Tutorial: Agent deployment

Here's a brief video showing you how to deploy agents to unmanaged devices.

Agent deployment tutorial (3:48)

If the screen looks blurry, click the video's Settings gear and click Quality > 1080p.

Video transcript

Agent deployment

You need to install an Endpoint Manager agent on devices you want to manage. Version 2024 makes the engine based agent that was introduced in version 2022 the default.

Click Configuration > Agent Configuration > Public Configurations. Here you will see agent configurations for the various operating systems that are supported. For this example we will configure and deploy an agent to a Windows 10 device. If we open the configuration, we can see that there are many settings that can be configured. But for this example, we are just going to keep the default settings.

If you've upgraded Endpoint Manager versions or if you've applied an Endpoint Manager service pack, make sure you first select the Rebuild all button. This upgrades all agent components to the latest version. It can take a minute or so to run.

Create Windows agent installation files by right-clicking Default Windows configuration. You have three choices here:

  • The Create engine based agent install files option copies these files to a folder you select: EPMAgentInstaller.exe, the core's public certificate (.0 file), a manifest file containing configuration details for the selected agent configuration, and a .txt file with the agent configuration name.
  • The Create engine based agent install MSI (unsigned) option creates a single MSI file that includes the files from the first option. This option is mainly for Windows Group Policy Object deployments, since it can be difficult to deploy multiple files with a GPO.
  • The Create self contained engine based agent install MSI option creates a single MSI containing full versions of all engine MSIs. This MSI is much larger because it includes all engine MSI files as well. This also is the only agent installation option that works on devices that don't have access to the core server during installation.

You can run these packages manually on a device or deploy them as part of a Group Policy.

Unmanaged device discovery

If you want to deploy your agents remotely to devices that don't have an agent installed, the unmanaged device discovery feature can help. To use this, you'll first need to provide credentials that give EPM access to those devices so it can install the agent remotely.

Click Configure > Services and open the Scheduler tab. Click the Change login button.

The credentials you provide should have administrator rights to the devices you will be deploying to, such as a domain administrator.

Click Restart to restart the Scheduler service.

Device discovery

Now it's time to discover unmanaged devices.

Click Configuration > Unmanaged device discovery.

Click the Scan network toolbar button.

Enter the Starting IP and Ending IP address range, a subnet mask, then click the Add button. Using a narrow IP range can shorten scan times significantly. In this case I know the IP address of the device I want.

When you're done adding ranges, click the Scan now button.

As the scan progresses you'll see the Devices found status increase.

We can view this discovered Windows device in the Computers category. Use the Find filter to quickly limit the device list to strings matching data in the selected column. For example here we're searching in the Device name column.

Push deployment

We can now remotely deploy the agent to detected devices.

Select and right-click the devices you want. Select Deploy agent. Click Next, and make sure the agent configuration you want to deploy is selected.

Schedule a time for the installation to begin. In this case we'll leave it at Start now. On the Summary page, finalize the task by selecting Deploy agent.

Monitor the deployment status in Distribution > Scheduled tasks.

Agent management

You can see your managed devices in the Network View under Devices > All Devices. Devices using an agent version that is older than what is on the core also appear under Devices > Devices with older agents. This view works like a filter and is a quick way to see which devices need an agent upgrade. A device with an older engine based agent won't allow agent configuration changes until it has been upgraded. An older agent will still work normally otherwise.

If devices using an engine based agent need an upgrade, you can select them, right-click, and select Mark for agent upgrade. The next time the agent checks in it will apply the upgrade. Agents check in once a day by default. If the device is contactable, you can make it check in immediately by selecting Force agent check in. Again, these options are only available for devices with engine based agents.

When you select an agent configuration, you can see all devices using that configuration on the right. If you want a device to use a different agent configuration, drag it on to the configuration you want. For example, if I wanted this device to instead use the Default Windows Server Configuration, I can drag it from here and drop it. The configuration change will be applied the next time the agent checks in, unless you do a Force agent check in. These agent configuration changes apply quickly and don't require an agent uninstall/reinstall.

