CONFIG mode command details

The following commands are available from the CONFIG mode.

activemq

Apache ActiveMQ service is an open source message broker with a full Java Message Service (JMS) client. When enabled, the service fosters communication from more than one client or server.

Example  

/config#activemq

Warning:Maintenance mode command.

Portal service will be stopped during this operation. Proceed? (y/n)

banner

Defines the text to appear in the CLI login banner. The text also appears on the Admin Portal, Ivanti EPMM System Manager, and self-service user portal login screens.

Specify the following parameters:

Table 20.  banner command parameters

| Parameter | Description |
| --- | --- |
| bannername | Multi-word string enclosed in quotes. |

Example  

/config#banner "Welcome MyCompany"

certificate client

Generates a self-signed certificate for the client for use with Transport Layer Security (TLS). You can also use the Ivanti EPMM System Manager Security > Certificate Mgmt page for this command. For more information, see “Certificate Mgmt” in the Ivanti EPMM System Manager Guide.

Example  

/config#certificate client

Tlsproxy service will be disrupted.

Would you like to proceed? [y/n]:

/config#

The CLI does not provide a confirmation that the certificate was generated.

certificate portal

Generates a self-signed certificate for Sentry configurations. For more information, see “Certificate Mgmt” in the Ivanti EPMM System Manager Guide.

Example  

/config#certificate portal

Services will be disrupted.

Would you like to proceed? [y/n]: y

/config#

The CLI does not provide a confirmation that the certificate was generated.

clock set

Sets the date and time on Ivanti EPMM.

Specify the following parameters:

Table 21.  clock set parameters

| Parameter | Description |
| --- | --- |
| time | Current time using the format HH:MM:SS. Specify the hours as a value between 00 and 23. |
| day | Day of the month as a value between 1 and 31. |
| month | Month of the year. Specify one of the following: January, February, March, April, May, June, July, August, September, October, November, December. |
| year | Specify as a 4-digit string. For example: 2021 |

Example  

/config#clock set 10:34:59 23 February 2021

/config#

common_criteria_mode

Sets Common Criteria mode on Ivanti EPMM. After the command completes, do a reload for it to take effect on Ivanti EPMM.

Common Criteria mode refers to a set of features in Ivanti EPMM that meet requirements associated with Common Criteria. Also referred to as Common Criteria for Information Technology Security Evaluation, Common Criteria is an international set of guidelines and specifications for evaluating information security products to ensure they meet the established security standard for government deployments.

Example  

/config#common_criteria_mode

....

/config#do reload

Enter yes to save.

Enter yes to reboot.

The system will not be reachable until the reboot is complete.

db-admin-account

This command locks and unlocks MySQL miadmin accounts.

Table 22.  db-admin-account parameters

| Parameter | Description |
| --- | --- |
| lock | Lock the MySQL database miadmin account. |
| unlock | Unlock the MySQL database miadmin account. |

Example  

/config#db-admin-account lock

do

Runs EXEC or EXEC PRIVILEGED commands from CONFIGURE mode.

Use the do command when you are in CONFIGURE mode and want to run a command from EXEC PRIVILEGED mode, but don’t want to have to exit and reenter CONFIGURE mode. After the keyword do, enter the command. For example:

config#do ping someWebSite.com

The following table lists the commands you can run using do:

Table 23.  do sub-commands

| Command | Description |
| --- | --- |
| clear arp-cache | Clears the ARP cache on Ivanti EPMM. |
| clock set | Sets the date and time on Ivanti EPMM. |
| disable | Returns to EXEC mode. |
| help | Describes the interactive help system. |
| host | Performs a DNS lookup for a specified IP address or host name. |
| logout | Closes the terminal window. |
| ping | Sends echo messages. |
| poweroff | Turns off Ivanti EPMM. |
| reload | Halts Ivanti EPMM and performs a code restart. |
| show | Executes show commands specified in EXEC mode commands and EXEC PRIVILEGED mode commands. |
| telnet | Opens a telnet connection. |
| timeout | Sets the idle timeout for the CLI. |
| traceroute | Traces route to destination. |
| write | Saves configuration changes. |

Example  

/config#do show banner

enable secret

Changes the enable-secret password. This password allows you to change from EXEC mode to EXEC PRIVILEGED mode in the CLI.

You can also use the Ivanti EPMM System Manager Settings > CLI page for this command. For more information, see “CLI” in the Ivanti EPMM System Manager Guide.

Example  

/config#enable secret NewPwd123

end

Returns to EXEC PRIVILEGED mode.

Example  

/config#end

eula

Sets the End User License Agreement (EULA) information.

Specify the following parameters:

Table 24.  eula parameters

| Parameter | Description |
| --- | --- |
| companyname | The name of the company accepting the EULA. Enclose the name in double quotes if it contains spaces. |
| contactname | The name of the contact at the company. Enclose the name in double quotes if it contains spaces. |
| contactemail | Email address for the contact. |

Example  

/config#eula "My Company" "Joe Doe" [email protected]

fips

Enables FIPS mode on Ivanti EPMM.

The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government computer security standard used to accredit cryptographic modules. FIPS 140-2 defines four levels of security, simply named "Level 1" to "Level 4". It does not specify in detail what level of security is required by any particular application. Ivanti EPMM products are FIPS 140-2 Level 1 Compliant.

Enabling FIPS mode results in Ivanti EPMM changing the selected TLS protocol version for incoming connections to TLS 1.2 and the disabled TLS versions to TLS 1.0 and TLS 1.1. For outgoing connections, the selected and disabled lists remain unchanged. See "Advanced: Incoming SSL Configuration" and "Advanced: Outgoing SSL Configuration" in the Ivanti EPMM System Manager Guide.

Example  

/config#fips

1/3 Generating initramfs-2.6.32-696.6.3.el6.x86_64.fips.img ... This will take a while

1/3 Generating initramfs-2.6.32-696.6.3.el6.x86_64.fips.img ...Done

2/3 Updating grub.conf ...

2/3 Updating grub.conf ...Done

3/3 Updating prelink configuration

3/3 Updating prelink configuration...Done

Must reload system before FIPS 140 enabled.

 

/config#do reload

  1. Enter yes.

  2. Enter yes.

The system will not be reachable until the reboot is complete.

hostname

Configures Ivanti EPMM’s fully-qualified host name.

Specify the following parameter:

Table 25.  hostname parameters

| Parameter | Description |
| --- | --- |
| hostname | The fully-qualified host name for Ivanti EPMM. |

You can also use the Ivanti EPMM System Manager Settings > DNS and Hostname page for this command. For more information, see “DNS and Hostname” in the Ivanti EPMM System Manager Guide.

Example  

/config#hostname myhost123

Please reload the system for the changes to be effective.

/config#

hsts-disable

Disables HSTS.

You can also use the Ivanti EPMM System Manager Security > Advanced > HSTS page for this command. For more information, see “Advanced: HSTS” in the Ivanti EPMM System Manager Guide.

Example  

/config#hsts-disable

HSTS disabled adn httpd service to be restarted in 1 minute.

/config#

httpd-reset-default-ssl-ciphers

Resets the cipher suites to their default values.

Example  

/config#httpd-reset-default-ssl-ciphers

/config#

interface GigabitEthernet

Switches to INTERFACE mode to configure a physical interface. Specify 1, 2, 3, 4, 5, or 6 to select the interface.

You can also configure the physical interfaces in the Ivanti EPMM System Manager Settings > Network > Interfaces page for this command. For more information, see “Managing network interfaces” in the Ivanti EPMM System Manager Guide.

Example  

/config#interface GigabitEthernet 2
/config-if#

See INTERFACE mode commands for available commands.

interface VLAN

Switches to INTERFACE mode to configure virtual Local Area Network (VLAN) interfaces. Specify a number between 1 and 4094 for the VLAN ID.

You can also configure the VLAN interfaces in the Ivanti EPMM System Manager Settings > Network > Interfaces page for this command. For more information, see “Managing network interfaces” in the Ivanti EPMM System Manager Guide.

Example  

/config#interface vlan 2

/config-vlan#

ip arp

Updates the ARP cache on Ivanti EPMM. The ARP cache stores a mapping of IP addresses with link layer addresses, which are also known as Ethernet addresses and MAC addresses.

Typically, the ARP cache is updated automatically, making this command unnecessary.

Specify the following parameters:

Table 26.  ip arp parameters

| Parameter | Description |
| --- | --- |
| IP address | IP address of Ivanti EPMM. |
| Mac address | Corresponding MAC address, using format: xx:xx:xx:xx:xx:xx |
| Interface type | Specify GigabitEthernet or VLAN. |
| Interface ID | Specify 1 to 6 for GigabitEthernet. Specify 1 - 4094 for VLAN. |

Example  

/config#ip arp 10.10.15.41 00:50:56:91:71:1B GigabitEthernet 1

ip domain-name

Sets the default domain name for Ivanti EPMM.

You can also configure the default domain name in the Ivanti EPMM System Manager Settings > DNS and Hostname page, described in “DNS and Hostname” in the Ivanti EPMM System Manager Guide.

Example  

/config# ip domain-name mycompany.com

/config#

ip name-server

Sets the preferred DNS server, which is the IP address of the primary DNS server to use.

You can also configure the preferred DNS server in the Ivanti EPMM System Manager Settings > DNS and Hostname page, described in “DNS and Hostname” in the Ivanti EPMM System Manager Guide.

Example  

/config# ip name-server 10.10.15.6

/config#

ip route

Configures a static network route. This command specifies the subnet mask and gateway to use for routing from a network IP address.

Specify the following parameters:

Table 27.  ip route parameters

| Parameter | Description |
| --- | --- |
| IP address | Network IP address. |
| mask | Subnet mask. |
| gateway | IP address for the gateway. |

You can also configure a static network route in the Ivanti EPMM System Manager Settings > Network > Routes page, described in “Routes” in the Ivanti EPMM System Manager Guide.

Example  

/config#ip route 192.168.57.0 255.255.255.0 10.10.1.1

kparam

This command configures kernel parameters. Specify the following parameters:

Table 28.  kparam parameters

Parameter

Description

name

The name of the kernel parameter.

Enter rp_filter, log_martians, or tcp_mtu_probing.

value

The value for rp_filter or log_martians. Enter 0, 1, or 2 as follows:

  • rp_filter values:

    • 0 - No source validation
    • 1 - (the default value) Strict mode as defined in RFC 3704
    • 2 - Loose mode as defined in RFC 3704 (use to enable asymmetric routes)

    We recommend that to protect against IP spoofing, you do not set rp_filter to 0.

  • log_martians values:

    • 0 - Disable
    • 1 - Enable
  • tcp_mtu_probing values:

    • 0 - Disable MTU probing entirely.
    • 1 - (the default value) Perform ICMP-based MTU probing, and fall back to TCP-based MTU probing if a black hole is detected.
    • 2 - Perform TCP-based MTU probing only.

Example  

/config#kparam rp_filter 2

/config#kparam log_martians 1
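The three rp_filter values and the effect of log_martians, as an added example that is not part of the Ivanti documentation or the appliance's code. It is a simplified model of reverse-path filtering; the routing table, interface names and packets are constructed for illustration.

```python
import ipaddress

# Constructed routing table: (destination network, outgoing interface).
ROUTES = [
    ("10.10.0.0/16", "GigabitEthernet1"),
    ("192.168.57.0/24", "GigabitEthernet2"),
]

# Constructed packets: (source address, interface the packet arrived on).
PACKETS = [
    ("10.10.15.41", "GigabitEthernet1"),   # symmetric: replies leave the same way
    ("192.168.57.9", "GigabitEthernet1"),  # asymmetric: replies leave via GigabitEthernet2
    ("203.0.113.7", "GigabitEthernet1"),   # no route back to this source at all
]


def reverse_path(routes, source):
    """Longest-prefix match for the source address; returns an interface or None."""
    addr = ipaddress.ip_address(source)
    matches = [
        (ipaddress.ip_network(net), iface)
        for net, iface in routes
        if addr in ipaddress.ip_network(net)
    ]
    if not matches:
        return None
    return max(matches, key=lambda match: match[0].prefixlen)[1]


def rp_filter_accepts(routes, mode, source, in_iface):
    """Apply the rp_filter value (0, 1 or 2) to one incoming packet."""
    if mode not in (0, 1, 2):
        raise ValueError("rp_filter must be 0, 1 or 2")
    if mode == 0:
        return True                      # no source validation: spoofed sources pass
    best = reverse_path(routes, source)
    if best is None:
        return False                     # strict and loose both need some route back
    # Loose mode accepts any reachable source (a default route would make every
    # source reachable); strict mode needs the best route on the arrival interface.
    return mode == 2 or best == in_iface


def filter_packets(routes, packets, rp_filter, log_martians):
    """Return (accepted source addresses, log lines for dropped packets)."""
    accepted, martian_log = [], []
    for source, in_iface in packets:
        if rp_filter_accepts(routes, rp_filter, source, in_iface):
            accepted.append(source)
        elif log_martians == 1:
            martian_log.append(f"martian source {source} on {in_iface}")
    return accepted, martian_log


if __name__ == "__main__":
    for mode in (0, 1, 2):
        print(mode, filter_packets(ROUTES, PACKETS, mode, 1))
```

With value 1 the asymmetric packet is dropped along with the unroutable one, which is the case the table's value 2 exists for; with value 0 nothing is dropped, so log_martians has nothing to record.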

mod-security-disable

Mod_security is an Apache module that helps to protect your website from various attacks. It is used to block commonly-known exploits by use of regular expressions and rule sets. This command disables the Apache ModSecurity module. Requires a restart of the HTTPD service.

Example  

/config#mod-security-disable

<cr>

no

Deletes, resets, and disables various system configurations, as described in the following table.

Table 29.  no command parameters

| Command | Description |
| --- | --- |
| no appanalytics | Disables app analytics. |
| no banner | Reverts to the original login banner. |
| no hostname | Reverts the system's fully qualified domain name to localhost.localdomain. Requires a system reload for the change to take effect. |
| no interface vlan <vlan number 1 - 4094> | Deletes the specified VLAN interface. |
| no ip arp <IP address> | Deletes the specified IP address from the ARP cache. |
| no ip domain-name | Deletes the domain-name of Ivanti EPMM. |
| no ip name-server <IP address> | Deletes the specified Internet name server from the list of Internet name servers that Ivanti EPMM uses for DNS lookup. |
| no ip route <IP address> <mask> | Deletes the specified static network route from Ivanti EPMM’s routing table. |
| no ntp <IP address or hostname> | Deletes the specified NTP server from Ivanti EPMM’s list of NTP servers. |
| no portalacls | Deletes portal ACLs. |
| no service <service name> | Disables the specified service (ssh or ntp). |
| no sshd_authorized_key | Disables SSH public key authentication. The public key for the logged in administrator is removed. |
| no statichost <IP address> | Deletes the static host entry. |
| no syslog <IP address or hostname> | Deletes the syslog server specified by the parameter. |
| no system user <username> | Deletes the system user specified by the parameter. |
| no system aspm | Sets a kernel boot parameter to turn on the PCIe Active State Power Management (ASPM) subsystem on Ivanti EPMM physical appliances. |

ntp

Configures the time sources. The time sources are Network Time Protocol (NTP) servers. An NTP server figures out how much the system clock drifts and smoothly corrects it.

You can also configure the NTP servers in the Ivanti EPMM System Manager Settings > Date and Time (NTP) page, described in “Date and Time (NTP)” in the Ivanti EPMM System Manager Guide.

Specify the following parameters:

Table 30.  NTP command parameters

| Parameter | Description |
| --- | --- |
| server | Hostname or IP address of the NTP server. |
| index | The order this NTP server appears in the configuration (0-2). |

Example  

/config# ntp 172.16.0.1 0

portalacl

Configures the portal Access Control Lists (ACLs), which restrict access to various portals of Ivanti EPMM. Access is restricted to servers or networks by specifying their IP addresses, network and mask pairs, or hostname.

Table 31.  portalacl command parameters

| Parameter | Description |
| --- | --- |
| module | Enter one of the following options: MyPhoneAtWork, SmartphoneManagerPortal, SystemManagerPortal, SentryConnection, APIConnection, iOSMDM, iOSiRegURL, AppStorefrontConnection |
| host | The IP address, network, or hostname from which access is allowed. Only one host configuration is supported from CLI. Use the Ivanti EPMM System Manager portal to configure multiple hosts or Networks. |

You can also configure the ACLs in the Ivanti EPMM System Manager Security > Access Control Lists page, described in “Access Control Lists” in the Ivanti EPMM System Manager Guide.

Example  

/config#portalacl MyPhoneAtWork 10.101.1.119

randomizer

This command configures a random source. Requires a system reload.

Table 32.  Randomizer command parameters

| Parameter | Description |
| --- | --- |
| random | Using /dev/random may require waiting for the result, as it uses a so-called entropy pool, where random data may not be available at the moment. /dev/random should be suitable for uses that need very high quality randomness such as one-time pad or key generation. When the entropy pool is empty, reads from /dev/random will block until additional environmental noise is gathered. |
| urandom | /dev/urandom returns as many bytes as the user requested and thus it is less random than /dev/random. A read from the /dev/urandom device will not block waiting for more entropy. As a result, if there is not sufficient entropy in the entropy pool, the returned values are theoretically vulnerable to a cryptographic attack on the algorithms used by the driver. Knowledge of how to do this is not available in the current unclassified literature, but it is theoretically possible that such an attack may exist. If this is a concern in your application, use /dev/random instead. |

Example  

/config#randomizer urandom

reset-devshell-password

This command resets the devshell password.

Example  

/config#reset-devshell-password

2+0 records in

2+0 records out

1024 bytes (1.0 kB) copied, 0.000208748 s, 4.9 MB/s

2+0 records in

2+0 records out

1024 bytes (1.0 kB) copied, 0.00016912 s, 6.1 MB/s

devshell password reset successfully.

resize_boot_partition

Increases the boot partition size to 1 GB. Executing this command stops all Ivanti EPMM services, and must be followed by an Ivanti EPMM reload. See reload.

Example  

/config#resize_boot_partition

service

Enables the service ssh or ntp. For ssh, this command also sets the number of instances allowed for the service.

Table 33.  service command parameters

| Parameter | Description |
| --- | --- |
| name | The name of the service. Enter either ssh or ntp. |
| instances | Maximum sessions allowed for ssh. |

You can also configure this information in the Ivanti EPMM System Manager Settings > CLI page. See "CLI" in the Ivanti EPMM System Manager Guide.

Example  

/config#service ssh 4

software repository

Configures the software repository URL. This URL specifies the location of software updates for Ivanti EPMM.

You can also configure the software repository in the Ivanti EPMM System Manager, in Maintenance > Software Updates, described in “Ivanti EPMM server software updates” in the Ivanti EPMM System Manager Guide.

Specify the following parameters:

Table 34.  software repository parameters

| Parameter | Description |
| --- | --- |
| urlstring | URL for the software repository. |
| username | The username portion of the credentials for accessing the repository. |
| password | The password portion of the credentials for accessing the repository. |

sshd_authorized_key

Use this command to enable SSH public key authorization for a CLI user. With this command, you provide Ivanti EPMM with the public key of an SSH public/private key pair. Providing the public key allows a CLI user to use SSH to connect to Ivanti EPMM using the matching private key rather than with a password.

You can enable public key authorization only for the administrator user that you use to log into the CLI session. Each administrator user can have only one public key. If you enable public key authorization with a second public key, the first public key is overwritten.

Procedure 

To enable SSH public key authorization, do the following in CONFIG mode:

  1. Enter sshd_authorized_key.

  2. When prompted, paste the public key.

  3. Press Enter.

  4. When prompted to save the configuration, enter yes.

Example  

asdfasd/config#sshd_authorized_key

Please provide the public key and press enter: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnFsywrE7Q6kGU+uVFKCLaY4/XlgXtxB1pUQAOPJjKRZukn5zfdbGmLqGaJWjWc7TRMTkbPegV4skPW1ddIcUXNuV79Mfbco4sFJkLFr4Qg7xKQUyo/kk47otSE2HRq4EUoTxfN5UeEuD81WEeU3aqdH6RcrIx0gkdvteFbUuSacWorRw4xoskySYplWeLTva4IgERPXI5jkydBF/uH14B3R1V/TzIxo914xW08o6C0dC/A/bnbPzAnvlngOdskGikUDOQ29jXqvHhrw9jnAWPYcq7vsJfNi2b/6AIAeKVcEZkLOuul1i9WtkePXX1k4lXR8e8lBI2MPhXOfiSIDGx admin

Entered key is: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnFsywrE7Q6kGU+uVFKCLaY4/XlgXtxB1pUQAOPJjKRZukn5zfdbGmLqGaJWjWc7TRMTkbPegV4skPW1ddIcUXNuV79Mfbco4sFJkLFr4Qg7xKQUyo/kk47otSE2HRq4EUoTxfN5UeEuD81WEeU3aqdH6RcrIx0gkdvteFbUuSacWorRw4xoskySYplWeLTva4IgERPXI5jkydBF/uH14B3R1V/TzIxo914xW08o6C0dC/A/bnbPzAnvlngOdskGikUDOQ29jXqvHhrw9jnAWPYcq7vsJfNi2b/6AIAeKVcEZkLOuul1i9WtkePXX1k4lXR8e8lBI2MPhXOfiSIDGx admin

Confirm to add to the authorized keys (y/n): y

Done adding to the authorized keys.
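Because a second key overwrites the first and the key is pasted at a prompt, it helps to check the line on the workstation before pasting it. The following check is an added example, not part of the Ivanti documentation or CLI; the 2048-bit minimum and the function names are assumptions of this example, and the sample key is constructed in code rather than taken from a real key pair.

```python
import base64
import hashlib
import struct


def read_field(blob, offset):
    """Read one length-prefixed field: uint32 big-endian length, then the data."""
    if offset + 4 > len(blob):
        raise ValueError("key blob is truncated (missing length field)")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("key blob is truncated (field runs past the end)")
    return blob[offset + 4:end], end


def inspect_public_key(line, min_rsa_bits=2048):
    """Validate a one-line OpenSSH public key; return type, size and fingerprint.

    min_rsa_bits is an assumption of this example, not a documented EPMM limit.
    """
    if "PRIVATE KEY" in line:
        raise ValueError("private key material; paste only the public key line")
    if "\n" in line.strip():
        raise ValueError("key spans several lines; the prompt takes one line")
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, encoded = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(encoded, validate=True)
    except ValueError as exc:
        raise ValueError("key body is not valid base64 (cut or wrapped paste?)") from exc
    inner_type, offset = read_field(blob, 0)
    if inner_type != key_type.encode("ascii", "replace"):
        raise ValueError("type label does not match the type inside the key blob")
    bits = None
    if key_type == "ssh-rsa":
        _exponent, offset = read_field(blob, offset)
        modulus, offset = read_field(blob, offset)
        bits = int.from_bytes(modulus, "big").bit_length()
        if bits < min_rsa_bits:
            raise ValueError(f"RSA modulus is only {bits} bits")
        if offset != len(blob):
            raise ValueError("unexpected data after the RSA modulus")
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {"type": key_type, "bits": bits, "comment": comment,
            "fingerprint": fingerprint}


def sample_key_line(bits, comment="admin"):
    """Build a CONSTRUCTED ssh-rsa line; the modulus is not a usable RSA key."""
    def field(data):
        return struct.pack(">I", len(data)) + data

    def mpint(value):  # the extra leading byte keeps the number positive
        return value.to_bytes(value.bit_length() // 8 + 1, "big")

    modulus = (1 << (bits - 1)) | 1
    blob = field(b"ssh-rsa") + field(mpint(65537)) + field(mpint(modulus))
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


if __name__ == "__main__":
    print(inspect_public_key(sample_key_line(2048)))
```

The fingerprint uses the same SHA256 format that ssh-keygen -l prints, so it can be compared with the key pair held on the workstation.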

statichost

A static host configuration maps a fully-qualified domain name to an IP address. This static mapping is useful in the following cases:

  • A DNS server is not available.
  • The DNS server entry for a fully-qualified domain name points to an external IP address, outside of your firewall, although the ultimate destination is inside your firewall. You can use this static mapping if you want to associate the fully-qualified domain name with an internal IP address, inside your firewall.

You can also configure static hosts using the Ivanti EPMM System Manager Settings > Static Hosts page, described in “Static Hosts” in the Ivanti EPMM System Manager Guide.

Specify the following parameters:

Table 35.  statichost command parameters

| Parameter | Description |
| --- | --- |
| ip | IP address of the fully-qualified domain name. |
| fqdn | The fully-qualified domain name. |

Example  

/config#statichost 172.16.80.2 mysentry.mycompany.com

syslog

Configures syslog server information.

Table 36.  syslog command parameters

| Parameter | Description |
| --- | --- |
| server | Hostname or IP address of the syslog server |
| loglevel | Specify the log level to be enabled (0-7) |

The log level value you specify in this command corresponds to the following log levels:

Table 37.  syslog log level values

| Log level value | Log level description |
| --- | --- |
| 0 | Emergency |
| 1 | Alert |
| 2 | Critical |
| 3 | Error |
| 4 | Warning |
| 5 | Notice |
| 6 | Info |
| 7 | Debug |

You can also configure the syslog servers in the Ivanti EPMM System Manager Settings > Data Export > Syslog Servers page, described in “Syslog” in the Ivanti EPMM System Manager Guide.

system user

Creates an Ivanti EPMM System Manager user account. Specify the following parameters:

Table 38.  system user command parameters

| Parameter | Description |
| --- | --- |
| username | User name |
| password | The unencrypted (cleartext) user password |

You can also configure Ivanti EPMM System Manager users in the Ivanti EPMM System Manager, in Security > Identity Source > Local Users, described in “Identity Source > Local Users” in the Ivanti EPMM System Manager Guide.

system aspm

Sets a kernel boot parameter (pcie_aspm) to turn off the PCIe Active State Power Management (ASPM) subsystem on Ivanti EPMM physical appliances.

Turning off the PCIe ASPM subsystem is necessary if Ivanti EPMM physical appliances lose connectivity because of issues in some e1000e interface drivers. These faulty drivers erroneously go off-line and stay off-line when the PCIe ASPM subsystem puts the driver into low power mode. When the driver is off-line, Ivanti EPMM physical appliances that use the driver, such as the M2100 Gen 3 or M2200, lose connectivity. Because the PCIe ASPM subsystem’s capability to save power is not applicable to Ivanti EPMM appliances, turning off the subsystem solves the interface driver issue with no impact to Ivanti EPMM behavior.

The setting persists across reboots. However, it does not persist after an Ivanti EPMM upgrade if the upgrade includes an upgrade to the kernel. Re-execute the command after such an upgrade.

x-frame

This command sets the XFrame configuration for Hypertext Transfer Protocol daemon (HTTPd), that is, your web server. The X-Frame options can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites.

Table 39.  X-Frame command parameters

| Parameter | Description |
| --- | --- |
| SameOrigin | The page can only be displayed in a frame on the same origin as the page itself. The spec leaves it up to browser vendors to decide whether this option applies to the top level, the parent, or the whole chain, although it is argued that the option is not very useful unless all ancestors are also in the same origin. |
| Deny | The page cannot be displayed in a frame, regardless of the site attempting to do so. |
| Allow-From | This is an obsolete directive that no longer works in modern browsers. Don't use it. In supporting legacy browsers, a page can be displayed in a frame only on the specified origin URI. |