    The selected content is removed from the selected group's Mandatory Baseline. The Groups page reflects your changes.

Setting Mandatory Baseline Deployment Options

Like other deployments, automated Mandatory Baseline deployments also have customizable options. After adding content items to a group's Mandatory Baseline, you can set deployment options for each item. Configuring these options defines the manner in which Mandatory Baseline packages are deployed.

Prerequisites:

  • A content item must be added to a group Mandatory Baseline

Configure Mandatory Baseline package deployment options from the Mandatory Baseline view.

  1. From the Navigation Menu, select Manage > Groups.
  2. Select the desired group from the directory tree.
  3. From the View list, select Mandatory Baseline.
  4. Click Manage.
  5. Click the Options button associated with the Mandatory Baseline item for which you want to define deployment options.
    The Package Deployment Options dialog opens.
  6. From the Package Name list, ensure the desired package is selected.
  7. Define Distribution Options. Choose from the following options.
    • To deploy concurrently:
      1. Select the Concurrent option.
      2. In the field, type the desired number of endpoints to receive simultaneous deployments.
    • To deploy consecutively, select the Consecutive option.
  8. If available, select the desired Deployment Flags.
    For additional information, refer to Behavior Icon Definitions.
  9. If needed, type additional deployment flags in the Optional Flags field. For additional information, refer to Package Flag Descriptions.
  10. Select a Deployment Option.
    • Do not notify users of this deployment.
    • Notify users of this deployment.
  11. If you selected the Notify users of this deployment option, complete the following sub-steps.
    1. [Optional] Type a notification in the Message field.
    2. Define the Deploy within option.
      • To manually define this option, type a value in the field and select a value from the list (minutes, hours, days).
      • To use the default notification option setting defined in the agent policy set associated with the target endpoints, select the Use Agent Policy check box.
  12. Select a Reboot Option.
    • Do not notify users of this reboot.
    • Notify users of this reboot.
  13. If you selected the Notify users of this reboot option, complete the following sub-steps.
    1. [Optional] Type a notification in the Message field.
    2. Define the Reboot within option.
      • To manually define this option, type a value in the field and select a value from the list (minutes, hours, days).
      • To use the default notification option setting defined in the agent policy set associated with the target endpoints, select the Use Agent Policy check box.

The Package Deployment Options dialog closes. Repeat these instructions for additional Mandatory Baseline items if necessary.

Removing Deployments Created by Mandatory Baselines

Occasionally, deployments associated with a Mandatory Baseline may need to be stopped. However, how you stop the deployment will change based on context; in some instances, you may want to stop the deployment for all endpoints within the group; in others, you may only want to stop the deployment for specific endpoints within the group.

Mandatory Baseline deployments can be stopped one of two ways: either stop the deployment itself or disable the endpoints receiving the deployment.

The removal of Mandatory Baseline deployments does not take place within the Mandatory Baselines view. Rather, it takes place within the Deployments and Tasks view.

If the Mandatory Baseline still applies, the deployment will be recreated.

Removing a Mandatory Baseline Deployment from a Group

In the event that a Mandatory Baseline deployment needs to be removed for all endpoints within a group, delete the deployment itself. Using this method prevents packages associated with the baseline from being installed on all endpoints within the group.

Stop Mandatory Baseline deployments using this method from the Deployments and Tasks view.

  1. From the Navigation Menu, select Manage > Groups.
  2. From the View list, select Deployments and Tasks.
  3. Select the applicable group from the directory tree.
  4. Select the check box associated with the Mandatory Baseline deployment you want to delete.
  5. Click Delete.
    A dialog displays, asking you to acknowledge the deletion.
  6. Click OK to acknowledge the deletion.

    If the Mandatory Baseline(s) still applies, the deployment(s) is recreated.

The Mandatory Baseline deployment is stopped. It no longer appears in the Deployments and Tasks view.

Stopping a Deployment for Specific Endpoints

In the event that a Mandatory Baseline deployment needs to be stopped for specific endpoints within a group, disable those endpoints. Using this method prevents packages associated with the baseline from being installed on specific endpoints within the group rather than all endpoints within the group.

Stop Mandatory Baseline deployments using this method from the Deployments and Tasks view.

  1. From the Navigation Menu, select Manage > Groups.
  2. From the View list, select Deployments and Tasks.
  3. Select a group from the directory tree.
  4. Click the desired deployment name link.
  5. Select the check box(es) associated with the desired endpoint(s).
  6. Click Disable to disable the deployment(s) for the selected endpoint(s).

    If the Mandatory Baseline still applies, the deployment is recreated.

The selected endpoints are disabled, preventing them from receiving the Mandatory Baseline deployment. Remember to re-enable the endpoints to resume vulnerability management activities following management of the Mandatory Baseline.

Updating the Mandatory Baseline Cache

You can cache content that you have included in a group's Mandatory Baseline. Updating the cache for content items downloads the packages (or the scripts that will download the packages) associated with those items. Cached content items can be deployed immediately.

Cache content for Mandatory Baseline items from the Mandatory Baseline view.

