Working with Agent Policy Sets

There are many tasks that you can perform from the Agent Policy Sets page related to agent policy sets. Some tasks are performed by clicking toolbar buttons, while others are performed by interacting with list items.

Creating an Agent Policy Set

You can create an unlimited number of Agent Policy Sets to define how endpoints behave. Following creation, associate an Agent Policy Set with a group or endpoint to apply policy settings. After installing new modules, additional options are available when creating an Agent Policy Set.

Create an Agent Policy Set from the Create Agent Policy Set dialog.

  1. Select Manage > Agent Policy Sets.
  2. Click Create.
    The Create Agent Policy Set dialog opens.
  3. Type the applicable information in the Policy Set Details fields.

    Policy Set Name: The name of the Agent Policy Set.

    Policy Set Description: A description of the Agent Policy Set (optional).

  4. Define the Agent Hardening option.
    These options define the steps required to delete an agent. For additional information, refer to About Agent Hardening.

    Agent uninstall protection (list): Select from the list to define whether the agent requires a password to be uninstalled. The default value is On.

  5. Define the Agent Logging options.
    The following list describes each option.

    Logging level (button): Click to open the Logging Level dialog. Use this dialog to select the agent logging level. For additional information, refer to Defining Agent Policy Logging Levels.

    Maximum log file size (field): Type the amount of disk space that triggers the agent to delete its log (1-500 MB). A value of 10 is the default setting.

  6. Define the Ivanti Endpoint Security Agent Communication options. The following list describes each option.

    Use HTTP for file download (list): Select whether packages are downloaded using HTTP, regardless of whether HTTPS is used for communication between the agent and Ivanti Endpoint Security (True or False). The default value is True.

    Send interval (list): Select the amount of time that the agent should wait before sending an event to the Ivanti Endpoint Security server (0-5 seconds). A value of 2 seconds is the default setting.

    Receive interval (field and list): Type and select the amount of time that the agent should delay before reattaching events from the Ivanti Endpoint Security Server. This value cannot exceed seven days. A value of 0 seconds is the default setting.

    Timeout interval (field and list): Type and select the amount of time the agent should stay attached to the Ivanti Endpoint Security server before disconnecting (1 minute-7 days). A value of 12 hours is the default setting.

    Heartbeat interval (field and list): Type and select the amount of time between agent check-ins with the Ivanti Endpoint Security server (1 minute-1 day). A value of 15 minutes is the default setting.

  7. Define the Ivanti Endpoint Security Agent Notification Defaults options. The following list describes each option.

    Hide Agent Control Panel: This option controls whether the Agent Control Panel (and all associated dialogs and notifications) are hidden or accessible to an endpoint user after logging on (True or False).

    Note:

    • This policy will not take effect until the agent is restarted.
    • This policy can hide only the Ivanti Endpoint Security Agent for Windows. Agents installed on Linux, Unix, or Mac endpoints cannot be hidden.
    • When set to True, endpoint users can still open the Agent Control Panel using Windows Control Panel.
    • This policy cannot hide the Patch Agent or the Agent.

    Show Alerts on Endpoint: This option controls whether the associated dialogs and notifications for the Agent Control Panel are hidden or accessible to an endpoint user after logging on (True or False).

  8. Define the Reboot Behavior Defaults option.
    An endpoint module installation or feature may require an endpoint to restart (such as the Device Control module). This option defines how the reboot is performed.
    1. From the Reboot behavior list, select a behavior.

      Notify user, user response required before reboot: All logged-on endpoint users must agree unanimously to a restart. After the final user agrees to the reboot, it will start immediately.

      Notify user, automatically reboot within 5 minute timer: All users logged on to the endpoint are notified by a dialog that a restart will take place in five minutes.

      Don't notify user, wait for next user-initiated reboot: No dialog notifies users that a reboot is required, and the policy does not take effect until the next time the endpoint is rebooted.

  9. Click Save.
    Your Agent Policy Set is saved. You can now assign the Agent Policy Set to endpoint groups or edit the set.

After Completing This Task:

To assign an Agent Policy Set to a group, complete Assigning an Agent Policy Set to a Group.

Editing an Agent Policy Set

Following the creation of an Agent Policy Set, you can modify it to accommodate network environment changes.

The Edit a Policy Set dialog allows you to modify an Agent Policy Set.

  1. From the Navigation Menu, select Manage > Agent Policy Sets.
  2. Click the Edit icon associated with the policy set you want to edit.
    The Edit a Policy Set dialog opens.
  3. [Optional] Edit the Policy Set Details fields.

    Policy Set Name: The name of the Agent Policy Set.

    Policy Set Description: A description of the Agent Policy Set (optional).

  4. [Optional] Edit the Agent Hardening options.
    These options define the steps required to delete an agent. For additional information, refer to About Agent Hardening.

    Agent uninstall protection (list): Select from the list to define whether the agent requires a password to be uninstalled. The default value is On.

    Global Uninstall Password (button): Click Modify to open the Global Uninstall Password dialog. Use this dialog to define a password for manually uninstalling the agent. For additional information, refer to Changing the Global Uninstall Password.

    This option is only available when editing the Global System Policy agent policy set. Only users assigned to the built-in Administrator role may view or modify the global uninstall password.

  5. [Optional] Edit the Agent Logging options.

    Logging level (button): Click to open the Logging Level dialog. Use this dialog to select the agent logging level. For additional information, refer to Defining Agent Policy Logging Levels.

    Maximum log file size (field): Type the amount of disk space that triggers the agent to delete its log (1-500 MB). A value of 10 is the default setting.

  6. [Optional] Edit the Ivanti Endpoint Security Agent Communication options.

    Use HTTP for file download (list): Select whether packages are downloaded using HTTP, regardless of whether HTTPS is used for communication between the agent and Ivanti Endpoint Security (True or False). The default value is True.

    Send interval (list): Select the amount of time that the agent should wait before sending an event to the Ivanti Endpoint Security server (0-5 seconds). A value of 2 seconds is the default setting.

    Receive interval (field and list): Type and select the amount of time that the agent should delay before reattaching events from the Ivanti Endpoint Security Server. This value cannot exceed seven days. A value of 0 seconds is the default setting.

    Timeout interval (field and list): Type and select the amount of time the agent should stay attached to the Ivanti Endpoint Security server before disconnecting (1 minute-7 days). A value of 12 hours is the default setting.

    Heartbeat interval (field and list): Type and select the amount of time between agent check-ins with the Ivanti Endpoint Security server (1 minute-1 day). A value of 15 minutes is the default setting.

  7. [Optional] Define the Ivanti Endpoint Security Agent Notification Defaults options. The following list describes each option.

    Hide Agent Control Panel: This option controls whether the Agent Control Panel (and all associated dialogs and notifications) are hidden or accessible to an endpoint user after logging on (True or False).

    Note:

    • This policy will not take effect until the agent is restarted.
    • This policy can hide only the Ivanti Endpoint Security Agent for Windows. Agents installed on Linux, Unix, or Mac endpoints cannot be hidden.
    • When set to True, endpoint users can still open the Agent Control Panel using Windows Control Panel.
    • This policy cannot hide the Patch Agent or the Agent.

    Show Alerts on Endpoint: This option controls whether the associated dialogs and notifications for the Agent Control Panel are hidden or accessible to an endpoint user after logging on (True or False).

  8. [Optional] Edit the Reboot Behavior Defaults.
    An endpoint module installation or feature may require an endpoint to restart (such as the Device Control module). This option defines how the reboot is performed.
    1. From the Reboot behavior list, select a behavior:

      Notify user, user response required before reboot: All logged-on endpoint users must agree unanimously to a restart. After the final user agrees to the reboot, it will start immediately.

      Notify user, automatically reboot within 5 minute timer: All users logged on to the endpoint are notified by a dialog that a restart will take place in five minutes.

      Don't notify user, wait for next user-initiated reboot: No dialog notifies users that a reboot is required, and the policy does not take effect until the next time the endpoint is rebooted.

  9. Click Save.
    Your edits are saved. The new policy values take effect the next time the applicable agents communicate with the Ivanti Endpoint Security server.

Deleting an Agent Policy Set

As your network environment changes, Agent Policy Sets may no longer be applicable. When this event occurs, you may delete the unnecessary Agent Policy Set.

You can delete Agent Policy Sets at any time from the Agent Policy Sets page.

  1. From the Navigation Menu, select Manage > Agent Policy Sets.
  2. Delete one or more Agent Policy Sets.
    Use one of the following methods.

    To delete one Agent Policy Set: Click the Delete icon associated with an Agent Policy Set.

    To delete multiple Agent Policy Sets:

    1. Select the check boxes associated with the Agent Policy Sets you want to delete.
    2. From the toolbar, click the Delete button.

    Assigned agent policy sets and the Global System Policy cannot be deleted.

    A dialog displays, asking you to acknowledge the deletion.

  3. Acknowledge the deletion by clicking OK.
    The Agent Policy Set(s) is deleted.

Changing the Global Uninstall Password

Change the Global Uninstall Password associated with the Global System Policy set. This password can be used to uninstall any agent in your network.

To uninstall an agent from its host endpoint, you must enter one of two passwords: the Endpoint Uninstall Password or the Global Uninstall Password. The Global Uninstall Password feature ensures that endpoint users cannot uninstall the agent without the knowledge and permission of the administrator.

Define the Global Uninstall Password when editing the Global System Policy.

  1. From the Navigation Menu, select Manage > Agent Policy Sets.
  2. Click the edit icon for the Global System Policy set.
    The Edit a Policy Set dialog opens.
  3. Under the Agent Hardening section, click the Modify button adjacent to the Global uninstall password field.
    The Global Uninstall Password dialog opens.
  4. Type the desired password in the New password field.
    The password must be at least 8 characters in length.
  5. Retype the password in the Confirm new password field.
  6. Click Save.

    Password edits are not saved until the agent policy set itself is saved.

  7. Finish any desired edits to the Global System Policy set and click Save.

    Password edits are not saved until the Global System Policy set is saved.

  8. The Global Uninstall Password dialog closes. Your edits take effect the next time Ivanti Endpoint Security and the applicable agents communicate.

    Tip: The password required to uninstall the agent from the endpoint locally can be found.
    Refer to Viewing the Agent Uninstall Password for additional information.

Defining Agent Policy Logging Levels

All Ivanti Endpoint Security Agents record a log of events that transpire on the endpoint. An Agent Policy Set logging level setting controls how much memory an agent's host endpoint allocates for event logs.

A defined logging level can help troubleshoot agent policy behavior. Define logging levels carefully: a low logging level may not record enough information to be useful; however, a high logging level may record verbose information at the cost of higher disk space.

Define logging levels when creating or editing an Agent Policy Set.

  1. From the Navigation Menu, select Manage > Agent Policy Sets.
  2. Perform one of the following procedures based on your context.

    If you are creating an agent policy set: Click Create.

    If you are editing an agent policy set: Click the edit icon associated with the policy set containing the logging level setting you want to edit.

    Either the Create an Agent Policy Set or the Edit a Policy Set dialog opens.

  3. Under the Agent Logging section perform one of the following procedures based on your context.

    If you are defining the logging level for the first time: Click the Define button adjacent to the Logging level field.

    If you are modifying the logging level: Click the Modify button adjacent to the Logging level field.

    The Logging Level dialog opens.

  4. Move the slider to the desired logging level.
    The following table describes each logging level.

    Trace: Logs all errors and system actions. This highest logging level should be used only when necessary, as it will consume a large amount of resources on the endpoint.

    Diagnostic: Logs all errors and major system actions.

    Normal: Logs all errors and basic system action and usage information.

    Error: Logs only errors.

    Critical: Logs only critical events.

  5. Click Save.
  6. Finish any additional edits to the Agent Policy Set and click Save.

    Logging level edits are not saved until the Agent Policy Set is saved.

  7. The Logging Level dialog closes. Your edits take effect the next time the Ivanti Endpoint Security server and the applicable agents communicate.

Exporting Data for Agent Policy Sets

Click the toolbar Export button to export the list of Agent Policy Sets listed on the Agent Policy Sets page to a comma-separated value (.csv) file. Exporting data lets you work with data in other programs for reporting and analytical purposes.

Data for policy values are also exported. For additional information, refer to Exporting Data.
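
One way to review the exported .csv offline, as an added example that is not part of the product documentation: the column names and sample rows are assumptions (constructed), so match them to the header of your own export. It flags policy sets whose uninstall protection is not On, that download packages over HTTP, whose logging level sits at either extreme described above, or whose numeric values fall outside the documented ranges.

```python
import csv
import io

# Constructed sample export. Column names are assumptions, not the product's real header.
SAMPLE_EXPORT = """\
Policy Set Name,Agent uninstall protection,Use HTTP for file download,Logging level,Maximum log file size,Send interval
Global System Policy,On,True,Normal,10,2
Kiosk Endpoints,Off,False,Critical,10,2
Lab Machines,On,False,Trace,750,9
Servers,On,False,Normal,50,2
"""

# Ranges documented in the option descriptions: (min, max).
RANGES = {
    "Maximum log file size": (1, 500),  # MB
    "Send interval": (0, 5),            # seconds
}
# Levels the logging section cautions about at either extreme (review heuristic).
LEVEL_NOTES = {
    "trace": "Trace consumes a large amount of endpoint resources",
    "error": "Error may not record enough to troubleshoot",
    "critical": "Critical may not record enough to troubleshoot",
}

def audit_policy_sets(csv_text):
    """Return {policy set name: [findings]} for rows with at least one finding."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        if (row.get("Agent uninstall protection") or "").strip().lower() != "on":
            issues.append("uninstall protection is not On")
        if (row.get("Use HTTP for file download") or "").strip().lower() == "true":
            issues.append("packages are downloaded over HTTP")
        level = (row.get("Logging level") or "").strip().lower()
        if level in LEVEL_NOTES:
            issues.append("logging level " + LEVEL_NOTES[level])
        for column, (low, high) in RANGES.items():
            try:
                value = int(row[column])
            except (KeyError, TypeError, ValueError):
                issues.append(f"{column}: missing or non-numeric")
                continue
            if not low <= value <= high:
                issues.append(f"{column}: {value} outside {low}-{high}")
        if issues:
            findings[row.get("Policy Set Name") or "(unnamed)"] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit_policy_sets(SAMPLE_EXPORT).items():
        print(name)
        for issue in issues:
            print("  - " + issue)
```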

Assigning an Agent Policy Set to a Group

Assigning an Agent Policy Set to a group defines functional rules for the group.

Prerequisites:

Assign Agent Policy Sets to groups from the Agent Policy Sets view.

Groups that do not have an associated Agent Policy Set assigned use the Global System Policy.
Refer to About Agent Policies and Agent Policy Sets for additional information.

  1. From the Navigation Menu, select Manage > Groups.
  2. From the View list, select Agent Policy Sets.
  3. Select a group from the directory tree.

    You may select a group that is either in the Custom Groups or Systems Groups hierarchy.

  4. Click Assign.
    The Select a Policy Set list becomes active.
  5. Select an agent policy set from the Select a Policy Set list.
  6. Click the Save icon to save your changes.
    The Select a Policy Set list closes and your policy is assigned.

    The Cancel icon cancels your changes and any edits are not saved.

  7. The policy set is saved and associated with the group.

Unassigning an Agent Policy Set from a Group

When desired, you can unassign an Agent Policy Set from a group.

Prerequisites:

Unassign Agent Policy Sets from groups from the Agent Policy Sets view.

Groups that do not have an associated Agent Policy Set assigned use the Global System Policy.
Refer to About Agent Policies and Agent Policy Sets for additional information.

  1. From the Navigation Menu, select Manage > Groups.
  2. From the View list, select Agent Policy Sets.
  3. Select a group from the directory tree.

    You may select a group that is either in the Custom Groups or Systems Groups hierarchy.

  4. Remove the desired policy sets. Use one of the following methods.

    To remove one Agent Policy Set: Click the Unassign icon associated with the Agent Policy Set you want to remove.

    To remove multiple Agent Policy Sets:

    1. Select the check boxes associated with the Agent Policy Sets you want to remove.
    2. From the toolbar, click the Unassign button.

    An Unassign Disabled icon indicates you cannot remove an inherited Agent Policy Set. Instead, you must change the group policy inheritance setting or remove the inherited policy set from the parent group.
    Refer to Policy Inheritance in Editing Group Settings for additional information.

    A dialog appears, prompting you to acknowledge the removal.

  5. Click OK.
    The selected policy set(s) are removed and the dialog closes.

The Agent Policy Set(s) are no longer associated with the group.