Adding a Configuration to a New Ivanti Secure Access Client Installation

When you install Ivanti Secure Access Client for Windows or Ivanti Secure Access Client for macOS client on an endpoint using the default Ivanti Secure Access Client installation program, the endpoint has all the Ivanti Secure Access Client components it needs to connect to Ivanti servers. However, Ivanti Secure Access Client needs a configuration that identifies the Ivanti servers it can connect to, that is, the connections. Connection properties also define how the connections are to be started, manually, automatically, or according to location awareness rules, and how Ivanti Secure Access Client connections receive updates. These connection set properties are also called machine settings. Figure 95 shows the default Ivanti Secure Access Client connection set properties (machine settings) that are passed to Ivanti Secure Access Client as its configuration. Figure 96 shows the connection set properties as they appear in a Ivanti Secure Access Client preconfiguration file, which you can use to add the Ivanti Secure Access Client configuration when you install Ivanti Secure Access Client. The preconfiguration file also includes Ivanti Secure Access Client connections.

There are two methods for installing an initial configuration on a new Ivanti Secure Access Client:

•Use a Ivanti Secure Access Client preconfiguration file (.pulsepreconfig) when you install Ivanti Secure Access Client on endpoints using the default Ivanti Secure Access Client installer.

•Instruct users to open a browser and login to the Ivanti server Web portal where the Ivanti Secure Access Client configuration has been defined. After successful login, the user should start Ivanti Secure Access Client from the Web page. Or you can enable Auto-launch as a role option to have the Ivanti Secure Access Client installation begin automatically after login.

The first time Ivanti Secure Access Client connects to a server that offers a Ivanti Secure Access Client configuration, the configuration settings are installed on the client, and the client is bound to that server, which means that only that server can update the client's configuration. Any Ivanti server can update the Ivanti Secure Access Client software version if that feature is enabled, and any Ivanti server can add a connection to an existing Ivanti Secure Access Client configuration if the Dynamic connections option is enabled as part of the connection set on the binding server. Only the binding server can update Ivanti Secure Access Client's configuration.

If the Ivanti Secure Access Client configuration has Dynamic connections enabled, then connections from other Ivanti servers are automatically added to Ivanti Secure Access Client's connections list when the user connects to the other Ivanti server through that server's Web portal, and the user starts Ivanti Secure Access Client using the Ivanti server's Web portal interface. For example, a user has a Ivanti Secure Access Client configuration from IvantiServerA (the binding server) and the Ivanti Secure Access Client configuration allows dynamic connections. If the user browses to IvantiServerB and successfully authenticates through that server's Web portal and clicks the Ivanti Secure Access Client button, the server adds a IvantiServerB connection to the Ivanti Secure Access Client configuration, and it appears in Ivanti Secure Access Client's connection list. This new connection is set to start manually so that it does not attempt to connect when the endpoint is restarted or conflict with the connections from the binding server. A dynamic connection is added to Ivanti Secure Access Client's connections list. However, the connection's target URL is Ivanti Web server URL; it does not use the URL that is defined for the connection in the server's Ivanti Secure Access Client connection properties. In most cases, these URLs will be the same.

You can see a Ivanti Secure Access Client configuration by creating and viewing a pulsepreconfig file. (To create the file, go to the Ivanti Secure Access Client Component screen, select a component set, and then click the Download Installer Configuration button.) The .pulsepreconfig file contains a section that defines the machine settings and separate sections for each Ivanti Secure Access Client connection deployed to the client, as shown in figure.

The machine settings and each centrally configured connection include the server ID (server-id) of the binding server. When a user browses to a Ivanti server, the server can offer a new configuration, (that is, updates to the machine settings). If the server-id under machine settings matches, Ivanti Secure Access Client accepts the configuration update. If the server-id does not match, Ivanti Secure Access Client ignores the update.

Configuration files have a version number as well. When Ivanti Secure Access Client connects to its binding server, Ivanti Secure Access Client compares the version of its existing configuration to the version on the server. If the server version is later than the existing client version, the client configuration is updated. The update might add, change, or remove connections and change machine settings.

If you have several Ivanti servers and you want to provision the same Ivanti Secure Access Client configuration from all of the servers, the server ID of the Ivanti Secure Access Client configuration must be the same across all of the servers. To accomplish this, you create the configuration on one server, and then use the "push config" feature of the Ivanti server to push the configuration to the other Ivanti servers. This method ensures that the server ID of the configuration file is the same across all of the Ivanti servers so that clients can receive a configuration update from any of the Ivanti servers.