Configuring General Settings for a Security Controls Agent Policy

There are a number of general settings to configure for a Security Controls Agent policy. You must configure these settings before installing the agents on the desired target machines.

Field

Description

Enabled

(Windows-based machines only) Specifies if the agent user interface will be installed. One reason you may not want the agent client program installed is if you do not allow Microsoft .NET on your agent machines; the agent client requires the use of Microsoft .NET. If the agent client is not installed, you can use the stagentctl command-line utility to control the agent on the target machine.

Perform manual operations

(Windows-based machines only) Enables a user on a target machine to manually initiate an operation such as a patch scan.

Cancel operations

(Windows-based machines only) Enables a user on a target machine to stop an operation that is in progress.

Logging level

Specify the amount of logging you want the agent to perform. The options are:

  • Basic: Records Error, Informational, and Warning message types in the log. This is the default value.
  • All: Records Error, Informational, Warning, and Verbose message types in the log. Logging all message types is typically only necessary when performing troubleshooting tasks.

The log files will reside on each agent machine in the following location: C:\ProgramData\LANDESK\Shavlik Protect\Logs

Maximum log size

Specify the maximum log size. Specifying a very large log size will enable you to record a longer log history but it will of course require more system resources. The default value is 5 MB.

If the log file becomes full a new log file is opened and logging will continue. If the second log file becomes full, the first log file is deleted and a new log file will be created. This means there will always be a maximum of two log files on the console.

Check-In interval

Specifies how often the agents will check in (synchronize) with the console. At each check-in the agent refreshes its license, it looks for any policy changes and it determines if a newer version of the agent is available. It also checks if it is assigned a distribution server. If it is assigned a distribution server it will use it to download the latest engine components and data definition files. If it is not assigned to a distribution server then the agent downloads the engines and data files from the Web. If an agent machine is offline when the next check-in interval occurs, the agent will immediately check in when network connectivity is restored.

Agent licenses must be refreshed at least once every 45 days or they will expire.

  • Minutes: Use this option if you want the agents to check in more than once a day, or if you don't care what time of day the agents will check in with the console and with the distribution server. Valid values are from 10 - 600 minutes.
  • Days: Use this option to specify the number of days between check-ins. You can also use this option to specify a specific time of day for the check-in (for example, late at night when there is more network bandwidth available).
  • Distribute check-ins over (minutes): Staggers the exact time the agents will check in so as not to overtax the console (and the default website or the optional distribution server) with simultaneous requests. The valid range is from 1 - 999. As a general rule, the greater the number of agents, the longer the randomized check-in window should be. Values under 30 minutes are not recommended for large environments. The value should, however, be larger than the check-in interval.

Engine, data, and patch download location

Specifies if a distribution server will be used by the agents when downloading the latest engine components, data definition files, and patches. The agents will look for updated files every time they perform a scan.

Note: In Linux agent environments, distribution servers can be used to download core files but not patches. Linux agents use YUM to download any patches that must be deployed.

The available options are:

  • Vendor over Internet: Specifies that the agents will download the files from the default websites. A distribution server will not be used.
  • Distribution Server: Specifies that a distribution server will be used. You must specify which server(s) to use.

    Note: If the agents are being used to deploy custom patches then you must specify the use of a distribution server. This is because there is no download URL for custom patches, meaning the agents cannot pull the custom patches from a vendor and must therefore be able to pull them from one or more distribution servers.

      • Specific: You can select the name of an existing distribution server. You must have previously configured one or more distribution servers in order for the names to be pre-populated in this box. For more information see Configuring Distribution Servers.
      • By Agent IP range: If you have multiple distribution servers defined for your network, each distribution server is typically assigned to service a particular IP address range. The distribution server used when downloading files to a target machine will be determined by the target machine's IP address. See Assigning IP Addresses to Servers for more details.
      • Use vendor as backup source: If the designated distribution server is not available, the agent will download the latest engine components and data files from the default websites.
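
The source-selection rules described for this field, modelled as an added example (not Security Controls code). The policy dictionary layout, the function name and the server names are hypothetical, and the addresses are constructed sample values.

```python
import ipaddress

VENDOR = "vendor-internet"  # stands for the default vendor websites (label is an assumption)
YUM = "yum"                 # Linux agents fetch patches through YUM, per the page

def resolve_source(policy, agent_ip, content, agent_os="windows", online=()):
    """Pick the download source for one agent request.

    policy  : hypothetical dict: {"mode": "vendor" | "specific" | "ip_range",
              "server": name, "ranges": [(first_ip, last_ip, name)], "vendor_backup": bool}
    content : "core" (engines and data files), "patch" or "custom_patch"
    online  : names of distribution servers reachable right now
    Returns a source name, or None when this model cannot resolve one.
    """
    if content not in ("core", "patch", "custom_patch"):
        raise ValueError(f"unknown content type: {content!r}")
    # Linux: distribution servers serve core files only; patches come via YUM.
    if agent_os == "linux" and content != "core":
        return YUM
    if policy["mode"] == "vendor":
        if content == "custom_patch":
            # No vendor download URL exists for custom patches.
            raise ValueError("custom patches require a distribution server")
        return VENDOR
    if policy["mode"] == "specific":
        server = policy["server"]
    else:  # "ip_range": the agent's own address selects the server
        addr = ipaddress.ip_address(agent_ip)
        server = next((name for first, last, name in policy["ranges"]
                       if ipaddress.ip_address(first) <= addr <= ipaddress.ip_address(last)),
                      None)
    if server in online:
        return server
    # Designated server unavailable (an unmatched IP is treated the same way,
    # which is an assumption). The page names only engine components and data
    # files for the vendor backup, so patches stay unresolved here.
    if policy.get("vendor_backup") and content == "core":
        return VENDOR
    return None

# Constructed sample policy and addresses.
POLICY = {"mode": "ip_range", "vendor_backup": True,
          "ranges": [("10.1.0.1", "10.1.0.254", "ds-east"),
                     ("10.2.0.1", "10.2.0.254", "ds-west")]}

if __name__ == "__main__":
    for ip, kind in [("10.1.0.50", "patch"), ("10.2.0.9", "core"), ("10.2.0.9", "custom_patch")]:
        print(ip, kind, "->", resolve_source(POLICY, ip, kind, online={"ds-east"}))
```
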

Network

  • Sync with the Security Controls Cloud: Specifies that the agent will have the option to use Security Controls Cloud to retrieve the latest agent policy information, enabling it to perform synchronization via the cloud. This check box is only available if your console is registered with Security Controls Cloud. When you click Save and deploy to agents, a copy of the agent policy and all necessary components will be written to the Security Controls Cloud service.
  • Agent listens for updates on port: Specifies that the agent will listen to the console for policy updates or commands. If an agent's policy is updated, or if it is assigned a different policy, the console will issue a "check in now" command to the agent. The agent will immediately download the new or updated policy from the console. Only agent machines that are online and able to communicate with the console will be able to receive the command.
  • Port: Specifies the port used by the agent on the target machine when communicating with the Security Controls console. The default value is 4155.
  • Internet proxy credentials: If the agent machines must authenticate themselves to a proxy server when accessing the Internet, you must provide the proper credentials to the agents. Select the credential (the domain\username and password pair) used to authenticate the agent to the proxy server. To define a new credential click New.
    Note: Only shared credentials are contained in this list. If the credential you are looking for is not listed it probably means it is not defined as a shared credential. See Defining Credentials for information on how to share a credential.

Save and deploy to agents

Saves all changes to the policy file and stores it on the console. Also updates any agent machines that are currently assigned this policy as follows:

  • If an agent machine is online and configured to listen for policy updates, the updated policy will be pushed out to that machine immediately.
  • If an agent machine is online but is not configured to listen for policy updates, the updated policy will be pushed out the next time the agent checks in with the console.
  • If an agent machine is not currently online, the updated policy will be pushed out the next time the agent checks in with the console.

The Agent Policy Editor will be closed.

Cancel

Indicates you want to exit the Agent Policy Editor without saving your most recent changes. A "Do you want to save your changes?" prompt will appear that gives you a second chance to save your changes. If you click Yes the policy will be saved and the associated agents updated (the same as Save and deploy to agents). If you click No the Agent Policy Editor will be closed without saving your changes.