In Administration > Agent Health, you can check for agent issues on devices, such as installation, upgrade, and individual engine failures.



Here we will select the Create engine based agent install files option. Select where you want to save the files, and click Save. It may take a minute or so for the agent to be built. Then copy the resulting files to your targeted devices and run EPMAgentInstaller.exe.

After the installation completes, your device will appear in the Network view and can be fully managed.

This method could be used for manually installing the agent to a few machines, or EPMAgentInstaller.exe could be executed and the agent can be installed as part of a login script.

Push deployment

We can now remotely deploy the agent to detected devices.

Click Configuration > Agent configuration.

Right-click the Default Windows configuration, and click Schedule agent deployment. If you're deploying to macOS or Linux devices, you'll want to select one of those configurations instead. This creates a scheduled task.

Back in the Unmanaged Device Discovery tool, select the devices you want to target, and then drag them onto the Scheduled tasks tab and into your created task.

Right-click the scheduled task and click Start now > All.

Monitor the status in Scheduled tasks.

The installation time depends on what agent options you're installing. If you include endpoint security and antivirus options, the installation time will take longer.


Tutorial: Patch management

Here's a brief video showing you how to deploy agents to unmanaged devices.

Patch management tutorial (4:52)

If the video looks blurry, click the video's Settings gear and click Quality > 1080p.

Video transcript

Detecting and patching vulnerabilities requires three main steps:

First, download vulnerability definitions that allow the scanner to detect those vulnerabilities.

Second, scan devices for vulnerabilities.

Third, download and apply patches for the detected vulnerabilities.


Download vulnerability definitions

Click Security and Compliance > Patch and compliance.

Click the Download button.

Select an update source site closest to you, either US West Coast, US East Coast, or Europe.

You can see that Endpoint Manager supports patching vulnerabilities on Linux, Unix, Mac and Windows operating systems. For this demo we will focus on Windows.

In the tree, click Windows and then under that, Vulnerabilities, and Microsoft Windows Vulnerabilities.

By default, the downloaded vulnerabilities will be in the Scan (global) folder. You should change this to Unassigned so you can manage the ones you want to scan for more selectively later. If you scan for all vulnerabilities it will take a while, since there are thousands.

On the Patch location tab, select where the patches are stored. This is where devices will download the patches from. By default they download from the core server, but you can specify a different UNC path or a Web URL. In a production environment, you'll probably want to move these to another server.

The download process will take a while if this is your first time downloading, perhaps a half hour or more. Downloads after this will be much quicker. You can schedule regular content downloads by clicking the Schedule download button.

Click Apply to apply your changes, then click Download now.

Once the download finishes, go to the Unassigned folder. Select vulnerabilities you want to scan for and drag them into the Scan folder. In the Find box, type an application name, for example, to show just those vulnerabilities.


Scan devices for vulnerabilities

Selecting devices in the Network view works for quick scans of a few devices, but in a production environment you'll want to create a Compliance scan task that dynamically targets groups of devices based on queries or device scopes.

In the Network view, select the devices you want to scan. Right-click your selection and click Security and patch > Patch and compliance scan now.

A dialog box opens where you can select the security and patch scan settings. These settings cover things like network bandwidth-friendly deployment options, CPU utilization on the client, maintenance windows, and end-user interaction including reboot options. The default is to use the device's current agent settings. You can override the device's agent settings temporarily by selecting a different scan setting.

The Status of requested actions window appears and you can monitor scan status. How long the scan takes depends on things like the speed of the device, how much software is on it, and how many vulnerabilities you're scanning for.


Download and apply patches for detected vulnerabilities

When the Results column shows the scan is complete, you can right-click the device and click Security and Patch > Security and Patch information to see what vulnerabilities have been detected. These vulnerabilities haven't been patched yet. You need to download the necessary patches first.