  1. From the Navigation Menu, select Manage > Groups.
  2. From the View list, select Mandatory Baseline.
  3. From the directory tree, select the group with Mandatory Baseline items (content items) that you want to cache.
  4. If necessary, designate filter criteria for the desired Mandatory Baseline item and click Update View.
  5. Select the check boxes associated with the Mandatory Baseline item you want to cache.
  6. Click Update Cache.
    The selected content begins caching.

Importing Mandatory Baseline Templates

After a Mandatory Baseline template has been exported, import the template and apply it to a new group. Importing a Mandatory Baseline template is faster than creating a new, identical Mandatory Baseline.

Import Mandatory Baseline templates from the Mandatory Baseline view.

  1. From the Navigation Menu, select Manage > Groups.
  2. From the View list, select Mandatory Baseline.
  3. From the directory tree, expand to the group into which you want to import a Mandatory Baseline template.
  4. From the toolbar, click Import.
    The Import Mandatory Baseline Wizard opens to the Welcome to the Import Mandatory Baseline Wizard page.
  5. Click Next.
    The Import Mandatory Baseline page opens.
  6. Define the Mandatory Baseline template that you want to import.
    1. Click Browse.
      The Choose file dialog opens.
    2. Browse to the Mandatory Baseline template you want to import.
    3. Click Open.
      The Mandatory Baseline template name displays in the Mandatory Baseline template (*.XML) field.
  7. If you do not want to import the deployment options associated with the Mandatory Baseline and use the system defaults defined on your Ivanti Patch and Remediation server, select the Import without deployment options and use system default check box.
  8. Click Next.
  9. Based upon the page or dialog that opens, complete the applicable steps.
    • If the This group already has Mandatory Baseline items assigned dialog opens:
      1. Select either the Append to the list of existing items and replace duplicates option or the Replace all existing items with new items option.
      2. Click OK.
    • If the One or more of the Mandatory Baseline items are not available because they are not included in the server's content subscription dialog displays, click OK to proceed with the import or Cancel to cancel the import.
    • If the Review Mandatory Baseline Items page opens, proceed to the next step.
  10. Review the Mandatory Baseline items and edit them as needed.
    The following table describes each page column.

    | Column | Description |
    | --- | --- |
    | Mandatory Baseline Icon | Displays an icon that indicates the cache status of the Mandatory Baseline item. For additional information, refer to Content Icons and Descriptions. |
    | Name | Lists the name of the Mandatory Baseline item. The Mandatory Baseline item name is identical to the content item. |
    | Cache Status | The cache status of the Mandatory Baseline item. The cache status indicates whether the content item has been downloaded to your Ivanti Patch and Remediation server (Cached or Not Cached). |

  11. [Optional] Edit the list.
    Edit the list according to the following task steps.
    • To delete items:
      1. Select the check box(es) associated with the applicable Mandatory Baseline item(s).
      2. Click Delete.
    • To update the cache for items:
      Important: Updating the cache for Mandatory Baseline items ensures they are deployed in the proper chain sequence. Failure to cache Mandatory Baseline items may result in multiple reboots of the endpoints receiving the deployment.
      1. Select the check box(es) associated with the applicable Mandatory Baseline item(s).
      2. Click Update Cache.
    • To configure deployment options for an item:
      1. Select the check box associated with the applicable Mandatory Baseline item.
      2. Click Deployment Options.
      3. Complete Setting Mandatory Baseline Deployment Options from step 6.
    • To refresh item cache statuses, click Refresh.
      If the Auto Refresh check box is selected, Mandatory Baseline item cache statuses will periodically refresh automatically.
  12. Click Next.
    The License Agreement page opens.
  13. Review the license agreement for each Mandatory Baseline item and select the I ACCEPT the terms and condition of the end user license agreement option.
    Scrolling may be necessary to review and accept all license agreements.
  14. Click Finish.
    The import process begins. A bar indicates progress.
  15. Click Close.
    The Mandatory Baseline is imported to the selected group. List items for applicable Mandatory Baseline items appear within the Mandatory Baseline view. All endpoints within the group are now subject to the Mandatory Baseline.

Exporting Mandatory Baselines Templates

You can export Mandatory Baseline templates in an XML format. This feature is useful for setting up Mandatory Baselines across multiple groups and Ivanti Endpoint Security installations via importation.

Export Mandatory Baselines templates from the Mandatory Baseline view.

  1. From the Navigation Menu, select Manage > Groups.
  2. From the View list, select Mandatory Baseline.
    The Mandatory Baseline view displays.
  3. From the directory tree, select the group assigned the Mandatory Baseline you want to export. Expand the tree as necessary.
  4. From the toolbar, select Export > Template (*.XML).
    The File Download dialog opens.

    If using Mozilla Firefox, the procedure to export the Mandatory Baseline will differ slightly.

  5. Click Save.
    The Save As dialog opens.
  6. Define the file path where you want to save the Mandatory Baseline.
  7. [Optional] Edit the File name field.
  8. Click Save.
  9. If you want to export Mandatory Baselines for additional groups, repeat the Mandatory Baseline exportation process from step 4.
    Your Mandatory Baseline(s) are exported.

Exporting Mandatory Baseline View Data

To export information displayed in the Mandatory Baseline view list to a comma separated value (.csv) file, select Export > CSV File from the toolbar. Exporting data lets you work with that data in other programs for reporting and analytical purposes.

For additional information, refer to Exporting Data.