Agent settings: Distribution and patch

Tools > Configuration > Agent Settings > Distribution and patch

The Distribution and Patch agent settings dialog allows you to control how Ivanti® Endpoint Manager installs packages, runs scans, and repairs files.

General settings

On the General settings page, enter a name that will be associated with the settings you specify on all of the pages in this dialog. This name will appear in the Agent settings list in the console.

Network settings

Use this page to customize how distribution packages will impact your network traffic. For more information, see About file downloading.

  • Attempt peer download: Allow packages to download if they are already on a peer in the same subnet. This will reduce network traffic. For example, if you have several satellite offices, you could select one device at each office to receive the package over the network. Then, the other devices at each office would get the package directly from the first device instead of downloading it from the network.
  • Attempt preferred server: Allow automatic redirection to the closest package shares. This will reduce the load on the core server.
  • Allow source: Download from the core server if the files aren't found on a peer or preferred server. If the files are not in one of those locations and this option is not selected, the download will fail.
  • Use multicast: Uses targeted multicast to send files to multiple devices simultaneously. Enter a value for the amount of time to wait on each subnet before the download begins.
  • Bandwidth used from core or preferred server: Specify the maximum percentage of network bandwidth this distribution may use so you don't overload the network. The slider sets the priority of this task relative to other network traffic: the higher the percentage, the more bandwidth this task takes from other traffic. WAN connections are usually slower, so a lower percentage is usually recommended.
  • Bandwidth used peer-to-peer: Specify the percentage of bandwidth to use locally. This value is typically higher than the bandwidth used from core or preferred server because of physical proximity.
  • Send detailed task status: Click to send information about the task to the core server. This increases network traffic, so if you select this option to help troubleshoot a particular issue, you may want to clear it once you resolve the issue.

Policy sync schedule

Use the Policy sync schedule page to specify when the client will check the core to see if there are any packages available for download.

  • Policy sync schedule
    • Event-driven
      • When user logs in: Click to run policy sync once a user has logged in.
      • When IP address changes: Click to run policy sync when the IP address changes.
        • Max random delay: Specify an amount of time to delay the scan in order to avoid downloading the package on all of the devices at the same time, which could flood the network.
    • Schedule-driven
      • Use recurring schedule: Click to only download distribution packages during a specified time frame. The default is to check once a day.
      • Change settings...: Click to open the Local scheduler command dialog, where you can create a different schedule.
    • Additional settings
      • Choose the number of hours for PolicySync to wait before retrying required policies that have failed installation: Specifies how long to wait before a failed policy is automatically retried. As long as the device remains targeted for that task, the policy will continue to re-run after each failure, every 24 hours or at whatever interval you set here.
      • Choose the upper threshold for restarting recurring tasks: Specifies how long Policysync.exe on devices should wait after it executes before allowing it to execute again. For example, if you set this to 15 minutes and a recurring policy tries to run 10 minutes after a prior execution, that execution will wait until the next scheduled time that is later than the number of minutes you specified.

Notification

Use the Notification page to specify what information to display to the user and what actions the user can take.

  • Notification options before installing/removing
    • Automatically begin downloading: Begins the download of the distribution package without notifying the user.
    • Notify user before downloading: Notifies the user before a managed device initiates download of the package. This option is particularly useful for mobile users if used with deferral options to prevent a user from being forced to download a large application over a slow connection.
    • Automatically begin installing/removing: Begins the installation of the distribution package without notifying the user.
    • Notify user before installing/removing: Displays the installation or removal dialog before a managed device initiates installation or removal of the package.
    • Only notify user if processes must be stopped: Only displays a dialog if a process must be stopped before the managed device initiates the installation or removal of the package.
    • Kill processes that need to be stopped before starting the update: Click to shut down any processes that must be stopped before installing the package.
    • Prevent those same processes from running during the update: Click to ensure the processes are not allowed to restart until after the package has finished installing.
    • If deferring until lock/logoff: Specify how long to wait before the package will install.
  • Progress options
    • Show progress: Select whether to never show the installation progress, to only show it when installing or removing files, or to show it when installing or removing and when scanning files.
      • Allow user to cancel scan: If you choose to always show the progress to the user, this option will be enabled. Click to give the user the ability to cancel the scan.
  • No response timeout options: These options are enabled if you allow the user to defer or cancel.
    • Wait for user response before repair, install or uninstall: If you allow the user to defer or cancel, this option will be enabled. Click to force the agent to wait for a user response before continuing. This may cause the task to timeout.
    • After timeout, automatically: Click to automatically start, defer, or cancel the task after the amount of time you specify.

User message

Use this page to create a custom message that the user will see if you select Notify user before downloading or Notify user before installing/removing on the Notification page.

When you schedule a task, there is an option to override this message.

Distribution-only settings

Use this page to specify what to show the user and how long to defer an installation. These options are dependent on the settings you select on the Notification page. You can also use the Distribution-only settings page to select the location for virtualized applications.

  • Feedback
    • Display full package interface: Click to show the user everything that the installation displays. This option is for power users only.
    • Show successful or failed status to end user: Click to only show the user the outcome of the installation.
  • Defer until next logon: Click to allow users to postpone the installation until the next time they log on to the device.
    • Defer for a specific amount of time: Specify the maximum amount of time the user can defer the installation.
      • Limit number of user deferrals: Click to enter a maximum number of times the user can defer the installation.
  • Select the location to store Ivanti virtualized applications
    • Client Destination: Click to install the package in a new environment instead of installing the package on the device.
  • Enable LDAP group targeting: Click to target your distribution to the groups that you have set up on your Microsoft domain instead of targeting devices and user names from Ivanti.
  • Allow LDAP resolution via CSA: Click to target your distribution to objects in your Microsoft Domain while going through the Cloud Service Appliance.

Offline

Use this page to specify what to do if a managed device can't contact the core server during a package installation.

  • Wait until the device can contact the managed core server: Click to stop the installation until the device is able to contact the core server.
  • Install the package(s) offline: Click to create a scheduled task that downloads the files onto the device but doesn't install them.

Logged off user options

Use this page to specify whether to install if the user is logged off a device.

  • Logged off user behavior
    • Continue installation: Click to install the distribution package if the user is logged off.
    • Fail installation: Click to not attempt the installation of the distribution package when the user is logged off.
    • Run at next logon: Click to not attempt the installation of the distribution package when the user is logged off and to begin the package installation when the user logs on again.

Download options

Use the Download options page to specify whether a client should download the patch and then install it or run the installation from the server.

  • Run from source: Click to install the patch from the preferred server or the core. This option is useful if the client machine does not have enough memory to download the patch.
  • Download and execute: Click to download the patch to the client and then install it. This option reduces the load on the server.

Patch-only settings

Use the Patch-only settings page to select reboot and alternate core options when scanning, repairing, and downloading files.

  • When no reboot is required
    • Require end user input before closing: Select this option for the notification dialog to remain visible until the user responds to it.
    • Close after timeout: Select this option to close the notification dialog after a specified countdown.
  • Alternate core
    • Communicate with alternate core server: Click to select a server to use if the default core server is unavailable.
  • When installing via CSA: Click an option in the drop-down list to specify how the scanner will install via the Cloud Service Appliance (CSA) portal. This is helpful if you have people who are outside the network, such as employees who are on the road, who need to communicate with the core.
    • Download patches from core as usual: This will require an extra step and may cause delays or network issues.
    • Do not download patches. Fail the request: This will reschedule the download. Select this option if bandwidth is an issue.
    • Download patches from manufacturer. Fall back to core on failure: This will attempt to download the patch directly from the manufacturer, such as Microsoft, before going through the core server. This will use less bandwidth on your own network.
    • Download patches from manufacturer. Do not fall back on failure: This will attempt to download the patch directly from the manufacturer, such as Microsoft. If it is unable to download the patch, it will reschedule the download.
  • When installing via VPN (2020.1 SU3 and newer)
    • Prioritize download from vendor (fallback on core): Enabling this option allows endpoints to directly download patch content from vendors, bypassing the VPN if their VPN configuration allows it. This helps reduce VPN bandwidth consumption. For this to work, you need to provide a VPN interface keyword that allows the agent to detect when the VPN is active. This keyword should match something unique in the VPN interface connection description on clients.
  • CPU utilization when scanning: Set the slider to specify whether to allow low or high CPU utilization during a scan.
  • Check disk space: (2021.1 SU1 and newer) Before patching, check that the specified amount of disk space is available. Patching will fail if there isn't enough room to perform the patch. This is disabled by default.
  • Scheduled task log: Specify which information the scanner sends to the core. For example, if you are experiencing an issue, you may wish to send debug information to try to troubleshoot the problem.

Do not disturb

Use this page to specify mission-critical processes so that a scan will not occur if those processes are running. For example, to ensure that the scanner will not run during a presentation, you could apply the filter so that a reboot could occur with PowerPoint open but not if PowerPoint was running full screen.

  • Add defaults: Populates the list with the default processes.
  • Add...: Opens the Specify process filter dialog box, where you can enter the name of the process and specify whether to apply the filter any time the process is running or only when the process is running full screen.
  • Edit...: Opens the Specify process filter dialog box, where you can change the filter for a process that is already in the list.
  • Delete...: Removes a process from the list.
  • Legacy Mac agent user interruption settings: If you have upgraded your Mac client, all of the settings on the Do not disturb page are supported. However, if you have not upgraded your Mac client, you can use the following options:
    • Hide scan progress dialog when a presentation is running: Click to keep the scan progress dialog in the background so that it does not interrupt a presentation.
    • Defer repairing when a presentation is running: Click to postpone any repairs until the presentation is over.

Scan options

Use this page to specify whether the security scanner will scan by group or by type of vulnerability.

  • Scan for
    • Group: Select a custom, preconfigured group from the drop-down list.
      • Immediately repair all detected items: Indicates that any security risk identified by this particular group scan will be automatically remediated.
    • Type: Specifies which content types you want to scan for with this scan task. You can select only those content types for which you have an Ivanti® Endpoint Security for Endpoint Manager content subscription. Also, the actual security definitions that are scanned for depend on the contents of the Scan group in the Patch and Compliance window. In other words, if you select vulnerabilities and security threats in this dialog box, only those vulnerabilities and security threats currently residing in their respective Scan groups will be scanned for.
  • Enable autofix: Indicates that the security scanner will automatically deploy and install the necessary associated patch files for any vulnerabilities or custom definitions it detects on scanned devices. This option applies to security scan tasks only. In order for autofix to work, the definition must also have autofix enabled.

Schedule

Use this page to specify the time frame during which the security scanner will run as a scheduled task. After you select the settings, this page displays a summary of the schedule.

  • Event-driven
    • When user logs in: Click to scan and repair definitions once a user has logged in.
      • Max random delay: Specify an amount of time to delay the scan in order to avoid simultaneously scanning all of the devices, which could flood the network.
  • Schedule-driven
    • Use recurring schedule: Click to only scan and repair definitions during a specified time frame.
    • Change settings...: Opens the Local scheduler command dialog box where you can define the parameters for the security scan. This dialog box is shared by several Ivanti management tasks. Click the Help button for details.

Frequent scan

Use this page to enable the agent to check definitions in a specific group more frequently than usual. This is helpful when you have a virus outbreak or other time-sensitive patch that needs to be distributed as soon as possible. For example, you may want a client to scan every 30 minutes and at every login for a specific group that may contain critical vulnerabilities. The frequent scan is optional.

  • Enable high frequency scan and repair definitions for the following group: Enables the frequent security scan features. Once you've checked this option, you need to select a custom group from the drop-down list.
    • Immediately install (repair) all applicable items: Click to enable the agent to install a patch if it locates one in the folder that you specify.
  • Schedule
    • Event-driven
      • When user logs in: Click to scan and repair definitions once a user has logged in.
        • Max random delay: Specify an amount of time to delay the scan in order to avoid simultaneously scanning all of the devices, which could flood the network.
    • Schedule-driven
      • Use recurring schedule: Click to only scan and repair definitions during a specified time frame.
      • Change settings...: Opens the Local scheduler command dialog box where you can define the parameters for the security scan. This dialog box is shared by several Ivanti management tasks. Click the Help button for details.
  • Override settings: From the drop-down box, select the settings that you wish to override with the settings that you specify in the Distribution and Patch dialog.
    • Edit...: Click to open the Distribution and Patch settings dialog for that particular setting.
    • Configure: Click to open the Configure distribution and patch settings dialog. For more information, click Help.

Pilot configuration

Use the Pilot configuration page to test security definitions on a small group before performing a wider deployment on your entire network. For example, you may wish to install a new Microsoft patch on the devices in only the IT group to make sure that it doesn't cause any issues before it goes out to everyone in the organization. Using a pilot group is optional.

  • Periodically scan and repair definitions in the following group: Enables the pilot security scan features. Once you've checked this option, you need to select a custom group from the drop-down list.
  • Schedule
    • Event-driven
      • When user logs in: Click to scan and repair definitions once a user has logged in.
        • Max random delay: Specify an amount of time to delay the scan in order to avoid simultaneously scanning all of the devices, which could flood the network.
    • Schedule-driven
      • Use recurring schedule: Click to only scan and repair definitions during a specified time frame.
      • Change settings...: Opens the Local scheduler command dialog box where you can define the parameters for the security scan. This dialog box is shared by several Ivanti management tasks. Click the Help button for details.

Spyware scanning

Use this page to replace or override spyware settings from a device's agent configuration.

Real-time spyware detection monitors devices for newly launched processes that attempt to modify the local registry. If spyware is detected, the security scanner on the device prompts the end user to remove the spyware.

  • Override settings from client configuration: Replaces existing spyware settings on devices initially configured via an agent configuration. Use the options below to specify the new spyware settings you want to deploy to target devices.
  • Settings
    • Enable real-time spyware blocking: Turns on real-time spyware monitoring and blocking on devices with this agent configuration.

      NOTE: In order for real-time spyware scanning and detection to work, you must manually enable the autofix feature for any downloaded spyware definitions you want included in a security scan. Downloaded spyware definitions don't have autofix turned on by default.

    • Notify user when spyware has been blocked: Displays a message that informs the end user a spyware program has been detected and remediated.
    • If an application is not recognized as spyware, require user's approval before it can be installed: Even if the detected process is not recognized as spyware according to the device's current list of spyware definitions, the end user will be prompted before the software is installed on their machine.

Install/remove options

Use the Install/remove options to specify what the agent should do once it determines the need for a patch.

  • Reboot is already pending: Click this option if you want to start a patch installation regardless of whether the device has requested a reboot.

Continuation

Use the continuation page to enable the agent to immediately install or remove patches as soon as it meets the specified criteria. For example, if you need to install ten patches to remove a single vulnerability, continuation provides a way to install them one after another.

  • Automatically continue install/remove actions after prerequisites are met: Click to allow the agent to automatically install or remove patches once it meets any prerequisites.
    • Additional automatic repair count: The default is to allow 5 automatic repairs, which balances the urgency of getting the patch installed with allowing users to complete their work.

Maintenance window

Use this page to specify the parameters for when the agent can perform any install, repair, or remove actions.

  • Machine must be in this state: Click to specify whether the user must be logged off or the device must be locked for the specified amount of time.
    • Delay: Use this option if you want to delay the action for several minutes to ensure that the user is not returning to the device.
  • Machine must be in this time window: Click to configure the maintenance window by setting a detailed schedule. Specify the time of day, days of the week, and days of the month. The agent will only run when it meets all criteria.

Endpoint Manager 2022 SU5 added the ability to configure different maintenance window time schedules based on the day of the week. Each day of the week can have a single window. Configure the window you want and click the Add button to add it to the list. Only windows that have been added to the list are active.

Pre-repair script

Use the Pre-repair script page to execute a custom command before installing a patch. For example, if you want to get the environment ready for the patch by turning off a particular service, you can use a script.

  • Abort patch install or uninstall if this script fails: Specify whether to cancel the patch installation if the script does not run.
  • Insert sample script...: Click to select a VBScript, PowerShell script, or batch file to include in the pre-repair script.
  • Insert method call...: Click to open a list of method calls that you can add to the pre-repair script. Click a method call in the list to move it to the Script Content box.
  • Use editor...: Click to open Notepad, where you can write your custom script.

Post-repair script

Use the Post-repair script page to execute a custom command after installing a patch. For example, if you used a script to shut off the AV service before installing a patch, you can use the post-repair script to turn it back on.

  • Run this script even if pre-repair fails: Specify whether to uninstall the patch if the post-repair script does not run.
  • Insert sample script...: Click to select a VBScript, PowerShell script, or batch file to include in the post-repair script.
  • Insert method call...: Click to open a list of method calls that you can add to the post-repair script. Click a method call in the list to move it to the Script Content box.
  • Use editor...: Click to open Notepad, where you can write your custom script.
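As an added example of the kind of script the Pre-repair script and Post-repair script pages accept (this is not Ivanti's code and is not taken from the product documentation), here is a PowerShell pre-repair script that stops a service before a patch and exits non-zero if the service cannot be stopped. It assumes the agent treats a non-zero exit code as "script failed", which is what the Abort patch install or uninstall if this script fails option relies on; the service name ExampleLobService and the log path are placeholders.

```powershell
# Added example, not from Ivanti documentation.
# Assumptions: the agent runs this as the pre-repair script and treats a
# non-zero exit code as script failure. 'ExampleLobService' is a hypothetical
# service name; replace it with the service you need stopped during patching.
$serviceName = 'ExampleLobService'
$logPath     = Join-Path $env:ProgramData 'PreRepair.log'   # placeholder location

function Write-Log([string]$Message) {
    "$((Get-Date).ToString('s')) $Message" | Out-File -FilePath $logPath -Append
}

# Locate the service; if it is not installed on this device there is nothing
# to stop, so let the patch proceed rather than failing the whole install.
try {
    $svc = Get-Service -Name $serviceName -ErrorAction Stop
} catch {
    Write-Log "Service '$serviceName' not present; continuing"
    exit 0
}

if ($svc.Status -ne 'Stopped') {
    Write-Log "Stopping '$serviceName' (current state: $($svc.Status))"
    # -Force also stops dependent services so the stop does not hang on them.
    Stop-Service -Name $serviceName -Force -ErrorAction SilentlyContinue

    # Wait a bounded time for the stop to complete instead of assuming it did;
    # WaitForStatus throws a TimeoutException if the state is not reached.
    try {
        $svc.WaitForStatus('Stopped', (New-TimeSpan -Seconds 60))
    } catch {
        Write-Log "ERROR: '$serviceName' did not stop within 60 s; exiting 1 so the patch is aborted"
        exit 1
    }
}

Write-Log "'$serviceName' is stopped; patch may proceed"
exit 0
```

The matching post-repair script is the mirror image: call Start-Service on the same name, wait for the Running state with WaitForStatus, and exit non-zero if it does not come back so the failure is visible in the scheduled task log.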

MSI information

Use this page if a patch file needs to access its originating product installation resource in order to install any necessary supplemental files. For example, you may need to provide this information when you're attempting to apply a patch for Microsoft Office or some other product suite.

  • Original package location: Enter the UNC path to the product image.
  • Credentials to use when referencing the original package location: Enter a valid user name and password to authenticate to the network share specified above.
  • Ignore the /overwriteoem command-line option: Indicates the command to overwrite OEM-specific instructions will be ignored. In other words, the OEM instructions are executed.
  • Run as Information: Credentials for running patches: Enter a valid user name and password to identify the logged-in user for running patches.

Branding

The Branding page allows you to customize the status dialog that will notify the user of a scan or other scheduled task. For information on how to hide or display the dialog, see Notification.

The Branding dialog box contains the following options:

  • Customize window caption: Enter a title for the dialog.
  • Preview...: Click to see the dialog box with the custom icon and banner that the user will see.

User feedback

The User feedback page enables real-time monitoring of file changes and deletions made by patches. Enabling this option installs an additional driver on managed devices that gathers this information.

This option adds a system tray icon that users can double-click to launch the Report an application dialog box.

  • Allow the user to report broken applications: Enables the user feedback option on managed devices.