The Agent Policy Sets Page

You can control agent behavior by creating and assigning Agent Policy Sets. Use the Agent Policy Sets page to define agent rules of behavior.

You can access this page at any time from the navigation menu.

About Agent Policies and Agent Policy Sets

Agent Policies are rules that govern agent behavior. Agent Policy Sets are collections of agent policy values.

Assign agent policies to groups using the Agent Policy Sets view. Based on group membership, agents operate according to the values in assigned Agent Policy Sets. Assignment of Agent Policy Sets is optional.

Groups without assigned Agent Policy Sets have their behavior defined by the Global System Policy. The Global System Policy does the following:

  • Defines behavior for groups with no assigned policy set.
  • Defines policy values for incomplete agent policy sets.

When agents holding multiple group memberships are assigned conflicting agent policy values, the conflicts are resolved using conflict resolution rules. These rules are a set of protocols that determine which policy value an agent uses when conflicts occur. For additional information, refer to Defining Agent Policy Conflict Resolution.

About Agent Hardening

Agent Policy Sets include Agent Hardening policies, which are policies used to prevent unauthorized Ivanti Endpoint Security Agent removal.

Agent Hardening (when set to On):

  • The Ivanti Endpoint Security Agent installation location (C:\Program Files\HEAT\EMSSAgent by default) cannot be renamed, edited, or deleted.

  • The Agent is hardened, meaning the agent cannot be intentionally or unintentionally modified.

  • When hardening is in place, you can still upgrade or uninstall the agent after entering the agent uninstall password or the global uninstall password, which is only necessary when modifying the agent locally from the endpoint.

    For additional information about defining Agent Hardening policies, refer to the following topics:

Global uninstall password:

Important: The Global uninstall password option is available only when editing the Global System Policy agent policy set.
Refer to Changing the Global Uninstall Password for additional information.

The Global uninstall password is a universal password that temporarily disables agent uninstall protection. This password works on all network endpoints. You are prompted for this password when manually upgrading or uninstalling hardened agents.

Note:

  • Ivanti does not recommend providing end users with the global uninstall password in uninstall scenarios. The Global uninstall password should be used by the Ivanti Endpoint Security Administrator only.
  • In the event an end user needs to uninstall the Ivanti Endpoint Security Agent, provide them with the Agent uninstall password, a password that works only for their endpoint. For additional information, refer to Viewing the Agent Uninstall Password.

Viewing the Agent Policy Sets Page

Navigate to this page to view Agent Policy Sets and their policy settings. Expand policy sets to view the individual policy settings.

You can access this page any time using the navigation menu.

  1. From the Navigation Menu, select Manage > Agent Policy Sets.
  2. [Optional] Complete a task listed in Working with Agent Policy Sets.

Defining Agent Policy Inheritance Rules

You can configure a group to inherit policies from its parent hierarchy using the Policy inheritance setting.

Because a group can inherit policies and have them directly assigned, policy conflicts may arise. The following rules apply when a group has Policy Inheritance set to True:

  1. Any conflicting policies that are assigned to the parent, but not the child, are resolved at the parent level using the conflict policy resolution rules.
  2. Agent Policy Set values directly assigned to a group supersede inherited Agent Policy Set values.
  3. Any conflicting policies that are assigned directly to the child group are resolved by conflict resolution rules.
  4. Any Agent Policy Set values that are undefined by the group’s directly assigned policy are defined by the parent’s group policy.
  5. Policy values still undefined are defined by the Global System Policy set.

For more information on how to enable a group's Policy Inheritance setting, refer to Editing Group Settings.

For more information on Conflict Policy Resolution rules, refer to Defining Agent Policy Conflict Resolution.

Defining Agent Policy Conflict Resolution

On occasion, a group or endpoint may be assigned two different Agent Policy Sets that have conflicting policies. When this occurs, the system determines which policy to use based on the Agent Policy Conflict Resolution rules.

Conflicting policies are resolved in the following order.

  1. Group Policies - Conflicting policy sets assigned to a group are resolved before conflicting policy sets assigned to an agent are resolved.

    The following rules apply if a group has Policy Inheritance set to False:

    1. The group does not inherit its parent policy set. Therefore, only policy sets assigned directly to the group require resolution.
    2. Conflicting policies are resolved according to the agent policy conflict resolution rules.

    The following rules apply if a group has Policy Inheritance set to True:

    1. The group inherits its parent policy set. Any conflicting policy sets are resolved at the parent level prior to assignment to the child level.
    2. Conflicting policies assigned directly to the group are resolved using the agent policy conflict resolution rules. Any policy set values assigned directly to a group supersede inherited policy set values.
    3. Finally, any policies that are undefined by direct assignment are defined by inheritance.
  2. Agent Policies - After resolving the group policies, the conflicting policies assigned to an endpoint (using its group membership) are resolved. The following rules apply:
    1. The resultant policies of all groups of which the endpoint is a member are resolved according to the agent policy conflict resolution rules.
    2. Any policy values that have not been defined using the agent group membership are populated based on the policy settings defined in the Global System Policy.

Conflict resolution rules do not apply to the Global System Policy.

The following table defines the rules used when resolving conflicting policy settings:

Policy Setting - Resolution

  • Hide Agent Control Panel - The agent uses true (Y).
  • Core: Download file via HTTP - The agent uses true (Y).
  • Maximum Log File Size - The agent uses the largest log file size value.
  • Logging Level - The agent uses the most comprehensive logging level value (Trace [4] > Diagnostic [3] > Normal [2] > Error [1] > Critical [0]).
  • Agent uninstall protection - The agent uses On.
  • Show alerts on endpoints - The agent uses false (N).
  • Reboot behavior - The agent uses a combination of the most secure value, while still giving the user the best chance to save their work. The items are listed in the following order:
      • Notify user, user response required before reboot = 0
      • Don't notify user, wait for next user-initiated reboot = 2
      • Notify user, automatically reboot with 5 minute timer = 1
  • Core: Heartbeat Interval - The agent uses the largest heartbeat interval frequency value.
  • Core: Receive Interval - The agent uses the largest receive interval frequency value.
  • Core: Timeout Interval - The agent uses the largest timeout interval frequency value.
  • Core: Send Interval - The agent uses the largest send interval frequency value.
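As an added example (not Ivanti code), the following Python computes the policy an endpoint ends up with by applying the inheritance rules and the resolution table above. The key names and sample groups are constructed, and treating the first-listed reboot value as the winner is an assumption.

```python
# Added example (not vendor code); key names and all sample data are constructed.
REBOOT_ORDER = [0, 2, 1]  # order the page lists reboot values; first wins (assumption)
RULES = {  # per-setting resolution from the table on this page
    "hide_control_panel": any,      # true (Y) wins
    "download_via_http": any,       # true (Y) wins
    "uninstall_protection": any,    # On wins
    "show_alerts": all,             # false (N) wins
    "logging_level": max,           # Trace [4] > ... > Critical [0]
    "reboot_behavior": lambda vs: min(vs, key=REBOOT_ORDER.index),
    **{k: max for k in ("max_log_size", "heartbeat_interval",
                        "receive_interval", "timeout_interval", "send_interval")},
}

def resolve(policy_sets):
    """Merge conflicting policy sets; settings nobody defines stay undefined."""
    merged = {}
    for key, rule in RULES.items():
        values = [ps[key] for ps in policy_sets if key in ps]
        if values:
            merged[key] = rule(values)
    return merged

def group_policy(name, groups):
    """Resultant policy of one group, honouring its Policy Inheritance flag."""
    group = groups[name]
    direct = resolve(group["sets"])
    if group.get("inherit") and group.get("parent"):
        # Directly assigned values supersede inherited ones; gaps come from the parent.
        return {**group_policy(group["parent"], groups), **direct}
    return direct

def effective_policy(memberships, groups, global_policy):
    """Policy an endpoint runs with; the Global System Policy only fills gaps."""
    resolved = resolve([group_policy(m, groups) for m in memberships])
    return {**global_policy, **resolved}

GLOBAL = {"uninstall_protection": True, "download_via_http": False,
          "logging_level": 2, "show_alerts": True, "reboot_behavior": 0}
GROUPS = {
    "Servers": {"sets": [{"uninstall_protection": True, "logging_level": 1}]},
    "Servers/Lab": {"parent": "Servers", "inherit": True,
                    "sets": [{"uninstall_protection": False}]},
    "Legacy": {"sets": [{"download_via_http": True, "reboot_behavior": 1}]},
    "Patch": {"sets": [{"reboot_behavior": 2, "logging_level": 3}]},
}

if __name__ == "__main__":
    print(effective_policy(["Servers/Lab"], GROUPS, GLOBAL))
    print(effective_policy(["Legacy", "Patch"], GROUPS, GLOBAL))
```

The first result shows a directly assigned Off for uninstall protection on a child group superseding the parent's On; the second shows a single group membership with HTTP downloads enabled turning that setting on for the endpoint.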

The Agent Policy Sets Page Toolbar

This toolbar contains buttons that allow you to create and edit Agent Policy Sets. The following table describes each toolbar button.

Button - Function

  • Delete - Deletes the selected Agent Policy Set(s). For additional information, refer to Deleting an Agent Policy Set.
  • Create... - Creates a new Agent Policy Set. For additional information, refer to Creating an Agent Policy Set.
  • Export - Exports the page data to a comma-separated value (.csv) file. For additional information, refer to Exporting Data.

    Important: The Enhanced Security Configuration feature for Internet Explorer suppresses export functionality and must be disabled to export data successfully. Pop-up blockers in Internet Explorer or other supported browsers may also suppress export functionality and should be disabled.
  • Options (menu) - Opens the Options menu. For additional information, refer to The Options Menu.

The Agent Policy Sets Page List

For each agent policy set that you create, an item for that set appears in the Agent Policy Sets page list. This list names each existing agent policy set and provides access to editing functionality.

Column - Description

  • Action - Contains Edit and Delete icons. Use these icons to edit and delete the associated agent policy set. For additional information, refer to the following topics:

    The Global System Policy cannot be deleted.
  • Name - The name of the agent policy set.

Each item listed on the Agent Policy Sets page can be expanded to list its individual policy settings. To view agent policy set details from the page list, click the Rotating Chevron (>) for the agent policy set, which opens a table containing additional details.

Name - Description

  • Policy Name - Indicates the unique name of the agent policy set.
  • Type - Indicates the type of agent policy set (System or User Defined).
  • Description - Indicates the description of the agent policy set.
  • Created By - Indicates the name of the user that created the agent policy set.
  • Created Date - Indicates the date and time that the agent policy set was created.
  • Modified By - Indicates the name of the user that last modified the agent policy set.
  • Modified Date - Indicates the date and time that the agent policy set was last modified.
  • Agent uninstall protection - Indicates whether agent uninstall protection is on.
  • Hide agent control panel - Indicates whether the Agent Control Panel is hidden from an endpoint user when they log on to their system. Any dialog or notification launched by the Ivanti Endpoint Security agent will also be hidden until the Agent Control Panel is started manually using Windows Control Panel.
  • Reboot behavior - Indicates the reboot behavior. The following values indicate each reboot behavior setting:
      • Notify user, user response required before reboot = 0
      • Notify user, automatically reboot with 5 minute timer = 1
      • Don't notify user, wait for next user-initiated reboot = 2
  • Download files via HTTP - Indicates whether the Ivanti Endpoint Security Agent downloads files via HTTP rather than HTTPS. All other communication occurs over HTTPS.
  • Maximum Log File Size - Specifies the maximum size of the Ivanti Endpoint Security agent log before it is deleted.
  • Logging Level - Indicates the level of detail recorded in the Ivanti Endpoint Security Agent. The following values indicate each logging level: Critical = 0, Error = 1, Normal = 2, Diagnostic = 3, Trace = 4.
  • Show alerts on endpoints - Indicates whether alerts and notifications are shown to endpoint users.
  • Core: Heartbeat Interval - Indicates the interval at which the Endpoint Service sends a heartbeat to the server (in minutes).
  • Core: Receive Interval - Indicates the Endpoint Service communication receive delay interval (in seconds).
  • Core: Timeout Interval - Indicates the Endpoint Service communication receive time interval (in seconds).
  • Core: Send Interval - Indicates the Endpoint Service communication send delay interval.

This reference table does not list the Value contained in the agent policy set details. This column (which appears in the user interface) contains values that agent policies are set to.