Right-click the patch and click Download patch. The Downloading patch dialog box appears showing the download status. Patches download from the Ivanti source you selected in the Download updates dialog box. Click Close when the download is done. By default, patches download to the core server's LDLogon\Patch folder.

Once the patch is downloaded, you can right-click the vulnerability and click Repair.

This starts a Patch and Compliance repair task. Under Targets, select the devices you want patched. Select a target type and click the Add button. Select the targets you want, then click OK.

Back in the Targeted items tree, you can see the targets you selected. Click the box next to the ones you want this task to target and click Save.

The Schedule tasks tool opens with the new Patch and Compliance repair task selected. Right-click that task, and click Start now > All.

Monitor task progress in the Schedule tasks view. Depending on the patch, users may be prompted to reboot if the patch requires it.


Creating a task to scan for vulnerabilities on multiple devices (coming soon)

You can also easily target preconfigured groups of devices. To create a group in the Network view, right-click in the My devices or Public devices groups and click New group. In this example, I created a Marketing group and added some devices to it. Now we can use that group name as a target.

From the Patch and Compliance window, select the Scan folder.

View the items in the list view to ensure you have the vulnerability definitions listed that you want to scan for. If not you can drag and drop definitions from Unassigned folder to the Scan folder.

From the toolbar, click the Create a task icon and click Compliance scan.

There are several options here. Select Task settings to see the task options. We will keep the default task type of Policy-supported push, which means it will immediately scan devices that are turned on and on the network, and for those that aren’t currently turned on, it will run as a policy when they turn on or connect to the network.

Select Targets. There are several methods for targeting devices. In our case we will select Targeted device groups, click Add, and select the Marketing device group that I created earlier.

Click Save.

We see the compliance scan task in the Scheduled Task tool. Right-click the task, choose Start now and All. You can monitor the progress of this compliance scan task.


Creating a task to install multiple missing patches on multiple devices (coming soon)

Now we can create a task to install multiple missing patches on multiple devices.

From the Patch and Compliance Window, select the Detected folder. If nothing appears in the list view on the right, you will need to run a Patch and compliance scan, but we've already done that.

From the list view, select the vulnerabilities you would like to repair or patch. You can sort by any of the columns to find the desired set of vulnerabilities. You may also select all by pressing Alt-A.

Right-click the list of selected vulnerabilities and click Download associated patches

From the list, select the patches that haven’t been downloaded and then click Download. When this completes, close the window.

Return to the Patch and Compliance tool. Be sure the vulnerabilities are still selected. From the toolbar, click the Create a task icon and click Repair.

Here you'll choose the appropriate task settings. From Repair settings, under Add targets, choose Add all affected computers.

To see which vulnerabilities will be patched, click Patch list.

We will leave the remaining options at their default settings.

Click Save.

We see the compliance scan task in the Scheduled Task tool. Right-click the task, click Start now and All. You can monitor the progress of this repair task.


Tutorial: Software distribution

Here's a brief video showing you how to distribute software to endpoints.

Software distribution tutorial (3:33)

If the video looks blurry, click the video's Settings gear and click Quality > 1080p.

Video transcript

Software distribution

Endpoint Manager allows you to distribute software to managed devices. In this example we'll distribute a Windows MSI version of VLC, the media player from VideoLAN software.

In the console, click Distribution > Distribution packages > My packages. Click the New toolbar button, and you'll see the supported distribution platforms and package types. For our package, we'll click Windows > MSI.

The MSI properties dialog box opens. There are many options you can configure here. The two you'll always have to configure are Package information and Install/Uninstall options.

On the Package information page, enter a package name and description. Next you need to browse for the package's Primary file. This is the main file that launches the package installer. In our case we only have a single MSI file, so we'll point to that. If the primary package file requires additional files to run, you can add them on the Additional files page.

