Agent settings: Agent health
Tools > Configuration > Agent settings > Agent health
Use the Agent health agent setting to manage agent health on devices. With agent health, the vulnerability scanner will make sure agents components stay installed, are current, and have the proper agent settings. Even if users disable agent services or delete files, agent health will restore the agent status and files to a working state.
Agent health uses a vulnerability definition for each agent component that comes from the Ivanti Software update server. When the vulnerability scanner runs on managed devices that use agent health, the scanner uses these definitions to verify the agent status, in addition to its other tasks. By default, the vulnerability scanner runs once a day.
Any changes to component settings that are part of an agent health setting are applied automatically during agent health checks. If a setting is part of an active agent health setting, you won't need to schedule a task separately if that component setting changes.
Agent health also runs LANDESKAgentBootstrap.exe once a day on devices using agent health. This program checks to see if the vulnerability scanner is present and working. If it has been tampered with or isn't available, this program installs it again and uses the vulnerability scanner to restore agent health.
Agent health has three main parts:
- Agent components and their install state
- Agent settings to apply for each component
To configure agent health
- Click Tools > Configuration > Agent settings.
- In the Agent settings tree, right-click Agent health and click New, or double-click an existing agent health setting.
- Configure agent health as described in the following sections.
Downloading agent health vulnerability definitions
Before using agent health, you need to download the agent health vulnerability definitions.
To download agent health vulnerability definitions
- Click Tools > Configuration > Agent settings.
- In the toolbar, click the Download updates button.
- In the Updates tab's Definition types tree, navigate to Windows > Software updates > Ivanti 2021.1 Agent Health. Click it.
- Click Download now or schedule it to download later.
About Agent health: General
Use the General page to set the Autofix and Reboot global behavior overrides.
- Autofix: If a component uses the security scan autofix option, you can globally keep the existing autofix setting, allow it, or disable it.
- Reboot: Globally leave reboot behavior as configured, allow Ivanti reboot, or disable Ivanti reboot. When reboot is disabled, Ivanti agents won't reboot devices even if an action was taken that requires a reboot. Devices will have to be rebooted manually in this case.
Use the Components page to configure install state actions for each agent component. Most components can have these install states:
- Do nothing: Leaves the component as is, whether it is installed or not.
- Install: Makes sure the component is installed and stays installed.
- Remove: Removes the component if it is installed. This doesn't remove files associated with the component, but it does deactivate the component on the managed device. This option isn't available for the Base agent component.
Use the Enforcement page to specify the vulnerability definitions to use when managing agent health.
Periodically scan for agent health issues using the following group: Enable this if you want agent health to be actively managed, either with an event-driven schedule or a time-based schedule. When it is enabled, you must select a vulnerability group. To use the Ivanti default agent health vulnerability definitions, click the browse button and select Predefined groups > Agent health. You won't be able to select this group unless you've first downloaded the Ivanti agent health vulnerability definitions.
If you've enabled this option, you can configure when agent health scans occur.
Use the Settings page to assign a specific settings configuration to agent components. You can only assign settings to components that you've set to the "Install" state on the Components page.
Apply settings listed below
- Only if associated settings aren't specified: When selected, component settings you configure below this option are only assigned if the component is installed but doesn't have a setting assigned to it. If a component already has a setting, it won't be overwritten.
- Always: The component setting you configure below will always be applied, even if the component already has a different setting.
Specify settings list
Components that you set to the "Install" state on the Components page appear in this list, along with the default setting associated with that component.
Click a setting name to keep the current component setting or to select a different existing component setting.
Click Edit to edit the selected setting, or Configure to manage the list of available settings for that component.