Migrating to New Agent Management
We have listened to user feedback to improve and develop Ivanti Neurons Agent Management.
The latest release of new Agent Management will see significant changes providing a greater level of control and management in Agent Management, Agent Policy, and Deployment.
This content is only a projected preview of the new Agent Management release and is subject to change up to the point of release. The release date is to be confirmed.
Key Improvements
The new Agent Management release will see the following improvements:
You can now select which agent policy to apply to the agent before installation. At the point of installation, the agent will automatically register the enrollment key and policy.
You no longer create a policy group and assign devices to it. In Agents, you create an agent policy, select target devices, and deploy. Any existing policy groups (including Default Agents with/without RC) will be converted to an agent policy using the same name.
Policies can now easily be assigned to manually installed agents, without having to create dummy deployment credentials.
Discovery > Discovered devices has been removed. The devices in the Devices page are now used to select which devices or device groups to deploy the agent policy to.
Custom device groups configured by the admin can be used as a source of devices to deploy agents to.
Passive discovery can still be restricted to only be performed by certain agents. To achieve this, enable or disable the Passive Discovery capability in the appropriate agent policies.
There are two new out-of-the-box policies available for selection:
- Infrastructure Agents: Agents using this policy are intended to support the administration of Ivanti Neurons in your network. The policy cannot be renamed or deleted. Additional capabilities can be added or removed.
  The following initial capabilities are mandatory and cannot be removed:
  - Deployment
  - Connectors
  - Active Discovery
  - Passive Discovery
  - Inventory
  - Automation
- Default Agents: This is a basic policy to help get you started. The policy can be edited freely and works like any policy you may create yourself. Any capability (including the ones that are initially enabled) can be added or removed. This policy can be renamed or deleted. The following are the initial capabilities:
  - Automation
  - Inventory
  - Edge Intelligence
  - Passive Discovery
Some capabilities are license dependent.
You can now combine any capability in the same policy. Previously it was not possible to have Deployment, Connector, or Default Agent capabilities all co-existing on the same device, because they were separate policy groups. Policies can now be created containing any available capabilities and assigned to an agent endpoint.
For example: A policy can now contain Connectors, Patch, Inventory, and Discovery.
Enrollment keys are used to register agents with a tenant and download the relevant agent policy. Enrollment keys have now been exposed in the user interface so you can track expired or depleted keys and create new ones to replace them.
Any existing active enrollment keys that are assigned to a default agent (with/without RC) will be migrated and displayed in Agents > Enrollment Keys.
The Download Deployment Representative Agent button in Agent Policy and Discovery has been replaced with Download Agent.
The concept of a Deployment Representative is no longer used. In new Agent Management, an agent policy has a Capabilities section, with a new Deployment capability. This capability must be selected in an agent policy and applied to a device that you want to use for deployment. The out-of-the-box Infrastructure Agent Policy has the Deployment capability enabled by default, or you can create a custom policy and enable it.
If you have an existing Deployment Representative policy group, this will be migrated to an agent policy with the name: <policy group name> - Deployment Representatives, and displayed in Agents > Agent Policies. Check the details to confirm it has the Deployment capability enabled.
In Admin > Connectors > Connector Servers, the Add Server > Download option downloads the Neurons Agent and enrollment key for the Infrastructure Policy. The Infrastructure policy has the Connector capability enabled by default and is mandatory.
Currently, to make use of the on-premises connectors, you have to download and install a connector server. In new Agent Management you can simply apply the new out-of-the-box Infrastructure policy, which has the Connector capability enabled by default. Or you can create a custom policy and enable it.
Changes to the Neurons Platform User Interface
The new Agent Management release will bring some UI changes:
- The following options have been removed:
  - Discovery landing page
  - Policy Groups option
  - Deployment Representatives option. In the new Agent Management, a deployment representative is a device that has an Agent Policy installed with the Deployment Capability enabled.
  - Discovered Devices option. The list of devices in Main menu > Devices is used to select which devices to deploy to.
- The Admin > Discovery landing page is now the Discovery Scans page.
- The Discovery Settings option has been split into the following two options, because they are agent policy capabilities that can be independently enabled:
  - Active Discovery Settings option
  - Passive Discovery Settings option
- The Download Deployment Representative Agent button has been replaced with Download Agent.
New Discovery Permissions:
- View Discovery Settings
- Modify Discovery Settings
New Agents Permissions:
- Agent Deployment:
  - Perform Agent Deployment
- Agent Management:
  - View Agent Endpoints
  - Modify Agent Endpoints
- Agent Policies:
  - View Agent Policies
  - Modify Agent Policies
- Enrollment Keys:
  - View Enrollment Keys
  - Modify Enrollment Keys
FAQ
Some questions you may have:
Ivanti Neurons Agent Management and Ivanti Neurons Discovery now offer Role Based Access Control so that administrators can lock down the Agents and Discovery areas of the UI to non-admin users. Modify, View, or No access can be granted. By default, the Admin role has Modify access, the Analyst role has View access, and all other roles, including Custom Roles, have No access.
Yes. The default access control permission is No access. Update your Custom Roles settings to grant the level of access you want to permit for Agents and Discovery, in Admin > Access Control > Custom Roles > Permissions.
Existing Policy Groups will be converted to Agent Policies. The Agent Policy will be created with the same name as the Policy Group.
If an existing Policy Group has a Deployment Representative Agent assigned to it, then an additional Agent Policy will be created with the name <policy group name> - Deployment Representatives. This can be renamed if required.
Existing active enrollment keys used for default agents (with/without RC) and for connectors will be migrated, including the number of activations and expiry date. On migration, the enrollment key will be assigned an enrollment key name in the format Auto-Generated, Auto-Generated 1, Auto-Generated 2, etc. These keys can be revoked or used for future deployments.
Custom policy group enrollment keys are migrated, but will not be displayed in the Enrollment Key list or made available for use with future deployments. This is because they were auto-generated at the time of agent deployment and are single-use only.
Enrollment keys can be created and managed using the new menu item Agents > Enrollment Keys.
Existing Connectors will be migrated to an Agent Policy named Connectors. The existing connectors enrollment key will be migrated and the name automatically generated as 'Connectors'.
To use Ivanti Neurons for deployment, you must have an agent policy with the Deployment Capability enabled. Any device that has the policy can then be selected to deploy the agent to other devices on your network, using Agents > Agent Deployment > Deploy Agent via Neurons push installation.
The devices that you can deploy an agent policy to are listed in Main menu > Devices. This is where you set up any Device Groups that you want to use.