Package files need to be placed on a web or file share that is accessible from clients. The default is an HTTP share on your core server located here: C:\Program Files\LANDesk\ManagementSuite\LANDesk\files. I've already downloaded the MSI version of the VideoLAN VLC installer and placed it there. When I click the VLC MSI file, you can see the URL clients will use to access the file. You should test the resulting URL or share path from a client to make sure it works.

On the Install/Uninstall options page, we'll make sure Install is selected since we're installing this package. You can also configure display options for what users will see during installation along with reboot options if a post-installation reboot is necessary.

At the bottom of the page you can see the command line that will be used to install the package. You'll want to use a package command line that allows for a silent install with the options you want. MSI packages have standard options for a silent install and those will be specified here automatically. The command line for executable installers varies and depends on the program you're installing, so you'll have to find those from the program's creator.

We'll leave these at the default and click Save.

The new package appears in the list. Right-click it and click Create scheduled task(s). The Scheduled tasks tool opens with the task we created selected. The task isn't ready to run yet, since we haven't specified the devices we want the task to target. Right-click the task and click Properties.

On the Targets page, select the devices you want to receive the package. We're going to manually target a single device with the Targeted devices item, but you can easily target multiple devices with the other items. Select a target type and click the Add button. Select the targets you want, then click OK.

Back in the Targeted items tree, you can see the targets you selected. Click Save.

The task properties dialog box closes and we're back in the Scheduled tasks view. To begin the distribution to our targeted device, right-click the task and click Start now > All.

Monitor task progress in the Schedule tasks view. When the task is done it should move to the Successful row.


Tutorial: Remote control

Here's a brief video showing you how to remote control devices.

Remote control tutorial (2:44)

If the video looks blurry, click the video's Settings gear and click Quality > 1080p.

Video transcript

Remote control from the network view

You can remote control Microsoft Windows and Apple macOS devices that have an Ivanti Endpoint Manager agent. In the network view, devices you can remote control have a remote control overlay on them. It looks like a TV remote.

There are many remote control agent settings you can customize. Click Configuration > Agent settings. Under Remote control, double-click an existing agent setting or right-click and click New. Among many other things, you can modify settings such as what users see when they're being remote controlled and whether or not they must grant permission to be remote controlled.

To remote control a device, right-click it and click Remote control. The starting remote control overlay appears, and it may take several seconds for the session to start.

If permission is required at the endpoint, the user will be asked if they want to allow the remote control session. The user has 30 seconds to allow or deny the request.

Once the session starts, if the remote user is logged in you will see their screen. If nobody is logged in you will see the remote login screen and you will need to log in with your domain administrator credentials or something similar.

During remote control, a popup remote control notification displays in the bottom-right corner of the targeted device while the session is active. Move this notification if it's in the way.

Use the toolbar buttons at the bottom to transfer files, remotely run programs, toggle resolution scaling, or toggle full-screen mode.

To finish a remote control session, click Close on the toolbar.


Using the standalone remote control console

Remote control also has a standalone console that supports both Windows and macOS. This is useful for helpdesk analysts or other administrators who don't have an Endpoint Manager console installed. The standalone remote control console is a single executable file that is located here on the core server:

  • C:\Program Files\LANDesk\ManagementSuite\remotecontrol\RCViewer

You can copy this file to any computer that you want. When you run it you'll see the remote control WS viewer login page. The console has an interactive console mode or a direct connection mode. You must provide Endpoint Manager credentials and have remote control permissions to start a remote control session.

Once you're logged in, you can use the global search box or the individual column search boxes to filter results. Clicking a device shows its details. Click the Connect button to start a remote control session.

Tutorial: MDM

Here is a brief video that describes the three stages of modern device management (MDM).

MDM introduction video (3:16)

If the video looks blurry, click the video's Settings gear and click Quality > 1080p.

Video transcrpt

Endpoint Manager's Modern Device Management features help manage and secure desktops, laptops, phones, and tablets, whether they are in the office, traveling, or working from home.

There are three main stages of modern device management with Endpoint Manager: configure, enroll, and manage.

