Configure devices for security scanning and remediation

Use Distribution and Patch settings in the agent settings to determine what gets scanned, what the end user sees for a scan, device reboot behavior, and the level of interaction the end user is allowed when the security scanner runs on devices. For example, depending on the purpose or scheduled time of a scan, you may want to show the end user scanner progress and give them the opportunity to cancel or defer a scan or patch application.

A device's default scan and repair settings are deployed as part of the initial agent configuration. When a task has different scan and repair settings associated or assigned to it, the default settings are overridden. You can also choose to use the device's default settings by selecting them when you create a task.

Linux devices use Ivanti's contentless patching method, which is different from the content-based patching that macOS and Windows devices require. For more information, see the brief video below describing the differences.

Ivanti Patch - contentless and content-based patching compared (2:43)

ClosedConfigure Windows devices for security scanning

The standard Ivanti agent for Windows devices includes the vulnerability scanner, which can perform patch and compliance scanning and remediation. Configure settings for how scanning and remediation are performed in the agent settings.

To create scan and repair settings

1.Click Tools > Configuration > Agent Settings.

2.In the Agent settings window, select Distribution and Patch in the tree and click the Create new settings toolbar button. Or you can click Edit or Configure on any of the task dialog boxes that let you apply scan and repair settings.

3.Enter a name for the distribution and patch settings.

4.Specify the various settings on each page as desired for the particular task. For information about the Distribution and Patch settings, see Agent settings: Distribution and patch.

5.Once configured, you can use the settings for security scan tasks, repair tasks, uninstall tasks, reboot tasks, and change settings tasks.

To change a device's default scan and repair settings

1.In the Patch and Compliance tool window, click the Create a task toolbar button, and then click Change settings.

2.Provide a name for the task, specify whether it is a scheduled task or policy, and either select an existing scan and repair setting as the default or use the Edit button to create a new scan and repair setting as the default for target devices.

3.Select the targets for the task and either schedule it or start the task now.

When creating or editing an agent configuration, you can specify some of the security scanner options, such as when and how often the scanner runs automatically on managed devices, whether the scanner displays progress and prompts on the end user device, as well as global settings for remediation operations such as device reboot and autofix. For more information on customizing the behavior of the security scanner agent as part of creating and deploying agent configurations to managed Windows devices, see Agent settings: Distribution and patch.

NOTE: WinSock2 is required on Windows 9x devices in order for the security scanner to run.

After the agent is configured, a program icon for the security scanner is added to the Ivanti Management program group in the Start menu on the managed device. This program can be used to run the scanner directly from the device (as opposed to any runkey launch, recurring local scheduler launch, or scheduled task via the console).

Additional security settings in agent configurations

When defining a device agent configuration (for Windows devices), you can also enable and configure complementary security features, such as:

  • Frequent security scanning for critical security risks
  • Spyware monitoring
  • Application file lists
  • Windows Firewall
  • Endpoint Security which includes the security components: Endpoint security, Ivanti Firewall, and Device Control

ClosedConfigure Linux devices for security scanning

IMPORTANT: Version 2022 removed agent support for AIX, HP-UX, and Solaris.

Patch and Compliance supports vulnerability scanning on supported Linux platforms. Content downloads, scheduling scans, and scan results are all available using the Ivanti management console. You can perform remediation for vulnerabilities on Linux platforms, but Linux does not currently support the Autofix feature.

Version 2022 adds Oracle Linux and Red Hat Enterprise Linux 9 support for patching. The Endpoint Manager agent queries the local package manager for software vulnerabilities and sends that information to the core. The core uses that information to generate the list of vulnerabilities that can be patched. The local package manager does the actual patching. For more information, see this Ivanti Community page.

For additional Linux and UNIX information, see this Ivanti Community page.

ClosedConfigure Mac OS X devices for security scanning

Patch and Compliance supports vulnerability scanning on Mac OS X platforms.

Additionally, you can create and configure agent configuration for your Macintosh devices with the Agent configuration tool. Configuring the agent for patch management, content downloads, scheduling scans, and scan results are available using the Ivanti management console. However, remediation is a manual process.

For more information about creating and deploying a Macintosh agent configuration with security scanner support, see Macintosh device management overview.

To launch the security scanner manually on Mac devices
  1. Open the Mac OS X System Preferences and select the Ivanti Client page.
  2. On the Overview tab, click Check Now in the Security section.