Deploying Ivanti Secure Access Client

Ivanti Secure Access Client Installation Overview

This section describes how to deploy Ivanti Secure Access Client for Windows and Ivanti Secure Access Client for macOS client software from Ivanti Policy Secure and Ivanti Connect Secure platforms.

Ivanti Policy Secure and Ivanti Connect Secure include a default connection set and a default component set. These defaults enable you to deploy Ivanti Secure Access Client to users without creating new connection sets or component sets. The default settings for the client permit dynamic connections, install only the components required for the connection, and permit an automatic connection to Ivanti Connect Secure or Ivanti Policy Secure to which the endpoint connects.

For detailed configuration of the Ivanti Secure Access Client on Ivanti Connect Secure, refer to Ivanti Secure Access Client Configuration on Ivanti Connect Secure.

In all deployment scenarios, you must have already configured authentication settings, realms, and roles.

You can deploy Ivanti Secure Access Client to endpoints from Ivanti Connect Secure and Ivanti Policy Secure in the following ways:

•Web install: With a Web install (also called a server-based installation), users log in to the Ivanti server's Web portal and are assigned to a role that supports a Ivanti Secure Access Client installation. When a user clicks the link to run Ivanti Secure Access Client, the default installation program adds Ivanti Secure Access Client to the endpoint and adds the default component set and the default connection set. If you do not make any changes to the defaults, the endpoint receives a Ivanti Secure Access Client installation in which a connection to the Ivanti server is set to connect automatically. You can edit the default connection set to add connections of other Ivanti servers and change the default options.

Note:The exact mechanism used to launch and install a particular Ivanti Secure Access Client from a web browser depends on a number of factors, including:
- The Ivanti Secure Access Client (Windows/Mac desktop client, Network Connect, Host Checker, WSAM, Windows Terminal Services) being launched/installed.
- The endpoint operating system type and version.
- The web browser type and version.
- The security settings of the endpoint operating system and browser.

For a particular client/OS/browser combination, you may need to enable the appropriate technology on the endpoint device. For example, to launch the Ivanti Secure Access Client from Firefox on Windows, you will need to ensure that Java is enabled in Firefox on the end user's endpoint device. For more information, consult the "Adaptive Delivery" section of the Ivanti Secure Access Client Supported Platforms Guide.

A Web install is not compatible with the Ivanti rebranding tool, BrandPackager.

•Preconfigured installer: Create the connections that an endpoint needs for connectivity and services, download the settings file (.pulsepreconfig), and download default Ivanti Secure Access Client installation program. For Windows endpoints you run the Ivanti Secure Access Client installation program by using an msiexec command with the settings file as an option. For OS X endpoints, you run the default installer and then import the .pulsepreconfig file using a separate command.

Download the Ivanti Secure Access Client from Software Download Portal. You need to have the login credentials to access the portal.

•Default installer: You can download the default Ivanti Secure Access Client installation program and distribute it to endpoints using your local organization's standard software distribution method (such as Microsoft SMS/SCCM). Ivanti Secure Access Client software is installed with all components and no connections. After users install a default Ivanti Secure Access Client installation, they can add new connections manually through Ivanti Secure Access Client user interface or by using a browser to access a Ivanti server's Web portal. For the latter, the Ivanti server's dynamic connection is downloaded automatically and the new connection is added to Ivanti Secure Access Client's connections list when the user starts Ivanti Secure Access Client by using the Ivanti server's Web portal interface. Dynamic connections are created as manual rather than automatic connections, which means that they are run only when the user initiates the connection or the user browses to a Ivanti server and launches Ivanti Secure Access Client from the server's Web interface.

If the Windows endpoints in your environment do not have admin privileges, you can use the Ivanti Secure Access Client Installer program, which is available on the admin console System Maintenance Installers page. The Ivanti Secure Access Client Installer allows users to download, install, upgrade, and run client applications without administrator privileges. In order to perform tasks that require administrator privileges, the Ivanti Secure Access Client Installer runs under the client's Local System account (a powerful account with full access to the system) and registers itself with Windows' Service Control Manager (SCM). An Active-X control or a Java applet running inside the user's Web browser communicates the details of the installation processes to be performed through a secure channel between the Ivanti server and the client system.

•Installing the Ivanti Secure Access Client Installer MSI package requires administrator rights to install onto your client systems. If you plan to use the EXE version, administrator rights are not needed as long as a previous version of the access service component (deployed through, for example, JIS, Ivanti Secure Access Client, and so forth) is already present. If policies are defined for your client with the group policy "Run only Allowed Windows Application", the following files must be allowed to run in the group policy. If not, client applications might not install.

•dsmmf.exe

•PulseCompMgrInstaller.exe

•PulseSetupClient.exe

•PulseSetupClientOCX.exe

•PulseSetupXP.exe

•uninstall.exe

•x86_Microsoft.*.exe

•You should ensure that the Microsoft Windows Installer exists on the client system prior to installing the Ivanti Secure Access Client Installer.

•Your end-users' client systems must contain either a valid and enabled Java Runtime Engine (JRE) or a current Ivanti Connect Secure ActiveX control. If the client systems do not contain either of these software components, the users will be unable to connect to the gateway. If there is no JRE on your end-users' client systems, you should download an appropriate installer package from Maintenance > System > Installers. The service appears in the Windows Services (Local) list as Neoteris Setup Service. The service starts automatically on install and during client system start up.