Configuring Endpoint Manager

In stage one, you configure Endpoint Manager for MDM. This is when you configure your CSA, add certificates, and create accounts. The exact steps you need to complete depend on what kinds of devices you want to manage, as you can see here. These configurations can be found in the management console by going to Configure > MDM Configurations. Once set up, you won't revisit these configurations very often, except to renew certificates.

Enrolling Devices

In stage two, you enroll devices. Each OS has a different enrollment process.

Here (Configure > MDM Configurations > Google > Android Enterprise), you can enroll Android devices in either Android Enterprise work profile or fully managed mode by generating enrollment QR codes and URLs.

Here (Configure > MDM Configurations > Additional Device Discovery > Chromebook Discovery), you can enroll Chromebooks by associating your Google Apps for Work account and Endpoint Manager.

Here (Configure > MDM Configurations > Apple > Enrollment Codes), you can enroll iOS and iPadOS devices by generating enrollment QR codes and URLs.

There are two scenarios for enrolling macOS devices. If the device already has the Endpoint Manager agent, send a pre-made enrollment distribution package to enroll it in MDM. The package can be found at Tools > Distribution > Distribution packages > Public packages > Enroll macOS device in Ivanti MDM. If the device does not have the agent, install the MDM app, found on the core, and enter the user's credentials. The MDM app can be found on the core in the ldlogon\mac directory.

For Apple devices, you also have the option to use Apple Device Deployment Programs to purchase and enroll devices in bulk. In addition to macOS, iOS, and iPadOs devices, you can also enroll tvOS devices through DEP.

Windows 10 devices can be enrolled directly to the core using on-premise active directory or through Azure Active Directory. Both methods have the option to create deep links for an easy end-user experience.

You may come back to the enrollment stage fairly often as you expand and upgrade your device inventory.

Managing Devices

In stage three, you manage your devices. This stage is where you will spend most of your time.

Agent settings for mobile devices allow you to configure device settings and restrictions. The available agent settings can be found under Tools > Configuration> Agent Settings. These are the MDM based agent settings. Agent settings include things like security settings, restrictions, network information, and application settings.

Create packages to distribute software to managed mobile devices. Navigate to Tools > Distribution > Distribution packages to create packages for every type of MDM managed OS.

After a device is enrolled, it appears in the inventory. From the inventory, you can perform actions such as wiping, syncing, or locating the device. Most of these actions are performed by right-clicking on the device in the inventory.

Tutorial: Provisioning

Here's a brief video showing you how to configure and use OS provisioning.

OS provisioning tutorial (7:52)

If the video looks blurry, click the video's Settings gear and click Quality > 1080p.

Video transcript

Ivanti Endpoint Manager OS provisioning allows you to capture and deploy Windows and Linux installations. Provisioning can also deploy Apple macOS installations. In this tutorial, we'll show you how to capture and deploy a Windows 10 image.

Provisioning uses a custom boot environment to provision devices. You can load this environment through a USB or DVD drive or you can use PXE network boot. We recommend network boot for most provisioning scenarios. A PXE environment lets you network boot and provision devices interactively one at a time, or you can network boot and provision groups of devices remotely from the Endpoint Manager console.

Initial provisioning setup

Before you capture and deploy operating system images, you need to do some initial configuration. We'll show you how to do this next.

Before using provisioning

Enable PXE service support in client agent settings.

Enable PXE support in self-electing subnet services (SESS).

Enable UEFI PXE boot.

Enter preferred server credentials for the image share path.

First, let's enable PXE service support on clients so if self-electing subnet services elects them they can act as PXE servers. Click Configuration > Agent settings. Under All agent settings > Client connectivity, double-click your default client connectivity agent setting. Click Self-electing subnet services > PXE, and select Enable PXE service. Click Save.

We recommend you allow the PXE service on all devices. Self-electing subnet services will make sure it picks a good candidate for each subnet. You can schedule an agent setting update to deploy this change immediately, or you can wait a day or so for devices to automatically update their agent settings when they next run the vulnerability scanner.

