Using SMS/SCCM Remediation with Ivanti Policy Secure
Ivanti Secure Access Client supports the SMS/SCCM download method for patch deployment. If Ivanti Policy Secure is configured to use the SMS/SCCM method for patch deployment, the SMS/SCCM client must already be installed on the Ivanti Secure Access Client endpoint; otherwise, remediation fails.
Endpoints configured with SMS/SCCM for software management typically poll the server for updates every fifteen minutes or longer. In a worst-case scenario, clients that are not in compliance with existing Host Checker software requirements might have to wait until the next update interval to log in. Using the SMS/SCCM download method, you can force the client to initiate the software update immediately after the patch assessment check. If a user attempts to log in, and the endpoint does not have a required software version for compliance with a Host Checker patch assessment policy, Host Checker immediately notifies the client to poll the server for an immediate update. The client receives notification that an SMS/SCCM update has started.
To configure SMS/SCCM to update the client when notified, set the advertisement time on the SMS/SCCM server to As soon as possible.
You assign clients to a particular group or collection on the SMS/SCCM server, and the server can then advertise patches for that collection. You can configure roles on Ivanti Policy Secure that correspond to collections, so that SMS/SCCM can send the appropriate patches for a particular role.
You must have the SMS/SCCM client installed and configured correctly on endpoints, and the SMS/SCCM server must be reachable. In a Layer 2 network, Host Checker is performed before the endpoint is connected to the network. Host Checker can obtain the IP address of the SMS/SCCM server configured for the client. If the endpoint is out of compliance and remediation is necessary, Host Checker pings the server IP address every 15 seconds until the server can be notified to update the client.
You should inform users of the expected behavior if this feature is enabled, as there is no notification to the user until the SMS/SCCM sends back the advertisement.
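The prerequisites stated above (SMS/SCCM client installed and configured, server reachable) can be checked on an endpoint before the Host Checker policy is enforced. The following PowerShell is an added example, not Ivanti or Microsoft code; it assumes the Configuration Manager client runs as the CcmExec service and records its management point in the SMS_Authority class of the root\ccm WMI namespace, and the function name is hypothetical.

```powershell
# Added example: pre-flight check for SMS/SCCM remediation prerequisites.
# Assumptions: the Configuration Manager client service is named CcmExec and
# the client publishes its management point in root\ccm : SMS_Authority.
function Test-SccmRemediationReadiness {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        ClientInstalled = $false
        ClientRunning   = $false
        ManagementPoint = $null
        ServerReachable = $false
    }

    # 1. Is the SMS/SCCM client installed, and is its service running?
    $svc = Get-Service -Name 'CcmExec' -ErrorAction SilentlyContinue
    if ($svc) {
        $result.ClientInstalled = $true
        $result.ClientRunning   = ($svc.Status -eq 'Running')
    }

    # 2. Which server is the client configured to use?
    if ($result.ClientInstalled) {
        $auth = Get-CimInstance -Namespace 'root\ccm' -ClassName 'SMS_Authority' `
                    -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($auth -and $auth.CurrentManagementPoint) {
            $result.ManagementPoint = $auth.CurrentManagementPoint
        }
    }

    # 3. Does the configured server answer a ping from this endpoint?
    if ($result.ManagementPoint) {
        $result.ServerReachable = Test-Connection -ComputerName $result.ManagementPoint `
                                      -Count 2 -Quiet
    }

    [pscustomobject]$result
}

# Any False or empty value marks an endpoint on which remediation is likely to fail.
Test-SccmRemediationReadiness | Format-List
```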
To enable SMS/SCCM assessment and remediation:
1. In the admin console, select Authentication > Endpoint Security > Host Checker.
2. In the Policies section, click New to create a new Host Checker policy.
3. Under Patch Remediation Options, select SMS/SCCM Patch Deployment.
4. Click Save Changes.
Be sure to include the Host Checker policy in the realm or role you configure for Ivanti Secure Access Client users.