Configuring services
Many of the most integral and fundamental functions provided by Ivanti components, such as the inventory server and the scheduler service, can and should be configured in order to optimize performance in your particular network environment. Do this by using the Configure Ivanti Software Services applet that you can launch from the Ivanti Start menu program group (or from the management console, click Configure > Services).
NOTE: Configuring services is restricted to only Ivanti Administrators
Only a user with the Ivanti Administrator right can modify service settings. Also, the Configure services option is available only from the main console, not from any additional consoles you may have set up.
Read this topic to learn about:
- Selecting a core server and database
- Configuring the Inventory service
- Resolving duplicate device records in the database
- Configuring the scheduler service
- Configuring the Custom jobs service
- Managing identity server secrets (2022 SU4 and newer)
Selecting a core server and database
Before configuring a service, use the General tab to specify the core server and database you want to configure the service for.
NOTE: Any service configuration changes you make for a core server and database will not take effect until you restart the service on that core server.
About the General tab
Use this tab to select the core server and database you want to configure a specific service for. Then, select any other service tab and specify the settings for that service.
The Reporting database user credentials let you connect to the database with a different user account when using the Reports tool. For example, you can create a user account for the database with read-only rights, then use that account so that reporting users can read from, but not modify, the database.
- Server name: Displays the name of the core server you're currently connected to.
- Server: Lets you enter the name of a different core server and its database directory.
- Database: Lets you enter the name of the core database.
- User name: Identifies a user with authentication credentials to the core database (specified during setup).
- Password: Identifies the user's password required to access the core database (specified during setup).
- This is an Oracle database: Indicates that the core database specified above is an Oracle database.
- Reporting database user: Specify the user name and password for the account that you want the Reports tool to access the database with. This account must have already been created with specific access rights to the database.
- Web console settings: Displays the server name or IP address on which the Web console can be run. When you want to access the Web console from another device, you type this name or address, followed by /remote, in a Web browser.
- Single Sign-on: Enables the user to log onto the Ivanti console without having to enter a username and password. For more information, see Single Sign-on into the Ivanti console.
- Refresh settings: Restores the settings that were present when you opened the dialog box.
When specifying usernames and passwords to a database, the username and the password may not contain an apostrophe ('), a semicolon (;) or an equals sign (=).
Configuring the Inventory service
Use the Inventory tab to configure the Inventory service for the core server and database you selected using the General tab.
If you need to restart the Inventory service on a clustered core, you'll need to do it through the Windows Service Control Manager. The Restart services button in the Ivanti Software Services Inventory tab can't restart the Inventory service on a clustered core.
About the Inventory tab
Use this tab to specify the following inventory options:
- Server name: Displays the name of the core server you're currently connected to.
- Log statistics: Keeps a log of core database actions and statistics. You can view the log data in the Windows Event Viewer's Application log.
- Encrypted data transport: Enables the inventory scanner to send device inventory data from the scanned device back to the core server as encrypted data through SSL.
- Scan server at: Specifies the time to scan the core server.
- Perform maintenance at: Specifies the time to perform standard core database maintenance.
- Days to keep inventory scans: Sets the number of days before the inventory scan record is deleted.
- Primary owner logins: Sets the number of times the inventory scanner tracks logins to determine the primary owner of a device. The primary owner is the user who has logged in the most times within this specified number of logins. The default value is 5 and the minimum and maximum values are 1 and 16, respectively. If all of the logins are unique, the last user to log in is considered the primary owner. A device can have only one primary owner associated with it at a time. Primary user login data includes the user's fully qualified name in either ADS, NDS, domain name, or local name format (in that order), as well as the date of the last login.
- Advanced settings: Displays the Advanced settings dialog box. You can change inventory-related advanced settings here. As you click each item, help text appears at the bottom of the dialog explaining each option. The default values should be fine for most installations. To change a setting, click it, change the Value, then click Set. Restart the inventory service when you're done.
- Unknown items: Opens the Unknown inventory items dialog box, which lists any objects that have been found in scans that are not already found in the database. This gives you control over what new items are added to the database so you can eliminate potential problems with data. You can choose to allow the data to be added to the database, simply delete the data from this list, or ignore the item in all future scans.
- Software: Displays the Software scan settings dialog box. Configure when the software scans run and how long to save the inventory history.
- Attributes: Opens the Select attributes to store dialog box, which lets you limit the number of scan attributes that get stored in the database. This can reduce database size and speed up scan insertion time.
- Manage duplicates: Devices: Opens the Duplicate devices dialog box, where you can configure how duplicate devices are handled.
- Manage duplicates: Device IDs: Opens the Duplicate device ID dialog box, where you can select attributes that uniquely identify devices. You can use this option to avoid having duplicate device IDs scanned into the core database (see Resolving duplicate device records in the database).
- Status of inventory service: Indicates whether the service is started or stopped on the core server.
- Start: Starts the service on the core server.
- Stop: Stops the service on the core server.
- Restart: Restarts the service on the core server.
About the Unknown inventory items dialog
The Unknown inventory items dialog box (Configure > Services > Inventory tab > Unknown items button) lets you control what new items are added to the inventory database. When the inventory scan runs, it can find objects that are not identified in the database. Because there can be corrupt data or other issues on a managed device, you may not want the new data to be added to the database. This dialog box lists all items that have been found and gives you the option to add the new items to the database, delete them, or block them from ever being added to the database.
- Block unknown inventory items: When this check box is selected, all unknown items are listed here until you choose how to handle them.
- Blocked items: Lists all inventory objects that are not currently in the database. Click one or more items to select them and apply an action.
- Allow: Select items and click Allow to add the data to the database. The items will be added to the database and allowed to be processed in future inventory scans.
- Delete: Select items and click Delete to remove them from this list only. If the item is found again, it will be listed again. Typically you would delete items that are the result of data corruption and will likely never be found again in a scan.
- Ignore: Select items and click Ignore to permanently block them from being added to the database. For performance reasons, the Ignore list should be kept as short as possible. Note that items in this list are permanently ignored; the only way to remove them from the list is to remove them manually from the META_IGNORE table in the inventory database and restart the inventory service.
- OK/Cancel: In this dialog box, the OK and Cancel buttons apply only to the Block unknown inventory items check box, not to any actions on blocked items.
About the Software scan settings dialog box
Use this dialog box (Configure > Services > Inventory tab > Software button) to configure the frequency of software scans. A device's hardware is scanned each time the inventory scanner is run on the device, but the device's software is scanned only at the interval you specify here.
- Every login: Scans all of the software installed on the device every time the user logs on.
- Once every (days): Scans the device's software only on the specified daily interval, as an automatic scan.
- Save history (days): Specifies how long the device's inventory history is saved. Clear the check box to not save the inventory history.
Configuring what inventory scan attributes get stored in the database
The inventory scanner looks for hundreds of inventory items. If you don't need all of this scan information in your database, you can speed up scan insertion time and reduce your database size by limiting the number of scan attributes that get stored in the database. When you do this, managed devices still submit complete inventory scans, but the core server's inventory service only stores the attributes you specify in the database.
By default, the inventory service inserts all scan attributes into the database. Any attribute filtering changes you make won't affect data that is already in the database. To limit what data gets stored, follow the steps below.
To set up inventory scan data filtering
- Click Configure > Services > Inventory tab > Attributes button.
- Attributes in the Selected attributes column on the right get inserted into the database. Move the attributes you don't want in the database to the Available attributes column on the left. When you have finished, click OK.
- Restart the inventory service by clicking Restart on the Inventory tab.
- Click OK.
Resolving duplicate device records in the database
In some environments OS imaging is used regularly and frequently to set up devices. Because of this, the possibility of duplicate device IDs among devices is increased. You can avoid this problem by specifying other device attributes that, combined with the device ID, create a unique identifier for your devices. Examples of these other attributes include device name, domain name, BIOS, bus, coprocessor, and so on.
The duplicate ID feature lets you select device attributes that can be used to uniquely identify the device. You specify what these attributes are and how many of them must fail to match before the device is designated as a duplicate of another device. If the inventory scanner detects a duplicate device, it writes an event in the Application event log to indicate the device ID of the duplicate device.
In addition to duplicate device IDs, you may also have duplicate device names or MAC addresses that have accumulated in the database. If you're experiencing persistent duplicate device problems (and you want to prevent future duplicate device records being scanned into your database), you can also specify that any duplicate device names currently residing in the database are removed. This supplementary duplicate device handling feature is included as part of the procedure below.
By default, if a duplicate MAC address is detected five or more times, it is automatically added to the ignore list during database maintenance. You can change this threshold by clicking Configure > Services > Inventory tab > Advanced settings > Duplicate MACs threshold.
To set up duplicate device handling
- Click Configure > Services > Inventory > Device IDs.
- Select attributes from the Attributes list that you want to use to uniquely identify a device, and then click the >> button to add the attribute to the Identity Attributes list. You can add as many attributes as you like.
- Select the number of identity attributes (and hardware attributes) that a device must fail to match before it's designated as a duplicate of another device.
- If you want the inventory scanner to reject duplicate device IDs, select the Reject duplicate identities check box.
- Click OK to save your settings and return to the Configure Inventory dialog.
- (Optional) If you also want to resolve duplicate devices by name and/or address, click Devices to open the Duplicate Devices dialog box, where you can specify the conditions when duplicate devices are removed, such as when device names match, MAC addresses match, or both match.
About the Duplicate Device ID dialog
Use this dialog (click Configure > Services > Inventory tab > Device IDs button) to set up duplicate device ID handling.
- Attributes list: Lists all of the attributes you can choose from to uniquely identify a device.
- Identity attributes: Displays the attributes you've selected to uniquely identify a device.
- Log as a duplicate device ID when: Identifies the number of attributes that a device must fail to match before it's designated as a duplicate of another device.
- Reject duplicate identities: Causes the inventory scanner to record the device ID of the duplicate device and reject any subsequent attempts to scan that device ID. Then, the inventory scanner generates a new device ID.
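The duplicate device ID rule described above, modeled as an added Python example (not Ivanti code; the class, attribute names, sample values and the two behaviors marked as assumptions are illustrative). It replays scans that share one device ID to show how the mismatch threshold separates an imaged clone from a renamed device.

```python
from dataclasses import dataclass, field


@dataclass
class DuplicateIdModel:
    identity_attributes: tuple       # the "Identity attributes" list
    mismatch_threshold: int          # "Log as a duplicate device ID when" N fail to match
    reject_duplicates: bool = False  # "Reject duplicate identities" check box
    records: dict = field(default_factory=dict)     # device ID -> stored attributes
    rejected_ids: set = field(default_factory=set)  # IDs refused on later scans
    event_log: list = field(default_factory=list)   # stand-in for the event log

    def __post_init__(self):
        if not 1 <= self.mismatch_threshold <= len(self.identity_attributes):
            raise ValueError("threshold must be between 1 and the attribute count")

    def mismatches(self, stored, scan):
        """Identity attributes whose values differ between stored record and scan."""
        return [a for a in self.identity_attributes if stored.get(a) != scan.get(a)]

    def submit_scan(self, device_id, attrs):
        """Classify one scan: inserted, updated, duplicate-logged or rejected."""
        if device_id in self.rejected_ids:
            return "rejected"
        stored = self.records.get(device_id)
        if stored is None:
            self.records[device_id] = dict(attrs)
            return "inserted"
        differing = self.mismatches(stored, attrs)
        if len(differing) < self.mismatch_threshold:
            # Too few differences: the same device, rescanned after a minor change.
            self.records[device_id] = dict(attrs)
            return "updated"
        self.event_log.append(
            f"duplicate device ID {device_id}: differs on {', '.join(differing)}")
        if self.reject_duplicates:
            # Assumption: the scan that triggers detection is refused as well.
            self.rejected_ids.add(device_id)
            return "rejected"
        # Assumption: the stored record is left untouched when only logging.
        return "duplicate-logged"


# Constructed sample data: one imaged device, a clone of it, and the original renamed.
ATTRS = ("device_name", "domain_name", "mac_address", "bios_serial")
ORIGINAL = {"device_name": "LAB-PC-01", "domain_name": "corp.example",
            "mac_address": "00:00:5E:00:53:01", "bios_serial": "SN-AAA111"}
CLONE = {"device_name": "LAB-PC-02", "domain_name": "corp.example",
         "mac_address": "00:00:5E:00:53:02", "bios_serial": "SN-BBB222"}
RENAMED = dict(ORIGINAL, device_name="LAB-PC-01A")
DEVICE_ID = "{11111111-2222-3333-4444-555555555555}"  # shared through the image


def run(threshold, reject):
    """Replay original -> renamed original -> clone, all under the same device ID."""
    model = DuplicateIdModel(ATTRS, threshold, reject)
    outcomes = [model.submit_scan(DEVICE_ID, scan)
                for scan in (ORIGINAL, RENAMED, CLONE, RENAMED)]
    return outcomes, model.event_log


if __name__ == "__main__":
    for threshold, reject in ((2, False), (2, True), (1, False)):
        print(threshold, reject, *run(threshold, reject), sep="\n  ")
```

In this model a threshold of 1 logs a simple rename as a duplicate, while a threshold of 2 flags only the clone, which differs on name, MAC address and BIOS serial.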
About the Duplicate Devices dialog
Use this dialog (click Configure > Services > Inventory tab > Devices button) to specify the name and/or address conditions when duplicate devices are removed from the database. When you have one of the remove duplicate options checked, duplicates are allowed in the database, but they are removed the next time database maintenance happens.
- Remove duplicate when:
- Device names match: Removes the older record when two or more device names in the database match.
- MAC addresses match: Removes the older record when two or more MAC addresses in the database match.
- Both device names and MAC addresses match: Removes the older record only when two or more device names and MAC addresses (for the same record) match.
- Restore old device IDs: Restores the original device ID from the older record of a scanned device, if two records for that device exist in the database and at least one of the remove options above is selected and its criteria met. The original device ID is restored when the next inventory maintenance scan runs. This option has no effect unless one of the remove options above is selected.
Configuring the scheduler service
Use the Scheduler tab to configure the scheduler service (Tools > Distribution > Scheduled tasks) for the core server and database you selected using the General tab. For additional information on scheduling tasks, see Scheduling tasks.
By default the Scheduler service uses the LocalSystem account. If you want to use a different account, that account must have access rights to your software repository locations. This allows the core to generate file hashes for software packages you create.
You can specify multiple login credentials to use on devices by clicking Change login.
One additional setting you can configure manually is the Scheduled task window's refresh rate. By default, every two minutes the Scheduled tasks window checks the core database to determine if any of the visible items have been updated. If you want to change the refresh rate, navigate to this key in the registry:
- HKEY_CURRENT_USER\Software\LANDesk\ManagementSuite\WinConsole
Set "TaskRefreshIntervalSeconds" to the number of seconds between refreshes for an active task. Set "TaskAutoRefreshIntervalSeconds" to the refresh interval for the whole Scheduled task window.
About the Scheduler tab
Use this tab to see the name of the core server and the database that you selected earlier, and to specify the following scheduled task options:
- User name: The user name under which the scheduled tasks service will be run. This can be changed by clicking the Change login button.
- Number of seconds between retries: When a scheduled task is configured with multiple retries, this setting controls the number of seconds the scheduler will wait before retrying the task.
- Number of seconds to attempt wake up: When a scheduled task is configured to use Wake On LAN, this setting controls the number of seconds that the scheduled tasks service will wait for a device to wake up.
- Interval between query evaluations: A number that indicates the amount of time between query evaluations, and a unit of measure for the number (minutes, hours, days, or weeks).
- Wake on LAN settings: The IP port that will be used by the Wake On LAN packet sent by the scheduled tasks to wake up devices.
- Status of scheduler service: Indicates whether the scheduler service is started or stopped on the core server.
- Start: Starts the service on the core server.
- Stop: Stops the service on the core server.
- Restart: Restarts the service on the core server.
- Advanced: Displays the Advanced scheduler settings dialog box. You can change other scheduler-related settings here. As you click each item, help text appears at the bottom of the dialog explaining each option. The default values should be fine for most installations. To change a setting, click it, click Edit, enter a new value, then click OK. Restart the scheduler service when you're done.
About the Change login dialog box
Use the Change login dialog box (click Configure > Services > Scheduler tab) to change the default scheduler login. You can also specify alternate credentials the scheduler service should try when it needs to execute a task on unmanaged devices.
The default account the scheduler service uses is LocalSystem. The LocalSystem credentials generally work for devices that aren't in a domain.
If you want to change the scheduler service login credentials, you can specify a different domain-level administrative account to use on devices. If you're managing devices across multiple domains, you can add additional credentials the scheduler service can try. If you want to use an account other than LocalSystem for the scheduler service, or if you want to provide alternate credentials, you must specify a primary scheduler service login that has core server administrative rights. Alternate credentials don't require core server administrative rights, but they must have administrative rights on devices.
The scheduler service will try the default credentials and then use each credential you've specified in the Alternate credentials list until it's successful or runs out of credentials to try. Credentials you specify are securely encrypted and stored in the core server's registry.
NOTE: Rollup core servers use the scheduler service credentials to authenticate for synchronization. On rollup cores, the account used for these scheduler service credentials must be a member of a group with console administrator privileges on the source core servers. If the credentials don't have these privileges, the rollup will fail and you'll see task handler errors in the source core server's synchronization log.
You can set these options for the default scheduler credentials:
- User name: Enter the default domain\username or username you want the scheduler to use.
- Password: Enter the password for the user name you specified.
- Confirm password: Retype the password to confirm it.
You can set these options for additional scheduler credentials:
- Add: Click to add a new user name and password to the Alternate credentials list.
- Remove: Click to remove the selected credentials from the list.
- Modify: Click to change the selected credentials.
When adding alternate credentials, specify the following:
- User name: Enter the user name you want the scheduler to use.
- Domain: Enter the domain for the user name you specified.
- Password: Enter the password for the credentials you specified.
- Confirm password: Retype the password to confirm it.
Configuring the Custom jobs service
Use the Custom jobs tab to configure the custom jobs service for the core server and database you selected using the General tab. Examples of custom jobs include inventory scans, device deployments, or software distributions.
Jobs can be executed with either of two remote execution protocols, TCP or the standard Ivanti agent protocol, CBA. When you disable TCP remote execute as the remote execute protocol, custom jobs uses the standard Ivanti agent protocol by default, whether it's marked disabled or not. Also, if both TCP remote execute and standard Ivanti agent are enabled, the custom jobs service tries to use TCP remote execute first, and if it's not present, uses standard Ivanti agent remote execute.
The Custom jobs tab also enables you to choose options for device discovery. Before the custom jobs service can process a job, it needs to discover each device's current IP address. This tab allows you to configure how the service contacts devices.
About the Configure Ivanti Software Services dialog: Custom jobs tab
Use this tab to set the following custom jobs options:
Remote execute options
- Disable TCP execute: Disables TCP as the remote execute protocol, and thereby uses the standard Ivanti agent protocol by default.
- Disable CBA execute / file transfer: Disables the standard Ivanti agent as the remote execute protocol. If the standard Ivanti agent is disabled and TCP remote execute protocol is not found on the device, the remote execution will fail.
- Enable remote execute timeout: Enables a remote execute timeout and specifies the number of seconds after which the timeout will occur. Remote execute timeouts are triggered when the device is sending heartbeats, but the job on the device is hung or in a loop. This setting applies to both protocols (TCP or standard Ivanti agent). This value can be between 300 seconds (5 minutes) and 86400 seconds (1 day).
- Enable client timeout: Enables a device timeout and specifies the number of seconds after which the timeout will occur. By default, TCP remote execute sends a heartbeat from device to server in intervals of 45 seconds until the remote execute completes or times out. Device timeouts are triggered when the device doesn't send a heartbeat to the server.
- Remote execute port: Specifies the port over which the TCP remote execute occurs. The default is 12174. If this port is changed, it must also be changed in the device configuration.
Distribution options
- Distribute to <nn> computers simultaneously: Specifies the maximum number of devices to which the custom job will be distributed simultaneously.
Discovery options
- UDP: Select UDP to use an Ivanti agent ping via UDP. Most Ivanti device components depend on the standard Ivanti agent, so your managed devices should have the standard Ivanti agent on them. This is the fastest discovery method and the default. With UDP, you can also select the UDP ping number of Retries and a Timeout value.
- TCP: Select TCP to use an HTTP connection to the device on port 9595. This discovery method has the benefit of being able to work through a firewall if you open port 9595, but it's subject to HTTP connection timeouts if devices aren't there. These timeouts can take 20 seconds or more. If a lot of target devices don't respond to the TCP connection, your job will take a while before it can start.
- Both: Select Both to have the service attempt discovery with UDP first, then TCP, and lastly DNS/WINS if it's selected.
- Disable subnet broadcast: When selected, disables discovery via a subnet broadcast. When selected, this will result in a subnet directed broadcast being sent via UDP using PDS.
- Disable DNS/WINS lookup: When selected, disables a name service lookup for each device if the selected TCP/UDP discovery method fails.
Managing Identity Server Secrets (2022 SU4 and newer)
The Identity Server manages authentication between various Endpoint Manager components and other Ivanti products, such as Environment Manager. Use the Identity Server Secrets tab to generate and view authentication secrets.
Normally you don't need to change the built-in Identity Server secret values. Changing secrets may require restarting certain services or applications.
Secrets are used by these components:
- Web console
- Remote control
- Core server
- Environment Manager (requires a separate license)
To view secrets
- Click Configure > Services, then click the Identity Server Secrets tab.
- Click the Load Secrets (Optional) button at the bottom.
- Click the Copy to Clipboard button next to the secret you want to see.