Second, let's enable PXE support in self-electing subnet services so it can find electable PXE service devices. Click Configuration > Self-electing subnet services. On each subnet, right-click and click Enable. Once there's a name in the Elected device name column, PXE boot support is active for that subnet.

Third, if a device you're provisioning has a UEFI BIOS, which most devices released in the last several years have, you'll want to enable provisioning's Always PXE boot UEFI devices option. When network booting, the UEFI boot sequence doesn't show a PXE boot prompt that you can use to interactively start the PXE boot process. Click Provisioning > OS Provisioning. On the toolbar, click Preboot > PXE boot options. Select Always PXE boot UEFI devices, and click Save.

Fourth, enter preferred server read and write credentials for your provisioning image share. In our example, it's on the core server under ldlogon\Images. This lets devices read and write to that share during the provisioning process. Click Provisioning > Content replication/Preferred servers. On the toolbar, click New. On the Configuration page, enter your core Server name, Description, and read-only credentials. Click Test credentials to make sure they work.

We also need to provide write credentials so we can capture images. Click Write credentials and also provide credentials there. Test them and click Save.


Capturing and deploying a Windows 10 image

Now that we're done with the initial provisioning configuration, let's look at the steps for provisioning Windows 10:

  1. At the source image device, generically configure your source Windows installation and sysprep it.

  2. Create a capture image template to capture the image.

  3. Network boot the device you're capturing and in the provisioning boot environment select your capture template.

  4. Create a deploy image template that deploys the image.

  5. Have the client you're imaging boot from the network. Once the boot environment loads, select your deploy template.

Capture an image

We need to create the operating system image that we want to capture. This will be the base image that is deployed to other devices. On your image source device, generically configure it how you want it. If the device has an Endpoint Manager agent on it, make sure you uninstall it. This helps prevent duplicate devices appearing in the console if you deploy this image to multiple devices.

When you're done, run C:\Windows\System32\Sysprep\Sysprep.exe. This tells Windows to re-run Windows Setup the next time it boots. We recommend you select the Enter System Out-of_box Experience and Generalize options. Let sysprep shut down the device when it's done.

Now we'll create a provisioning capture template so provisioning has the information it needs to capture the operating system image from the source device.

Click Provisioning > OS Provisioning. On the toolbar, click New template > Capture template.

Enter a Template name and Template description. Make sure your description specifies that this is a capture template. Use the Image type option to select the tool that will capture the image. LANDESK ImageW V2 comes with Endpoint Manager and is the default.

Specify the UNC path where you will store the image. There's a default images path you can use under \ldlogon\Images. Click the Browse button to go there, and make sure your image name has a .TBI extension.

Click Create.

We're ready to initiate the capture. Go to your image source device and have it do a network boot so it loads the provisioning boot environment. You can enable network boot in the device's BIOS, or many devices can show a boot order override menu when you press F12 or something similar during boot.

Once the boot environment loads it will retrieve the list of templates from the core. Select your capture image template and click OK. This starts the automated image capture process.

Deploy an image

Back at the console in the OS Provisioning tool, click New template > Deploy template. Enter a Template name and Template description. Make sure your description specifies that this is a deploy template.

Under image type, select the same image type you used to capture the image, in our case the default.

Click Browse and browse for the .TBI image file you captured.

Under Agent configuration name, select the Endpoint Manager agent configuration you want to install during imaging.

The unattend script contains the settings Windows Setup will use when configuring the image. Select the LD_Default_Unattend.xml file.

Click Create.

Right-click the deployment template you just created and click Edit. Here you can extensively customize the image and how it's deployed. We'll use the defaults and so we'll click Cancel here.

Network boot the device you're deploying to. Once the provisioning boot environment loads, select your deploy image template. The captured image will be deployed and configured. If that device needs custom drivers that Windows doesn't automatically detect and install, see the hardware independent imaging topics that show you how to create a driver library that supports unique drivers.