Endpoint Security for Endpoint Manager tools and features
The underlying tool of Ivanti® Endpoint Security for Endpoint Manager is called Patch and Compliance. For information about security content and supported device platforms, and how to use the Patch and Compliance tool to perform security and compliance scanning and remediation, view scan results, generate security reports, and configure ongoing system security, see Patch and Compliance.
This help topic includes brief overviews of the following security management tools provided by Ivanti® Endpoint Security for Endpoint Manager, with links to each tool's overview topic:
- Patch and Compliance
- CVE naming standard compliance
- Federal Desktop Core Configuration (FDCC) standards compliance
- Security Activity
- Agent Settings
- Endpoint Security
- Ivanti Antivirus
- Common Ivanti tools included with Endpoint Security for Endpoint Manager
- Other Ivanti® Endpoint Manager features included with Endpoint Security for Endpoint Manager
- Where to go for more information
Use Patch and Compliance to download the latest known vulnerability definitions (and other security content type definitions) and their associated patches. Scan managed devices, as well as core servers and consoles, for Ivanti software updates. Configure and run customized security assessment scans for known platform-specific vulnerabilities, spyware, system configuration security threats, antivirus scanners, and blocked or unauthorized applications.
With the Patch and Compliance tool, you can also:
- Create your own custom security definitions to scan devices for specific, potentially threatening conditions.
- Research, prioritize, download, deploy, and install patches.
- Create and run scheduled tasks and policies that remediate detected security risks.
- Configure whether the security scanner displays on end user devices during scan and repair processes, device reboot options, and the level of user interaction.
- View comprehensive security and patch information for scanned devices.
- Enable security alerting.
- Generate security reports.
For more information, see Patch and Compliance.
NOTE: Patch and Compliance scans in an Ivanti® Endpoint Manager implementation
The Patch and Compliance tool is included by default in an Ivanti® Endpoint Manager installation (core server activation). However, initially you can scan only for Ivanti software updates and your own custom security definitions. To scan for and remediate additional security types, you must have the corresponding Endpoint Security for Endpoint Manager content subscription.
Ivanti® Endpoint Security for Endpoint Manager products support the CVE (Common Vulnerabilities and Exposures) naming standard. With Patch and Compliance you can search for vulnerabilities by their CVE names, and view CVE information for downloaded vulnerability definitions.
For more information about the CVE naming convention, Ivanti compatibility with the CVE standard, and how to use CVE identification to find individual vulnerabilities in Patch and Compliance, see Search for vulnerabilities by CVE name.
Ivanti® Endpoint Security for Endpoint Manager now provides extended support for the Federal Desktop Core Configuration (FDCC) Initiative. Ivanti software products have been certified by the National Institute of Standards and Technology (NIST) as conforming to the Security Content Automation Protocol (SCAP) standards, and are listed as validated products at the National Vulnerability Database website.
To perform FDCC security scanning and remediation tasks, you must have an Ivanti® Endpoint Security for Endpoint Manager content subscription that allows you to download the FDCC-specific content, which includes: FDCC scanner detection and installation; FDCC compliance scanning and status reporting; and FDCC-certified vulnerability scanning and remediation by component.
With the FDCC-certified scanner and security content, you can scan your managed devices to ensure they comply with the Federal Desktop Core Configuration standards and requirements.
For more information about how to use the FDCC scanner and security content, see Secure Content Automation Protocol (SCAP).
The Security Activity tool lets you view critical activity and status information for several security components and services. Security Activity provides a single tool window where you can easily see Ivanti Antivirus scan results, HIPS preventions, Ivanti Firewall preventions, Device Control blocked devices, and more.
For more information, see Security Activity overview.
The Agent Settings tool lets you create and manage settings files for several security components and services. Configurations (i.e., settings files) control how security services operate on managed devices.
With the Agent Settings tool, you can deploy security agent/services and their associated settings to your managed devices as part of the initial agent configuration, separate install or update tasks, and change settings tasks.
For more information, see Agent Settings overview.
The Endpoint Security tool protects your managed devices from zero-day attacks, firewall intrusions, prohibited application and process actions and behaviors, and unauthorized network and device connections.
Endpoint Security is comprised of customized settings files (saved feature and option configurations) that can be deployed to target devices for the following security components:
- Location awareness (network connection control via trusted locations)
- Host Intrusion Prevention System (HIPS)
- Ivanti Firewall
- Device Control
- Trusted File Lists
Ivanti Application Control provides an additional layer of protection that proactively secures systems and applications from zero-day attacks (i.e., malicious unauthorized behavior). Using customized rules and file certifications, HIPS continuously monitors specified processes, files, applications, and registry keys, and blocks prohibited actions and behaviors. With Application Control, you can control which applications run on devices and how they are allowed to execute. Application Control lets you protect the file system, registry, system startup, and even detect stealth rootkits.
Because Application Control is a rule-based system, instead of a definition-based (i.e., signature-based) system such as known vulnerability, spyware, and antivirus scanning, it doesn't require ongoing file updates. You configure and deploy your own customized level of system security.
For more information, see Application control overview.
Ivanti Firewall lets you create and configure proprietary firewall settings to prevent unauthorized application behavior on your managed devices.
IMPORTANT: Ivanti Firewall and Windows Firewall compatibility
The Ivanti Firewall complements the Windows Firewall, and both can be enabled and running at the same time on managed devices.
For more information, see Agent settings: Ivanti Firewall.
Device Control adds another level of security to your Ivanti network by allowing you to monitor and restrict access to managed devices through I/O devices. With Device Control, you can restrict the use of devices that allow data access to the device, such as ports, modems, drives, USB devices, and wireless connections.
For more information, see Device Control overview.
Ivanti Antivirus lets you protect all of your managed devices from the latest known viruses as well as suspected infections. Antivirus scans can also check for riskware (via an extended database). Ivanti Antivirus is a configurable virus protection tool that is fully integrated with both Ivanti® Endpoint Security for Endpoint Manager and Ivanti® Endpoint Manager.
Ivanti Antivirus provides a wide range of antivirus features, including: scheduled antivirus scans, on-demand scans, red-button scans, real-time file and email protection, automated downloading of virus definition file updates (the Ivanti virus signature database contains the very latest known virus definitions and is renewed several times a day), configuration of antivirus scan behavior and end user options, scan exclusions, as well as antivirus alerts and reports.
Additionally, you can view real-time antivirus information for scanned devices in both the main console and the web console's executive dashboard to quickly identify virus outbreaks and see virus control over a specified period of time.
For more information, see Ivanti Antivirus overview.
Common Ivanti tools provide the underlying device configuration and management capabilities in both Endpoint Manager and Endpoint Security for Endpoint Manager. The following tools are available in an Ivanti® Endpoint Security for Endpoint Manager implementation, appearing in the Tools menu in the console.
IMPORTANT: Be aware that some of these common tools have certain restrictions in an Ivanti® Endpoint Security for Endpoint Manager license activation.
Use Agent Configuration to create custom agent configurations to deploy and install the necessary Ivanti agents required to manage and protect your network devices. These agents are the standard Ivanti agent (that includes the inventory scanner, local scheduler, bandwidth detection, and security scanner), the software distribution agent, and the software license monitoring agent (used for application blocking).
NOTE: Agents not applicable to Ivanti® Endpoint Security for Endpoint Manager
The following Ivanti agents (components) are NOT applicable in an Endpoint Security for Endpoint Manager installation:
- Custom data forms
- Remote control
- OS provisioning
Use the Reports tool to generate and publish a wide variety of specialized reports that provide useful information about your managed devices, including several predefined Patch and Compliance, Antivirus, and Compliance reports.
NOTE: Reports not applicable to Ivanti® Endpoint Security for Endpoint Manager
The following report categories are NOT applicable to Endpoint Security for Endpoint Manager: All Asset Reports, All SLM Reports, and All Remote Control Reports.
Use Scheduled Tasks to create recurring tasks specifically related to security and patch management, remediation, compliance security enforcement, antivirus scans, and more. You can configure the task's targeted devices and scheduling options.
NOTE: Scheduled tasks not applicable to Ivanti® Endpoint Security for Endpoint Manager
The following scheduled task (script) types are NOT applicable to Endpoint Security for Endpoint Manager: Custom data forms, Custom scripts, Handheld tasks, and OSD scripts. Also, the distribution package and delivery method task options aren't configurable with Endpoint Security for Endpoint Manager.
Unmanaged Device Discovery
Use Unmanaged Device Discovery (UDD) to locate devices on your network that haven't submitted an inventory scan to the core database.
Extended device discovery (XDD) works outside the normal scan-based discovery methods used by UDD. Managed devices with the extended device discovery agent on them listen for ARP (Address Resolution Protocol) broadcasts and maintain a cache (both in memory and in a file on the local drive) of devices that make them. Extended device discovery can also detect WAP (wireless access point) devices.
The User Management tool lets you add users to Endpoint Security for Endpoint Manager management roles, and configure their access to specific tools and managed devices based on their administrative role.
With role-based administration, you assign roles (with their associated rights) to determine the tasks users can perform, and scopes (based on device groups, queries, LDAP directories, or custom directories) to determine the devices a user can view and manage. Roles that are available with Endpoint Security for Endpoint Manager include: Patch and Compliance, Network Access Control, Agent Settings, Software Distribution, Public Query Management, and Unmanaged Device Discovery.
NOTE: Roles and rights not applicable to Ivanti® Endpoint Security for Endpoint Manager
The following role-based administration rights are NOT applicable to Endpoint Security for Endpoint Manager: OS provisioning, Remote Control, Asset Configuration, Asset Data Entry, and Software License Monitoring.
Local Accounts is an administrative tool used to manage the users and groups on local machines on your network. From the console, you can add and delete users and groups, add and remove users from groups, set and change passwords, edit user and group settings, and create tasks to reset passwords for multiple devices.
In addition to the tools listed above that appear in the console Tools menu, Endpoint Security for Endpoint Manager provides the following common Ivanti features:
- Windows console, additional consoles, web console
- Custom console layouts
- Network view for managed devices and queries
- Shortcut menus for managed devices and queries
- Service configuration
- Database queries
- Software distribution
- Software license monitoring
- Content replication and preferred servers
IMPORTANT: Custom data forms are not supported in Ivanti® Endpoint Security for Endpoint Manager
The Custom data forms tool is not available with an Ivanti® Endpoint Security for Endpoint Manager only license. You must have a full Ivanti® Endpoint Manager license in order to use custom data forms.
Following the security tool help topics, the remainder of the linked help topics are found in the Ivanti® Endpoint Manager help sections that cover the common Ivanti tools mentioned above (including information about understanding and using the console and network view).
NOTE: The Ivanti User Community
The Ivanti User Community has user forums and best known methods for all Ivanti products and technologies. To access this valuable resource, go to: Ivanti User Community Home Page